wordpress customization and security
TRANSCRIPT
Joe Casabona
• Web Developer. Writer. Nerd*. – *Computer, Device, Star Wars
• Yankee Fan
• Responsive Design with WordPress– Out Dec 2013– www.rwdwp.com– Discount Code for 35% off: RWDWP
site: Casabona.org | twitter: @jcasabona | email: [email protected] slides/resources: casabona.org/blogcon-13
Phil Erbhttp://philerb.comTwitter: @philerb
Systems Admin & ProgrammerUniversity of Scranton
Co-Founder & Director of TechnologySolve the Net
Lover of WordPress
WordPress Theme Customization
Themes: A Primer
• A WordPress Theme:– Provides control over the look and presentation of
the material on your website.
• The Codex!– Your best friend during development– codex.wordpress.org
Important Files
Tip: Don’t Modify the Core!
style.css
• Includes Theme Definition /*Theme Name: Millennium FlightsTheme URI: http://www.milenniumflights.comDescription: A custom theme for Millennium Flights, Inc.Version: 1.0Author: Joe CasabonaAuthor URI: http://www.casabona.orgTags: blue, white, two-column, flexible-width*/
• Keep Common Classes in mine (rwdwp.com/12)
• RWD Tip: Put all CSS in One File
functions.php
• Place misc PHP functions, code, and variables• Considered a “plugin” file for your theme• Remember “Separation of Concerns”– Themes should only effect display, not content or
functionality • Uses: Actions, Filters, side-wide functions• RWD Tip: Use this file for server-side
detection
index.php
• The backbone of WordPress themes
• Everything that doesn’t have its own template file will use index.php
• Used to display a list of posts or content.
• DO NOT remove The Loop from this page
header.php and footer.php
• Template Files to use throughout the theme
• get_header() and get_footer()
• wp_head() and wp_footer()
The WordPress Hierarchy
wphierarchy.com
Template Files
• Sophisticated Display Controls• Only required files: style.css and index.php• Custom templates down to the single post
level• Example: Custom Post Type named“classes”
single-classes.php single.php index.php
Page Templates
• Naming Convention– page-no-sidebar.php
<?php/*Template Name: No Sidebar*/
?>
The Loop
Defined
• The Loop is used by WordPress to display each of your posts. Using the Loop, WordPress processes each of the posts to be displayed on the current page and formats them according to how they match specified criteria within the Loop tags. Any HTML or PHP code placed in the Loop will be repeated on each post
Essentially…
• The Loop has functions to: – Make sure that you have posts to display– Display those posts.
<?php if (have_posts()) : ?><?php while (have_posts()) : the_post(); ?>
//print post information using template tags<?php endwhile; ?>
<?php else : ?>print “No posts found.”;
<?php endif; ?>
Template Tags
• Functions in WordPress designed to print information about the Current Post
• Some tags include:– the_title(), the_time(), the_content(),
the_excerpt(), the_category(), the_tags(), the_permalink()
If time permits…
Let’s Look at a Live Theme!
Securing Your WordPress Site
Source: Torque.io - WordPress Core is Secure – Stop Telling People Otherwise
Yes … but …
The code may be secure, but there are always things to improve
Backup ALL the Things
My hosting provider does that,why should I?
How do I backup WordPress?
Services– ValutPress
Plugins– BackupBuddy– BackWPUp
The good old fashioned way mysqldump -udbuser mydb > db.sql zip -r backup.zip /webfolder/ db.sql
Backup Best Practices
Create a backup schedule that makes sense for your site.
Get an off-site copy
Test your backups
Secure the Server
To the extent that you can
Use strong passwords
FTP, SSH, and control panels will get hackers access to your sites
Use SFTP instead of FTP,if possible
Understand file permissions
“777” makes everything work …for other people too.
Install an SSL certificate
Securing Core
Secure the login process
Wait, my password is sent over the Internet in plain text???
Don’t use “admin”
Stronger Authentication
Use strong passwordsForce Strong Passwords
Limit the number of bad loginsLogin Lockdown
Use multi-factor authenticationGoogle AuthetnicatorDuo Two-Factor Authentication
Always use SSL encryptionfor login forms and personal info
No SSL? Passwords are Plain Text!
Only give users theaccess they need
This includes YOU
Don’t always run as admin
Don’t let your databasebe predictable
Change the database table prefix
Plugins, Themes, and Updates
Only use trusted sources
DON’T Google “free WordPress themes”
Only one of these is trustworthy
Source: WPMU.org - Why You Should Never Search For Free WordPress Themes
Keep core, plugins, andthemes up to date
Security Services, Plugins & Tools
Security Tools
Sucuri Site scanner, monitoring, and security plugin
Better WP Security
Wordfence
Updates and Management
ManageWP
InfiniteWP
WP Remote
Use a good hosting provider!
Keep Yourself Secure Too!
If your computer is hacked,your site could be next!
Install OS and application updates
Run antivirus software
Use encrypted protocols (HTTPS, SFTP)
Use strong passwords for everything
Keep your ear to theWordPress community
The products and the issues are ever evolving.
Where to get the news
WPSecure.net
Sucuri’s blog
WP Updates Notifier plugin
Check out more on the NEPAWPResources page
Questions? Comments? Statements of Disgust?
References & Links
• VaultPresshttp://vaultpress.com/
• BackupBuddyhttp://ithemes.com/purchase/backupbuddy/
• BackWPUphttp://wordpress.org/plugins/backwpup/
• Codex: Administration over SSLhttp://codex.wordpress.org/Administration_Over_SSL
References & Links
• How to Change the WordPress Databasehttp://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/
• Login Lockdownhttp://wordpress.org/plugins/login-lockdown/
• Force Strong Passwordshttp://wordpress.org/plugins/force-strong-passwords/
• Google Authetnicatorhttp://wordpress.org/plugins/google-authenticator/
• Duo Two-Factor Authenticationhttp://wordpress.org/plugins/duo-wordpress/
References & Links
• WPMU.org: Why You Should Never Search For Free WordPress Themeshttp://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
• Sucurihttp://www.sucuri.net/http://wordpress.org/plugins/sucuri-scanner/
• Better WP Securityhttp://wordpress.org/plugins/better-wp-security/
• Wordfencehttp://wordpress.org/plugins/wordfence/
References & Links
• WPSecure.nethttp://wpsecure.net/
• WP Updates Notifierhttp://wordpress.org/plugins/wp-updates-notifier/
• Sucuri bloghttp://blog.sucuri.net/category/wordpress