Getting Started With WordPress Theme Development

WordPress Theme Development

Why WordPress Theme Development?

WordPress is the most popular CMS currently available, so if you want exposure for your project, why wouldn’t you build it in WordPress? If you already know JavaScript, HTML and CSS and use those skills to make websites, then WordPress could be the next logical step.

While knowing PHP is a bonus, it is not strictly required to build a WordPress theme. Some Bootstrap skills give you a slight advantage, but once again they are not necessary. It is not too difficult to build a custom WordPress theme from scratch.

What is a WordPress Theme?

A WordPress theme is basically a template that changes the look of your website. Modifying the theme changes the look of your site externally, but the way the back-end operates generally does not change. This means that webmasters can move between WordPress sites without needing any extra training or knowledge to operate them, yet the sites can all look different. You can check out thousands of free WordPress themes at WordPress.org or premium themes at Themeforest.net. If you have seen a site that you think looks interesting you can check it with WP Theme Detector, which will point you at the theme it uses.

Most developers don’t realise it, but you really only need two files to make a WordPress theme.

  1. index.php – the main template file
  2. style.css – the main style file

While this is strictly true, a developer who sticks to just these two files will usually end up with a functional but quite basic theme.
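The following index.php shows what the two-file minimum looks like in practice. It is an added example, not a theme from the original article or from WordPress.org; the theme name, text domain and version are placeholders. With no functions.php, the stylesheet is enqueued from the template itself, and the template keeps the wp_head() and wp_footer() calls that plugins and the admin bar depend on.

```php
<?php
/**
 * index.php - the single template of a minimal two-file theme (added example).
 *
 * The other required file, style.css, only needs the header comment that
 * WordPress reads to list the theme under Appearance > Themes. Wrapped in a
 * CSS comment, it looks like this (values are placeholders):
 *
 *     Theme Name:  Two File Theme
 *     Author:      Your Name
 *     Version:     0.1
 *     License:     GNU General Public License v2 or later
 *
 * Everything below is ordinary template code.
 */

// With no functions.php, enqueue style.css from here. This file runs before
// wp_head() fires, so the 'wp_enqueue_scripts' action is still in time.
add_action( 'wp_enqueue_scripts', function () {
	wp_enqueue_style( 'two-file-theme-style', get_stylesheet_uri(), array(), '0.1' );
} );
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
	<meta charset="<?php bloginfo( 'charset' ); ?>">
	<meta name="viewport" content="width=device-width, initial-scale=1">
	<?php wp_head(); // Lets WordPress and plugins print their <head> output. ?>
</head>
<body <?php body_class(); ?>>

<header>
	<h1><a href="<?php echo esc_url( home_url( '/' ) ); ?>"><?php bloginfo( 'name' ); ?></a></h1>
	<p><?php bloginfo( 'description' ); ?></p>
</header>

<main>
<?php if ( have_posts() ) : ?>
	<?php while ( have_posts() ) : the_post(); // The Loop: one iteration per post on this page. ?>
		<article id="post-<?php the_ID(); ?>" <?php post_class(); ?>>
			<h2><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></h2>
			<p><?php echo esc_html( get_the_date() ); ?></p>
			<?php
			// the_content() runs the 'the_content' filters (shortcodes, embeds) and is
			// the one place where post HTML is printed as-is. Any other string you
			// print (dates, meta values, options) goes through esc_html()/esc_url()
			// so a stored value cannot inject markup into every page of the site.
			the_content();
			?>
		</article>
	<?php endwhile; ?>
	<?php the_posts_pagination(); ?>
<?php else : ?>
	<p><?php esc_html_e( 'Nothing found.', 'two-file-theme' ); ?></p>
<?php endif; ?>
</main>

<?php wp_footer(); // Required: plugins and the admin bar enqueue scripts here. ?>
</body>
</html>
```

Drop both files into a folder under /wp-content/themes/ and the theme appears under Appearance > Themes. Omitting wp_head() or wp_footer() is the classic beginner mistake: the theme renders, but plugins that rely on those hooks silently stop working.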

Before we start we would like to mention the GNU General Public License (GPL). WordPress.org requires every theme it hosts to be GPL-compatible, and the WordPress project’s position is that a theme’s PHP is a derivative work of WordPress and therefore falls under the GPL whether the theme is free or premium. The GPL grants four basic freedoms.

  1. Freedom to run the program for any purpose.
  2. Freedom to study how the program works and to change it, so it performs computing as you wish.
  3. Freedom to redistribute copies, so you can help your neighbor.
  4. Freedom to distribute copies of your modified versions, giving the community a chance to benefit from your changes.

If you never distribute the theme, however, the GPL places no obligations on you; its conditions apply when you give copies to others.

Set Up a Local Development Environment

Try to match the local development environment to the production server as closely as possible (same web server, PHP and database versions), so that what works locally still works after upload. A local development environment is preferable for a few reasons.

  1. Speed of development.
  2. Testing is easier.
  3. Lack of an internet connection will not hamper development.

We recommend your local development environment be made up of:

  1. Linux (Ubuntu, for example) or, if you really have to, Windows
  2. Apache or Nginx
  3. MySQL or MariaDB
  4. PHP
  5. A good text editor (we recommend Notepad++ or PhpStorm)

External WordPress Development Tools

You will need an internet connection for these, but we are assuming that eventually you will want to upload your theme anyway.

  1. A good introduction to WordPress debugging: https://nacin.com/2010/04/23/5-ways-to-debug-wordpress/
  2. The WordPress.org Theme Unit Test Data is an XML file of dummy content (posts, pages, comments, images) that you import to see how a theme copes with different types and layouts of content.
  3. Debug Bar is a plugin that adds a debugging panel to the WordPress admin area.

There are other tools but these 3 are a good start.

Where to Start?

We recommend that you start by looking at some of the default themes that come with WordPress. At this point I have to come clean about something. I have never actually started a WordPress theme from scratch. I have always started with a default theme and modified it from there. These days I have highly modified and unrecognisable versions of default themes that are my starting point for new projects. I figure, why reinvent the wheel? A great way to start is to download one of the default themes and just start hacking.

The default themes (the Twenty series that ships with each major release) can all be downloaded from WordPress.org.

If you are an experienced developer and don’t want to deal with the in-built design choices of the default themes, a great way to start is to generate yourself an Underscores (_s) theme. Navigate to Underscores’ website and enter a name for your theme; you will be prompted to download a skeleton WordPress theme.

Upload the theme to /wp-content/themes/ in your WordPress installation and activate it under Appearance > Themes. You can now start tinkering with its look and feel.

This is just a quick starter guide, not an in-depth instructional on how to make a WordPress theme. Stay tuned, that article is coming.

WordPress Security Update and Features – Vulnerabilities Have Been Plugged

WordPress Security Update and Features

As of May 7th, 2019, WordPress’ content management system (CMS) has a new set of security features that add a level of protection many of its users say they wanted years ago. They shipped with WordPress 5.2, which was released the same day.

The security provisions include cryptographically signed updates, a modern cryptography library, a Site Health section in the admin panel, and protection against the dreaded White Screen of Death (WSOD), which lets site administrators reach the site’s backend when a catastrophic PHP error occurs.

Since WordPress runs more than 33 percent of websites, the new provisions are expected to ease website owners’ fears about attacks.

Updates that are Cryptographically-Signed

Perhaps the largest and most important of the new security components is offline digital signing of WordPress updates. Update packages are now signed with Ed25519 public-key signatures, so a local installation can confirm that an update is authentic before installing it.

This is a vital step against a supply-chain attack that could hit every WordPress website at once. Security researchers had been warning WordPress users about this kind of threat for more than two years.

According to Scott Arciszewski, Chief Development Officer of Paragon Initiative Enterprises, before this update all an attacker needed in order to compromise every WordPress site was to break into the WordPress update server. Arciszewski helped build the signing system for WordPress updates as well as several of the other new security features.

He added that with signing in place an attacker would instead have to steal the core development team’s signing key, which is a far higher bar. Two caveats matter for administrators: in 5.2 only core updates are signed (plugin and theme updates are not), and the check was introduced as a soft failure, so an update with a bad signature is not yet refused while the system beds in.

WordPress Acquires a More Modern Cryptographic Library

Another part of Arciszewski’s effort to make WordPress more secure was to give it a modern cryptographic library. With the new update, WordPress’ CMS supports Libsodium for its cryptographic operations. It replaces the patterns many plugins built on mcrypt, an extension that was deprecated in PHP 7.1 and removed in PHP 7.2.

Rather than requiring the PHP extension, WordPress bundles sodium_compat, a pure-PHP polyfill that provides the same sodium_* functions on servers whose PHP does not have Libsodium built in; where the native extension exists it is used instead. This puts WordPress in the same company as other platforms that already shipped Libsodium support, such as Magento 2.3+, Joomla 3.8+ and PHP 7.2+ itself.

Additionally, with this in WordPress’ core, theme and plugin developers can rely on it too rather than bundling cryptography of their own.

For more information, WordPress theme and plugin developers can read the blog post Arciszewski has published on how to replace older mcrypt-based code with Libsodium.
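The two operations this section describes, Ed25519 signature verification as used for signed updates and authenticated encryption as the replacement for mcrypt, look like this from a plugin or theme author’s side. This is an added example and not WordPress core code or Arciszewski’s: the key pair is generated on the spot and the package bytes are a constructed stand-in. On PHP below 7.2 the sodium_* functions come from the bundled sodium_compat polyfill; on PHP 7.2+ they are native, and the code is the same either way.

```php
<?php
/**
 * Added example: Ed25519 verification and secretbox encryption via the
 * sodium_* API that WordPress 5.2 makes available (natively or through the
 * bundled sodium_compat polyfill). Not WordPress core code.
 */

/**
 * Ed25519 check in the shape a signed update needs: the publisher signs the
 * package bytes once with the private key; every site verifies with the
 * public key it already holds. Returns true only if $package is exactly what
 * was signed. Length checks come first because the sodium call throws on
 * malformed input, and an exception is not a useful failure mode here.
 */
function verify_package_signature( $package, $signature, $public_key ) {
	if ( strlen( $signature ) !== SODIUM_CRYPTO_SIGN_BYTES
		|| strlen( $public_key ) !== SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES ) {
		return false;
	}
	return sodium_crypto_sign_verify_detached( $signature, $package, $public_key );
}

/**
 * Authenticated encryption (XSalsa20-Poly1305), the replacement for the
 * mcrypt patterns this section mentions. A fresh random nonce is generated
 * for every message and stored in front of the ciphertext. Because the
 * ciphertext carries a Poly1305 tag, a modified message fails to open
 * instead of decrypting to garbage, which is what unauthenticated mcrypt
 * modes would do.
 */
function seal_secret( $plaintext, $key ) {
	$nonce = random_bytes( SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	return $nonce . sodium_crypto_secretbox( $plaintext, $nonce, $key );
}

function open_secret( $sealed, $key ) {
	if ( strlen( $sealed ) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES ) {
		return false;
	}
	$nonce      = substr( $sealed, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	$ciphertext = substr( $sealed, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES );
	return sodium_crypto_secretbox_open( $ciphertext, $nonce, $key ); // plaintext, or false if tampered
}

// --- Demonstration with constructed data; keys are generated here, not real ones ---
$keypair    = sodium_crypto_sign_keypair();
$secret_key = sodium_crypto_sign_secretkey( $keypair ); // stays with the publisher, never shipped
$public_key = sodium_crypto_sign_publickey( $keypair ); // compiled into every install

$package   = 'constructed stand-in for the bytes of an update zip';
$signature = sodium_crypto_sign_detached( $package, $secret_key );

echo verify_package_signature( $package, $signature, $public_key ) ? "genuine\n" : "REJECT\n";
echo verify_package_signature( $package . 'x', $signature, $public_key ) ? "genuine\n" : "REJECT\n";

$key    = sodium_crypto_secretbox_keygen(); // 32 random bytes; store it outside the web root
$sealed = seal_secret( 'constructed example: an API token to keep at rest', $key );
echo open_secret( $sealed, $key ) === false ? "tampered\n" : "opened\n";

// Flip one bit of the ciphertext and try again: the tag no longer matches.
$last            = strlen( $sealed ) - 1;
$sealed[ $last ] = chr( ord( $sealed[ $last ] ) ^ 1 );
echo open_secret( $sealed, $key ) === false ? "tampered\n" : "opened\n";
```

The point for plugin authors is the failure mode: with mcrypt, a swapped or corrupted ciphertext decrypts to something, and the code that consumes it has to notice; with secretbox the call returns false and nothing downstream ever sees unauthenticated bytes. The same applies to the signature check, which is why the verify helper returns false on malformed input rather than letting an exception decide what happens.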

New Section for Site Health

Likely the first of these additions most users will notice is the new “Site Health” section under the Tools menu in the admin panel. It has two pages, Site Health Status and Site Health Info.

The Site Health Status page runs a set of straightforward health and security checks (PHP version, HTTPS, whether debug mode has been left on, whether background updates and loopback requests work, and so on) and delivers a report of what it found with guidance on correcting each item. Plugin and theme developers can register tests of their own through the same mechanism to check other parts of a WordPress site.

The other page, Site Health Info, is exactly what it sounds like. It lists a large amount of data about the site and the server setup. It is meant for debugging, or for when server details have to be shared with support staff.

Information is given on the WordPress installation, the server, the active plugins and themes, and file storage usage.
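The Status page note above says developers can design their own tests. As an added example (not core code and not from the original article), the following must-use plugin registers one through the site_status_tests filter and reports whether two hardening settings are actually in effect on the site: the dashboard file editor being disabled and XML-RPC being switched off. The test slug, labels and text domain are placeholders.

```php
<?php
/**
 * Plugin Name: Hardening Site Health test (added example)
 *
 * Registers a custom Site Health Status test. Core collects tests via the
 * 'site_status_tests' filter; 'direct' tests run while the page renders and
 * 'async' ones are fetched afterwards. Cheap checks like these go in 'direct'.
 */

add_filter( 'site_status_tests', function ( $tests ) {
	$tests['direct']['example_hardening'] = array(
		'label' => __( 'Hardening settings', 'example-health' ),
		'test'  => 'example_hardening_site_health_test', // any callable works here
	);
	return $tests;
} );

/**
 * Returns the array shape Site Health expects. 'status' is 'good',
 * 'recommended' or 'critical' and decides which list the result appears in.
 */
function example_hardening_site_health_test() {
	$problems = array();

	// 1. The theme/plugin file editor should be off (DISALLOW_FILE_EDIT in wp-config.php);
	//    otherwise any hijacked administrator session can write PHP from the dashboard.
	if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
		$problems[] = __( 'DISALLOW_FILE_EDIT is not set, so administrators can edit PHP files from the dashboard.', 'example-health' );
	}

	// 2. XML-RPC should be disabled unless something (Jetpack, a mobile app) still needs it.
	//    Running the filter asks the same question core asks before serving xmlrpc.php.
	if ( apply_filters( 'xmlrpc_enabled', true ) ) {
		$problems[] = __( 'XML-RPC is enabled; xmlrpc.php accepts login attempts and pingbacks.', 'example-health' );
	}

	$result = array(
		'label'       => __( 'Hardening settings are in place', 'example-health' ),
		'status'      => 'good',
		'badge'       => array(
			'label' => __( 'Security', 'example-health' ),
			'color' => 'blue',
		),
		'description' => '<p>' . esc_html__( 'File editing is disabled and XML-RPC is switched off.', 'example-health' ) . '</p>',
		'actions'     => '',
		'test'        => 'example_hardening',
	);

	if ( $problems ) {
		$result['label']       = __( 'Some hardening settings are missing', 'example-health' );
		$result['status']      = 'recommended';
		$result['description'] = '<ul><li>' . implode( '</li><li>', array_map( 'esc_html', $problems ) ) . '</li></ul>';
	}

	return $result;
}
```

Because the test runs the real xmlrpc_enabled filter rather than reading an option, it reflects whatever plugin or mu-plugin actually controls XML-RPC on the site, so it will not report “disabled” merely because a setting exists somewhere.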

Servehappy Project

One of the other new security additions comes from the Servehappy project. It was meant to land in WordPress 5.1 but was delivered in two parts, one in 5.1 and one in 5.2. The 5.1 part shows users a warning when the server is running an outdated PHP version.

WordPress 5.2 added protection against the dreaded “White Screen of Death” (WSOD), also called fatal error protection. It works as a kind of safe mode for a WordPress site.

When a PHP fatal error occurs in a theme or plugin, WordPress emails the administrator a recovery-mode link; within that recovery session the offending theme or plugin is paused, so the administrator can get into the backend and fix or remove it.

It too was meant to ship in WordPress 5.1, but was delayed when reviewers found scenarios in which an attacker could deliberately trigger a fatal error in a security plugin and have the protection switch that plugin off, exposing WordPress websites across the Internet. The 5.2 design pauses plugins only inside a recovery-mode session reached through the emailed link, which closes that hole.

Plans for the Future

These updates don’t mean work has stopped on other ways to improve the security of WordPress sites. Other plans in the works include Project Gossamer, planned at the time of writing for release with WordPress 5.4.

Project Gossamer is intended to take the code-signing system used for core updates and turn it into a framework that can sign plugin and theme updates as well.

WordPress Xmlrpc.php Why You Need To Disable It Right Now!

What is the Xmlrpc.php File and What Does it Do?

The xmlrpc.php file was implemented to let webmasters interact with their sites remotely. For all intents and purposes it acted as an API, and a poor and insecure one. XML-RPC stands for XML Remote Procedure Call: method calls encoded as XML and sent over HTTP. While xmlrpc.php exposes many methods, trackbacks and pingbacks are the most widely used and the most problematic.

Other methods let webmasters post from mobile or desktop clients, or upload pre-written articles. This mattered when internet connections were slow and editing online was difficult. The internet has moved on and is much faster, so that functionality is far less useful than it once was.

XML-RPC Early Days to Now

Before WordPress 3.5 (December 2012) XML-RPC was off by default and could be switched on and off under Settings > Writing, a handy way to turn off unneeded functionality. The WordPress iPhone app, released in 2008, depends on XML-RPC, and in 3.5 the setting was removed and XML-RPC made permanently enabled, leaving only a code-level filter to turn it off. This left WordPress sites open and exposed. Why do we say exposed? As hinted above, xmlrpc.php was not created with security in mind.

WordPress now has a REST API (in core since 4.7) that covers most of what XML-RPC did, and the expectation is that XML-RPC will eventually be retired. No date has been set, though, and XML-RPC remains enabled by default, so webmasters should still be concerned. Once it is removed, webmasters can stop worrying about xmlrpc.php and start worrying about the new issues the REST API will have.

Why Webmasters should Disable Xmlrpc.php

Security is possibly the main concern of webmasters after content, and XML-RPC greatly hinders a webmaster’s ability to maintain it.

Why is xmlrpc.php a security risk? There are two main methods of abuse.

1. XML-RPC allows brute-force attacks on WordPress installations. An attacker points a bot at xmlrpc.php instead of wp-login.php, which bypasses security plugins that only watch the login form. Worse, the system.multicall method lets a single HTTP request carry hundreds of login attempts, so thousands of username and password combinations can be tested in seconds while only a handful of requests show up in the web server logs.

2. DDoS attacks are the next big issue with XML-RPC. Attackers abuse the pingback feature in two directions. Flooding a site with pingback requests ties up PHP workers and database connections until the site falls over and goes offline. And because WordPress fetches the “source” URL to verify each pingback, thousands of innocent WordPress sites can be pointed at a victim and used as an amplifier against somebody else’s site, with your server appearing in the victim’s logs.

Strong passwords help to hold off an attacker using method 1, but do nothing against method 2.

One thing we do have to mention is that the very popular Jetpack plugin still uses XML-RPC to talk to WordPress.com. If you use Jetpack and are considering disabling xmlrpc.php, you will need to reconsider what we are proposing, or limit yourself to removing the pingback methods.

How a Webmaster can Disable xmlrpc.php

Now that we have established that disabling xmlrpc.php can be a good thing, how do we do it? There are three methods.

  1. Using a plugin to disable xmlrpc.php. We have tried two and they both work well: Disable XML-RPC and Remove & Disable XML-RPC Pingback. Go to the Plugins area, click Add New, search for xmlrpc, pick one of the plugins and click Install Now.
  2. Deleting the xmlrpc.php file. This sounds drastic but it does not affect WordPress itself; the only things it breaks are trackbacks, pingbacks and any client that relies on XML-RPC, such as Jetpack or the mobile apps. You may need a systems administrator to do this for you, and the next WordPress upgrade will put the file back, so it has to be redone after every core update.
  3. Blocking access to xmlrpc.php at the web server, which again may need the services of a systems administrator. Both Apache and Nginx, the two main web servers, can deny requests to a single file in a directory, and a block there costs the server almost nothing because PHP is never started for the request.
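The three methods above can also be combined into one must-use plugin that uses core’s own filters, which survives core updates (unlike deleting the file) and cannot be deactivated from the dashboard (unlike an ordinary plugin). This is an added example, not one of the plugins named above; the constant name is a placeholder, and it assumes the file is placed in wp-content/mu-plugins/. It also covers the Jetpack caveat: with the constant set, the authenticated methods stay available while pingbacks are still removed.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 *
 * Drop into wp-content/mu-plugins/. Set EXAMPLE_KEEP_XMLRPC_FOR_JETPACK to
 * true in wp-config.php if Jetpack or a mobile app still needs the endpoint;
 * the pingback removal below stays in force either way.
 */

if ( ! defined( 'EXAMPLE_KEEP_XMLRPC_FOR_JETPACK' ) ) {
	define( 'EXAMPLE_KEEP_XMLRPC_FOR_JETPACK', false );
}

if ( ! EXAMPLE_KEEP_XMLRPC_FOR_JETPACK ) {
	// Every method that requires a login now answers "XML-RPC services are
	// disabled on this site" before the password is ever checked. That also
	// neuters system.multicall as a brute-force tool: each bundled login
	// attempt fails at the same check without touching the user table.
	add_filter( 'xmlrpc_enabled', '__return_false' );
}

// Pingbacks do not require a login, so 'xmlrpc_enabled' alone leaves them
// reachable. Remove the methods from the server's method table instead.
add_filter( 'xmlrpc_methods', function ( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and
// blank the <link rel="pingback"> URL that themes print via bloginfo().
add_filter( 'wp_headers', function ( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
} );
add_filter( 'bloginfo_url', function ( $output, $show ) {
	return 'pingback_url' === $show ? '' : $output;
}, 10, 2 );
```

Requests to xmlrpc.php still reach PHP with this in place, so it does not reduce load under a flood the way a web-server deny rule does; what it removes is the password-guessing and pingback surface. On a site that can afford to drop the endpoint entirely, do both.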

Conclusion

While xmlrpc.php may not be long for this world, it is still an issue today and must be dealt with. The REST API is taking over the functionality of xmlrpc.php with finer-grained control over what is exposed and who may call it. We highly recommend disabling XML-RPC, especially if you are having trouble with attackers.

XML-RPC was a great solution 10+ years ago but is now very long in the tooth. The developers of WordPress have recognised this and are phasing it out. WordPress webmasters should prepare themselves for the day when xmlrpc.php no longer exists.


5 WordPress Mistakes You Need To Avoid

Making WordPress Mistakes

If you have found this site, you probably already know what WordPress is and what it does. It is easily the most popular CMS on the web and looks like it will stay that way for a long time to come. Its ease of use, the simplicity of setting it up and modifying it, and the plethora of plugins combine to make WordPress popular. Those same qualities are also what make it easy to make big mistakes on your website.

Avoiding WordPress Mistakes

If you are about to use WordPress, it is a given that you will make mistakes; if you are using WordPress right now, it is a given that you are making some already. It is just the nature of the beast. WordPress is simple to use, but thousands of themes and at least as many plugins mean there is a lot of code that can be buggy or conflict. Let us help you with the knowledge we have picked up along the way.

1. How do you pick the right WordPress theme?

Find a site that you like and enter its address into WP Theme Detector. It will give you a rundown of the site and indicate whether it is a WordPress site; the theme will be highlighted with a link to the theme itself. Follow the link and examine the theme in detail.

Some questions to ask yourself when considering a theme:

Is the theme responsive, and does it look good on a mobile or tablet? People increasingly use mobile devices to access the web, so make sure the theme you pick works well on phones and tablets.

Does the theme’s styling suit the topic of my blog? Websites and blogs have a niche they cater for, and most theme creators have a particular niche in mind when building a theme. Pick a theme that names your niche in its description or has a child theme or installable demo that matches the niche you are interested in.

Is the theme creator reliable? If you used the theme detector above, the answer is generally yes. Still, read the reviews and check when the theme was last updated. A recent update is a good indicator that the developer is still actively supporting the theme, and an abandoned theme will not receive security fixes.

2. Do You Use Optimized Images?

Optimizing images is one of the most undervalued ways of making a site more user friendly, and it is especially important for mobile users. Google has announced that page loading speed is a ranking factor. There are a number of WordPress plugins that will optimize images on the fly.

Make sure the images you choose are relevant to the niche and have some impact. Images that are completely off topic make users leave the site early and go back to Google. This is known in SEO circles as a bounce, and Google frowns upon it because it signals that users are not finding what they are looking for on the website.

3. Do Not Forget To Backup Your Website

Do you think that WordPress automatically backs up your site data? If so, you are sadly mistaken. Out of the box WordPress has no backup mechanism, yet backing up a site is one of the most important things you can do as a website owner. It is an obvious but crucial mistake that first-time bloggers make.

There is a plethora of backup plugins. To find them, go to the Plugins area and search for backup. Most of those that come up are excellent, and using any one of them will keep you from losing sleep at night. Some backup plugins we recommend:

Any one of the above plugins will save you much heartache in the future. Whichever you choose, store the backups somewhere other than the web server itself, and test a restore before you need one.

4. Installing too many plugins

Plugins are what make WordPress powerful and flexible, and that is often a double-edged sword. At the last count there were over sixty thousand plugins available for WordPress. Not all of them are compatible with the latest version of the CMS, and not all of them are still supported by their creators.

This is where the problem lies. Plugins are what make WordPress, but they are also its biggest source of vulnerabilities: most compromised WordPress sites are broken into through an out-of-date or abandoned plugin rather than through core. When using plugins follow these simple rules.

  • Only use plugins that you absolutely need. Superfluous plugins should be deleted, not just deactivated; deactivated plugin code is still on disk.
  • Only install supported, compatible plugins that have plenty of recent good reviews.
  • Check that the plugin does not slow your site down.
  • Make sure the plugin does not clash with the theme you have chosen.
  • Plugins can clash with each other, not just with themes, so installing too many can cause unwanted errors on a WordPress site.

5. Not Taking WordPress Security Into Account

WordPress security becomes more important every year. As one of the most popular website platforms, WordPress attracts its fair share of attackers: a vulnerability in a CMS with so many installations pays off far better than one in an obscure system. What can you do to make your WordPress site more secure?

  1. Install a security plugin.
  2. Make sure all passwords are extremely strong.
  3. Do not call the administrator account “admin”; give it an unusual name.
  4. Avoid nulled or cracked premium themes; they frequently ship with backdoors.
  5. Disable file editing (set DISALLOW_FILE_EDIT to true in wp-config.php).
  6. Use an SSL/TLS certificate so the site runs over HTTPS, if you can.
  7. Change your wp-login URL. Most attackers use bots that hit a fixed set of files, and wp-login.php is the first on the list. Every guess costs the server a database lookup and a password-hash check, so a sustained bot can overload the server as well as eventually guess a weak password. Moving the login page sidesteps the dumbest bots, but it is not a substitute for strong passwords and rate limiting.
  8. Disable or block xmlrpc.php. Few sites need it, and its system.multicall method lets a bot pack hundreds of login attempts into a single request.
  9. Install a limit-login-attempts plugin.
  10. Protect wp-config.php and .htaccess: keep them read-only and add a web-server rule that denies requests for them, so they can neither be downloaded nor overwritten through the site.
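Item 9 above is worth seeing in code, because where the limit is enforced decides whether xmlrpc.php can walk around it. The following must-use plugin is an added example, not one of the limit-login plugins on WordPress.org. It counts failed logins per client address in a transient and refuses authentication past a threshold. Because it hooks the authenticate filter and the wp_login_failed action, which core fires from wp_authenticate() for every entry point, it applies to wp-login.php and xmlrpc.php alike. The threshold, window, transient prefix and text domain are placeholders, and REMOTE_ADDR is assumed to be the real client address (behind a proxy or CDN, use the forwarded address you have verified cannot be spoofed).

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 *
 * Counts failed logins per client IP in a transient and, past a threshold,
 * refuses authentication for a cooling-off period. Hooking 'authenticate'
 * and 'wp_login_failed' means the limit covers every path that calls
 * wp_authenticate(), including xmlrpc.php (wp.getUsersBlogs and friends).
 */

const EXAMPLE_LOGIN_MAX_FAILURES = 5;                       // illustrative threshold
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS;  // illustrative lockout window

/**
 * Transient name for the current client. Hashed so the option name is a
 * fixed length and never contains a raw address. Assumes REMOTE_ADDR is the
 * real client; behind a trusted proxy substitute the forwarded address.
 */
function example_login_client_key() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'example_login_fail_' . hash( 'sha256', $ip );
}

// Count failures. Core fires this for any rejected login whichever endpoint
// received it, but not for empty username/password submissions.
add_action( 'wp_login_failed', function ( $username ) {
	$key      = example_login_client_key();
	$failures = (int) get_transient( $key );
	set_transient( $key, $failures + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Refuse once the threshold is reached. Priority 30 runs after core's own
// username/password check (20), so even a correct password from a throttled
// address is refused. The refusal itself counts as a failure, so the lockout
// keeps extending while the attacker keeps trying.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( empty( $username ) && empty( $password ) ) {
		return $user; // let core produce its usual "empty field" errors
	}
	$failures = (int) get_transient( example_login_client_key() );
	if ( $failures >= EXAMPLE_LOGIN_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_failed_logins',
			__( 'Too many failed login attempts from your address. Please try again later.', 'example-limiter' )
		);
	}
	return $user;
}, 30, 3 );

// A genuine login clears the counter for that address.
add_action( 'wp_login', function () {
	delete_transient( example_login_client_key() );
} );
```

Two caveats a plugin of this shape always carries: many users behind one NAT address share one counter, so pick the threshold with that in mind, and a distributed attack that rotates addresses is slowed per address but not stopped, which is why this sits alongside strong passwords rather than replacing them.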

Conclusion

If you are reading this, it is probably your first foray into blogging, or at least you are relatively new to WordPress. Don’t let what we have said above dishearten you. WordPress, for all its foibles, is an excellent website and blogging platform. Whatever mistakes you make, learn from them. Most online entrepreneurs fail a few times before they hit on the idea or site that lets them work from wherever they like and live the lifestyle they desire.


How to Choose a WordPress Theme?

How to Choose a WordPress Theme

“How do I choose a WordPress theme?” is possibly the question I am asked most as a WordPress developer. The answer is not all that technical; what the question highlights is that there is a lot of choice, and therefore complexity, which leads to confusion.

I will be breaking the answer down into 10 simple points to consider when looking for a WordPress theme.

1. Simplicity

We have all seen WordPress sites with flashy images, banners and sliders. Some look great and some look a little overdone. One thing they all have is complexity, and complexity usually means a longer load time. Load time is an increasingly important factor in Google’s rankings, and a slow site, especially its mobile version, will be penalised. Consider Google’s AMP as a partial fix if you want a fast-loading mobile site but a flashier one for PC and laptop users. More on AMP here.

Themes sometimes carry unnecessary bloat, so even a theme that is not flashy can load a lot of plugins, CSS and images. Many of the plugins bundled with themes are not needed, so deactivate or delete them; every unused plugin is extra code you have to keep updated. The KISS principle applies to many parts of life, and it is particularly pertinent to website design.

2. Look At As Many Themes As Time Will Allow

Often a client will come to me after seeing one particular site and want me to replicate it. We have all been there: smitten by a site and wanting an almost exact copy of it. There are usually a few problems with this. The site might not be a WordPress site, and the theme might be a privately commissioned one. If that is the case you may need the services of a web developer, and depending on your budget this may get more expensive than you want.

If it is a WordPress site, start at WordPress.org, which has many great free but usually simpler themes, and look through the examples. I usually tell clients to browse at least five pages. Then I point them at Themeforest.net and tell them to look through at least five pages again, or enter some search terms and see what pops up. These themes are cheap but not free; they are usually much nicer looking, optimised, well supported by the author and will not break your bank balance.

You will probably see a theme similar to the one you had in mind, or one that is even better. If you have seen a site that you like, test it with WP Theme Detector, as it may use a theme you can get.

3. Choose A Responsive Theme

Not long ago a responsive theme was exactly that, a choice. Those days are gone; responsive themes are now mandatory. Mobile traffic surpassed PC traffic years ago, so theme choice and theme design should be mobile first. Responsive themes are not only more comfortable for mobile users, they also help with SEO. Google has long held the view that ease of use should be rewarded, and it has made clear that responsive design, along with AMP, is what it considers best practice.

4. Page Builders

Does the theme support or include a page builder? Page builders are not mandatory if all you are doing is creating a blog, but they make it easier to create landing pages and give a site a more professional look. The negatives are that they add a layer of complexity and require more knowledge of page layout, and they lock you in: if the page builder plugin is deactivated, the layouts it produced are left in the post content as raw shortcodes or markup and the design is effectively lost.

5. SEO Optimized

There are some good plugins that optimise the on-site SEO of a WordPress site. We recommend Yoast SEO; All in One SEO used to be the best SEO plugin but is starting to show its age; The SEO Framework is another option. A theme needs to work well with these plugins, but it should also have some on-site SEO built in.

6. Reviews and Ratings

If you have narrowed down the field to about 5 possible themes but can’t decide which one, the reviews and ratings can be a great guide.

Free themes on WordPress.org show their reviews and ratings just below the download button. On Themeforest.net the reviews are under the theme thumbnail in the WordPress category.

7. Ongoing Support

As the core of WordPress changes from update to update, themes often need to be modified to work with the new code. This can pose problems, especially for relatively old or unpopular themes.

While many themes on WordPress.org are well supported, especially the popular ones, there are many old and little-used themes that have not kept up with core WordPress functionality.

Themeforest.net developers tend to keep their themes up to date because they have a monetary incentive to do so. This is not a hard-and-fast rule, which is why we recommend popular themes: if a developer is making a good living from a theme, it is in their best interest to keep it modern and working.

8. Think About Color and Font

Color is important; marketing is all about visual appearance. Matching the logo should not be the only consideration. The colors of the website should enhance the logo or, as web developers like to say, “make it pop”. Unless you are in a creative field, avoid dark colors and use neutrals with a hint of color.

9. Consider a Premium Theme

Premium WordPress themes have come a long way. Most have the best page builders and sliders built in, and what we like most about them is that they are well supported. As we said before, a theme that is well monetised gives its developer the best incentive to keep updating and supporting it. Some themes, like Avada, have had over half a million sales on Themeforest.net. Other popular themes are BeTheme, The7 and Newspaper. These themes come with many pre-made designs that you just need to load.

10. Is it Fit For Purpose?

A website has a purpose. That purpose could be a blog, a news site, an enterprise site, marketing, e-commerce, information, photography and many more. The theme should match the purpose of the website. Most premium themes offer many different designs that can be applied to almost any niche; free WordPress.org themes have these too, but usually not to the same extent. Choose a theme that is either built around the niche you are interested in or has a built-in design that fits it.