
Installation Instructions

If watching is your thing, here's a two-minute video which shows the installation steps. Or just follow along with the steps below.

There are three important things to do in order to get your installation up and running smoothly. Everything else is optional. In your WordPress admin, go to the Products / Manage Settings menu and check these things:

First Important Thing! You must put the automatically generated API key into your FoxyCart settings (on the advanced menu in the FoxyCart admin). Enter this code on the FoxyCart site in the "API Key" box and check the box that says "Enable Cart Validation". This ensures that no link tampering can take place on your product pages. If you don't enter this code on your FoxyCart account, nothing will happen when you try to add products to the cart.

Second Important Thing! Check your jQuery settings. If you are already using jQuery on your site, you may uncheck the jQuery include option so you don't get two competing versions, which causes problems. By default, FoxyShop uses the latest version of jQuery.

Third Important Thing! Check your permalinks. For best results, set your permalinks to "Month and Name" or "Day and Name" and click Save to flush your rewrite settings. If your product pages aren't showing up, flush your rewrite settings again. If your product pages appear unstyled, you might be using a WordPress framework that bypasses header.php and footer.php. See the FAQ for suggestions or use a shortcode.

There are a lot more settings on this page that you can review, but those are the critical ones. I recommend that you use FoxyCart version 0.7.1 and set the password hashing to phpass. By doing this, you'll be able to take advantage of WordPress user integration and other cool stuff. And it's just plain more secure.

If you want to enable custom file uploading, make sure that the /wp-content/uploads/ folder is writable or at least that there is a writable folder underneath it called customuploads.
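What the API key and "Enable Cart Validation" protect, as an added example (not FoxyShop's or FoxyCart's own code): each form field is signed with an HMAC keyed by the API key, so a value edited in the browser no longer matches its signature. The function names, the sample key and product, and the `name||signature` layout over code + name + value are assumptions of this sketch.

```php
<?php
// Added illustration, not FoxyShop/FoxyCart source. Key and product are constructed.

/** Return the signed field name "name||mac" for one form field. */
function sign_field(string $apiKey, string $code, string $name, string $value): string
{
    // The MAC covers product code + field name + value, so a signature
    // cannot be reused on another product, another field or another value.
    return $name . '||' . hash_hmac('sha256', $code . $name . $value, $apiKey);
}

/** Check one submitted field against the key held by the cart. */
function verify_field(string $apiKey, string $code, string $signedName, string $value): bool
{
    $parts = explode('||', $signedName, 2);
    if (count($parts) !== 2) {
        return false; // unsigned field: refused while validation is on
    }
    [$name, $mac] = $parts;
    $expected = hash_hmac('sha256', $code . $name . $value, $apiKey);
    return hash_equals($expected, $mac); // constant-time comparison
}

/** Store side: sign every field of a product before it is written to the page. */
function sign_product(string $apiKey, array $product): array
{
    $signed = [];
    foreach ($product as $name => $value) {
        $signed[sign_field($apiKey, $product['code'], $name, (string) $value)] = (string) $value;
    }
    return $signed;
}

/** Cart side: every field must verify, otherwise the add-to-cart is refused. */
function verify_product(string $apiKey, string $code, array $submitted): bool
{
    foreach ($submitted as $signedName => $value) {
        if (!verify_field($apiKey, $code, $signedName, (string) $value)) {
            return false;
        }
    }
    return true;
}

$apiKey  = 'constructed-demo-key-not-a-real-one';
$product = ['code' => 'shirt-small', 'name' => 'T-Shirt', 'price' => '19.99'];

// 1. Untouched form: every field verifies.
$form = sign_product($apiKey, $product);
var_dump(verify_product($apiKey, 'shirt-small', $form));

// 2. Price changed after signing: the signed name stays, the value no longer matches.
$edited = [];
foreach ($form as $signedName => $value) {
    $edited[$signedName] = (strpos($signedName, 'price||') === 0) ? '0.01' : $value;
}
var_dump(verify_product($apiKey, 'shirt-small', $edited));

// 3. Key on the cart side differs from the key used by the store: nothing verifies,
//    which is why a missing or mistyped API key stops products being added.
var_dump(verify_product('a-different-key', 'shirt-small', $form));
```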

Theme Customization
FoxyShop makes it easy to change the look of your store by editing theme files. These theme files are used by FoxyShop to format and display your products and categories. By default, FoxyShop looks for theme files in your template directory. If it doesn't find them there, it will use the ones in /wp-content/plugins/foxyshop/themefiles/. If you are using a child theme, the plugin will check in your child theme folder and then the parent theme folder before resorting to the defaults.

Don't modify the files in the themefiles directory or any upgrades you make will blow away your changes. Keep edited files in your theme directory to keep them safe. Additionally, it's usually a good idea to only copy the files you will be editing instead of copying all of them. This way, if any of the default theme files are changed in future versions, you'll have the latest and greatest code without having to make any manual changes. (This falls under the heading of best practices.)

Here's a list of all the template files and what you can do with them:
Template | File | What it does
Single Product | foxyshop-singleproduct.php | Shows a product's main details (/products/xyzproduct/)
Single Product Shortcode | foxyshop-singleproductshortcode.php | Shows a product's main details when called from a shortcode
Category Home | foxyshop-allcategories.php | Shows top-level categories (/product-cat/)
Category Page | foxyshop-singlecategory.php | Shows the products in a category (/product-cat/category-name/)
Category Page Shortcode | foxyshop-singlecategoryshortcode.php | Shows the products in a category when called from a shortcode
All Products | foxyshop-singleproduct.php | Shows all products (/all-products/)
Search Products | foxyshop-search.php | Controls the product search display (/productsearch/)
Store Header | foxyshop-header.php | Shows above the store on all FoxyShop pages
Store Footer | foxyshop-footer.php | Shows below the store on all FoxyShop pages; useful for loading scripts or styles only on FoxyShop pages
Product Loop | foxyshop-productloop.php | Shows the product information on the category and search pages
Datafeed Endpoint | foxyshop-datafeedendpoint.php | Roll your own checkout integration or add third-party feeds
Printable Receipt | foxyshop-receipt.php | Add your own logo or message to the customizable packing slip
Custom File Upload | foxyshop-singleproduct.php | Access the scripts that make the customer product upload work. You can disable swfobject if necessary here.

CSS

FoxyShop loads a default style sheet from /wp-content/plugins/foxyshop/css/foxyshop.css. This style sheet is designed to be as unobtrusive as possible. It simply sets floats and basic styles and is as generic as possible so that it won't interfere with your site-wide stylesheet. There are a few basic colors and widths specified at the top which you can easily overwrite with your stylesheet by either calling your stylesheet after wp_head() or specifying your overwrite styles as body .theclassname so that they have higher specificity. It should be noted that the default FoxyShop installation was designed for a container that is 900px wide.

If you would like to get rid of the default FoxyShop stylesheet completely, you can do so by sticking this in your functions.php file:
add_action('init', 'my_foxyshop_dequeue', 11);
function my_foxyshop_dequeue() {
    wp_dequeue_style('foxyshop_css');
}

Setting up Products
FoxyShop lets you set a lot of information about each product. Let's go through each of the fields to explain how they work.

Tip: Each of the edit areas in the product entry page can be dragged around and/or minimized. If you aren't using one, you can minimize it and change the order so that it fits your workflow better. Check the Screen Options button at the top-right of the screen if you are missing an entry box.

Tip: If you will have multiple products that have a similar setup, I recommend installing the excellent Duplicate Post plugin by Enrico Battocchi. This plugin works perfectly for FoxyShop products. Keep in mind that it doesn't copy images to the new product.
Product Details

In the product details panel, set your base price. This is the price from which all variations will adjust. If you don't enter anything for your product code, the code will be set as the product's internal WordPress post ID. The default weight and weight type (english or metric) can be set on your settings page. Note that if you select metric, you should also select this option in your FoxyCart admin control panel. You can enter a weight that is accurate to a tenth of an ounce/gram, and you can also enter 1.5 in the lb/kg box and the correct number of oz/gm will be automatically calculated on the fly.
Product Quantity

There are three quantity options: minimum, maximum, and disable. If you enter a minimum quantity, that number will be pre-filled in the product quantity box. If you enter a maximum, the quantity box becomes a dropdown with all valid selections. For this reason it's not recommended that you enter a very large number in the maximum quantity box. The minimum and maximum entries are also passed to the cart so that customers can't order more or less than you set. If you check the Hide Quantity option, the quantity box will not be displayed with the product. This does not affect the cart, and quantity can still be changed in the cart itself.
Other Product Detail Settings

If you have shipping categories added on your settings page, there will be a drop-down here with your available shipping categories. These categories should mirror the categories you've set up on your FoxyCart account. You can also choose to have a product hidden from the public view. When this box is checked, the product can still be accessed directly but won't be shown in any categories or on the all-products page. It will be shown on the product sitemap feed. If your SSO settings allow for "checkout account required" on a product-by-product basis, there will be a checkbox here called "Require Account For Checkout".
Product Categories

Farther down in the right column you can check off your product categories. You can, of course, select as many categories as you want. If you want a product category to be hidden, put an underscore in front of it like this: _Hidden Category. These categories are for display only. If you want to control shipping, you'll need to set up shipping categories in the FoxyCart admin control panel and copy the category names to your FoxyShop settings page.
Sale Pricing

If you have a sale price for a particular product, enter it in the sale price box. If you would like to enter a start date and/or an end date you can do that as well. Enter your dates as month/day/year (or month/day for the current year, it's not very picky) and the date will be validated. (Sorry to you non-US people!) If the date is accepted, FoxyShop will only apply the sale price within the date range specified. Please note that date ranges are not necessary: you can just use a straight sale price that is always available or you can simply use a start date or an end date. If you are using WordPress 3.1+ you'll get a nice calendar drop-down when clicking on the date fields.
Discounts and Subscriptions

If you want to add a discount to your product, you can use straight FoxyCart codes in the discount boxes. Refer to FoxyCart documentation for more information on creating valid discount codes. Because the boxes are kind of skinny, they expand when you click on them to make entering discount strings easier. If you want to create subscriptions, click the Subscription Attributes link and enter your information. Again, use FoxyCart documentation for more information on subscriptions. Note that this section will not appear if you have not enabled it on your settings page. The start and end dates can hold strtotime() arguments like +3 months, +7 days, etc. The dates will automatically be parsed on the product page and passed to FoxyCart in the correct format.
Inventory Levels

If you have enabled the inventory feature and turned on the datafeed, you will be able to manage inventory levels right here. Just enter a product code (more boxes will appear for variations) and the current stock as well as any custom alert levels. The default alert level can be set on the settings page. Each product or variation must have a unique product code. You can set your product codes on a per-variation basis like this: Small{c:shirt-small}.
Product Tags

If you have enabled Related Product Tags you'll get another box in the sidebar menu which will allow you to tag the product. Other products with the same tags will show up in the Related Products section of the sidebar. Note that these are a custom taxonomy and not traditional Post Tags. If you want to use Post Tags, see the Advanced Settings page.
Images

FoxyShop includes an image bar to make adding your images very easy. Just click the button, select your image and click upload. Once uploaded, the image will appear on the image bar. You can upload more images, rename images, or drag them around. The image in the yellow box is the featured image. Note that you don't need to save your product after making image changes; they are all saved on the fly.
Tip: In many browsers you can paste a URL into the Filename box to load a remote image directly.
Related and Bundled Products

If enabled, you can add specific related products. If you have a specific order in which you'd like them to appear, you can put the IDs in the Order box, separated by commas. You can also attach products to be bundled together. This will add multiple products at once. By default, this will add all secondary products with a price of $0.00. If you want all products added to the cart at their regular price, there's a setting in the Advanced Settings section. Be aware that at this time there's nothing to stop people from removing the paid item and leaving the free items in the cart, so this feature may not be too useful. Also, it doesn't work well when adding more than five products at once, as Internet Explorer has a URL length restriction. This feature must be turned on in the Settings page.
Custom Fields

Custom fields are enabled for FoxyShop products so you can extend the system with your own special fields. Additionally, if you enter cart, coupon, redirect, or output as the field name together with a value, the result will be passed directly to the shopping cart. These are reserved terms that FoxyCart will recognize (see FoxyCart documentation for more information).
Variations

Since product variations are a big deal and kind of complicated, there's a separate page just for variations.

Product Variations
If you are a visual learner, here's an overview of the FoxyShop variations and how they work. To add a product variation, enter a variation name like "Size". Next, select the type of variation this should be: a dropdown menu, a single line of text, a free text area, a checkbox, a list of radio boxes, or a custom file upload. You can also select "Description" as a variation, although this is just a spot for you to enter some HTML; it doesn't display any variations to be chosen. Quotes and periods cannot be used in variation names. You should also avoid using any reserved terms for other fields like price, weight, name, category, etc. Really anything from this list.
Dropdown/Radio

Each line will be displayed in a drop-down menu or in a list with radio checkboxes. Enter one variation for each line. If you want to change attributes about the product like price or weight, use this example:
Variation Name{p+1.50|w-1|c:product_code|y:shipping_category|dkey:display_key|ikey:image_id}

P changes the price. You can use + to add to the base price, - to subtract from the base price, or : to just set the price.
C changes the product code. You can also do c+ to append something to the existing code.
W changes the product weight.
Y changes the shipping category.
DKEY lets you display other fields. More on this in a moment.
IKEY lets you select a certain image to be displayed when this selection is made. Image ID numbers can be found by holding the mouse over the image in the Image Bar.

If you want to set a certain variation to be the default, put it first or put a * in the name. The star will be removed before displaying and it will be the default selected option.

Tip: If you are using a drop-down and want to make a price distinction for a downloadable product, use price:x instead of p to change your price. This will change your price on the page but not in the cart, as this causes some weird reactions with FoxyCart since it will use the price specified with the downloadable product.
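A parser for the modifier syntax above, as an added example (not FoxyShop's own code), showing how one option line turns into a price, weight and product code and what happens to malformed tokens. The function names, the sample lines, the assumption that W takes the same +, - and : operators as P, and the choice to collect unknown tokens in a `rejected` list are all this sketch's own.

```php
<?php
// Added illustration, not FoxyShop's parser. Sample lines are constructed.

/** Parse one Dropdown/Radio line into a display name plus its modifiers. */
function parse_variation_line(string $line): array
{
    $result = ['name' => '', 'default' => false, 'mods' => [], 'rejected' => []];
    $name = trim($line);
    $body = '';
    if (preg_match('/^(.*?)\{([^{}]*)\}\s*$/', $name, $m)) {
        [$name, $body] = [$m[1], $m[2]];
    }
    // A * marks the default option and is removed before display.
    $result['default'] = strpos($name, '*') !== false;
    $result['name'] = trim(str_replace('*', '', $name));

    $tokens = array_filter(array_map('trim', explode('|', $body)), 'strlen');
    foreach ($tokens as $token) {
        // "price" must be tried before "p" so that price:x is not read as p.
        if (!preg_match('/^(price|dkey|ikey|p|w|c|y)\s*([+:-])\s*(.*)$/i', $token, $t)) {
            $result['rejected'][] = $token;
            continue;
        }
        [$key, $op, $val] = [strtolower($t[1]), $t[2], $t[3]];
        $numeric = in_array($key, ['p', 'w', 'price'], true);
        // p/w/price: + - :   c: + (append) or : (set)   y/dkey/ikey: only :
        $opOk = $numeric || ($key === 'c' ? $op !== '-' : $op === ':');
        if (!$opOk || $val === '' || ($numeric && !is_numeric($val))) {
            $result['rejected'][] = $token; // never guess at a price change
            continue;
        }
        $result['mods'][$key] = ['op' => $op, 'val' => $numeric ? (float) $val : $val];
    }
    return $result;
}

/** Apply parsed modifiers to a base product. */
function apply_variation(array $product, array $variation): array
{
    $shift = function (float $base, array $mod): float {
        if ($mod['op'] === '+') {
            return $base + $mod['val'];
        }
        if ($mod['op'] === '-') {
            return $base - $mod['val'];
        }
        return $mod['val']; // ':' sets the value outright
    };
    $mods = $variation['mods'];
    if (isset($mods['p'])) {
        $product['price'] = round($shift($product['price'], $mods['p']), 2);
    }
    if (isset($mods['w'])) {
        $product['weight'] = $shift($product['weight'], $mods['w']);
    }
    if (isset($mods['c'])) {
        $product['code'] = $mods['c']['op'] === '+'
            ? $product['code'] . $mods['c']['val']
            : $mods['c']['val'];
    }
    if (isset($mods['y'])) {
        $product['category'] = $mods['y']['val'];
    }
    if ($product['price'] < 0 || $product['weight'] < 0) {
        throw new RangeException('variation drives price or weight below zero');
    }
    return $product;
}

$base = ['price' => 20.00, 'weight' => 3.0, 'code' => 'shirt', 'category' => 'DEFAULT'];
$lines = [
    'Small{c:shirt-small}',
    '*Large{p+1.50|w-1|c+-lg|y:oversize|dkey:p|ikey:42}',
    'Sample{p:0|bogus|p*2}',
];
foreach ($lines as $line) {
    $v = parse_variation_line($line);
    $p = apply_variation($base, $v);
    printf(
        "%-7s default=%-3s price=%6.2f weight=%.1f code=%-12s category=%-9s rejected=[%s]\n",
        $v['name'], $v['default'] ? 'yes' : 'no',
        $p['price'], $p['weight'], $p['code'], $p['category'],
        implode(', ', $v['rejected'])
    );
}
```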
Single Line of Text

You can enter your text box size and the maximum number of characters allowed. Neither of these entries is required. If they aren't entered, a default value will be used for the width and no maximum will be set.
Multiple Lines of Text

You can choose how many lines of text you want your box to show at once. If nothing is entered, the default will be three. Keep in mind that your users shouldn't be submitting lots and lots of data, as Internet Explorer 7 and 8 have issues accepting over 2047 characters in the address URL string.
Checkbox

The checkbox is a mixture between the Dropdown and Single Line of Text but you can enter pricing change data.
Custom File Upload

If this is chosen, the user will be able to upload a file. The file will be given a unique name and placed in the /wp-content/uploads/customuploads/ folder. The filename will be passed along as a product variation during checkout and you can retrieve the file at your convenience. Please note that for security, only the following file types can be uploaded: jpg, gif, jpeg, png, doc, docx, xls, xlsx, pdf, txt, tif, psd. If you need to adjust this list, you can easily set a special variable in your wp-config.php file. See Advanced Settings for instructions on how to do this.
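The extension allow-list and unique-name step described above, as an added example (not the plugin's upload handler): the stored name keeps only the final, allow-listed extension and replaces everything else with a random token. The function names, the constructed file names, the way extra extensions are merged in, and the `NEVER_ALLOWED` list of server-executed types are assumptions of this sketch.

```php
<?php
// Added illustration, not FoxyShop's upload code. File names are constructed.

// The list given on the page.
const DEFAULT_EXTENSIONS = ['jpg', 'gif', 'jpeg', 'png', 'doc', 'docx',
                            'xls', 'xlsx', 'pdf', 'txt', 'tif', 'psd'];

// Assumption: types a web server may execute or interpret are refused
// even if someone adds them to the configured list.
const NEVER_ALLOWED = ['php', 'phtml', 'phar', 'cgi', 'pl', 'asp', 'aspx', 'jsp', 'htaccess'];

/** Merge a comma-separated list (as in FOXYSHOP_ALLOWED_EXTENSIONS) into the defaults. */
function allowed_extensions(string $extra = ''): array
{
    $extra = array_map('trim', explode(',', strtolower($extra)));
    // Keep plain alphanumeric extensions only; drops empties and path fragments.
    $extra = array_filter($extra, function (string $e): bool {
        return preg_match('/^[a-z0-9]{1,10}$/', $e) === 1;
    });
    $merged = array_unique(array_merge(DEFAULT_EXTENSIONS, $extra));
    return array_values(array_diff($merged, NEVER_ALLOWED));
}

/**
 * Return the name an upload is stored under, or null to refuse it.
 * Only the final extension of the client-supplied name survives, so a
 * name such as "invoice.php.pdf" is stored as "<random>.pdf".
 */
function stored_name(string $clientName, array $allowed): ?string
{
    if (preg_match('/[\x00-\x1f\x7f]/', $clientName)) {
        return null; // control characters, including NUL, never belong in a name
    }
    // Strip any directory part, whichever separator the client used.
    $base = basename(str_replace('\\', '/', $clientName));
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

$default   = allowed_extensions();
$withVideo = allowed_extensions('mov, avi, mp4, php'); // "php" is dropped again

$samples = [
    'holiday photo.JPG',
    'invoice.php.pdf',
    'upload.php',
    "avatar.php\0.jpg",
    '..\\..\\wp-config.php',
    'README',
    'clip.mov',
];
foreach ($samples as $name) {
    printf(
        "%-26s default: %-38s with video: %s\n",
        json_encode($name),
        stored_name($name, $default) ?? 'REFUSED',
        stored_name($name, $withVideo) ?? 'REFUSED'
    );
}
```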
Chainable Variations

It is very simple to set some variations to be dependent on a dropdown menu selection. For this example we have a variation called "Personalization" with two options: Not Personalized and Personalized. Of course the Personalized option costs $5 more and we want to capture the customer's personalization text. You would set it up like this:

First Variation: Personalization (dropdown)


No Personalization
Personalization{p+5|dkey:p}

Second Variation: Personalization Text (single line of text)

Enter a Display Key of "p".

The display key can be any string (so you can have multiple keys). If a value is entered in the Display Key box for a variation, it will be hidden until an option is selected from a dropdown menu that has a dkey value that matches it. If you are using multiple ship-to recipients, the dkey for a ship-to recipient other than "Yourself" is "shipto". You can add as many variations as you would like and you can even drag them around if you'd like to change the order.
Saved Variations

If you have a complicated variation set, you can save time and simplify the maintenance of your variations by using saved variations. On the FoxyShop tools page you can add as many saved variations as you would like and then select those variations from the dropdown on the product page. If you ever need to make a change to a variation, that change will be applied to all the products at once. Just make sure not to change the reference name or the link to the products will break.

Widgets and Shortcodes


Shortcodes

There may be times when you want to display product information on a regular page instead of using the built-in permalink structure. There are several shortcodes to aid in this process. If you would like to use shortcodes inside of a page or post, you can do so by passing in the product's slug.

Full Product Details
[showproduct name="product-slug"]

Product Category Page


[productcategory name="category-slug"]

Add To Cart Link (URL Only)

[productlink name="product-slug"]

Add To Cart Link (Formatted Link)

[product name="product-slug"]Add To Cart[/product]
Alternate: [product name="product-slug"]
With Variations: [product name="product-slug" variations="Color=Green&Size=Large"]Add To Cart[/product]

The theme customization files for the product details and the category page can be found in the /themefiles/ directory. Read more about editing theme files. These shortcodes don't, by default, do everything that a regular product page does since there isn't a permanent URL attached. For this reason, it's recommended that you use the permalink structure if you can.
Widgets

FoxyShop has some pre-loaded widgets available on the Appearances / Widgets menu:

Add a Shopping Cart link that automatically updates with the quantity and price
Display products in a featured category
Display a list of categories

If you'd like a widget to show only a specific product, here's some code to do that. Just put this code in your functions.php file.

Subscriptions and Single Sign-On


Subscriptions

FoxyShop lets you turn WordPress into a full-on Subscription management system. To turn on subscription features, check the "Enable Subscriptions" checkbox in the FoxyShop settings. You'll then see options to set the frequency, start date, and end date of your subscription product. It's strongly recommended that you read through the FoxyCart documentation for instructions on setting up your subscription products. Note that FoxyShop expands on the FoxyCart functionality by letting you set a strtotime() value in the start or end dates like "+3 months".
Single Sign-On

FoxyShop supports the FoxyCart Single Sign-On (SSO) feature, which is described in the FoxyCart documentation. The SSO feature lets you sync your WordPress users and your FoxyCart users so that when a user is logged in, that login is transferred to FoxyCart and the customer's saved FoxyCart account information is retrieved at checkout. Furthermore, the FoxyCart ID number is stored as user meta data in the WordPress database so that after checkout, subscriptions and other data can be tied to the WordPress account.

IMPORTANT! Make sure that when you set up your store at FoxyCart you set your password hashing to phpass on the advanced settings tab. Do this before you start adding users so that your passwords can sync back and forth with WordPress. Even if you don't intend to use SSO, this is a good idea for security.

Whenever a WordPress account is created or updated, a FoxyCart account is created or updated as well. The password is also synced to the FoxyCart account. In the WordPress user profile an administrator will be able to see the FoxyCart account number. This information is hidden from non-administrators. The FoxyShop settings let you make a logged-in WordPress account either optional, mandatory, or mandatory on a product-by-product basis.

There's also a feature in the Datafeed Endpoint (you'll have to enable the XML datafeed) that will, when activated, automatically create or update WordPress users when a checkout has been completed. To turn this feature on, check the option "Create/Update WordPress User After Checkout". If you would like to add your own fields to the user registration screen you can try out the Cimy User Extra Fields plugin. FoxyShop also supports custom filters to easily tie into the FoxyCart user update process with your own fields (address, phone, etc).

Advanced Settings
FoxyShop has a number of advanced settings which you can set in your wp-config.php file. These allow you to unlock different features or adjust the way FoxyShop works. When adding the codes, make sure that they are placed before the require_once(ABSPATH . 'wp-settings.php'); line.
Complete List Advanced Features

Change the products slug to something-else:


define('FOXYSHOP_PRODUCTS_SLUG','something-else');

Change the product-cat slug to something-else:

define('FOXYSHOP_PRODUCT_CATEGORY_SLUG','something-else');

Allow products to accept comments:

define('FOXYSHOP_PRODUCT_COMMENTS',1);

Allow products to use tags:

define('FOXYSHOP_PRODUCT_TAGS',1);

Skip HMAC Verification (discouraged; this turns off the hashes that prevent link tampering):

define('FOXYSHOP_SKIP_VERIFICATION',1);

Allow a certain file-type to be uploaded. Add extensions separated by comma:


define('FOXYSHOP_ALLOWED_EXTENSIONS','mov,avi,mp4');

Bundled products are added at full price instead of $0.00:


define('FOXYSHOP_BUNDLED_PRODUCT_FULL_PRICE',1);

Change the path that FoxyShop looks for template files:

define('FOXYSHOP_TEMPLATE_PATH','/full/path/here/');

Force a certain version of jQuery:

define('FOXYSHOP_JQUERY_VERSION','1.5.2');

Keep FoxyShop from embedding the FoxyCart include files (if you need to do so manually):
define('FOXYSHOP_SKIP_FOXYCART_INCLUDES',1);

Throughout the admin, change Product to Class or something else:


define('FOXYSHOP_PRODUCT_NAME_SINGULAR','Class');
define('FOXYSHOP_PRODUCT_NAME_PLURAL','Classes');

Setup a url base. This is often necessary for Windows IIS:


define('FOXYSHOP_URL_BASE','/index.php');

Change cURL Timeouts:

define('FOXYSHOP_CURL_CONNECTTIMEOUT', 10);
define('FOXYSHOP_CURL_TIMEOUT', 15);

Keep Orders and Subs From Searching Automatically:


define('FOXYSHOP_AUTO_API_DISABLED', 1);

Disable the Social Media Meta Tags in Header:


define('FOXYSHOP_DISABLE_SOCIAL_MEDIA_META', 1);

Customizing With Hooks


FoxyShop allows developers to hook their own functions into the plugin to enable easier implementation of your desired customizations. Here is a list of some of the available hooks and filters with descriptions:
Action Hooks

foxyshop_save_product: Hook into the product saving process.
foxyshop_order_search_buttons: Add more buttons to the order management page to integrate your own reports.
foxyshop_order_line_item: Add more links to the end of each order line to integrate your own actions.
foxyshop_show_user_profile_data: Add more custom fields to the user profile (only for admin viewing).
foxyshop_admin_product_details: Add your own options to the product details metabox in the admin. Sample Code

Filter Hooks

foxyshop_save_sso_to_foxycart: Lets you hook your own function in to add your own metadata to update the FoxyCart user. This could be address, phone number, etc. Sample Code Here.
foxyshop_setup_product_info: Lets you add your own keys into the $product array every time it is built. Sample Code Here.
foxyshop_template_redirect: Lets you modify the FoxyShop template being returned. Sample Code Here. (ver 3.4+)

There are a lot more undocumented hooks so if you are looking for something specific, chances are it is already added. If you have a particular need or a place where a hook would be really helpful for you, as a developer, please contact me and I will consider adding to the plugin core. My goal is to make FoxyShop very easy for you to customize.

Function Reference
Javascript Considerations

FoxyShop uses several jQuery libraries. If you are already using these libraries it is suggested that you disable the FoxyShop versions to avoid conflicts.

FoxyShop uses the latest stable jQuery release from the Google CDN. If you are already using a different version of jQuery, you can uncheck the "Automatically Insert jQuery" option on the settings page. Note that FoxyShop uses WordPress's enqueue method so it won't conflict with any other plugins which are using jQuery includes the right way.

FoxyShop uses PrettyPhoto 3.1.2 for slideshow display. If you want to use your own gallery plugin that is just fine. To disable, look in foxyshop-single-product.php.

FoxyShop uses Uploadify 2.1.4 for custom file upload. If you are already loading Uploadify on a site-wide basis, comment out the include lines in foxyshop-custom-upload.php in your theme file. Uploadify is also loading swfobject 2.2 so that might have to be commented out as well.
Helper Functions

The helperfunctions.php file is located in the plugin folder and has all the functions that make FoxyShop so easy to use. I'll describe each function here and give you some tips and tricks. If there is anything that you really want to change in the core, please contact me and let's talk. I want to make this developer friendly and I'll figure out a way to help you get what you are after.

foxyshop_insert_foxycart_files()
This simply loads in the FoxyCart includes to the head of your document. If you haven't entered your FoxyCart domain yet on the settings page, this won't load at all and shopping cart links and forms will act screwy if you try to submit them.

foxyshop_setup_product()
Within the loop or any other time you need to access a product, call this function and it will get all the product data and load it into an array. It also loads all associated images into a sub-array of $product['images'] and variations into $product['variations']. Weight and sale prices are also calculated in this function. It's nice not having to do this stuff manually all the time.

foxyshop_start_form()
This function initializes the form and sets all the hidden values that are needed.

foxyshop_product_variations()
This function loops through all the variations and shows the proper type of field. It's easily the most complicated section of the code. For your sake, I hope you don't have to mess with it. The next two functions are part of this one: foxyshop_run_variations() and foxyshop_add_spaces(). You can pass in the location of the Quantity Box (above, below, or hidden), whether price variations should be shown, and any special code you'd like added above or below each variation. By default, there's no wrapping div around each variation and each includes a clearing div at the end. You can easily overwrite this if your markup doesn't like the clearing divs.

foxyshop_get_shipto()
Returns the Multiple Ship To fields if that feature is turned on. Note that this references a javascript file in the plugin folder to do the magic cookie and display stuff.

foxyshop_quantity()
Returns the quantity box or dropdown box with appropriate values filled in. It is usually called by foxyshop_product_variations() but you can call it yourself if you so desire.

foxyshop_product_link()
This creates an "add to cart" link for any product. Just pass in the link text (you can use %name% as a replaceable string if you like). If you just want a link, set the second parameter to true. The third parameter allows you to pass in variations as an array or serialized (color=Green&size=Large).

foxyshop_price()
This function returns your price and sale price if applicable. The class names are important so that the variation processor javascript can update the price when a dropdown is changed.

foxyshop_is_on_sale()
This is a handy function if you want to know whether the product is currently on sale or not. It simply compares the price and original price. Returns true or false.

foxyshop_is_product_new()
This function accepts a number (14 by default) and will return true if the product is newer than x days.

foxyshop_get_main_image()
Returns the URL for the main image. If there is a featured image, it pulls that one. If not, it uses the first image it finds. If no image is found it returns /wp-content/plugins/foxyshop/images/nophoto.png. Feel free to change this file (or the location) if you want. By default, the function will return the thumbnail size, but you can pass in any size: thumbnail, medium, large, or full. You could even pass in id, title, or featured if you wanted to get those details.

foxyshop_image_slideshow()
If there is more than one image, this function will write an unordered list (class: foxyshop_slideshow) with all the images. By default it pulls the thumbnail and links to the full image. If you prefer, you can pass in a different size for the actual image returned but it will always link to the full. Also, it will include the featured image by default (true) unless you ask it to skip the featured image since it is already shown above. If using ikeys, it's going to force this parameter to be true.

foxyshop_category_children()
This function writes out all the child categories for the parent (or top level if nothing is passed in). This automatically checks for images being used by the Taxonomy Images plugin.

foxyshop_simple_category_children()
Writes a simple unordered list of all your categories. You can set the depth as well. This is similar to wp_list_categories() except that it uses the custom FoxyShop ordering so your category ordering is honored. The foxyshop_category_writer() function is part of this process as well.

foxyshop_get_verification()
Creates the hashes and encryption on each form element to prevent link tampering. Will skip if the FOXYSHOP_SKIP_VERIFICATION constant is defined in your wp-config.php file. Disabling the verification is discouraged, though. You should have a good reason if you do this.

foxyshop_breadcrumbs()
This code wins second prize for most complicated. Hope you don't have to mess with it! Note that you can pass in a separator. By default it uses right angled double brackets: ». It's also worth noting that if a product is in multiple categories it will search the page referrer for a parent category. If there's no match it simply shows the breadcrumbs for the first matched category it finds.

foxyshop_inventory_management()
This function is used on the single product page to check the inventory levels of any product codes for which inventory has been set. You can pass in the specific wording you want to use and also set whether backordering should be allowed or whether the add to cart button should be disabled if there is no stock.

foxyshop_check_inventory()
Simple function to return whether the main product code is in stock, out of stock, or on stock alert.

foxyshop_featured_category()
This function writes out a list of products for any one category. It's used by the FoxyShop Category Widget or can be called independently if widgets aren't really your thing (and if you've made it this far, I'm betting they're not). Parameters are the category name (slug), an option to show an "Add To Cart" button, an option to show a "More Details" button, and a maximum number of entries to return which defaults to unlimited (-1).

foxyshop_cart_link()
This function writes out the formatted FoxyCart link to launch the shopping cart in a modal window. It accepts two arguments: link text and an option to hide the link if the cart is empty. Link text can be written with the variables %q% for quantity and %p% for price. These will be updated on the fly by FoxyCart, which is pretty slick.
foxyshop_related_products() This is called from the bottom of the main product page and returns a list that shows all of the products attached to the parent product when setting it up. Pass in the title of the section as well as the maximum number of products. The default maximum is 5 and will only be used when doing related products by tag. If you have manually attached 30 related products, theyll all show up. foxyshop_related_order() is used by this function.

foxyshop_sort_order_array() Returns an array with the sort order selections. This array can be merged into the query on applicable theme pages. foxyshop_sort_dropdown() Can be called on the single category template to allow the customer to order the products on the fly. foxyshop_include() This includes the store header and footer files. foxyshop_get_template() This function checks the stylesheet path, the template path, and finally the FoxyShop plugin themefiles path for theme files. This is what makes the custom theme files work. foxyshop_customer_order_history() Lets you easily display a customers order history. foxyshop_subscription_active() Is a subscription active? Looks for the current user and checks a product code to see if a subscription is active. Helpful for subscription management and quickly telling whether a user should have access to a particular area. foxyshop_get_pagination() This is a native pagination function written by Robert Basic. Huge props to him as it works amazingly well. foxyshop_currency() Taking care of all the currency conversion dirty work in one place. Note that Windows doesnt support money_format or localized currency symbols so the $ and are hardcoded in if you are using Windows. If you need more currencies, let me know.

Introduction
This page documents the API (Application Programming Interface) hooks available to WordPress plugin developers, and how to use them.

This article assumes you have already read Writing a Plugin, which gives an overview (and many details) of how to develop a plugin. This article is specifically about the API of "Hooks", also known as "Filters" and "Actions", that WordPress uses to set your plugin in motion. These hooks may also be used in themes, as described here. Note: This information applies to WordPress Versions 1.2 and higher. Before Version 1.2, modifications were called "hacks" and involved editing the source code of WordPress itself.

Hooks, Actions and Filters


Hooks are provided by WordPress to allow your plugin to 'hook into' the rest of WordPress; that is, to call functions in your plugin at specific times, and thereby set your plugin in motion. There are two kinds of hooks:
1. Actions: Actions are the hooks that the WordPress core launches at specific points during execution, or when specific events occur. Your plugin can specify that one or more of its PHP functions are executed at these points, using the Action API.
2. Filters: Filters are the hooks that WordPress launches to modify text of various types before adding it to the database or sending it to the browser screen. Your plugin can specify that one or more of its PHP functions is executed to modify specific types of text at these times, using the Filter API.

You can sometimes accomplish the same goal with either an action or a filter. For example, if you want your plugin to change the text of a post, you might add an action function to publish_post (so the post is modified as it is saved to the database), or a filter function to the_content (so the post is modified as it is displayed in the browser screen). For a thorough listing of all action and filter hooks in WP see Adam Brown's WP Hooks Database.

Function Reference
Filter Functions
has_filter() add_filter() apply_filters() current_filter() merge_filters() remove_filter() remove_all_filters()

Actions Functions
has_action() add_action() do_action() do_action_ref_array() did_action() remove_action() remove_all_actions()

Activation/Deactivation Functions

register_activation_hook()

register_deactivation_hook()

Actions
Actions are triggered by specific events that take place in WordPress, such as publishing a post, changing themes, or displaying a page of the admin panel. Your plugin can respond to the event by executing a PHP function, which might do one or more of the following:

- Modify database data
- Send an email message
- Modify what is displayed in the browser screen (admin or end-user)

The basic steps to making this happen (described in more detail below) are:
1. Create the PHP function that should execute when the event occurs, in your plugin file.
2. Hook to the action in WordPress, by calling add_action().
3. Put your PHP function in a plugin file, and activate it.

Create an Action Function

The first step in creating an action in your plugin is to create a PHP function with the action functionality of your plugin, and put it in your plugin file (your plugin file must go into the wp-content/plugins directory). For example, if you want your friends to get an email message whenever you create a new post, you might define the following function:
function email_friends($post_ID) {
    // Comma-separated list of recipients.
    $friends = 'bob@example.org,susie@example.org';
    mail($friends, "sally's blog updated", 'I just put something on my blog: http://blog.example.com');
    return $post_ID;
}

For most actions, your function should accept a single parameter (usually the post or comment ID, depending on the action). Some actions take more than one parameter -- check the documentation for the action (if available) or the WordPress source code for more information. Besides the one parameter, you can also access the global variables of WordPress, and call other WordPress functions (or functions in your plugin file). Any text output by the function (e.g. with print) will appear in the page source at the location where the action was invoked. NOTE: Keep in mind that other plugins or the WordPress core may already be using the function name you have thought of. See the next section, Avoiding Function Name Collisions for more information.

Avoiding Function Name Collisions


It is possible that someone has created a plugin with a function named the same as one in your plugin! This is a problem because PHP does not allow multiple functions with the same name. If two plugins provide a function with the same name, or a plugin provides a function with the same name as a WordPress function, the blog could cease to function. There are two ways to avoid this problem. The first solution is to prefix every function in your plugin with a unique set of characters. If your name is John Q. Public, you might declare your functions as function jqp_output() {...}. It is possible, but unlikely, that someone with the same initials does the same thing with their plugin. The second - and possibly easier - solution is to enclose your plugin functions in a class and call the class methods statically. This sounds more complicated than it is. Consider this class, which expands on the examples provided above:
class emailer {
    // Declared static so it can be registered and called without an instance.
    public static function send($post_ID) {
        $friends = 'bob@example.org,susie@example.org';
        mail($friends, "sally's blog updated", 'I just put something on my blog: http://blog.example.com');
        return $post_ID;
    }
}
add_action('publish_post', array('emailer', 'send'));

This class, called emailer has a method send that implements the plugin functionality. The add_action() function outside of the class adds the action to WordPress that tells it to call the send method when a post is published. The array used in the second parameter tells the plugin system to call the static method of the class 'emailer' named 'send'. The function send is protected from the global namespace by the class declaration. It is not possible to call send() directly, and so any other function named send will not collide with this one. If you did want to call send(), you would need to use a scope resolution operator, like this:
emailer::send($post_ID);

The above example is for static methods. If you have an instance of a class then that won't work. To call a method of an instance you need to pass the instance as a variable. Consider the above example modified to take this into account:
class emailer {
    function send($post_ID) {
        $friends = 'bob@example.org,susie@example.org';
        mail($friends, "sally's blog updated", 'I just put something on my blog: http://blog.example.com');
        return $post_ID;
    }
}
$myEmailClass = new emailer();
add_action('publish_post', array($myEmailClass, 'send'));

Classes are a complicated subject. Read more about them in the PHP documentation on classes.
Hook to WordPress

After your function is defined, the next step is to "hook" or register it with WordPress. To do this, call add_action() in the global execution space of your plugin file:
add_action ( 'hook_name', 'your_function_name', [priority], [accepted_args] );

where:
hook_name

The name of an action hook provided by WordPress, that tells what event your function should be associated with.
your_function_name

The name of the function that you want to be executed following the event specified by hook_name. This can be a standard php function, a function present in the WordPress core, or a function defined by you in the plugin file (such as 'email_friends' defined above).
priority

An optional integer argument that can be used to specify the order in which the functions associated with a particular action are executed (default: 10). Lower numbers correspond with earlier execution, and functions with the same priority are executed in the order in which they were added to the action.
accepted_args

An optional integer argument defining how many arguments your function can accept (default 1), useful because some hooks can pass more than one argument to your function. This parameter is new in release 1.5.1.

In the example above, we would put the following line in the plugin file:
add_action ( 'publish_post', 'email_friends' );

Likewise, you can also Remove Actions from action hooks. See that section for details.
Install and Activate

The last step in getting your action hook to work is to install the file and activate the plugin. The PHP function you wrote and the add_action call must go into a PHP file together, and the PHP file must be installed in the wp-content/plugins directory. Once it is installed, you will need to visit the admin section of WordPress and activate your plugin; see Managing Plugins for more details.
Current Hooks For Actions

See Plugin API/Action Reference for a current list of action hooks in WordPress, and links to previous versions of WordPress.

Filters
Filters are functions that WordPress passes data through, at certain points in execution, just before taking some action with the data (such as adding it to the database or sending it to the browser screen). Filters sit between the database and the browser (when WordPress is generating pages), and between the browser and the database (when WordPress is adding new posts and comments to the database); most input and output in WordPress passes through at least one filter. WordPress does some filtering by default, and your plugin can add its own filtering. The basic steps to adding your own filters to WordPress (described in more detail below) are:
1. Create the PHP function that filters the data.
2. Hook to the filter in WordPress, by calling add_filter().
3. Put your PHP function in a plugin file, and activate it.

Create a Filter Function

A filter function takes as input the unmodified data, and returns modified data (or in some cases, a null value to indicate the data should be deleted or disregarded). If the data is not modified by your filter, then the original data must be returned so that subsequent plugins can continue to modify the value if necessary. So, the first step in creating a filter in your plugin is to create a PHP function to do the filtering, and put it in your plugin file (your plugin file must go into the wp-content/plugins directory). For example, if you want to make sure that your posts and comments contain no profanity, you might define a variable with a list of forbidden words, and then create the following PHP function:
function filter_profanity($content) {
    $profanities = array('badword', 'alsobad', '...');
    $content = str_ireplace($profanities, '{censored}', $content);
    return $content;
}

Why does this work without a loop? Because $profanities is an array, and str_ireplace loops through the array for you. The str_ireplace function is used instead of str_replace because str_ireplace is case insensitive. NOTE: Keep in mind that other plugins or the WordPress core may already be using the function name you have thought of. See the Plugin Development Suggestions for more information.
Hook in your Filter

After your function is defined, the next step is to "hook" or register it with WordPress. To do this, call add_filter() in the global execution space of your plugin file:
add_filter ( 'hook_name', 'your_filter', [priority], [accepted_args] );

where:
hook_name

The name of a filter hook provided by WordPress, which defines when your filter should be applied.
your_filter

The name of the function that you want to use for filtering. This can be a standard PHP function, a function present in the WordPress core, or a function defined by you in the plugin file.
priority

An optional integer argument that can be used to specify the order in which the functions associated with a particular filter are executed (default: 10). Lower numbers correspond with earlier execution, and functions with the same priority are executed in the order in which they were added to the filter.
accepted_args

An optional integer argument defining how many arguments your function can accept (default 1), useful because some hooks can pass more than one argument to your function.

In the example above, we would put the following in the main executing section of the plugin file, to tell WordPress to filter comments for profanity:
add_filter('comment_text','filter_profanity');

You can also remove filters from filter hooks using the remove_filter() function. See Removing Actions and Filters.
Install and Activate

The last step in getting your filter hook to work is to install the file and activate the plugin. The PHP function you wrote and the add_filter() call must go into a PHP file together, and the PHP file must be installed in the wp-content/plugins directory. Once it is installed, you will need to visit the admin section of WordPress and activate your plugin; see Managing Plugins for more details.
Current Hooks for Filters

See Plugin API/Filter Reference for a current list of filter hooks in WordPress, and links to previous versions of WordPress.
Example

This is an example, as described by Ozh on the wp-hackers email list, for a plugin to modify (or overwrite) the default bloginfo() function. This will require modifying a core function behavior.
add_filter('bloginfo', 'mybloginfo', 1, 2);
add_filter('bloginfo_url', 'mybloginfo', 1, 2);

// SITE_URL and TEMPL_DIR are constants the plugin is expected to define.
function mybloginfo($result = '', $show = '') {
    switch ($show) {
        case 'wpurl':
            $result = SITE_URL;
            break;
        case 'template_directory':
            $result = TEMPL_DIR;
            break;
        default:
            // Leave every other value untouched.
    }
    return $result;
}

Removing Actions and Filters


In some cases, you may find that you want your plugin to disable one of the actions or filters built into WordPress, or added by another plugin. You can do that by calling remove_filter('filter_hook','filter_function') or remove_action('action_hook','action_function'). For example, remove_action('publish_post','generic_ping'); would prevent your weblog from sending pings whenever a new post is created.

Note that if a hook was registered using a priority other than the default of 10, then you must also specify the priority in the call to remove_action(). Also note that in general, you shouldn't remove anything unless you know what it does and why it does it -- check the WordPress or other plugin source code to be sure.

Pluggable Functions
Besides the hooks (actions and filters) described above, another way for a plugin to modify WordPress's behavior is to override WordPress functions. In fact, there is a small set of functions WordPress intends for plugins to redefine. These are called Pluggable Functions and they are defined in wp-includes/pluggable.php. WordPress loads these functions only if they are still undefined after all plugins have been loaded. For more details examine wp-settings.php file.

Activation/Deactivation
If your plugin has tasks to complete only at activation or deactivation time, it can use register_activation_hook and register_deactivation_hook. Many plugins do not need to use these, as the plugins only modify current behavior. However, if your plugin (for example) needs to change a default option on activation, it can use these functions. Creating Tables with Plugins has an example using the register_activation_hook function to make the database compatible with the current version of the plugin.

Hardening WordPress

Security in WordPress is taken very seriously, but as with any other system there are potential security issues that may arise if some basic security precautions aren't taken. This article will go through some common forms of vulnerabilities, and the things you can do to help keep your WordPress installation secure. This article is not the ultimate quick fix to your security concerns. If you have specific security concerns or doubts, you should discuss them with people whom you trust to have sufficient knowledge of computer security and WordPress.

What is Security?
Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain. A secure server protects the privacy, integrity, and availability of the resources under the server administrator's control. Qualities of a trusted web host might include:

- Readily discusses your security concerns and which security features and processes they offer with their hosting.
- Provides the most recent stable versions of all server software.
- Provides reliable methods for backup and recovery.

Decide which security you need on your server by determining the software and data that needs to be secured. The rest of this guide will help you with this.

Security Themes
Keep in mind some general ideas while considering security for each aspect of your system:

- Limiting access: Making smart choices that reduce possible entry points available to a malicious person.
- Containment: Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
- Preparation and knowledge: Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to backup and recover your installation in the case of catastrophe can help you get back online faster in the case of a problem.

Vulnerabilities on Your Computer


Make sure the computers you use are free of spyware, malware, and virus infections. No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer. Always keep your operating system and the software on it, especially your web browser, up to date to protect you from security vulnerabilities.

Vulnerabilities in WordPress
Like many modern software packages, WordPress is updated regularly to address new security issues that may arise. Improving software security is always an ongoing concern, and to that end you should always keep up to date with the latest version of WordPress. Older versions of WordPress are not maintained with security updates.
Updating WordPress

Main article: Updating WordPress. The latest version of WordPress is always available from the main WordPress website at http://wordpress.org. Official releases are not available from other sites -- never download or install WordPress from any website other than http://wordpress.org. Since version 2.7, WordPress has featured automatic updates. Use this functionality to ease the process of keeping up to date. You can also use the WordPress Dashboard to keep informed about updates. Read the entry in the Dashboard or the WordPress Developer Blog to determine what steps you must take to update and remain secure.

If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain. This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date. If you are an administrator in charge of more than one WordPress installation, consider using Subversion to make management easier.
Reporting Security Issues

If you think you have found a security flaw in WordPress, you can help by reporting the issue. See the Security FAQ for information on how to report security issues. If you think you have found a bug, report it. See Submitting Bugs for how to do this. You might have uncovered a vulnerability, or a bug that could lead to one.

Web Server Vulnerabilities


The web server running WordPress, and the software on it, can have vulnerabilities. Therefore, make sure you are running secure, stable versions of your web server and the software on it, or make sure you are using a trusted host that takes care of these things for you. If you're on a shared server (one that hosts other websites besides your own) and a website on the same server is compromised, your website can potentially be compromised too even if you follow everything in this guide. Be sure to ask your web host what security precautions they take.

Network Vulnerabilities
The network on both ends -- the WordPress server side and the client network side -- should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network. Your web host should be making sure that their network is not compromised by attackers, and you should do the same. Network vulnerabilities can allow passwords and other sensitive information to be intercepted.

Passwords
Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this. The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate. Things to avoid when choosing a password:

- Any permutation of your own real name, username, company name, or name of your website.
- A word from a dictionary, in any language.
- A short password.
- Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

FTP
When connecting to your server you should use SFTP encryption if your web host provides it. If you are unsure if your web host provides SFTP or not, just ask them. Using SFTP is the same as FTP, except your password and other data are encrypted as they are transmitted between your computer and your website. This means your password is never sent in the clear and cannot be intercepted by an attacker.

File Permissions
Some neat features of WordPress come from allowing various files to be writable by the web server. However, allowing write access to your files is potentially dangerous, particularly in a shared hosting environment. It is best to lock down your file permissions as much as possible and to loosen those restrictions on the occasions that you need to allow write access, or to create specific folders with less restrictions for the purpose of doing things like uploading files. Here is one possible permission scheme. All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the web server.
/

The root WordPress directory: all files should be writable only by your user account, except .htaccess if you want WordPress to automatically generate rewrite rules for you.

/wp-admin/

The WordPress administration area: all files should be writable only by your user account.
/wp-includes/

The bulk of WordPress application logic: all files should be writable only by your user account.
/wp-content/

User-supplied content: intended to be completely writable by all users (owner/user, group, and public).

Within /wp-content/ you will find:


/wp-content/themes/

Theme files. If you want to use the built-in theme editor, all files need to be group writable. If you do not want to use the built-in theme editor, all files can be writable only by your user account.
/wp-content/plugins/

Plugin files: all files should be writable only by your user account.

Other directories that may be present with /wp-content/ should be documented by whichever plugin or theme requires them. Permissions may vary.
Changing file permissions

If you have shell access to your server, you can change file permissions recursively with the following commands:

For Directories:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;

For Files:
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Regarding Automatic Updates

When you tell WordPress to perform an automatic update, all file operations are performed as the user that owns the files, not as the web server's user. All files are set to 0644 and all directories are set to 0755, and writable by only the user and readable by everyone else, including the web server.

Database Security
If you run multiple blogs on the same server, it is wise to consider keeping them in separate databases each managed by a different user. This is best accomplished when performing the initial WordPress installation. This is a containment strategy: if an intruder successfully cracks one WordPress installation, this makes it that much harder to alter your other blogs. If you administer MySQL yourself, ensure that you understand your MySQL configuration and that unneeded features (such as accepting remote TCP connections) are disabled. See Secure MySQL Database Design for a nice introduction.

Securing wp-admin
Adding server-side password protection (such as BasicAuth) to /wp-admin/ adds a second layer of protection around your blog's admin area, the login screen, and your files. This forces an attacker or bot to attack this second layer of protection instead of your actual admin files. Many WordPress attacks are carried out autonomously by malicious software bots. Simply securing the wp-admin/ directory might also break some WordPress functionality, such as the AJAX handler at wp-admin/admin-ajax.php. See the Resources section for more documentation on how to password protect your wp-admin/ directory properly. The most common attacks against a WordPress blog usually fall into two categories.
1. Sending specially-crafted HTTP requests to your server with specific exploit payloads for specific vulnerabilities. These include old/outdated plugins and software.
2. Attempting to gain access to your blog by using "brute-force" password guessing.

The ultimate implementation of this "second layer" password protection is to require an HTTPS SSL encrypted connection for administration, so that all communication and sensitive data is encrypted. See Administration Over SSL.

Securing wp-includes
A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress

Securing wp-config.php
You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress installation (where wp-includes resides). Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).
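An audit of the permission scheme from the File Permissions section together with the 400/440 mode recommended above for wp-config.php, added here as an example and not part of the original guide. The function names, the finding labels and the sample tree built by wp_perm_demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against this guide's permission scheme.
# Output: one "FINDING<TAB>path" line per deviation; no output means compliant.

wp_perm_audit() {
    root=${1%/}

    # wp-admin, wp-includes and plugins: writable only by the owning account,
    # so any group- or world-writable file or directory is a finding.
    for dir in wp-admin wp-includes wp-content/plugins; do
        [ -d "$root/$dir" ] || continue
        find "$root/$dir" \( -type f -o -type d \) \
            \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'GROUP_OR_WORLD_WRITABLE\t%s\n' {} +
    done

    # Files directly in the WordPress root follow the same rule, except
    # .htaccess, which may be writable so WordPress can generate rewrite rules.
    find "$root" -maxdepth 1 -type f ! -name .htaccess \
        \( -perm -0020 -o -perm -0002 \) \
        -exec printf 'GROUP_OR_WORLD_WRITABLE\t%s\n' {} +

    # Themes may be group-writable (built-in theme editor), not world-writable.
    if [ -d "$root/wp-content/themes" ]; then
        find "$root/wp-content/themes" \( -type f -o -type d \) -perm -0002 \
            -exec printf 'WORLD_WRITABLE_THEME\t%s\n' {} +
    fi

    # wp-config.php may live in the root or one level above; expect 400 or 440.
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        [ -f "$cfg" ] || continue
        if [ -z "$(find "$cfg" \( -perm 0400 -o -perm 0440 \) -print)" ]; then
            printf 'CONFIG_NOT_400_OR_440\t%s\n' "$cfg"
        fi
    done
}

# Helper for the demo: create an empty file with an explicit mode.
mkfile() { : > "$2" && chmod "$1" "$2"; }

# Build a constructed sample tree (not a real site), audit it, then clean up.
wp_perm_demo() {
    tmp=$(mktemp -d) || return 1
    site="$tmp/site"
    mkdir -p "$site/wp-admin" "$site/wp-includes" \
             "$site/wp-content/plugins/demo" "$site/wp-content/themes/demo"
    find "$tmp" -type d -exec chmod 755 {} +
    mkfile 644 "$site/index.php"
    mkfile 664 "$site/.htaccess"                         # allowed exception
    mkfile 666 "$site/wp-includes/load.php"              # finding
    mkfile 664 "$site/wp-content/plugins/demo/demo.php"  # finding
    mkfile 664 "$site/wp-content/themes/demo/style.css"  # allowed: theme editor
    mkfile 644 "$tmp/wp-config.php"                      # finding: not 400/440
    wp_perm_audit "$site"
    rm -rf "$tmp"
}

# Usage: sh wp_perm_audit.sh /path/to/your/wordpress/install   (or --demo)
case "${1:-}" in
    "")     ;;
    --demo) wp_perm_demo ;;
    *)      wp_perm_audit "$1" ;;
esac
```

Run it after the chmod commands from the File Permissions section and again after installing or updating plugins, since those are the moments when modes tend to drift.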

SSL Encryption
Main article: Administration Over SSL.

Plugins
First of all, make sure your plugins are always updated. Also, if you are not using a specific plugin, delete it from the system.
Firewall Plugins

There are a few plugins that purport to screen out suspicious-looking requests based on rule databases and/or whitelists. BlogSecurity's WPIDS plugin installs PHPIDS, a generic security layer for PHP applications, while WordPress Firewall uses some WordPress-tuned preconfigured rules along with a whitelist to screen out attacks without much configuration.
Plugins that need write access

If a plugin wants write access to your WordPress files and directories, please read the code to make sure it is legit or check with someone you trust. Possible places to check are the Support Forums and IRC Channel.
Code execution plugins

As we said, part of the goal of hardening WordPress is containing the damage done if there is a successful attack. Plugins which allow arbitrary PHP or other code to execute from entries in a database effectively magnify the possibility of damage in the event of a successful attack. A way to avoid using such a plugin is to use custom page templates that call the function. Part of the security this affords is active only when you disallow file editing within WordPress.

Security through obscurity


Security through obscurity is generally an unsound primary strategy. However, there are areas in WordPress where obscuring information might help with security:
1. Rename the administrative account: On a new install you can simply create a new Administrative account and delete the default admin account. On an existing WordPress install you may rename the existing account in the MySQL command-line client with a command like UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';, or by using a MySQL frontend like phpMyAdmin.
2. Change the table_prefix: Many published WordPress-specific SQL-injection attacks make the assumption that the table_prefix is wp_, the default. Changing this can block at least some SQL injection attacks.

Data Backups
Back up your data regularly, including your MySQL databases. See the main article: Backing Up Your Database. Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media increases your confidence that your data has not been tampered with. A sound backup strategy could include keeping a set of regularly-timed snapshots of your entire WordPress installation (including WordPress core files and your database) in a trusted location. Imagine a site that makes weekly snapshots. Such a strategy means that if a site is compromised on May 1st but the compromise is not detected until May 12th, the site owner will have pre-compromise backups that can help in rebuilding the site and possibly even post-compromise backups which will aid in determining how the site was compromised.

Logging
It is possible to log various requests sent to WordPress. Standard Apache logs do not offer much help with dealing with security forensics. See Mod_Security - Logs and Prevents using Apache.

Monitoring
Sometimes prevention is not enough and you may still be hacked. That's why intrusion detection/monitoring is very important. It will allow you to react faster, find out what happened and recover your site.

Monitoring your logs

If you are on a private server (where you have admin access), you have to watch your logs to detect password guessing attempts, web attacks, etc. A good open source solution to monitor your logs in real time and block the attacker is OSSEC.
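A minimal detector for the password-guessing attempts mentioned above, added as an example; it is not part of the original guide and is not an OSSEC rule. It assumes Apache's combined log format, and the threshold, function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag clients that POST repeatedly to wp-login.php.
# Assumes Apache "combined" access-log format (client is field 1, the
# timestamp field 4, the method field 6 and the request path field 7).

# wp_login_guessers THRESHOLD < access.log
# Prints "client<TAB>attempts<TAB>first-seen<TAB>last-seen", busiest first.
wp_login_guessers() {
    awk -v min="$1" '
        $6 == "\"POST" {
            path = $7
            sub(/\?.*/, "", path)                  # drop any query string
            if (path !~ /\/wp-login\.php$/) next   # only login submissions
            ip = $1
            ts = substr($4, 2)                     # strip the leading "["
            if (!(ip in hits)) first[ip] = ts
            last[ip] = ts
            hits[ip]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= min)
                    printf "%s\t%d\t%s\t%s\n", ip, hits[ip], first[ip], last[ip]
        }
    ' | sort -k2,2nr -k1,1
}

# Constructed sample log (documentation address ranges, not real traffic).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [12/May/2012:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "-"
203.0.113.7 - - [12/May/2012:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "-"
203.0.113.7 - - [12/May/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "-"
203.0.113.7 - - [12/May/2012:10:00:07 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 200 1822 "-" "-"
203.0.113.7 - - [12/May/2012:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1822 "-" "-"
198.51.100.20 - - [12/May/2012:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1500 "-" "-"
198.51.100.20 - - [12/May/2012:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
192.0.2.44 - - [12/May/2012:10:02:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"
EOF
}

# Run the detector over the sample with a threshold of 5 attempts.
wp_login_demo() {
    sample_log | wp_login_guessers 5
}

# Usage: sh wp_login_guessers.sh --demo
#        sh wp_login_guessers.sh 20 < /path/to/access.log
case "${1:-}" in
    "")     ;;
    --demo) wp_login_demo ;;
    *)      wp_login_guessers "$1" ;;
esac
```

A single POST from a client is a normal login, so the threshold should sit well above what your own authors generate in the period the log covers.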
Monitoring your files for changes

When an attack happens, it always leaves traces, either in the logs or on the file system (new files, modified files, etc.). If you are using OSSEC, for example, it will monitor your files and alert you when they change.
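A baseline-and-compare check in the spirit of the hash record suggested under Data Backups and the file monitoring described above; this is an added example, not part of the original guide and not how OSSEC is implemented. It uses SHA-256 where the guide mentions MD5, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: record file hashes for a tree, then report what changed.
# SHA-256 is used here where the guide mentions MD5 hashes.

# Pick whichever SHA-256 tool is installed (GNU coreutils or Perl's shasum).
if command -v sha256sum >/dev/null 2>&1; then
    HASH_TOOL="sha256sum"
else
    HASH_TOOL="shasum -a 256"
fi

# manifest_create DIR: print "hash  ./relative/path" per file, sorted by path.
manifest_create() {
    # $HASH_TOOL is intentionally unquoted so "shasum -a 256" splits into words.
    ( cd "$1" && find . -type f -exec $HASH_TOOL {} + | LC_ALL=C sort -k 2 )
}

# manifest_diff OLD NEW: report ADDED, MODIFIED and REMOVED paths.
manifest_diff() {
    awk -v oldfile="$1" '
        # The path starts after the hash and its two separator characters.
        function path_of(s, h) { return substr(s, length(h) + 3) }
        BEGIN {
            while ((getline rec < oldfile) > 0) {
                split(rec, f, " ")
                old[path_of(rec, f[1])] = f[1]
            }
            close(oldfile)
        }
        {
            p = path_of($0, $1)
            if (!(p in old))       print "ADDED\t" p
            else if (old[p] != $1) print "MODIFIED\t" p
            delete old[p]          # whatever is left at the end was removed
        }
        END { for (p in old) print "REMOVED\t" p }
    ' "$2" | LC_ALL=C sort
}

# Constructed demo: baseline a small tree, change it, and show the report.
manifest_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/site/wp-content/uploads"
    echo '<?php // index'  > "$tmp/site/index.php"
    echo 'readme'          > "$tmp/site/readme.html"
    echo '<?php // config' > "$tmp/site/wp-config.php"
    # Keep manifests outside the tree they describe (the "independent record").
    manifest_create "$tmp/site" > "$tmp/baseline.txt"

    echo '<?php // changed' > "$tmp/site/index.php"                 # modified
    echo '<?php // new'     > "$tmp/site/wp-content/uploads/x.php"  # added
    rm "$tmp/site/readme.html"                                      # removed
    manifest_create "$tmp/site" > "$tmp/current.txt"

    manifest_diff "$tmp/baseline.txt" "$tmp/current.txt"
    rm -rf "$tmp"
}

# Usage: sh manifest.sh --demo
case "${1:-}" in
    --demo) manifest_demo ;;
esac
```

The comparison is only as trustworthy as the baseline, so store the manifest somewhere the web server's user cannot write, such as alongside the offline backups.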
Monitoring your web server externally

If the attacker tries to deface your site or add malware, you can also detect these changes by using a web-based integrity monitor solution.

Resources

- Brad Williams: Lock it Up (Video)
- Official docs on how to password protect directories with an .htaccess file
- A slightly less complex tutorial on how to password protect directories with an .htaccess file
- Whitelisting the admin-ajax.php handler in password protected directories with apache and lighttpd
- AskApache Password Protection plugin for wp-admin/ and other directories. Caution: Installing the AskApache Password Protection plugin may lock you out of your WordPress Admin panel. See the comments under the author's plugin home page to read other users' experiences with this plugin.
