
WordPress 101

Introduction to WordPress

Released in 2003 by Matt Mullenweg and Mike Little

Powers more than 70 million websites
Most popular blogging platform, but also...
Powerful Content Management System (CMS)
Completely free
Open source project
Constantly evolving and improving
Thousands of plugins, widgets, and themes


Reasons You Should Use It
Open Source
Completely free for commercial or private use.
Hundreds of volunteers contributing to core.
Constantly evolving and improving.
User-Friendly
No need for expensive "webmasters".
Easily manage and update your own content.
No need to learn complicated HTML.
Flexible & Extensible
Thousands of plugins and themes available.
Easily change the look of your website.
Add new features in just a few clicks.


Reasons You Should Use It (contd)
Support options (wordpress.org/support, wordpress.stackexchange.com,
www.wpquestions.com)
Online video tutorials.
Easy to find help from WordPress experts.
Get answers to your questions online...
SEO Friendly
Fully compliant with W3C standards.
Built-in support for RSS.
Clean, search-engine-friendly code.
Own Your Content
Easily import and export your content.


Requirements and Installation
To run WordPress we recommend your host supports:
PHP version 5.6 or greater
MySQL version 5.6 or greater
Host can be LAMP, WAMP or MAMP
Follow these 5 steps to install WordPress:
Download WordPress from wordpress.org
Upload the WordPress files to your web server.
Create a MySQL database and user.
Configure WordPress to connect to the database.
Run the WordPress installation script.
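As an added example (not from the slides), a wp-config.php for steps 3 to 5: the database constants point WordPress at the database and user created in step 3, and the remaining settings harden the site before the installation script is run. Every value in it is a placeholder.

```php
<?php
// Added example, not part of the original slides. Every value below is a
// constructed placeholder; replace it before running the installation script.

// Steps 3 and 4: the database and the dedicated MySQL user created for it.
// Grant that user rights on this one database only; never use MySQL root here.
define( 'DB_NAME',     'wp_example' );
define( 'DB_USER',     'wp_example_user' );
define( 'DB_PASSWORD', 'CHANGE-ME-to-a-long-random-password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// Unique keys and salts: login cookies and nonces are signed with these, so
// every site needs its own. Generate them at
// https://api.wordpress.org/secret-key/1.1/salt/
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// Table prefix (letters, numbers and underscores only); a non-default
// prefix avoids collisions when several sites share one database.
$table_prefix = 'wpx_';

// Hardening: no theme/plugin file editing from the dashboard, TLS for
// wp-login.php and wp-admin, and no debug output shown to visitors.
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
define( 'WP_DEBUG', false );

// Bootstrap WordPress (same ending as wp-config-sample.php).
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```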


Installation Process

WordPress Themes
What are WordPress Themes?
A WordPress Theme is a collection of files that work together to produce a
graphical interface design for a weblog.
These files are called template files.
Themes can provide much more control over the look and presentation of
the material on your website.
WordPress currently comes with three themes (version 4.4.2):
the default Twenty Sixteen theme, and the
previous defaults Twenty Fifteen and Twenty Fourteen.

Is WordPress MVC?

WordPress as MVC
Model
Custom post types (beyond pages and posts, you can create your own types of
objects)
View
WordPress themes
HTML5
iOS app
Android app
Controllers (made of)
functions.php
Hooks
Views talk to the Controllers via AJAX / the WP REST API
GenerateWP (to create custom post types; helps you extend WordPress
functionality)
Post Type Generator (a tool: just write the name of the post type with all the properties it
should have)
https://wordpress.org/plugins/wp-mvc/
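As an added example (not from the slides), a theme functions.php acting as the controller: it registers a hypothetical "book" custom post type as the model and a REST endpoint for the views (theme JavaScript or a mobile app) to call, with the authorization check done on the server. The "book" type, the "demo/v1" namespace and the publish endpoint are assumptions made for the example.

```php
<?php
// Added example, not part of the original slides. The "book" post type, the
// "demo/v1" namespace and the /publish endpoint are constructed for it.

// Model: a custom post type, also exposed on the built-in REST API at
// /wp-json/wp/v2/books so any view (theme, iOS, Android) can read it.
add_action( 'init', function () {
    register_post_type( 'book', array(
        'labels'       => array( 'name' => 'Books', 'singular_name' => 'Book' ),
        'public'       => true,
        'show_in_rest' => true,
        'rest_base'    => 'books',
        'supports'     => array( 'title', 'editor', 'author' ),
    ) );
} );

// Controller: a custom REST route that publishes one book.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/books/(?P<id>\d+)/publish', array(
        'methods' => 'POST',
        'args'    => array(
            'id' => array(
                // Reject ids that are not an existing "book" before the callback runs.
                'validate_callback' => function ( $value ) {
                    return get_post_type( (int) $value ) === 'book';
                },
            ),
        ),
        // Authorization is checked here, server side, for this specific post;
        // being logged in is not enough. Cookie-authenticated callers must also
        // send the X-WP-Nonce header, which is how the REST API blocks CSRF.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'edit_post', (int) $request['id'] );
        },
        'callback' => function ( WP_REST_Request $request ) {
            $result = wp_update_post( array(
                'ID'          => (int) $request['id'],
                'post_status' => 'publish',
            ), true );
            if ( is_wp_error( $result ) ) {
                $result->add_data( array( 'status' => 500 ) );
                return $result;
            }
            return rest_ensure_response( array( 'id' => $result, 'status' => 'publish' ) );
        },
    ) );
} );
```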

Theme Development

Theme Development
What makes a WordPress theme?
HTML, CSS, PHP, JS, assets
Genesis framework
Stargazer
Clean Box Pro
How does a WP theme work?
At least index.php and style.css
header.php, sidebar.php, functions.php, footer.php
Approaches
Starting from scratch
Editing an existing theme (like Twenty Eleven into Catch Box)
Parent and child
Theme framework
Starter theme

Theme Development
Starting from scratch:
Time-consuming and difficult approach
Preferred by freelancers and web agencies
Not recommended for theme shops
Why reinvent the wheel?
e.g. Simple Catch Pro, Bossip (Transients API, 109 million page views/month)
Editing an existing theme (like Twenty Eleven into Catch Box):
Preferred by freelancers and newbies
Fast turnaround and fast editing
Learn standard code
Only need time to search for the best theme
Update available? Your edits are gone
Be careful while editing an existing theme:
Change the text domain in style.css
Folder name / theme slug to match the text domain

Theme Development
Parent and Child
Similar to editing an existing theme, but safer
Take any child-theme-ready theme
Child functions and files will override the parent's
Edin, Goran
Your design/functions are similar to the parent's
Secure and fast development
Always select the best parent
Theme framework
Similar to parent and child theme
More advanced and difficult to learn
It is a code library and a "can-do attitude" theme
e.g. Genesis Framework, Hybrid theme
Preferred by experienced devs and a few theme shops
Might have issues if the framework theme releases major changes
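As an added example (not from the slides), the functions.php of a hypothetical child theme of Twenty Sixteen, showing the override rule in practice: the child's files replace the parent's, so the parent stylesheet has to be enqueued explicitly, and the text domain belongs to the child. The theme name, folder and text domain "demo-child" are assumptions.

```php
<?php
// Added example, not part of the original slides. "demo-child" is a
// constructed child theme of Twenty Sixteen.
//
// The child's own style.css header must name the parent's folder in the
// Template line, and declare its own text domain:
//
//   /*
//    Theme Name:  Demo Child
//    Template:    twentysixteen
//    Text Domain: demo-child
//   */

add_action( 'wp_enqueue_scripts', function () {
    $parent = wp_get_theme( get_template() ); // the parent (Twenty Sixteen)
    $child  = wp_get_theme();                 // this child theme

    // Parent stylesheet first: because the child's style.css overrides the
    // parent's, WordPress would otherwise never load the parent's CSS.
    // The version string busts caches when the parent updates.
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent->get( 'Version' )
    );

    // Then the child's own style.css, declared as depending on the parent's.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        $child->get( 'Version' )
    );
} );

// Translations for the child's own text domain (not the parent's).
add_action( 'after_setup_theme', function () {
    load_child_theme_textdomain( 'demo-child', get_stylesheet_directory() . '/languages' );
} );
```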

Theme Development
Starter theme
Independent theme, not a parent theme
Toolbox for theme development
Saves time: "a 1000-hour head start"
For everyone
Used and recommended by lots of theme shops
Starter themes are evolving and it's difficult to track them
(Bones, Underscores)
Components
A booster starter theme
Forked from Underscores (developed by the Underscores team)

Risks? Security!

OWASP TOP 10
Protection
A1 Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is
sent to an interpreter as part of a command or query. The attacker's hostile data
can trick the interpreter into executing unintended commands or accessing data
without proper authorization.
A2 Broken Authentication & Session Management
Application functions for authentication and session management are not implemented
correctly,
allowing attackers to compromise passwords, keys, or session tokens, or to exploit
other implementation flaws to assume other users' identities.
A3 Cross Site Scripting (XSS)
The application takes untrusted data and sends it to a browser without proper
validation or escaping.
Allows attackers to execute scripts in the browser, which can hijack user sessions,
deface web sites, or redirect the user to malicious sites.
A4 Insecure Direct Object References
When a developer exposes a reference to an internal implementation object: a file,
directory, or DB key.

OWASP TOP 10
Protection
A5 Security Misconfiguration
Requires having a secure configuration defined and deployed for the application,
frameworks, application server, web server, database server, and platform.
Secure settings should be defined, implemented, and maintained, as defaults are
often insecure.
Software should be kept up to date.
A6 Sensitive Data Exposure
Applications do not properly protect sensitive data, such as credit cards, tax IDs, and
authentication credentials.
Attackers may steal or modify such weakly protected data to conduct credit card
fraud, identity theft, or other crimes. Sensitive data deserves extra protection such
as encryption at rest or in transit, as well as special precautions when exchanged
with the browser.
A7 Missing Function Level Access Control
Most web applications verify function level access rights before making that
functionality visible in the UI.
However, applications need to perform the same access control checks on the
server when each function is accessed.

OWASP TOP 10
Protection
A8 Cross Site Request Forgery (CSRF)
Forces a logged-on victim's browser to send a forged HTTP request, including the
victim's session cookie and any other automatically included authentication
information, to a vulnerable web application.
The attacker forces the browser to generate requests the vulnerable application thinks are
legitimate requests from the victim.
A9 Using Known Vulnerable Components
Components, such as libraries, frameworks, and other software modules, almost
always run with full privileges. If a vulnerable component is exploited, such an
attack can facilitate serious data loss or server takeover. Applications using
components with known vulnerabilities may undermine application defenses and
enable a range of possible attacks and impacts.
A10 Unvalidated Redirects and Forwards
Web applications frequently redirect and forward users to other pages and
websites, and use untrusted data to determine the destination pages. Without
proper validation, attackers can redirect victims to phishing or malware sites, or
use forwards to access unauthorized pages.
CERT: Computer Emergency Response Team, concerned with the security of the public at large
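As an added example (not from the slides), two functions a WordPress theme or plugin could carry, showing how core WordPress APIs cover A1, A3, A7, A8 and A10 above in a WordPress site. The "demo_save_note" action, the "demo_note" option and the "book" post type are assumptions made for the example.

```php
<?php
// Added example, not part of the original slides. The "demo_save_note" action,
// the "demo_note" option and the "book" post type are constructed for it.

// Handler for a logged-in form POSTed to admin-post.php with action=demo_save_note.
add_action( 'admin_post_demo_save_note', function () {
    // A8 (CSRF): the form must carry wp_nonce_field( 'demo_save_note', 'demo_nonce' );
    // a missing or stale nonce stops the request here with HTTP 403.
    check_admin_referer( 'demo_save_note', 'demo_nonce' );

    // A7 (function level access control): check the capability on the server,
    // even though the menu entry is already hidden from other roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // Sanitize before storing; wp_unslash() removes the slashes WordPress adds to $_POST.
    $note = isset( $_POST['note'] ) ? wp_unslash( $_POST['note'] ) : '';
    update_option( 'demo_note', sanitize_text_field( $note ) );

    // A10 (unvalidated redirects): wp_safe_redirect() only follows URLs on this
    // host (plus hosts allowed via the allowed_redirect_hosts filter) and falls
    // back to wp-admin otherwise, so a tampered redirect_to cannot leave the site.
    $back = isset( $_POST['redirect_to'] ) ? wp_unslash( $_POST['redirect_to'] ) : admin_url();
    wp_safe_redirect( $back );
    exit;
} );

// Returns an HTML list of published "book" posts whose title contains $term.
function demo_book_search( $term ) {
    global $wpdb;

    // A1 (injection): the term is bound with %s, never concatenated into the SQL;
    // esc_like() keeps % and _ in the input from acting as LIKE wildcards.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish' AND post_title LIKE %s",
        'book',
        '%' . $wpdb->esc_like( $term ) . '%'
    ) );

    // A3 (XSS): escape at output time, with the escaper for each context
    // (esc_url for the href attribute, esc_html for the text node).
    $html = '<ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
               . esc_html( $row->post_title ) . '</a></li>';
    }
    return $html . '</ul>';
}
```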

About Codal
Codal is a UX design and development agency with a focus on
blending an Agile process with the latest emerging technologies.
Based in the heart of Chicago, we have a knack for bringing out the
best in every brand that we work with, worldwide. Our clientele has
ranged from small business to enterprise, but our philosophy has
always remained the same: to empower brand visibility and deliver
the most elegant web and mobile solutions possible.


Thank You!
