book

Building Web Apps with WordPress

by Brian Messenlehner, Jason Coleman

April 2014

Intermediate to advanced

462 pages

10h 48m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who This Book Is ForWho This Book Is Not ForWhat You’ll LearnAbout the CodeConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact UsAcknowledgments
Foreword
1. Building Web Apps with WordPress
What Is a Website?What Is an App?What Is a Web App?Features of a Web AppWhy Use WordPress?You Are Already Using WordPressContent Management Is Easy with WordPressUser Management Is Easy and Secure with WordPressPluginsFlexibility Is ImportantFrequent Security UpdatesCost.NET AppWordPress AppResponses to Some Common Criticisms of WordPressWhen Not to Use WordPressYou Plan to License or Sell Your Site’s TechnologyThere Is Another Platform That Will Get You “There” FasterFlexibility Is NOT Important to YouYour App Needs to Be Highly Real TimeWordPress as an Application FrameworkWordPress Versus MVC FrameworksMVC plugins for WordPressModels = pluginsViews = themesControllers = template loaderAnatomy of a WordPress AppWhat Is SchoolPress?SchoolPress Runs on a WordPress Multisite NetworkThe SchoolPress Business ModelMembership Levels and User RolesClasses Are BuddyPress GroupsAssignments Are a Custom Post TypeSubmissions Are a (Sub)CPT for AssignmentsSemesters Are a Taxonomy on the Class CPTDepartments Are a Taxonomy on the Class CPTSchoolPress Has One Main Custom PluginSchoolPress Uses a Few Other Custom PluginsSchoolPress Uses the StartBox Theme Framework
2. WordPress Basics
WordPress Directory StructureRoot Directory/wp-admin/wp-includes/wp-content/wp-content/plugins/wp-content/themes/wp-content/uploads/wp-content/mu-pluginsWordPress Database Structurewp_optionsFunctions Found in /wp-includes/option.phpadd_option( $option, $value = ', $deprecated = ', $autoload = yes )update_option( $option, $newvalue )get_option( $option, $default = false )delete_option( $option )wp_usersFunctions Found in /wp-includes/…wp_insert_user( $userdata )wp_create_user( $username, $password, $email )wp_update_user( $userdata )get_user_by( $field, $value )get_userdata( $userid )wp_delete_user( $id, $reassign = novalue )wp_usermetaget_user_meta( $user_id, $key = '', $single = false )update_user_meta( $user_id, $meta_key, $meta_value, $prev_value = '' )add_user_meta($user_id, $meta_key, $meta_value, $unique = false)delete_user_meta($user_id, $meta_key, $meta_value = '')wp_postsFunctions found in /wp-includes/post.phpwp_insert_post($postarr, $wp_error = false)wp_update_post( $postarr = array(), $wp_error = false )get_post( $post = null, $output = OBJECT, $filter = raw )get_posts($args = null)wp_delete_post( $postid = 0, $force_delete = false )wp_postmetaFunctions Found in /wp-includes/post.phpget_post_meta($post_id, $key = '', $single = false)update_post_meta($post_id, $meta_key, $meta_value, $prev_value = '')add_post_meta($post_id, $meta_key, $meta_value, $unique = false)delete_post_meta($post_id, $meta_key, $meta_value = '')wp_commentsFunctions Found in /wp-includes/comment.phpget_comment( $comment, $output = OBJECT )get_comments( $args = '' )wp_insert_comment( $commentdata )wp_update_comment( $commentarr )wp_delete_comment( $comment_id, $force_delete = false )wp_commentsmetaFunctions Found in /wp-includes/comment.phpget_comment_meta($comment_id, $key = '', $single = false)add_comment_meta($comment_id, $meta_key, $meta_value, $unique = false)update_comment_meta($comment_id, $meta_key, $meta_value, $prev_value = '')delete_comment_meta($comment_id, $meta_key, $meta_value = '')wp_linkswp_termsFunctions Found in /wp-includes/taxonomy.phpget_terms( $taxonomies, $args = '' )get_term( $term, $taxonomy, $output = OBJECT, $filter = raw )wp_insert_term( $term, $taxonomy, $args = array() )wp_update_term( $term_id, $taxonomy, $args = array() )wp_delete_term( $term, $taxonomy, $args = array() )wp_term_taxonomy/wp-includes/taxonomy.phpget_taxonomies( $args = array(), $output = names, $operator = and )get_taxonomy( $taxonomy )register_taxonomy( $taxonomy, $object_type, $args = array() )wp_term_relationshipsget_object_taxonomies( $object, $output = names )wp_get_object_terms( $object_ids, $taxonomies, $args = array() )wp_set_object_terms( $object_id, $terms, $taxonomy, $append = false )Extending WordPress
3. Leveraging WordPress Plugins
The GPLv2 LicenseInstalling WordPress PluginsBuilding Your Own PluginFile Structure for an App Plugin/adminpages//classes//css//js//images//includes//includes/lib//pages//services//scheduled//schoolpress.phpAdd-Ons to Existing PluginsUse Cases and ExamplesThe WordPress LoopWordPress Global Variables$wpdbUsing custom DB tablesRunning queriesEscaping in DB queriesSELECT queries with $wpdbInsert, replace, and updateAction HooksFiltersFree PluginsAll in One SEO PackBadgeOSCustom Post Type UIPosts 2 PostsMembersW3 Total CachePremium PluginsGravity FormsBackup BuddyWP All ImportCommunity PluginsBuddyPressDatabase tablesComponentsPagesSettingsProfile fieldsBuddyPress plugins
4. Themes
Themes Versus PluginsWhen Developing AppsWhen Developing PluginsWhen Developing ThemesThe Template HierarchyPage TemplatesSample Page TemplateUsing Hooks to Copy TemplatesWhen to Use a Theme TemplateTheme-Related WP FunctionsUsing locate_template in Your PluginsStyle.cssVersioning Your Theme’s CSS FilesFunctions.phpThemes and Custom Post TypesPopular Theme FrameworksWP Theme Frameworks_s (Underscores)StartBoxGenesisNon-WP Theme FrameworksCreating a Child Theme for StartBoxIncluding Bootstrap in Your App’s ThemeMenusNav MenusDynamic MenusResponsive DesignDevice and Display Detection in CSSDevice and Feature Detection in JavaScriptDetecting the screen and window size with JavaScript and jQueryFeature detection in JavaScriptDevice Detection in PHPBrowser detection in WordPress coreBrowser detection with PHP’s get_browser()Final Note on Browser DetectionVersioning CSS and JS Files
5. Custom Post Types, Post Metadata, and Taxonomies
Default Post Types and Custom Post TypesPagePostAttachmentRevisionsNav Menu ItemDefining and Registering Custom Post Typesregister_post_type( $post_type, $args );labellabelsmenu_namedescriptionpublicly_queryableexclude_from_searchcapability_typecapabilitiesmap_meta_caphierarchicalpublicrewritehas_archivequery_varsupportsregister_meta_box_cbpermalink_epmasktaxonomiesshow_uimenu_positionmenu_iconcan_exportshow_in_nav_menusshow_in_menushow_in_admin_bardelete_with_user_builtin_edit_linkWhat Is a Taxonomy and How Should I Use It?Taxonomies Versus Post MetaCreating Custom Taxonomiesregister_taxonomy( $taxonomy, $object_type, $args )labellabelshierarchicalupdate_count_callbackrewritequery_varpublicshow_uishow_in_nav_menusshow_tagcloudshow_admin_columncapabilitiesregister_taxonomy_for_object_type( $taxonomy, $object_type )Using Custom Post Types and Taxonomies in Your Themes and PluginsThe Theme Archive and Single Template FilesGood Old WP_Query and get_posts()Metadata with CPTsadd_meta_box( $id, $title, $callback, $screen, $context, $priority, $callback_args )Custom Wrapper Classes for CPTsExtending WP_Post Versus Wrapping ItWhy Use Wrapper Classes?Keep Your CPTs and Taxonomies TogetherKeep It in the Wrapper ClassWrapper Classes Read Better
6. Users, Roles, and Capabilities
Getting User DataAdd, Update, and Delete UsersHooks and FiltersWhat Are Roles and Capabilities?Checking a User’s Role and CapabilitiesCreating Custom Roles and CapabilitiesExtending the WP_User ClassAdding Registration and Profile FieldsCustomizing the Users Table in the DashboardPluginsTheme My LoginHide Admin Bar from Non-AdminsPaid Memberships ProPMPro Register HelperMembers
7. Other WordPress APIs, Objects, and Helper Functions
Shortcode APIShortcode AttributesNested ShortcodesRemoving ShortcodesOther Useful Shortcode-Related FunctionsWidgets APIBefore You Add Your Own WidgetAdding WidgetsDefining a Widget AreaEmbedding a Widget Outside of a Dynamic SidebarDashboard Widgets APIRemoving Dashboard WidgetsAdding Your Own Dashboard WidgetSettings APIDo You Really Need a Settings Page?Could You Use a Hook or Filter Instead?Use Standards When Adding SettingsIgnore Standards When Adding SettingsRewrite APIAdding Rewrite RulesFlushing Rewrite RulesOther Rewrite FunctionsWP-CronAdding Custom IntervalsScheduling Single EventsKicking Off Cron Jobs from the ServerUsing Server Crons OnlyWP MailSending Nicer Emails with WordPressFile Header APIAdding File Headers to Your Own FilesAdding New Headers to Plugins and Themes
8. Secure WordPress
Why It’s ImportantSecurity BasicsUpdate FrequentlyDon’t Use the Username “admin”Use a Strong PasswordExamples of Bad PasswordsExamples of Good PasswordsHardening Your WordPress InstallDon’t Allow Admins to Edit Plugins or ThemesChange Default Database Tables PrefixMove wp-config.phpHide Login Error MessagesHide Your WordPress VersionDon’t Allow Logins via wp-login.phpAdd Custom .htaccess Rules for Locking Down wp-adminBackup Everything!Scan Scan Scan!Useful Security PluginsSpam-Blocking PluginsAkismetBad BehaviorBackup PluginsBackup BuddyVaultPressScanner PluginsWP Security ScanExploit ScannerBBQAntivirus-OnceLogin and Password-Protection PluginsLimit Login AttemptsAsk Apache Password ProtectWriting Secure CodeCheck User Capabilitiesuser_can( $user, $capability )current_user_can( $capability )current_user_can_for_blog( $blog_id, $capability )Custom SQL StatementsData Validation, Sanitization, and Escapingesc_url( $url, $protocols = null, $_context = display )esc_url_raw( $url, $protocols = null )esc_html( $text )esc_js( $text )esc_attr( $text )esc_textarea( $text )sanitize_option( $option, $value )sanitize_text_field($str)sanitize_user( $username, $strict = false )sanitize_title( $title, $fallback_title = '' )sanitize_email( $email )sanitize_file_name( $filename )wp_kses( $string, $allowed_html, $allowed_protocols = array () )Nonceswp_create_nonce( $action = -1 )wp_verify_nonce($nonce, $action = -1)check_admin_referer($action = -1, $query_arg = _wpnonce)wp_nonce_url( $actionurl, $action = -1 )wp_nonce_field( $action = -1, $name = “_wpnonce”, $referer = true , $echo = true )check_ajax_referer( $action = -1, $query_arg = false, $die = true )

9. JavaScript, jQuery, and AJAX
What Is AJAX?What Is JSON?jQuery and WordPressEnqueuing Other JavaScript LibrariesWhere to Put Your Custom JavaScriptAJAX Calls with WordPress and jQueryManaging Multiple AJAX RequestsHeartbeat APIInitializationClient-side JavaScriptServer-side PHPInitializationClient-side JavaScriptServer-side PHPWordPress Limitations with Asynchronous ProcessingBackbone.js
10. XML-RPC
wp.getUsersBlogswp.getPostswp.getPostwp.newPostwp.editPostwp.deletePostwp.getTermswp.getTermwp.newTermwp.editTermwp.deleteTermwp.getTaxonomieswp.getTaxonomywp.getUserswp.getUserwp.getProfilewp.editProfilewp.getCommentCountwp.getPageTemplateswp.getOptionswp.setOptionswp.getCommentwp.getCommentswp.deleteCommentwp.editCommentwp.newCommentwp.getMediaLibrarywp.getMediaItemwp.uploadFilewp.getPostFormatswp.getPostTypewp.getPostTypes
11. Mobile Apps with WordPress
App WrapperiOS ApplicationsEnrolling as an Apple DeveloperBuilding Your App with XcodeStoryboardView controlleriOS simulatorApp DistributioniOS ResourcesAndroid ApplicationsAndroidManifest.xmlactivity_main.xmlMainActivity.javaCreating an APK fileGetting Your App on Google PlayAndroid ResourcesExtend Your AppAppPresserMobile App Use Cases
12. PHP Libraries, External APIs, and Web Services
ImagickMaxMind GeoIPGoogle Maps JavaScript API v3DirectionsDistance MatrixElevationGeocodingStreet View ServicePractical AppGoogle TranslateGoogle+PeopleActivitiesCommentsMomentsAmazon Product Advertising APIRequest ParametersOperationsResponse GroupsTwitter REST API v1.1Set Up Your App on Twitter.comLeverage a PHP LibraryFacebookPicturesSearchPermissionsBuilding an ApplicationLeverage What’s Out ThereTwilioMicrosoft SharepointWe Missed a Few
13. Building WordPress Multisite Networks
Why Multisite?Setting Up a Multisite NetworkManaging a Multisite NetworkDashboardSitesUsersThemesPluginsSettingsOperational SettingsRegistration SettingsNew Site SettingsUpload SettingsMenu SettingsUpdatesMultisite Database StructureNetwork-Wide Tableswp_blogswp_blog_versionswp_registration_logwp_signupswp_sitewp_sitemetaIndividual Site TablesShared Site TablesMultisite PluginsWordPress MU Domain MappingBlog CopierMore Privacy OptionsMultisite Global SearchMultisite Robots.txt ManagerBasic Multisite Functionality$blog_idis_multisite()get_current_blog_id()switch_to_blog( $new_blog )restore_current_blog()get_blog_details( $fields = null, $get_all = true )update_blog_details( $blog_id, $details = array() )get_blog_status( $id, $pref )update_blog_status( $blog_id, $pref, $value )get_blog_option( $id, $option, $default = false )update_blog_option( $id, $option, $value )delete_blog_option( $id, $option )get_blog_post( $blog_id, $post_id )add_user_to_blog( $blog_id, $user_id, $role )create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 )Functions We Didn’t Mention
14. Localizing WordPress Apps
Do You Even Need to Localize Your App?How Localization Is Done in WordPressDefining Your Locale in WordPressPrepping Your Strings with Translation Functions__($text, $domain = “default”)_e($text, $domain = “default”)_x($text, $context, $domain = “default”)_ex($title, $context, $domain = “default”)Escaping and Translating at the Same TimeCreating and Loading Translation FilesOur File Structure for LocalizationGenerating a .pot FileCreating a .po FileCreating a .mo FileLoading the TextdomainLocalizing Nonstring Assets
15. Ecommerce
Choosing a PluginShopping Cart PluginsOur favorite: JigoshopNotable runner-up: WooCommerceMembership PluginsOur favorite: Paid Memberships ProDigital DownloadsOur favorite: Easy Digital DownloadsPayment GatewaysMerchant AccountsSSL Certificates and HTTPSInstalling an SSL Certificate on Your ServerSSL with Paid Memberships ProSSL with JigoshopWordPress Login and WordPress Admin over SSLWordPress Frontend over SSLSSL on Select PagesAvoiding SSL Errors with the “Nuclear Option”Setting Up Software as a Service (SaaS) with Paid Memberships ProThe Software as a Service ModelStep 0: Figure Out How You Want to Charge for Your AppStep 1: Installing and Activating Paid Memberships ProStep 2: Setting Up the LevelStep 3: Setting Up PagesStep 4: Payment SettingsStep 5: Email SettingsStep 6: Advanced SettingsStep 7: Locking Down PagesLock down a specific pageLock down a page by URLLock down a portion of a page by shortcodeLock down a portion of a page by PHP code using the pmpro_hasMembershipLevel() functionStep 8: Customizing Paid Memberships ProRestricting nonmembers to the homepageLocking down filesChange user roles based on membership levelsInternational and long-form addressesUpgrade/downgrade pricing
16. WordPress Optimization and Scaling
TermsOrigin Versus EdgeTestingWhat to TestChrome Debug BarApache BenchInstalling Apache BenchRunning Apache BenchTesting with Apache BenchGraphing Apache Bench results with gnuplotSiegeBlitz.ioW3 Total CachePage Cache SettingsMinifyDatabase CachingObject CacheCDNsGZIP CompressionHostingWordPress-Specific HostsRolling Your Own ServerApache server setupNginx server setupNginx in front of ApacheMySQL optimizationadvanced-cache.php and object-cache.phpAlternative PHP Cache (APC)MemcachedRedisVarnishBatcacheSelective CachingThe Transient APIMultisite TransientsUsing JavaScript to Increase PerformanceCustom TablesBypassing WordPress
Index
Colophon
Copyright

Content preview from Building Web Apps with WordPress

Chapter 8. Secure WordPress

Hackers beware! This chapter is packed full of tips and advice on how to make WordPress sites more secure and hopefully prevent them from falling prey to any malicious intent.

Why It’s Important

No matter what size website you are running, security is something that you do not want to overlook. Any size site can fall victim to hackers or malware. Being knowledgeable and proactive about WordPress security will help you be less vulnerable and hopefully avoid any attacks.

One of the most popular types of attacks is called a brute-force attack in which a bot or script of code tries to gain access to your site by guessing the correct username and password combination. It may not sound that dangerous, but keep in mind that these bots are huge networks of computers making hundreds or even thousands of guesses every second! Even if these bots don’t gain access to your WordPress admin, they will often take your site down anyway through the sheer amount of resources it takes your server to respond to the malicious requests. This is called a denial of service (or DoS) attack, and can be caused by a targeted attack or by automated spammers and brute-force hacks.

A standard WordPress install comes with some built-in security features that we will discuss in this chapter along with other tips that you can easily follow to make your site more secure. There are also some plugins we will highlight that can help with other issues such as spam.

Some very bad things that can ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Wordpress Web Application Development - Third Edition

Publisher Resources

ISBN: 9781449364779Errata

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Building Web Apps with WordPress

by Brian Messenlehner, Jason Coleman

Chapter 8. Secure WordPress

Why It’s Important

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.