book

Building Web Apps with WordPress, 2nd Edition

by Brian Messenlehner, Jason Coleman

December 2019

Intermediate to advanced

543 pages

12h 52m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Who This Book Is ForWho This Book Is Not ForWhat You’ll LearnAbout the CodeConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
What Is a Website?What Is an App?What Is a Web App?Features of a Web AppMobile AppsProgressive Web AppsWhy Use WordPress?You Are Already Using WordPressContent Management Is Easy with WordPressUser Management Is Easy and Secure with WordPressPluginsFlexibility Is ImportantFrequent Security UpdatesCostResponses to Some Common Criticisms of WordPressWhen Not to Use WordPressYou Plan to License or Sell Your Site’s TechnologyAnother Platform Will Get You “There” FasterFlexibility Is Not Important to YouYour App Needs to Be Highly Real TimeWordPress as an Application FrameworkWordPress Versus Model-View-Controller FrameworksAnatomy of a WordPress AppWhat Is SchoolPress?SchoolPress Runs on a WordPress Multisite NetworkThe SchoolPress Business ModelMembership Levels and User RolesClasses Are BuddyPress GroupsAssignments Are a CPTSubmissions Are a (Sub)CPT for AssignmentsSemesters Are a Taxonomy on the Class CPTDepartments Are a Taxonomy on the Class CPTSchoolPress Has One Main Custom PluginSchoolPress Uses a Few Other Custom PluginsSchoolPress Uses the Memberlite Theme
WordPress Directory StructureRoot Directory/wp-admin/wp-includes/wp-contentWordPress Database Structurewp_optionsFunctions Found in /wp-includes/option.phpwp_usersFunctions Found in /wp-includes/…wp_usermetawp_postsFunctions Found in /wp-includes/post.phpwp_postmetaFunctions Found in /wp-includes/post.phpwp_commentsFunctions Found in /wp-includes/comment.phpwp_commentsmetaFunctions Found in /wp-includes/comment.phpwp_termsFunctions Found in /wp-includes/taxonomy.phpwp_termmetawp_term_taxonomy/wp-includes/taxonomy.phpwp_term_relationshipsHooks: Actions and FiltersActionsFiltersDevelopment and Hosting EnvironmentsWorking LocallyChoosing a Web HostDevelopment, Staging, and Production EnvironmentsExtending WordPress
The General Public License, Version 2, LicenseInstalling WordPress PluginsBuilding Your Own PluginFile Structure for an App Plugin/adminpages//classes//css//js//images//includes//includes/lib//pages//services//scheduled//schoolpress.phpAdd-Ons to Existing PluginsUse Cases and ExamplesThe WordPress LoopWordPress Global VariablesFree PluginsAdmin ColumnsAdvanced Custom FieldsBadgeOSPosts 2 PostsMembersW3 Total CacheYoast SEOPremium PluginsGravity FormsBackupBuddyWP All ImportCommunity PluginsBuddyPress
Themes Versus PluginsWhere to Place Code When Developing AppsWhen Developing PluginsWhere to Place Code When Developing ThemesThe Template HierarchyPage TemplatesSample Page TemplateUsing Hooks to Copy TemplatesWhen Should You Use a Theme Template?Theme-Related WordPress FunctionsUsing locate_template in Your PluginsStyle.cssVersioning Your Theme’s CSS Filesfunctions.phpThemes and CPTsPopular Theme FrameworksWordPress Theme FrameworksNon-WordPress Theme FrameworksCreating a Child Theme for MemberliteIncluding Bootstrap in Your App’s ThemeMenusNavigation MenusDynamic MenusResponsive DesignDevice and Display Detection in CSSDevice and Feature Detection in JavaScriptDevice Detection in PHPFinal Note on Browser Detection
Default Post Types and CPTsPagePostAttachmentRevisionsNavigation Menu ItemCustom CSSChangesetsoEmbed CacheUser RequestsReusable BlocksDefining and Registering CPTsregister_post_type( $post_type, $args );What Is a Taxonomy and How Should I Use It?Taxonomies Versus Post MetaCreating Custom Taxonomiesregister_taxonomy( $taxonomy, $object_type, $args )register_taxonomy_for_object_type( $taxonomy, $object_type )Using CPTs and Taxonomies in Your Themes and PluginsThe Theme Archive and Single Template FilesGood Old WP_Query and get_posts()Metadata with CPTsadd_meta_box( $id, $title, $callback, $screen, $context, $priority, $callback_args )Using Meta Boxes with the Block EditorCustom Wrapper Classes for CPTsExtending WP_Post Versus Wrapping ItWhy Use Wrapper Classes?Keep Your CPTs and Taxonomies TogetherKeep It in the Wrapper ClassWrapper Classes Read Better
Getting User DataAdd, Update, and Delete UsersHooks and FiltersWhat Are Roles and Capabilities?Checking a User’s Role and CapabilitiesCreating Custom Roles and CapabilitiesExtending the WP_User ClassAdding Registration and Profile FieldsCustomizing the Users Table in the DashboardPluginsTheme My LoginHide the Admin Bar from NonadministratorsPaid Memberships ProPMPro Register HelperMembersWP User Fields
Shortcode APIShortcode AttributesNested ShortcodesRemoving ShortcodesOther Useful Shortcode-Related FunctionsWidgets APIBefore You Add Your Own WidgetAdding WidgetsDefining a Widget AreaEmbedding a Widget Outside of a Dynamic SidebarDashboard Widgets APIRemoving Dashboard WidgetsAdding Your Own Dashboard WidgetSettings APIDo You Really Need a Settings Page?Could You Use a Hook or Filter Instead?Use Standards When Adding SettingsIgnore Standards When Adding SettingsRewrite APIAdding Rewrite RulesFlushing Rewrite RulesOther Rewrite FunctionsWP-CronAdding Custom IntervalsScheduling Single EventsKicking Off Cron Jobs from the ServerUsing Server Crons OnlyWP MailSending Nicer Emails with WordPressFile Header APIAdding File Headers to Your Own FilesAdding New Headers to Plugins and ThemesHeartbeat API
Why It’s ImportantSecurity BasicsUpdate FrequentlyDon’t Use the Username “admin”Use a Strong PasswordExamples of Bad PasswordsExamples of Good PasswordsHardening WordPressDon’t Allow Admins to Edit Plugins or ThemesChange Default Database Tables PrefixMove wp-config.phpHide Login Error MessagesHide Your WordPress VersionDon’t Allow Logins via wp-login.phpAdd Custom .htaccess Rules for Locking Down wp-adminSSL Certificates and HTTPSInstalling an SSL Certificate on Your ServerWordPress Login and WordPress Administrator over SSLDebugging HTTPS IssuesAvoiding SSL Errors with the “Nuclear Option”Back Up Everything!Scan, Scan, Scan!Useful Security PluginsSpam-Blocking PluginsBackup PluginsFirewall/Scanner PluginsLogin and Password-Protection PluginsWriting Secure CodeCheck User CapabilitiesCustom SQL StatementsData Validation, Sanitization, and EscapingNonces

What Is ECMAScript?What Is ES6?What Is ES9?What Is ESNext?What Is Ajax?What Is JSON?jQuery and WordPressEnqueuing Other JavaScript LibrariesWhere to Put Your Custom JavaScriptAjax Calls with WordPress and jQueryManaging Multiple Ajax RequestsHeartbeat APIWordPress Limitations with Asynchronous ProcessingJavaScript FrameworksBackbone.jsReact
What Is a REST API?APIRESTJSONHTTPWhy Use the WordPress REST API?Using the WordPress REST API V2DiscoveryAuthenticationRoutes and EndpointsRequestsResponsesAdding Your Own Routes and Endpointsregister_rest_route( $namespace, $route, $args, $override );Setting Up the WordPress Single Sign-On PluginAdding the /wp-sso/v1/check RouteBundling Basic Authentication with Our PluginUsing the Endpoint We Set Up to Check User CredentialsPopular Plugins Using the WordPress REST APIWooCommerceBuddyPressPaid Memberships Pro
The WordPress EditorThe Classic Editor PluginUsing Blocks for Content and DesignUsing Blocks for FunctionalityCreating Your Own BlocksMinimal Block ExampleUsing Custom Blocks to Build App ExperiencesEnabling the Block Editor in Your CPTsBlock CategoriesThe Homework BlocksLimiting Blocks to Specific CPTsLimiting CPTs to Specific BlocksBlock TemplatesSaving Block Data to Post MetaTipsEnable WP_SCRIPT_DEBUGUse filemtime() for the Script VersionMore TipsLearn JavaScript, Node.js, and React More Deeply
Why Multisite?Why Not Multisite?Multisite AlternativesMultiple Authors or Categories on the Same WordPress SiteCustom Post TypesTotally Separate SitesUse a WordPress Maintenance ServiceMultitenancySetting Up a Multisite NetworkManaging a Multisite NetworkDashboardSitesUsersThemesPluginsSettingsUpdatesMultisite Database StructureNetworkwide TablesIndividual Site TablesShared Site TablesDomain MappingRandom Useful Multisite PluginsGravity Forms User Registration Add-OnMember Network Sites Add-On for Paid Memberships ProMore Privacy OptionsMultisite Global MediaMultisite Plugin ManagerMultisite Global SearchMultisite Robots.txt ManagerNS Cloner: Site CopierWP Multi NetworkBasic Multisite Functionality$blog_idis_multisite()get_current_blog_id()switch_to_blog( $new_blog )restore_current_blog()get_blog_details( $fields = null, $get_all = true )update_blog_details( $blog_id, $details = array() )get_blog_status( $id, $pref )update_blog_status( $blog_id, $pref, $value )get_blog_option( $id, $option, $default = false )update_blog_option( $id, $option, $value )delete_blog_option( $id, $option )get_blog_post( $blog_id, $post_id )add_user_to_blog( $blog_id, $user_id, $role )wpmu_delete_user( $user_id )create_empty_blog( $domain, $path, $weblog_title, $site_id = 1 )Functions We Didn’t Mention
Do You Even Need to Localize Your App?How Localization Is Done in WordPressDefining Your Locale in WordPressText DomainsSetting the Text DomainPrepping Your Strings with Translation Functions__( $text, $domain = “default” )_e( $text, $domain = “default” )_x( $text, $context, $domain = “default” )_ex( $title, $context, $domain = “default” )Escaping and Translating at the Same TimeCreating and Loading Translation FilesOur File Structure for LocalizationGenerating a .pot FileCreating a .po FileCreating a .mo FileGlotPressUsing GlotPress for Your WordPress.org Plugins and ThemesCreating Your Own GlotPress Server
TermsOrigin Versus EdgeTestingWhat to TestChrome Debug BarThe WordPress Site Health ToolApache BenchSiegeW3 Total CachePage Cache SettingsMinifyDatabase CachingObject CacheCDNsGZIP CompressionHostingWordPress-Specific HostsRolling Your Own ServerSelective CachingThe Transient APIMultisite TransientsUsing JavaScript to Increase PerformanceCustom TablesBypassing WordPress
Choosing a PluginWooCommercePaid Memberships ProEasy Digital DownloadsPayment GatewaysMerchant AccountsSetting Up SaaS with Paid Memberships ProThe SaaS ModelStep 0: Establishing How You Want to Charge for Your AppStep 1: Installing and Activating Paid Memberships ProStep 2: Setting Up the LevelStep 3: Setting Up PagesStep 4: Choosing Payment SettingsStep 5: Choosing Email SettingsStep 6: Choosing Advanced SettingsStep 7: Locking Down PagesStep 8: Customizing Paid Memberships Pro
Mobile App Use CasesNative and Hybrid Mobile AppsWhat Is a Native Mobile App?What Is a Hybrid Mobile App?Why Hybrid over Native?CordovaIonic FrameworkApp WrapperAppPresser
PHP LibrariesImage Generation and ManipulationPDF GenerationGeolocation and GeotargetingFile Compression and ArchivingDeveloper ToolsExternal APIs and Web ServicesElasticsearchElasticPress by 10upGoogle VisionGoogle MapsGoogle TranslateTwilioOther Popular APIsMigrationsHost MigrationsPlatform MigrationsCreate a Data Mapping Guide
Where We’ve BeenThe REST APIWordPress Plugins Will Focus More on APIsHeadless WordPressGraphQLGutenbergThe Administrator Interface Will Move to React/GutenbergGutenberg Will Power a Frontend Editing Experience for WordPressBlock Templates Will Replace ThemesBlocks Will Replace PluginsWordPress Market Share Will Increase and DecreaseWordPress Will Become a More Popular Platform for Mobile DevelopmentWordPress Will Continue to Be Useful for Developing Apps of All Kinds

Content preview from Building Web Apps with WordPress, 2nd Edition

Chapter 8. Secure WordPress

Hackers beware! This chapter is packed full of tips and advice on how to make WordPress sites more secure and hopefully prevent them from falling prey to any malicious intent.

Why It’s Important

No matter what size website you are running, security is something that you do not want to overlook. Any size site can fall victim to hackers or malware. Being knowledgeable and proactive about WordPress security will help you be less vulnerable and hopefully avoid any attacks.

One of the most popular types of attacks is called a brute-force attack, in which a bot or script of code tries to gain access to your site by guessing the correct username and password combination. It may not sound that dangerous, but keep in mind that these bots are huge networks of computers making hundreds or even thousands of guesses every second! Even if these bots don’t gain access to your WordPress administrator, they will often take your site down anyway through the sheer amount of resources it takes your server to respond to the malicious requests. This is called a denial of service (DoS) attack, and can be caused by a targeted attack or by automated spammers and brute-force hacks.

In this chapter, we discuss the standard WordPress installation’s built-in security features, in addition to other tips that you can easily follow to make your site more secure. We’ll also highlight some plugins that can help with other issues, such as spam.

Some very bad things that can happen to ...