WordPress is a free and open-source content management system (CMS) that was originally released in 2003. It powers over 70 million websites and is used as both a blogging platform and CMS. WordPress is constantly evolving and improving, with thousands of plugins, widgets, and themes available. It is easy to use, flexible, extensible, and has strong support and SEO optimization features. To install WordPress, the minimum requirements are PHP version 5.6 or greater and MySQL version 5.6 or greater. The installation process involves downloading WordPress, uploading files to a web server, creating a database, configuring WordPress, and running the installation script.
Introduction to WordPress
➢ Released in 2003 by Matt Mullenweg and Mike Little
➢ Powers more than 70 million websites
➢ Most popular blogging platform, but also...
➢ Powerful Content Management System(CMS)
➢ Completely FREE
➢ Open Source Project
➢ Constantly evolving and improving
➢ Thousands of plugins, widgets, and themes.
Reasons You Should Use It
➢ Open Source
○ Completely free for commercial or private use.
○ Hundreds of volunteers contributing to core.
○ Constantly evolving and improving.
➢ User-Friendly
○ No need for expensive "webmasters".
○ Easily manage and update your own content.
○ No need to learn complicated HTML.
➢ Flexible & Extensible
○ Thousands of plugins and themes available.
○ Easily change the look of your website.
○ Add new features in just a few clicks.
➢ Support Options. (wordpress.org/support, wordpress.stackexchange.com,
www.wpquestions.com)
○ Online video tutorials.
○ Easy to find help from WordPress experts.
○ Get answers to your questions online...
➢ SEO Friendly
○ Fully compliant with W3C standards.
○ Built in support for RSS.
○ Clean, search-engine friendly code.
➢ Own your Content
○ Easily import and export your content
Requirements and Installation
To run WordPress (version 4.4, when this deck was written) the recommended host supports:
➢ PHP version 5.6 or greater
➢ MySQL version 5.6 or greater
(PHP 5.6 has been end-of-life since December 2018; run a PHP release that still receives security fixes, which is also what WordPress now recommends.)
The host can be a LAMP, WAMP or MAMP stack.
Follow these 5 steps to install WordPress:
➢ Download WordPress from wordpress.org
➢ Upload the WordPress files to the web server.
➢ Create a MySQL database and a dedicated user whose privileges are limited to that database.
➢ Configure WordPress to connect to the database (wp-config.php, copied from wp-config-sample.php).
➢ Run the WordPress installation script.
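Steps 3 and 4 above end in wp-config.php. The file below is an added example of a hardened wp-config.php; it is not from the deck or from Codal. The database name, user, password and salts are placeholders, and the constants at the end go beyond the five installation steps.

```php
<?php
// wp-config.php: added example, not part of the original deck.
// Database name, user and password are placeholders; generate real salts at
// https://api.wordpress.org/secret-key/1.1/salt/ and paste them in.

// Steps 3 and 4: connect with a dedicated, least-privileged MySQL user
// (GRANT ALL ON wp_site.* TO that user only; never reuse root or a shared account).
define( 'DB_NAME',     'wp_site' );
define( 'DB_USER',     'wp_site_user' );
define( 'DB_PASSWORD', 'replace-with-a-long-random-password' );
define( 'DB_HOST',     'localhost' );
define( 'DB_CHARSET',  'utf8mb4' );
define( 'DB_COLLATE',  '' );

// Unique keys and salts: they sign the login and nonce cookies. If an attacker learns
// them (or they are left at a known default) the attacker can forge sessions.
define( 'AUTH_KEY',         'put-a-unique-64-char-random-string-here' );
define( 'SECURE_AUTH_KEY',  'put-a-unique-64-char-random-string-here' );
define( 'LOGGED_IN_KEY',    'put-a-unique-64-char-random-string-here' );
define( 'NONCE_KEY',        'put-a-unique-64-char-random-string-here' );
define( 'AUTH_SALT',        'put-a-unique-64-char-random-string-here' );
define( 'SECURE_AUTH_SALT', 'put-a-unique-64-char-random-string-here' );
define( 'LOGGED_IN_SALT',   'put-a-unique-64-char-random-string-here' );
define( 'NONCE_SALT',       'put-a-unique-64-char-random-string-here' );

// Table prefix: keeps several installs apart in one database. Not a security control.
$table_prefix = 'wp_';

// Hardening beyond the five installation steps:
define( 'DISALLOW_FILE_EDIT', true ); // removes the theme/plugin editor from wp-admin, so a
                                      // phished admin account cannot drop PHP through the UI
define( 'FORCE_SSL_ADMIN', true );    // login and wp-admin only over HTTPS
define( 'WP_DEBUG', false );          // never show PHP errors (paths, queries) to visitors

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

The file must not be world-readable on the server: it holds the database password and the salts, and a web-server misconfiguration that serves it as text (for example a backup copy named wp-config.php.bak) discloses both.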
What are WordPress Themes?
➢ A WordPress Theme is a collection of files that work together to produce a graphical
interface design for a weblog.
➢ These files are called template files.
➢ Themes can provide much more control over the look and presentation of the material on
your website.
➢ WordPress 4.4.2 (current when this deck was written) ships with three themes:
○ the default Twenty Sixteen theme,
○ the previous default, Twenty Fifteen, and
○ Twenty Fourteen
WordPress as MVC
➢ Model
○ Custom post types (beyond pages and posts, you can create your own types of objects)
➢ View
○ WordPress themes
○ HTML5
○ iOS app
○ Android app
➢ Controllers (are made of)
○ functions.php
○ Hooks (actions and filters)
➢ Views talk to the Controllers via AJAX / the WP REST API
○ GenerateWP (generates the code that registers custom post types and other extensions)
○ Post Type Generator (a tool: enter the post type's name and the properties it should have)
https://wordpress.org/plugins/wp-mvc/
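The split above (a custom post type as the model, functions.php and hooks as the controller, a REST route that the views call) in working code. This is an added example, not code from the deck or from the WP-MVC plugin; the post type `book`, the namespace `codal/v1`, the route `/books` and the `codal_*` function names are assumed. It runs as a plugin file or inside a theme's functions.php. `register_rest_route()` exists since WordPress 4.4 (the core content endpoints came in 4.7), and `permission_callback` is mandatory since 5.5.

```php
<?php
// Added example, not from the deck or from WP-MVC. 'book', 'codal/v1', '/books' and the
// codal_* functions are assumed names.

// Model: a custom post type, registered on the 'init' hook.
add_action( 'init', function () {
    register_post_type( 'book', array(
        'labels'       => array( 'name' => 'Books', 'singular_name' => 'Book' ),
        'public'       => true,
        'show_in_rest' => true, // also exposes /wp-json/wp/v2/book with core's capability checks
        'supports'     => array( 'title', 'editor' ),
    ) );
} );

// Controller: a custom REST route that the views (theme JavaScript, iOS/Android apps) call.
add_action( 'rest_api_init', function () {
    register_rest_route( 'codal/v1', '/books', array(
        array(
            'methods'             => 'GET',
            'callback'            => 'codal_list_books',
            'permission_callback' => '__return_true', // public read
            'args'                => array(
                'search' => array(
                    'type'              => 'string',
                    'sanitize_callback' => 'sanitize_text_field',
                ),
            ),
        ),
        array(
            'methods'             => 'POST',
            'callback'            => 'codal_create_book',
            // The capability check runs on the server for every request; hiding a
            // button in the app is not access control.
            'permission_callback' => function () {
                return current_user_can( 'edit_posts' );
            },
            'args'                => array(
                'title' => array(
                    'required'          => true,
                    'type'              => 'string',
                    'sanitize_callback' => 'sanitize_text_field',
                    'validate_callback' => function ( $value ) {
                        return is_string( $value ) && strlen( $value ) <= 200;
                    },
                ),
            ),
        ),
    ) );
} );

function codal_list_books( WP_REST_Request $request ) {
    $query = new WP_Query( array(
        'post_type'      => 'book',
        'post_status'    => 'publish',
        's'              => $request->get_param( 'search' ), // WP_Query parameterises this itself
        'posts_per_page' => 20,
    ) );
    $out = array();
    foreach ( $query->posts as $post ) {
        $out[] = array( 'id' => $post->ID, 'title' => get_the_title( $post ) );
    }
    return rest_ensure_response( $out );
}

function codal_create_book( WP_REST_Request $request ) {
    $id = wp_insert_post( array(
        'post_type'   => 'book',
        'post_status' => 'draft',
        'post_title'  => $request->get_param( 'title' ), // already sanitised by the args schema
    ), true );
    if ( is_wp_error( $id ) ) {
        return new WP_Error( 'codal_insert_failed', 'Could not create book', array( 'status' => 500 ) );
    }
    $response = rest_ensure_response( array( 'id' => $id ) );
    $response->set_status( 201 );
    return $response;
}
```

A view that calls the POST route from the browser with the logged-in cookie must also send the `X-WP-Nonce` header (the value of `wp_create_nonce( 'wp_rest' )`); without it WordPress treats the request as unauthenticated, which is its CSRF protection for the REST API. A native app authenticates with application passwords or another token mechanism instead of cookies.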
Theme Development
➢ What makes a WordPress theme?
HTML, CSS, PHP, JS, assets
e.g. Genesis framework, Stargazer, Clean Box Pro
➢ How does a WP theme work?
At least index.php and style.css
Usually also header.php, sidebar.php, functions.php, footer.php
➢ Approaches
○ Starting from scratch
○ Editing an existing theme (e.g. Twenty Eleven into Catch Box)
○ Parent and child
○ Theme framework
○ Starter theme
➢ Starting from scratch:
○ Time-consuming and difficult approach
○ Preferred by freelancers and web agencies
○ Not recommended for theme shops: why reinvent the wheel?
○ e.g. Simple Catch Pro, Bossip (uses the Transients API; 109 million page views/month)
➢ Editing an existing theme (e.g. Twenty Eleven into Catch Box)
○ Preferred by freelancers and newbies
○ Fast turnaround and fast editing
○ Learn the standard code
○ Only need time to search for the best theme
○ When an update for the original theme is released, applying it overwrites your edits
○ Be careful while editing an existing theme:
■ Change the text domain in style.css
■ Rename the folder / theme slug to match the text domain
➢ Parent and Child
○ Similar to editing an existing theme, but safer
○ Take any child-theme-ready theme as the parent
○ Child template files override the parent's; the child's functions.php is loaded in addition to (just before) the parent's
○ e.g. Edin, Goran
○ Works when your design/functions stay close to the parent's
○ Secure and fast development: parent updates no longer overwrite your changes
○ Always select the best parent
➢ Theme framework
○ Similar to parent and child theme
○ More advanced and more difficult to learn
○ A code library plus a "can-do attitude" theme
○ e.g. Genesis framework, Hybrid theme
○ Preferred by experienced developers and a few theme shops
○ Might have issues if the framework releases major changes
➢ Starter theme
○ Independent theme, not a parent theme
○ Toolbox for theme development
○ Saves time: "a 1000 hour head start"
○ For everyone
○ Used and recommended by a lot of theme shops
○ Starter themes are evolving and it's difficult to keep track of them
○ e.g. Bones, Underscores (_s)
➢ Components
○ A booster starter theme
○ Forked from Underscores (by the same team, Automattic)
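A child theme of the kind described under "Parent and Child", as an added example that is not code from the deck: its functions.php, with the header that the child's style.css must carry shown in the leading comment. The theme name `Codal Child`, the text domain `codal-child` and Twenty Sixteen as the parent are assumptions.

```php
<?php
/*
 * functions.php of a child theme. Added example, not from the deck; names are assumed.
 *
 * The child's style.css must begin with a header that names the parent by folder slug:
 *
 *   Theme Name:  Codal Child
 *   Template:    twentysixteen      (folder name of the parent; must match exactly)
 *   Text Domain: codal-child        (same as the child's folder slug)
 *   Version:     1.0.0
 *
 * The Template line is what makes WordPress treat this as a child: template files in
 * this folder override the parent's, while this functions.php is loaded in addition to
 * (just before) the parent's functions.php, so a parent update never touches these files.
 */

// Enqueue the parent stylesheet first, then the child's, so child rules win the cascade.
// get_template_directory_uri() points at the parent, get_stylesheet_directory_uri() at the child.
add_action( 'wp_enqueue_scripts', function () {
    $parent         = wp_get_theme()->parent();
    $parent_version = $parent ? $parent->get( 'Version' ) : null;

    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css',
        array(),
        $parent_version
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
} );

// Translations for the child's own strings, keyed by its Text Domain.
add_action( 'after_setup_theme', function () {
    load_child_theme_textdomain( 'codal-child', get_stylesheet_directory() . '/languages' );
} );

// Fail loudly (to users who can switch themes) if the expected parent is not active,
// instead of silently rendering a broken site. get_template() returns the parent slug.
add_action( 'admin_notices', function () {
    if ( get_template() !== 'twentysixteen' && current_user_can( 'switch_themes' ) ) {
        echo '<div class="notice notice-error"><p>'
           . esc_html__( 'Codal Child needs the Twenty Sixteen parent theme installed.', 'codal-child' )
           . '</p></div>';
    }
} );
```

Any parent behaviour you want to change goes through hooks in this file (remove_action/remove_filter on the parent's callbacks, or a template file copied into the child folder), never through edits to the parent's own files, which is exactly the "edits are gone after an update" problem the previous approach has.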
OWASP TOP 10 Protection (2013 edition)
➢ A1 Injection
○ Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter
as part of a command or query. The attacker's hostile data can trick the interpreter into executing
unintended commands or accessing data without proper authorization.
➢ A2 Broken Authentication & Session Management
○ Application functions for authentication and session management not implemented correctly
○ Allowing attackers to compromise passwords, keys, or session tokens, or to exploit other
implementation flaws to assume other users’ identities.
➢ A3 Cross Site Scripting (XSS)
○ Application takes untrusted data and sends it to a browser without proper validation or escaping.
○ Allows attackers to execute scripts in the browser which can hijack user sessions, deface web sites, or
redirect the user to malicious sites.
➢ A4 Insecure Direct Object References
○ When a developer exposes a reference to an internal implementation object: a file, directory, or DB key.
○ Without an access control check or other protection, attackers can manipulate these references to access
unauthorized data.
➢ A5 Security Misconfiguration
○ Requires having a secure configuration defined and deployed for the application, frameworks,
application server, web server, database server, and platform.
○ Secure settings should be defined, implemented, and maintained, as defaults are often insecure.
○ Software should be kept up to date.
➢ A6 Sensitive Data Exposure
○ Do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
○ Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft,
or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well
as special precautions when exchanged with the browser.
➢ A7 Missing Function Level Access Control
○ Most web applications verify function level access rights before making that functionality visible in UI.
○ However, applications need to perform the same access control checks on the server when each
function is accessed.
○ If requests are not verified, attackers will be able to forge requests in order to access functionality
without proper authorization.
➢ A8 Cross Site Request Forgery (CSRF)
○ Forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session
cookie and any other automatically included authentication information, to a vulnerable web
application.
○ Attacker forces browser to generate requests the vulnerable application thinks are legitimate requests
from the victim.
➢ A9 Using Known Vulnerable Components
○ Components, such as libraries, frameworks, and other software modules, almost always run with full
privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or
server takeover. Applications using components with known vulnerabilities may undermine application
defenses and enable a range of possible attacks and impacts.
➢ A10 Unvalidated Redirects and Forwards
○ Web applications frequently redirect and forward users to other pages and websites, and use untrusted
data to determine the destination pages. Without proper validation, attackers can redirect victims to
phishing or malware sites, or use forwards to access unauthorized pages.
➢ CERT-In: the Indian Computer Emergency Response Team, the national agency that handles incidents affecting the public
○ http://www.cert-in.org.in/
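The deck names the categories but does not show what protecting against them looks like in WordPress code. The added example below is not from the deck or from Codal; the `codal_*` action and function names are assumed. It is one admin action, "delete a comment by ID", written first in a way that is open to A1, A3, A7, A8 and A10 at once, then again with WordPress core's own counter-measures: `$wpdb->prepare()`, `esc_html()` / `esc_url()`, `current_user_can()`, nonces via `wp_nonce_url()` / `check_admin_referer()`, and `wp_safe_redirect()`.

```php
<?php
// Added example, not from the deck. codal_* names are assumed; everything else is WordPress core API.

// ---- Vulnerable version: deliberately wrong, do not copy ----
add_action( 'admin_post_codal_delete_bad', function () {
    global $wpdb;
    $id = $_GET['id']; // untrusted input, used as-is
    // A1 Injection: the value is concatenated into SQL ("1 OR 1=1" deletes every comment).
    $wpdb->query( "DELETE FROM {$wpdb->comments} WHERE comment_ID = $id" );
    // A7 Missing function-level access control: admin_post_* fires for every logged-in
    // user, so a subscriber can call this. A8 CSRF: no nonce, so a page the victim visits
    // can make the victim's browser send the request with the victim's cookies.
    // A3 XSS: the parameter is reflected unescaped.
    echo 'Deleted comment ' . $id;
    // A10 Unvalidated redirect: any URL the attacker puts in the link.
    wp_redirect( $_GET['return_to'] );
    exit;
} );

// ---- Hardened version ----
// The link that triggers the action: esc_url() for an href (A3), wp_nonce_url() appends
// a _wpnonce bound to this action and this comment (A8).
function codal_delete_link( $comment_id ) {
    $comment_id = (int) $comment_id;
    $url = add_query_arg( array( 'action' => 'codal_delete', 'id' => $comment_id ), admin_url( 'admin-post.php' ) );
    return '<a href="' . esc_url( wp_nonce_url( $url, 'codal_delete_' . $comment_id ) ) . '">'
         . esc_html__( 'Delete', 'codal' ) . '</a>';
}

add_action( 'admin_post_codal_delete', function () {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0; // coerce to a non-negative integer

    // A8: verify the nonce for this action and object; dies with 403 on mismatch or absence.
    check_admin_referer( 'codal_delete_' . $id );

    // A7: capability check on the server, on every request, not only when the link was rendered.
    if ( ! $id || ! current_user_can( 'edit_comment', $id ) ) {
        wp_die( esc_html__( 'You are not allowed to delete this comment.', 'codal' ), 403 );
    }

    // A1: parameterised query; %d forces an integer, so no string can reach the SQL.
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$wpdb->comments} WHERE comment_ID = %d", $id ) );

    // A10: wp_safe_redirect() only follows same-host (or allowed_redirect_hosts) targets and
    // falls back to wp-admin otherwise, so an off-site return_to cannot phish the user.
    $return_to = isset( $_GET['return_to'] ) ? wp_unslash( $_GET['return_to'] ) : admin_url( 'edit-comments.php' );
    wp_safe_redirect( add_query_arg( 'codal_deleted', $id, $return_to ) );
    exit;
} );

// If a confirmation must be rendered, escape for the HTML context it lands in (A3).
function codal_deleted_notice( $id ) {
    return '<div class="notice notice-success"><p>'
         . esc_html( sprintf( __( 'Deleted comment %d', 'codal' ), (int) $id ) )
         . '</p></div>';
}
```

The raw DELETE is kept only to show `prepare()`; for comments the right call is `wp_delete_comment()`, which also updates comment counts and caches. Note what the hardened handler still does not do: it does not stop a logged-out visitor, because `admin_post_*` hooks only run for authenticated users (logged-out requests reach `admin_post_nopriv_*`), so the `current_user_can()` check is the whole of the authorisation and has to stay.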
About Codal
Codal is a UX design and development agency with a focus on blending an Agile
process with the latest emerging technologies. Based in the heart of Chicago, we
have a knack for bringing out the best in every brand that we work with, worldwide.
Our clientele has ranged from small business to enterprise, but our philosophy has
always remained the same: to empower brand visibility and deliver the most elegant
web and mobile solutions possible.