WordPress 3: Creating and Editing Custom Themes
Illustration by John Hersey

Setting up security


WordPress 3: Creating and Editing Custom Themes

with Chris Coyier

Start your free trial now, and begin learning software, business and creative skills—anytime, anywhere—with video instruction from recognized industry experts.

Start Your Free Trial Now

Video: Setting up security

One thing that's going to be very important for us to talk about is WordPress security. We're working locally here so WordPress security isn't a big deal, but ultimately we're going to be moving this site live, out to the web, out in public, and security is a very big deal there. Because bad guys, basically they want into your site, they want to do nefarious things to it, they want to insert their links to it to help them out with SEO in some terrible way, or they want to redirect your site to their site, all kinds of nasty things.
Expand all | Collapse all
  1. 6m 44s
    1. Welcome
      1m 19s
    2. Using the exercise files
      5m 25s
  2. 40m 42s
    1. Reviewing the client spec and deciding on WordPress
      6m 50s
    2. Reviewing assets and resources and creating a mood board
      8m 41s
    3. Building a home page mockup
      11m 26s
    4. Finishing the home page
      12m 27s
    5. Planning the rest of the site
      1m 18s
  3. 1h 8m
    1. Starting with a base project
      3m 6s
    2. Writing HTML code for the home page
      12m 6s
    3. Starting the CSS: Creating the header and basic style structure
      11m 28s
    4. Styling the Navigation panel
      10m 59s
    5. Styling the sidebar
      7m 55s
    6. Styling the home page, pt. 1
      8m 20s
    7. Styling the home page, pt. 2
      8m 17s
    8. Finishing the CSS
      3m 14s
    9. Moving on: One page is enough
      2m 43s
  4. 1h 56m
    1. Setting up WordPress and MAMP on a Mac
      6m 7s
    2. Setting up WordPress and WAMP on a Windows computer
      5m 38s
    3. Modifying important settings
      6m 26s
    4. Starting with a blank theme template
      4m 35s
    5. Introducing template file structure
      4m 55s
    6. Breaking up the HTML
      9m 53s
    7. Building the sidebar
      3m 54s
    8. Building the navigation
      7m 20s
    9. Showing one recent post
      4m 1s
    10. Fetching external content
      8m 23s
    11. Creating a custom home page
      3m 30s
    12. Introducing custom fields
      5m 23s
    13. Creating custom product pages
      9m 52s
    14. Creating custom category pages
      15m 39s
    15. Creating the blog home page
      5m 39s
    16. Creating a single blog entry page
      4m 15s
    17. Implementing comments
      5m 57s
    18. Finishing the home page
      4m 45s
  5. 34m 17s
    1. Will this work with WordPress?
      3m 10s
    2. Using JavaScript in themes the right way
      8m 35s
    3. Implementing something fun with JavaScript
      7m 53s
    4. Introducing plug-ins
      6m 31s
    5. Setting up security
      8m 8s
  6. 2m 7s
    1. Goodbye
      2m 7s

please wait ...
Watch the Online Video Course WordPress 3: Creating and Editing Custom Themes
4h 28m Intermediate Nov 03, 2010

Viewers: in countries Watching now:

In WordPress 3: Creating and Editing Custom Themes, author Chris Coyier shows how to build a custom WordPress theme from scratch and satisfy common client requests. The course covers steps necessary to build a theme using a complete workflow with Photoshop, HTML, CSS, and WordPress 3.0. Also included are tutorials on enhancing a WordPress site with JavaScript, using plugins, and ensuring site security. Exercise files accompany the course.

Topics include:
  • Building a design in Photoshop
  • Converting Photoshop design to HTML and CSS
  • Setting up MAMP on Mac and WAMP on Windows
  • Moving HTML and CSS into a WordPress theme
  • Building navigation
  • Using custom fields
  • Creating a commenting system
  • Using JavaScript and plugins
Developer Web
Chris Coyier

Setting up security

One thing that's going to be very important for us to talk about is WordPress security. We're working locally here so WordPress security isn't a big deal, but ultimately we're going to be moving this site live, out to the web, out in public, and security is a very big deal there. Because bad guys, basically they want into your site, they want to do nefarious things to it, they want to insert their links to it to help them out with SEO in some terrible way, or they want to redirect your site to their site, all kinds of nasty things.

We're trying to fight against them and make sure that they can't get access to do those things. So WordPress, unfortunately, because it's basically the world's number one publishing platform, is a big target. Bad guys are always trying to break into WordPress and find exploits for it. It's a little bit akin to the Windows versus Mac kind of thing, in that Windows is such a bigger target that bad guys are always trying to work on viruses for Windows, because there are so many more Windows computers out there.

There's a lot of WordPress sites out there, so they have all the incentive they need to be working in hacks for that. So some of the most simple things you can deal with, and that are absolutely some of the most important things as well, is just picking strong passwords. Ultimately you're going to have FTP access to your site. Make sure that the password to FTP is very strong. That your database password is very strong and that literally your user, if we go under here, into our Dashboard, into our Admin area, into our User area, our password for our login to WordPress is very strong as well.

Now, maybe a year ago or so, mid-2009, there was an exploit found in WordPress that would be able to create a new admin user and that would have access to do everything to your account. Change things in the database of course, because they have access to back here, which is where we do that, and your theme as well, because literally you can edit your theme from the Appearance Editor and change theme files as well. So if somebody gets access to the backend here of the site, they can really trash it in a way.

So that's no good. Make sure your passwords are strong. Now, another important consideration is when we're going to be moving this site live to the web through an FTP Editor, all those files have certain file permissions. Like who is allowed to edit it, and the numbers that we're shooting fo -- now, if you're an FTP client and you like right-click on a file and Get Info, those files-- and the files I'm talking about here are the core WordPress files in our htdocs folder here.

Files have a permission of 644 and folders have a permission of 755. Those are the numbers that you're shooting for to keep things locked down. Now, there's a number of security precautions that we can take directly in this file, this wp-config file. I'm going to double-click that to open it in our code editor. Now, you remember at the top of this file, we had to edit it to add the database user, the database password and the database name. Now, we didn't do anything else in here and WordPress recommends that for one thing, we set up these authentication keys. This is just an easy quick step.

It gives you this URL that you can put into your browser and it's going to give you code to replace this with. I have that open here. We can just copy and paste that code and put it in there as an extra security measure. The thing below that is this thing called table_prefix. You can see its value is wp_. I'm going to go ahead and open up the database that we're using to run our WordPress site locally. It's this free software, Sequel Pro. I have it open here. I'm going to go ahead and connect to our local MySQL Server and choose the WordPress database that we set up when we installed WordPress.

Now it's all populated with the tables for all of our WordPress data. You can see that each one of these tables starts with wp_. So we could literally come in here and change that table_prefix on each one of these tables. If we do that, it's going to basically break our WordPress site, until we come in here and change it to what we changed the table_prefix to be. Now, the reason you would do that is that a bad guy might try and get access to your site and if they do get access, run a bunch of scripts to insert or delete stuff from your database, and that script probably depends on this default table_prefix.

So if you change yours, their scripts will break and you'll be safe, so it's kind of a security measure that way. Now, one of the most important things in regards to security is not only prevention but being able to roll back to a non-hacked site in case your site is hacked up. So I'm talking about backups. Now, when you're talking about backups in WordPress, we're talking about two different things. We're talking about the files, your theme, all that stuff that we've been working on, basically our theme file here and anything else that we've edited in the WordPress-land, but we're talking about the database as well.

So we need to back up both of those things. You can do it manually. You can login through an FTP site and just grab all these files and maybe drag them to your Desktop and burn them to a CD and mail it to your mom or anything like that. You can also do it manually. Now, to do it manually for the database, there's a great plug-in called the WP-DBManager. So if you go to wordpress.org, into their Plugin Directory, and look around for the WP-DBManager, it's at this URL, go ahead and download that, install it to your site, and activate it from the Plugins menu.

There're a few steps that you have to take, but it allows you to do on-demand backup of your database and you can literally even have it email you your database, like on a daily basis. So if all of a sudden you found out your site was hacked, there was a database problem, you would have a copy of your WordPress database from before the hack, so that's a great plugin for that. Now, another one that I really like is called WordPress File Monitor. It looks at all the different files from your installation, literally all of these files, and it will watch and see if they ever change.

If any file changes, you can have it notify you. So again, you just activate it as a plug-in and we'll add a new setting. Go under Settings there and you can give it an email address, where it will send those notifications to you. If you have specific files that you don't want to be notified about, you can put their paths here. Examples being if you upload new files or cache folders. You wouldn't want to be notified of those things changing, but anything else. So a bad guy gets into your site, changes the file, you get an email that's like wow, a file change, I wasn't in there doing anything, so you'd know that something is happening right away.

Now, there's one more thing that deals with both database backups and file backups combined into one. The makers of WordPress is a company called Automattic and they have another product here called VaultPress. Now, it's an online service. It's not free, but it's not too expensive either. I think it's $15 a month or $40 a month. But it's a plug-in you install on your WordPress site and it backs up to their servers securely your database and all the files from your site, so combined.

It does all of that, and then it looks through all those files for potential security problems and tells you about it. So it's a backup solution, an all-in-one backup solution, a cloud-based backup solution. So your data is safe up there. And a security monitoring tool. So if your site is important enough to have all this stuff, definitely consider VaultPress as a tool and definitely take security seriously on your site.

Find answers to the most frequently asked questions about WordPress 3: Creating and Editing Custom Themes .

Expand all | Collapse all
please wait ...
Q: What prerequisite skill do I need to be successful in this course?
A: This course is set at the intermediate/advanced level. You’ll do best if you have a good knowledge of Photoshop, plus a good grasp of PHPHTML, and CSS.

Q: The index.php file that the author is working with in Chapter 3 doesn't match mine after the "Building a sidebar" movie. It appears to change between the "Building a sidebar" and "Building the navigation" movies. What code am I missing?
A: The author makes some changes off screen between several movies in this title, simply because there is so much material to cover. These changes are provided in the exercise files.

However, if you are following along without the exercise files, you catch up to him by adding the following code to your index.php file, directly after the <?php get_header(); ?> line:

<div id="main-content">

Near the end of the file, just before  <?php get_sidebar(); ?>, add a closing div tag, </div>, to complete the div wrapper.

The resulting code will look like so. You may also copy and paste this into a new file and save it as index.php.

<?php get_header(); ?>

<div id='main-content'>

    <?php if (have_posts()) : while (have_posts()) : the_post(); ?>

        <div <?php post_class() ?> id="post-<?php the_ID(); ?>">

            <h2><a href="<?php the_permalink() ?>"><?php the_title(); ?></a></h2>

            <?php include (TEMPLATEPATH . '/inc/meta.php' ); ?>

            <div class="entry">
                <?php the_content(); ?>

            <div class="postmetadata">
                <?php the_tags('Tags: ', ', ', '<br />'); ?>
                Posted in <?php the_category(', ') ?> |
                <?php comments_popup_link('No Comments »', '1 Comment »', '% Comments »'); ?>


    <?php endwhile; ?>

    <?php include (TEMPLATEPATH . '/inc/nav.php' ); ?>

    <?php else : ?>

        <h2>Not Found</h2>

    <?php endif; ?>

<?php get_sidebar(); ?>

<?php get_footer(); ?>

Q: How do I load my custom theme once I have finished?
A: Copy the Custom theme folder to your new WordPress installation and put it in wp-content > themes. Then you can activate the new theme and work with it from there.
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.

Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ .

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

* Estimated file size

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.

Mark all as unwatched Cancel


You have completed WordPress 3: Creating and Editing Custom Themes.

Return to your organization's learning portal to continue training, or close this page.

Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member ?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferences from the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Learn more, save more. Upgrade today!

Get our Annual Premium Membership at our best savings yet.

Upgrade to our Annual Premium Membership today and get even more value from your lynda.com subscription:

“In a way, I feel like you are rooting for me. Like you are really invested in my experience, and want me to get as much out of these courses as possible this is the best place to start on your journey to learning new material.”— Nadine H.

Thanks for signing up.

We’ll send you a confirmation email shortly.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.