WPMU DEV's Blog - Everything WordPress (http://premium.wpmudev.org/blog)

WordPress Security: The Ultimate Guide
http://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/
Published Wed, 23 Jul 2014 12:00:45 +0000

Like most website owners, security was never top of my priorities. It was only when one of my websites was hacked that I realised how common it was for websites to be compromised by malicious parties.

As the most popular web publishing platform on the internet (by a large margin), WordPress is a popular target for hackers and spammers. WordPress is known for being one of the most user-friendly website platforms available online, but out of the box WordPress is terribly vulnerable to attacks.

According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks and the total number of hacked WordPress websites in 2012 was a whopping 170,000. This figure is growing every year.

You may be wondering why anyone would want to attack your website, particularly if you have a low traffic website; however the vast majority of hackers are not looking to steal your data or delete important files. What they want to do is use your server to send spam emails.

I experienced this myself last year. A friend of mine had built a small content website using WordPress and hosted it on my hosting plan. Unfortunately, my friend stopped updating the website, which meant that WordPress was outdated. This made it possible for hackers to upload a script that sent spam directly from my server.

Due to this, my server IP address was blacklisted by all major ISPs and email services; therefore newsletters that I was sending from a website I owned were not being delivered. Thankfully, I was able to clean my IP address from blacklists by using the blacklist checker from MXToolBox, though the whole experience cost me a lot of time and money.

MXToolBox can check to see if your server has been blacklisted.

When it comes to website security, it pays to be proactive rather than reactive. Do not assume your website is secure because you have not been hacked in the past.

This article details what you need to do to make your WordPress website secure from threats. It has been divided into five main sections. Click one of the links below to skip ahead to the appropriate section:

I encourage you to bookmark this article for future reference as you will find it useful when you are securing other WordPress websites you develop :)


How Do Hackers Compromise Your Website?

It is important to understand how hackers gain entry into a WordPress website and have their wicked way. Although there are many different ways in which a hacker can break into a WordPress website, the main techniques can be grouped together into four categories. In an article last year, WP White Security reported the following statistics about hacked websites:

  • 41% were hacked through a security vulnerability on their hosting platform
  • 29% were hacked via a security issue in the WordPress Theme they were using
  • 22% were hacked via a security issue in the WordPress Plugins they were using
  • 8% were hacked because they had a weak password

As you can see, 41% of attacks are caused by security issues within your hosting platform. This covers a lot of techniques, such as passing an SQL injection through a URL parameter. This technique allows the hacker to run their own queries against your database, which can let them change data (e.g. your password), retrieve data, or delete data (e.g. delete all your posts and pages).

A whopping 51% of attacks were made through a WordPress plugin or theme. Hackers can do things such as inject an eval(base64_decode(...)) call, which lets them run arbitrary PHP from your website (e.g. to send spam). They may also leave a backdoor somewhere on your website. This is a technique they use to regain access to your website in the future, even when you believe you have deleted all malicious files.

Last on the list is a weak password. Hackers continue to gain access in this way by using automated scripts that continually guess passwords until they gain entry; a technique that is known as brute force.


WordPress Security Best Practices

Hackers are not looking for a long battle to gain access to a website. They specifically go after WordPress websites that are vulnerable because of security holes. You can therefore effectively block 99.99% of attacks on your website by simply addressing these security issues.

In this section, I would like to walk through techniques that you can apply to your website in order to make it more secure. It should not take you more than 20 to 30 minutes to apply all of these techniques. All you have to do is modify a few key files such as .htaccess and wp-config.php. I will also speak about security best practices and recommend WordPress plugins that will help you make your website more secure.

Remember that prevention is better than the cure. If you follow the advice given in this section, a hacker will find it very difficult to gain access to your website in the first instance.

Host Your Website with a Good Hosting Company

With 41% of hacking attempts being caused by a security vulnerability on a hosting platform, it pays to host your website with a good quality hosting company. Look for a hosting company that places an emphasis on security. One that has:

  • Support for the latest versions of PHP and MySQL
  • Is optimized for running WordPress
  • Includes a WordPress optimized firewall
  • Has malware scanning and intrusive file detection
  • Trains their staff on important WordPress security issues

If you choose a shared hosting plan, make sure that your host provides account isolation. This ensures that one account cannot overload the server and cause problems for your website. Good hosting companies will also offer daily internal backups, but remember that you still need to back up externally on a regular basis too (more on this later).

Choose a hosting company that places an emphasis on security, such as Pagely and their trademarked PRESSARMOR WordPress security system.

Important Installation Settings

WordPress Security Keys were first introduced in WordPress versions 2.5, 2.6, and 2.7. The keys improve the encryption of the information stored in a visitor's cookies, and they make your password hashes harder to crack by adding random elements to them. A salt phrase is added to each key to make it even more secure.

The keys can be changed in wp-config.php. This is an important configuration file that can be found in the root of your WordPress installation. If you have not added security keys to your wp-config.php file already, the code will look like this:

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Eight keys and salts can be generated through the WordPress Salt Keys Generator. Once the code has been generated, you simply replace the code above with the unique generated phrases.

It will look something like this:

* Note that the above code is just an example. You should generate unique codes for your website.

WordPress applies a table prefix to all database tables. The default table prefix is wp_, for example wp_posts, wp_terms etc. Changing the table prefix can help prevent SQL injection vulnerabilities, as hackers will need to guess the prefix, which, in turn, will stop them from gaining control of your database.

You will find the table prefix in your wp-config.php file:

$table_prefix = 'wp_';

Simply change the table prefix to something obscure that no person or script could guess. For example:

$table_prefix = 'asdfadsfa894sdms_';

Changing the table prefix in your wp-config.php file will not automatically change the prefix of your WordPress tables if you have already installed WordPress. Therefore, if you are changing the table prefix on an existing website, you need to update your database too.

One of the quickest ways of doing this is to install the plugin iThemes Security. The plugin can automatically do all the necessary changes for you.

Alternatively, you can do this manually. This is a more time consuming way to change the table prefix, however it may be necessary for you to do this if you cannot do it automatically via a security plugin.

There are two methods available to you through PHPMyAdmin (the process will be almost identical with other database managers). The first method is to use an SQL query to rename each table. Below is an example of how this is done:

RENAME table `wp_links` TO `newprefix_links`;

Obviously, you would change the reference to newprefix in the above example to the prefix you have defined in wp-config.php.

You need to run the above query for each database table including all core tables and any additional tables added by plugins.

The other way to do it is to click on the name of a table and then click on the operations tab. This tab allows you to change important table settings such as the table name. This step needs to be completed for each table.

Rename Table Prefix
Table prefixes can be changed through the operations tab.

Next, you need to update the references to the table prefix in the usermeta and options tables. You can do this using the PHPMyAdmin interface, however it is much quicker to simply use an SQL query.

To update the usermeta table (formerly wp_usermeta), enter the following SQL query through the PHPMyAdmin SQL tab:

UPDATE `newprefix_usermeta` SET `meta_key` = REPLACE( `meta_key`, 'wp_', 'newprefix_' )

To update the options table (formerly wp_options), enter the following SQL query through the PHPMyAdmin SQL tab:

UPDATE `newprefix_options` SET `option_name` = 'newprefix_user_roles' WHERE `option_name` = 'wp_user_roles'

Again, in both examples above, be sure to change the references to newprefix to the prefix you have defined in wp-config.php.

To recap, to update your WordPress database tables with your new prefix, you need to:

  1. Rename each WordPress table
  2. Update the usermeta table
  3. Update the options table

I would still recommend changing the table prefix in your WordPress table using iThemes Security as it allows the above changes to be made at the click of a button. You will, however, find the guide for applying the changes useful if the plugin cannot apply the necessary changes automatically.
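To tie the three manual steps together, here is an added example (not from the article, and not iThemes Security's code) that generates the complete set of SQL statements for a prefix change from the list of tables currently in the database. It covers every table that carries the old prefix, including plugin tables, and rewrites the usermeta keys and the user_roles option. The usermeta rewrite is stricter than the REPLACE() form shown above: it only touches keys that start with the old prefix, so a key that merely contains it elsewhere is left intact. The sample table list in the usage section is constructed; in practice paste the output of SHOW TABLES. Review the generated statements before running them, and change $table_prefix in wp-config.php as well.

```python
"""Generate the SQL for moving a WordPress database to a new table prefix.

Added example (not from the article or from iThemes Security): given the old
and new prefix and the list of tables currently in the database (SHOW TABLES),
it emits the three groups of statements the procedure above describes, in the
order they must run.
"""
import re

# A prefix is limited to letters, digits and underscores; anything else is
# refused so a statement is never built from an unexpected value.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def rename_prefix_sql(old_prefix, new_prefix, tables):
    """Return the SQL statements (as a list of strings) that rename every table
    starting with `old_prefix` to `new_prefix` and fix the prefixed values in
    usermeta and options.  Tables without the old prefix are left alone, so a
    database shared with other applications is safe."""
    for p in (old_prefix, new_prefix):
        if not PREFIX_RE.match(p):
            raise ValueError(f"invalid prefix: {p!r}")
    if old_prefix == new_prefix:
        raise ValueError("old and new prefix are identical")

    statements = []
    # Step 1: rename each table carrying the old prefix (core and plugin tables).
    for table in tables:
        if table.startswith(old_prefix):
            statements.append(
                f"RENAME TABLE `{table}` TO `{new_prefix}{table[len(old_prefix):]}`;"
            )

    # Step 2: meta_key values such as wp_capabilities and wp_user_level carry the
    # prefix.  Unlike a plain REPLACE(), this only rewrites keys that *start*
    # with the old prefix, so a key that merely contains it is not damaged.
    # '_' is a single-character wildcard in LIKE, hence the backslash escape.
    like_pattern = old_prefix.replace("_", r"\_") + "%"
    statements.append(
        f"UPDATE `{new_prefix}usermeta` "
        f"SET `meta_key` = CONCAT('{new_prefix}', SUBSTRING(`meta_key`, {len(old_prefix) + 1})) "
        f"WHERE `meta_key` LIKE '{like_pattern}';"
    )

    # Step 3: the user_roles option name carries the prefix as well.
    statements.append(
        f"UPDATE `{new_prefix}options` SET `option_name` = '{new_prefix}user_roles' "
        f"WHERE `option_name` = '{old_prefix}user_roles';"
    )
    return statements


if __name__ == "__main__":
    # Constructed table list; in practice paste the output of SHOW TABLES.
    sample_tables = ["wp_posts", "wp_usermeta", "wp_options"]
    for sql in rename_prefix_sql("wp_", "asdfadsfa894sdms_", sample_tables):
        print(sql)
```

The RENAME statements come first because the two UPDATE statements refer to the tables by their new names; running the list top to bottom in the phpMyAdmin SQL tab keeps the order the procedure requires.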

Keep WordPress Updated

Every version of WordPress addresses security holes that have been identified in previous versions. Therefore, if you are using an older version of WordPress, your website is more susceptible to attacks. That is why it is important you always update WordPress to the latest version.

Major versions of WordPress contain many new features and are released twice a year. They are easily recognised as the version number increments by 0.1 with each release, e.g. 3.7, 3.8, 3.9, 4.0 etc. Following every major release, WordPress releases a few minor updates. The release numbers for minor releases increment by 0.01, e.g. 3.9.1, 3.9.2 etc.

Whereas major releases of WordPress introduce new features to the platform, minor releases address important security bugs and errors that have been found in a major release. It is therefore essential you apply these minor updates to your website.

WordPress introduced a new feature in WordPress 3.7 that updates WordPress automatically in the background. Many WordPress users wrongly believe that this feature applies to all WordPress updates, but by default WordPress will only automatically apply minor updates to your website.

It is also possible to have WordPress apply major updates automatically as well as minor ones. This will remove the need for you to ever update WordPress manually again. You can do this by adding this piece of code to your wp-config.php file:

# Enable all core updates, including minor and major:
define( 'WP_AUTO_UPDATE_CORE', true );

Safeguards are put in place to ensure your website does not break when your website is automatically updated, however there is always a risk that your website breaks after a major update. This is more likely if you use WordPress plugins that are not actively updated so you should be aware of this if you do apply major updates to your website automatically.

If you would prefer to handle all updates yourself because you are concerned your website will break with an automatic update (major or minor), you can disable all core WordPress automatic updates by adding this code to your wp-config.php:

# Disable all core updates:
define( 'WP_AUTO_UPDATE_CORE', false );

Plugin developers can fine-tune automatic updates by using the add_filter() function. Note that add_filter() is only defined once wp-settings.php has been loaded, so if you place add_filter() calls in wp-config.php they must come after the following line, which is normally the last line of the file:

require_once( ABSPATH . 'wp-settings.php' );

Check out “The definitive guide to disabling auto updates in WordPress 3.7” by Andrew Nacin for more information on disabling automatic updates.

WordPress Plugins and Themes

Security holes in themes and plugins represent more than half of all successful WordPress hacks. You therefore need to pay attention to the plugins you activate on your website.

  • Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.
  • Be wary of plugins that have not been updated within the last two years as they may have security holes in them that have not been addressed. If possible, only use plugins that are updated regularly.
  • All plugins are not created equal. Be conscious of the fact that a poorly coded plugin could make it easier for a hacker to gain access to your website.

It is important that your WordPress theme is up to date and well-coded, too. You can check the quality of the code in your theme using a plugin such as Theme-Check and check the code in plugins using Plugin-Check.

You should also be careful of downloading free WordPress themes from unknown sources as they may contain malicious code. If in doubt, stick to the free WordPress designs available at WordPress.org.

Hackers could insert malicious code into premium plugins and themes. It is highly unlikely that the original developer of a premium WordPress product would insert malware into it, though you do need to be careful when downloading a premium product from other sources.

Therefore, I implore you to do the right thing and support WordPress developers by buying plugins and themes from them directly. Downloading a premium plugin or theme from a torrent website hurts their business and there is a chance the uploader has inserted malware into the product, placing your website at risk of being attacked. You are safer downloading plugins from a source such as WPMU DEV. Not only are our plugins free from bugs, they also come with 24/7 support.

The WordPress updater can be configured to automatically update plugins and themes. To automatically update WordPress plugins, add the following code to your wp-config.php file:

add_filter( 'auto_update_plugin', '__return_true' );

To automatically update your theme, add this code to wp-config.php:

add_filter( 'auto_update_theme', '__return_true' );

Note that your WordPress theme has to support automatic updates in order for the above code to work.

Remember that updating plugins automatically may cause a website error and could happen when you are away from the computer. I recommend upgrading plugins and themes manually to ensure that if any problems occur during upgrade, you can deactivate the plugin and reactivate it when the developer has fixed the error.

The WordPress plugin and theme editor allows authorised users to modify your theme and your installed plugins. If a hacker was able to gain access to your WordPress admin area, they could crash your website in a matter of seconds by simply changing code, or removing code. To avoid this occurring, you can disable the plugin and theme editor by adding the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

You can also remove the option of updating and installing plugins and themes by adding the code below to your wp-config.php file. Applying this technique would stop an unauthorized party from being able to upload their own plugin to your website.

define( 'DISALLOW_FILE_MODS', true );

The above code will also deactivate the plugin and theme editor if it is added to your wp-config.php file.

Using Correct File Permissions

It is important that you configure your file permissions correctly. Setting a directory with permissions of 777 could allow a malicious party to upload a file or modify an existing file.

According to WordPress, you should use the following permissions on a WordPress website:

  • All directories should be 755 or 750
  • All files should be 644 or 640
  • wp-config.php should be 600

Check out the Changing File Permissions guide on WordPress.org for more information on how to change file permissions. If you are unsure as to whether you have set up your WordPress file permissions correctly, ask your host to check them for you.
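Before asking your host to check them, you can audit the permissions yourself. The following is an added example (not from the article or from WordPress.org) that walks an installation and reports every directory and file whose mode is not one of the values listed above, treating wp-config.php as the special 600 case. It only reports, so it is safe to run before deciding what to change; the helper at the end pulls out the world-writable entries (the 777 case) that should be fixed first. Symbolic links are skipped because their own mode bits are not meaningful.

```python
"""Audit file permissions in a WordPress tree against the recommended values
(directories 755 or 750, files 644 or 640, wp-config.php 600).

Added example, not from the article or from WordPress itself.
"""
import os
import stat
import sys

ALLOWED_DIR_MODES = {0o755, 0o750}
ALLOWED_FILE_MODES = {0o644, 0o640}
WP_CONFIG_MODE = 0o600


def check_mode(name, is_dir, mode):
    """Return the expected permission text when `mode` (an int such as 0o777)
    is wrong for this entry, or None when it is acceptable."""
    if is_dir:
        return None if mode in ALLOWED_DIR_MODES else "755 or 750"
    if name == "wp-config.php":
        return None if mode == WP_CONFIG_MODE else "600"
    return None if mode in ALLOWED_FILE_MODES else "644 or 640"


def audit_permissions(root):
    """Walk `root` and return (path, actual_mode, expected) tuples for every
    entry whose permission bits are not in the allowed set.  Modes are returned
    as octal strings such as '777' for readability."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields every directory once, so check the directory here.
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        expected = check_mode(os.path.basename(dirpath), True, mode)
        if expected:
            findings.append((dirpath, f"{mode:o}", expected))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            expected = check_mode(name, False, mode)
            if expected:
                findings.append((path, f"{mode:o}", expected))
    return findings


def world_writable(findings):
    """Subset of findings where 'other' has write permission: the 777 case the
    article warns about, which lets any local process modify or add files."""
    return [f for f in findings if int(f[1], 8) & stat.S_IWOTH]


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit_permissions(root)
    for path, actual, expected in results:
        print(f"{actual} {path} (expected {expected})")
    print(f"{len(world_writable(results))} world-writable entries")
```

Run it as `python audit_permissions.py /path/to/wordpress` on the server, or over a local copy fetched with SFTP (noting that a transfer can alter modes). Note that on hosts where PHP runs as a different user from the file owner, 640 and 750 can break the site, which is why the article lists 644 and 755 as the alternatives.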

Turn Off PHP Error Reporting

If a plugin or theme causes an error, the error message may display your server path. This information is useful to hackers, therefore it is better to disable error reporting altogether for a live website.

You can disable error reporting in WordPress by adding the following code to your wp-config.php file:

@ini_set('display_errors', 0);

If the above code does not work, speak to your web hosting company and ask if they can disable error reporting on your behalf.

Protecting WordPress Using .htaccess

The .htaccess file is a powerful configuration file that changes the way your server operates. It is used to redirect URLs and configure pretty permalinks. The file can also be used to harden WordPress security.

The techniques below will strengthen your WordPress website significantly. Please note that the code has to be placed outside of the # BEGIN WordPress and # END WordPress tags, as anything between those tags can be overwritten by WordPress (e.g. during updates and permalink changes). Be sure to enable the option to show hidden files in your FTP client or file manager too; otherwise, the .htaccess file will not be visible in the file list.

The wp-config.php is an important file as it contains your database connection settings, table prefix, security keys, and other sensitive information. You can protect the file by adding the following code snippet to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

You can also relocate the wp-config.php file above your installation folder; however there is some debate as to whether this is beneficial.
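Because WordPress rewrites everything between the # BEGIN WordPress and # END WordPress markers, a rule pasted inside that block is silently lost the next time permalinks are saved. The following is an added example (not from the article) of a small helper that inserts a rule such as the wp-config.php protection above directly before the WordPress block (or at the end of the file when there is no block), and does nothing if the rule is already present outside the block, so it can be re-run safely. The sample .htaccess content is constructed from the standard WordPress rewrite block.

```python
"""Insert a hardening rule into .htaccess outside the WordPress-managed
block, without duplicating it on a second run.

Added example, not from the article.
"""

BEGIN_MARK = "# BEGIN WordPress"
END_MARK = "# END WordPress"


def _managed_block(lines):
    """Return (begin, end) line indexes of the WordPress block, or None."""
    try:
        begin = lines.index(BEGIN_MARK)
        end = lines.index(END_MARK, begin)
    except ValueError:
        return None
    return begin, end


def add_rule_outside_wp_block(htaccess_text, rule):
    """Return new .htaccess content with `rule` present exactly once outside
    the WordPress block.  `rule` is compared after stripping surrounding
    whitespace, so re-running with the same rule is a no-op."""
    rule = rule.strip()
    lines = htaccess_text.splitlines()
    block = _managed_block(lines)

    # Text outside the managed block is the only place the rule may live.
    outside = "\n".join(
        line for i, line in enumerate(lines)
        if block is None or not (block[0] <= i <= block[1])
    )
    if rule in outside:
        return htaccess_text  # already in a safe position: nothing to do

    if block is None:
        body = htaccess_text.rstrip("\n")
        return (body + "\n\n" if body else "") + rule + "\n"

    # Place the rule directly above the managed block.
    begin = block[0]
    new_lines = lines[:begin] + rule.splitlines() + [""] + lines[begin:]
    return "\n".join(new_lines) + "\n"


def rule_inside_wp_block(htaccess_text, rule):
    """True if `rule` sits inside the WordPress block, i.e. where WordPress
    may overwrite it on the next permalink change."""
    lines = htaccess_text.splitlines()
    block = _managed_block(lines)
    if block is None:
        return False
    return rule.strip() in "\n".join(lines[block[0]:block[1] + 1])


# Constructed sample: the default WordPress rewrite block and the
# wp-config.php protection rule from the article.
SAMPLE_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

PROTECT_WP_CONFIG = """<files wp-config.php>
order allow,deny
deny from all
</files>"""

if __name__ == "__main__":
    print(add_rule_outside_wp_block(SAMPLE_HTACCESS, PROTECT_WP_CONFIG))
```

The same function works for the other snippets in this section (Options All -Indexes, the .htaccess self-protection block, the wp-includes rewrite rules); call it once per snippet and write the result back to the file.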

To restrict access to your WordPress admin area to a specific IP address, use the code below (be sure to change the IP address to your own). In order to do this, you need to create a separate .htaccess file and upload it to the /wp-admin/ directory. Be aware that in order to access your WordPress admin area via a different IP address, you will need to modify the .htaccess file.

order deny,allow
allow from
deny from all

Additional IP addresses can be allowed by adding additional lines. For example:

order deny,allow
allow from
allow from 123.456.7.8
deny from all

The wp-login.php file that is found in the root of your WordPress installation can also be restricted to a specific IP address. The wp-login page will ultimately redirect any logged in users to the /wp-admin/ directory, therefore if anyone did login through wp-login.php, they would be blocked at /wp-admin/. However, you may want to restrict access to wp-login.php too for added security.

An alternative to protecting your admin area by restricting it to certain IP addresses is to password protect the directory. I am not a fan of this technique as it can cause problems with Ajax in plugins and is apparently not foolproof.

If you find a person is consistently trying to access your WordPress admin area, you can block them from your website using the code below. Like the restrict by IP technique, additional IP addresses can be blocked using this technique by defining them in additional lines.

order allow,deny
deny from 456.123.8.9
allow from all

The /wp-includes/ directory contains a lot of important files that are required to run WordPress. There is no need for any visitor to view the contents of this directory. To protect the /wp-includes/ directory, add the following snippet to .htaccess:

# Block the include-only files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

To prevent people from browsing the content of your directories, add the following code snippet to your .htaccess file:

Options All -Indexes

To protect the .htaccess file itself, add this to the file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

The /wp-content/ directory can be protected using .htaccess too. In order to do this, you need to create a separate .htaccess file and upload it to the /wp-content/ directory. Then add the following code to the file:

As you can see, the above technique will protect the /wp-content/ directory but allow XML, CSS, Javascript, and images, to be processed. Be aware that this code has been known to break some WordPress themes as it does not allow PHP to be executed; particularly themes that use timthumb.php. If the code causes any problems with your website, it is best to remove the .htaccess file from the /wp-content/ directory.

Disable XML-RPC

Since WordPress 3.5, XML-RPC has been enabled by default. The feature allows you to remotely connect via blogging clients. It is also used for trackbacks and pingbacks. Unfortunately, hackers have been known to use the file for DDoS attacks.

You can use a plugin such as Disable XML-RPC Pingback or Disable XML-RPC to reduce the chance of your website being attacked.

Stronger Login Information

Weak passwords allow hackers to gain access to your website easily using a brute force automated script. You should therefore:

Many years ago, WordPress used the username admin as the default username for the primary administrator account. They now allow you to choose any username you wish during the installation process, however many people still choose the username admin.

The problem is that hackers know that admin was the default administrator username for a long time. This means that they only need to work out the password for the administrator account. Due to this, most brute force scripts attempt to gain access to your website using the username admin.

You should therefore change your administrator username if you are using admin or another basic username. This will make it much more difficult for a hacker to gain access.

You can do this by entering the following SQL query in PHPMyAdmin (or whatever database manager you are using). Be sure to change newusername to the new username.

UPDATE wp_users SET user_login = 'newusername' WHERE user_login = 'admin';

You could also run the above command directly through your admin area using the WordPress plugin WP-DBManager, but be sure to uninstall the plugin after using it as you do not want to give anyone the opportunity of accessing your database directly through the admin area.

Alternatively, use the plugin Admin renamer extended to change the username directly through your WordPress admin area.

Limit Login Attempts

Hackers use brute force attacks to try and gain access to your WordPress admin area; continually trying new random usernames and passwords. One of the best ways to protect your website against this kind of attack is to install Login LockDown or Login Security Solution. The plugins allow you to limit the number of login attempts from a given IP range.

Once a user has failed a defined number of times, they will be logged out of your website for a defined period of time. The default period of lockout can be increased to a more significant period of time if you wish. You can manually unban any legitimate users that have been locked out, so you need not worry about frustrating your staff.

The great thing about these plugins is that they record the IP address of anyone who fails a login attempt. You can use this information to block those people from your website indefinitely using the .htaccess technique I discussed earlier.

Login Lockdown
Limiting the number of failed login attempts that are allowed makes it difficult to use brute force scripts on your website.
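The plugins above keep their own record of failed logins, but the same signal is already in your web server's access log. Here is an added example (not from the article or from either plugin) that counts failed POST requests to wp-login.php per client address within a sliding five-minute window, flags addresses that exceed a threshold, and renders them as the "deny from" .htaccess block shown earlier in this guide. A failed wp-login.php POST re-renders the form with a 200 response while a successful one redirects with 302, which is how the two are told apart; xmlrpc.php answers 200 either way, so every POST to it is counted. The log lines are constructed, in Apache combined format.

```python
"""Detect brute-force login attempts in an access log and produce the
.htaccess lines to block the offending addresses.

Added example, not from the article or from the Login LockDown plugin.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    path = m.group("path").split("?")[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_bruteforcers(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for every address with more than `threshold`
    failed login POSTs inside any `window`-long interval.  A per-IP deque of
    timestamps keeps memory proportional to the window, not the log size."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        # wp-login.php: 200 = form shown again (failure), 302 = logged in.
        # xmlrpc.php returns 200 for both outcomes, so every POST counts.
        if path == "/wp-login.php" and status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n > threshold}


def htaccess_deny_block(ips):
    """Render the block-by-IP snippet from the article for the given addresses."""
    lines = ["order allow,deny"] + [f"deny from {ip}" for ip in sorted(ips)] + ["allow from all"]
    return "\n".join(lines) + "\n"


# Constructed sample log: one address hammering the login form, one normal user
# who mistypes once and then logs in.
SAMPLE_LOG = [
    f'203.0.113.7 - - [23/Jul/2014:12:00:{i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
    for i in range(12)
] + [
    '198.51.100.20 - - [23/Jul/2014:12:00:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [23/Jul/2014:12:00:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [23/Jul/2014:12:01:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(htaccess_deny_block(find_bruteforcers(SAMPLE_LOG)))
```

On a real server, feed it the access log (`open("/var/log/apache2/access.log")` works in place of SAMPLE_LOG) and review the flagged addresses before adding them to .htaccess, since a shared office or VPN address can be flagged by one person forgetting a password repeatedly.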

Two-Step Authentication Solutions

A two-step login authentication process will make it even more difficult for hackers to access your website through a brute force attack. It forces everyone to use an authorisation code in order to login to your website. For example, you may have to provide a code that can only be accessed via your mobile phone.

Here are some useful authentication WordPress plugins that are available to you free of charge:

  • Google Authenticator – Requires you to enter a secret key or QR code that is provided to you via a Google Authenticator smartphone application
  • Clef – Allows you to login using a passwordless two-factor authentication system using your mobile phone
  • Clockwork SMS – Sends a SMS to your mobile phone with a key that you need to enter to login
  • Duo Two-Factor Authentication – Offers multiple ways to access your website such as a mobile phone application, a SMS, or a phone call
  • OpenID – Allows you to login using the OpenID protocol, which supports every major social media service
  • Authy Two Factor Authentication – Requires you to enter an API key from a smartphone application
  • Stealth Login Page – Login to your website using a secret login authorization code

You may find a two-step authorization login process frustrating, however it is one of the most effective ways of preventing unauthorized parties accessing your website.

Two Step Authorization Process
Introducing a two step authorization login process will strengthen your website security considerably.

Hide Your Login Page

Malicious parties can attack your login page because they know that a default installation of WordPress can be logged into at www.yourwebsite.com/wp-admin/ and at www.yourwebsite.com/wp-login.php. Moving the location of your login files makes it very difficult for hackers to perform a brute force attack.

There are good plugin solutions available that allow you to do this easily:

  • Rename wp-login.php – A multisite friendly plugin that allows you to change your login page. Once activated, the wp-admin directory and wp-login.php page will be inaccessible.
  • Hide Login+ – Allows you to change name of your login page, admin area, logout page, and forgotten password page.
  • Lockdown WP Admin – Another useful plugin that can conceal your admin area and login page.

If you forget the new location of your login page and admin area, you can reset everything by simply deactivating the plugin in question. You can do this by renaming the plugin's folder within /wp-content/plugins/. Alternatively, you could delete the plugin and reinstall it once you have logged back in to your website.

Hide Login
It is difficult for a hacker to login to your website if they do not know where to login.

Remove the WordPress Version Number

By default, WordPress will place a meta tag in your website code that states the version of WordPress you are using:

<meta name="generator" content="WordPress 3.9.1">

Unfortunately, this information is useful to hackers, particularly if you are using an older version of WordPress that has a security hole.

WordPress developer Paul Underwood shared a useful code snippet that lets you easily remove the WordPress version number from your website. You can do this by adding the following code to the top of your theme's functions.php file:

remove_action('wp_head', 'wp_generator');

Alternatively, you can remove the WordPress version number by installing the plugin Remove Version.
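Removing wp_generator from wp_head only takes the tag out of the HTML head. WordPress also prints the version in the generator element of its RSS and Atom feeds and appends it as a ver= query parameter to the URLs of its own scripts and styles under /wp-includes/, so it is worth verifying that the version is actually gone from all three places. The following is an added example (not from the article or from Paul Underwood's snippet) that inspects a page and a feed for these three disclosures; the HTML and feed samples are constructed, and the version values in them are illustrative.

```python
"""Check whether a WordPress site still exposes its version number through
the generator meta tag, the feed's generator element, or ?ver= on core assets.

Added example, not from the article.
"""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

FEED_GENERATOR_RE = re.compile(r"<generator>[^<]*\?v=(?P<v>[0-9.]+)</generator>")


class _VersionLeakParser(HTMLParser):
    """Collects the <meta name=generator> version and every ?ver= value on
    script/link URLs that point under /wp-includes/ (WordPress core assets)."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_versions = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            m = re.search(r"WordPress\s+([0-9.]+)", a.get("content", ""))
            if m:
                self.generator = m.group(1)
        elif tag in ("script", "link"):
            parsed = urlparse(a.get("src") or a.get("href") or "")
            if "/wp-includes/" in parsed.path:
                ver = parse_qs(parsed.query).get("ver")
                if ver:
                    self.asset_versions.add(ver[0])


def version_leaks(html, feed_xml=None):
    """Return a dict of where a version string is exposed: 'meta' (generator
    tag), 'assets' (sorted ?ver= values on core asset URLs) and 'feed'
    (generator element).  An empty dict means nothing was found."""
    p = _VersionLeakParser()
    p.feed(html)
    leaks = {}
    if p.generator:
        leaks["meta"] = p.generator
    if p.asset_versions:
        # Bundled libraries (e.g. jQuery) carry their own version here; the
        # value matching the WordPress release is the telling one.
        leaks["assets"] = sorted(p.asset_versions)
    if feed_xml:
        m = FEED_GENERATOR_RE.search(feed_xml)
        if m:
            leaks["feed"] = m.group("v")
    return leaks


# Constructed samples of a page before hardening and of its RSS feed.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.9.1">
<script src="/wp-includes/js/jquery/jquery.js?ver=1.11.0"></script>
<link rel="stylesheet" href="/wp-content/plugins/example/style.css?ver=2.0.4">
<script src="/wp-includes/js/comment-reply.min.js?ver=3.9.1"></script>
</head><body></body></html>"""

SAMPLE_FEED = ('<?xml version="1.0"?><rss><channel>'
               '<generator>http://wordpress.org/?v=3.9.1</generator>'
               '</channel></rss>')

if __name__ == "__main__":
    print(version_leaks(SAMPLE_HTML, SAMPLE_FEED))
```

To check a live site, fetch the front page and /feed/ with urllib and pass the two bodies in. An empty result for 'meta' after adding the remove_action() line confirms the snippet is working; a remaining 'feed' or 'assets' entry shows where the version is still visible.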

Use Common Sense

When it comes to making your website more secure, a bit of common sense goes a long way. You can reduce the chances of your website being compromised by taking precautionary measures.

  • Do not login to your website on unsecured networks
  • Make sure your computer does not have any viruses by installing antivirus software such as AVG, Avira, or Comodo
  • Install a firewall on your computer for extra protection, such as Comodo or Zone Alarm
  • Only upload files to your website using a Secure FTP (SFTP) client such as FileZilla
  • Do not access your website in an internet cafe PC as someone could track your login
  • Be careful that no one sees you entering your login details in public locations such as coffee shops and airports, in case someone is watching you enter your username and password
  • Be wary of allowing people to upload files to your website via a form as hackers can use it to upload a malicious script – Even if you only allow image uploads, sneaky files such as image.jpg.php have been known to slip through
  • Do not ever give admin access to people you do not know and trust
  • Do not ever make someone editor if you do not know them well
  • If you are ever concerned about logged in users (editors, authors) doing something malicious on your website, use a plugin such as Simple Login Log or track Audit Trail their activity
  • Do not give people you do not know FTP access or access to your website hosting area unless absolutely necessary

Backup Often

The old idiom states that you should hope for the best, but prepare for the worst. This is particularly true with websites. Even if your website security has been hardened, there is no guarantee that your website will not be compromised by hackers. That is why it is important to backup your website frequently.

Most hosting companies provide daily backups of your website; however, if the host's data centre is damaged, be it through a power surge or flooding, your main website and internal backups could both be lost. That is why you need to back up your website externally too.

VaultPress offers one click backups and restores from only $5 per month per website.

There are automated WordPress backup services that make the process of backing up and restoring your website painless. This includes Automattic’s VaultPress, the backup and monitoring service CodeGuard, and the backup and migration service BlogVault.

If you prefer a plugin backup solution, check out BackupBuddy, Backup Creator, UpdraftPlus Backup and Restoration for WordPress, and WordPress Backup to Dropbox.

You should also check out our very own backup solution Snapshot. It can backup your database, your theme files, and your uploaded media. It is one of the few backup solutions that lets you select what tables are backed up.

Backups can be sent via secure FTP or to Amazon S3 or Dropbox. Everything can be restored at the click of a button, which ensures that you can get your website back online as quickly as possible.

Snapshot Backup Solution
Snapshot is a great backup solution that has native support for BuddyPress and WordPress Multisite

Do not become complacent about backups. If your website has been hacked, your content could be modified or deleted completely, and an external backup could be the only thing that saves your website from being lost. Therefore, you need to have a disaster recovery plan in place.


Scanning Your Website

A lot of people wrongly believe that when your website is hacked, your whole website will be broken. However, that is rarely the case, as the goal of the hacker is usually to use your server to send spam mail.

If you know your website has been compromised, you will contact your hosting company and start removing the files the hacker uploaded. If, however, you are unaware of the hacker using your server to send spam, they can continue to use your server to relay their email messages without your knowledge.

The most effective way of discovering malware and suspicious files on your website is to scan your theme files regularly. There are many plugins and services available that help you do this.

  • Theme Authenticity Checker – The plugin will scan all installed WordPress themes for signs of malicious code. It will then highlight this code to you by showing you the path to the theme file, the line number, and a small snippet of the suspect code.
  • Ultimate Security Checker – A plugin that scans your website for hundreds of known threats and gives you a security grade on what it finds.
  • AntiVirus – A great plugin that scans your theme files and database for malicious code injections. Email notifications can be provided on a daily basis after each scan so that you are aware of anything suspicious.
  • WP Antivirus Site Protection – A server side scanner that can detect backdoors, rootkits, trojan horses, worms, PHP mailers, fraudulent tools, adware, spyware, and more. It can be run automatically on a daily basis.
  • Sucuri Sitecheck – The Sucuri scanner can scan your website for malware, spam, and defacements. It will also advise if your website is on any known blacklists.
  • CodeGuard – The CodeGuard service is used to backup your website on a daily basis. If they detect any changes on your website, they will email you with a notification of what was added, modified, or deleted.

Another great plugin you should check out is WP Changes Tracker. The plugin will keep a log of every change in WordPress, in your themes, and in your plugins. It is not a malware scanner, however if you notice anything different on your website, it allows you to look at a change log and see exactly what has changed.
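The two ideas in this section, scanning theme files for suspicious code and keeping track of what changed, can be combined in a small script. The following is an added Python example written for this guide; it is not code from the article or from any of the plugins listed above. It flags a handful of code constructs that legitimate theme files almost never contain and reports path, line number and a snippet (the way Theme Authenticity Checker presents hits), and it compares SHA-256 manifests of a theme directory taken before and after to report added, modified and deleted files (the change-tracking idea behind CodeGuard and WP Changes Tracker). The signature list, the constructed theme files and the simulated tampering in `demo()` are all assumptions made for the demonstration.

```python
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Constructed signature list: constructs that legitimate theme files almost never
# contain. Each hit is reported with path, line number and a snippet. Tune this
# list for your own site; it only catches known constructs, not novel ones.
SUSPICIOUS_PATTERNS = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval of request data",
     re.compile(r"eval\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("shell execution",
     re.compile(r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)),
    ("preg_replace /e modifier",
     re.compile(r"preg_replace\s*\(\s*['\"]/[^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("long encoded blob",
     re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
]


def scan_file(path: Path) -> list[dict]:
    """Return one finding per (line, signature) match in a single file."""
    findings = []
    try:
        text = path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append({"path": str(path), "line": lineno,
                                 "pattern": name, "snippet": line.strip()[:80]})
    return findings


def scan_tree(root: Path, extensions: tuple[str, ...] = (".php", ".js")) -> list[dict]:
    """Scan every file under root whose suffix is in extensions."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in extensions:
            findings.extend(scan_file(path))
    return findings


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file (path relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifests(old: dict[str, str], new: dict[str, str]) -> dict[str, list[str]]:
    """Report which files were added, deleted or modified between two manifests."""
    return {
        "added": sorted(set(new) - set(old)),
        "deleted": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> tuple[list[dict], dict[str, list[str]]]:
    """Constructed end-to-end run: baseline a clean theme, simulate tampering, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "example"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php\nadd_theme_support('post-thumbnails');\n")
        (theme / "header.php").write_text("<?php wp_head(); ?>\n<header>Site</header>\n")
        baseline = build_manifest(theme)   # in practice, keep this baseline off the server
        # Simulated tampering (constructed): a dropped file and an altered existing file.
        (theme / "footer.php").write_text("<?php\n$x = $_REQUEST['c'];\neval(base64_decode($x));\n")
        (theme / "header.php").write_text(
            "<?php wp_head(); ?>\n<header>Site</header>\n<?php system($_GET['cmd']); ?>\n")
        findings = scan_tree(theme)
        changes = diff_manifests(baseline, build_manifest(theme))
    return findings, changes


if __name__ == "__main__":
    found, changed = demo()
    for f in found:
        print(f"{f['path']}:{f['line']} [{f['pattern']}] {f['snippet']}")
    print(changed)
```

To use it on a real site, point `scan_tree` and `build_manifest` at your wp-content directory, store the baseline manifest somewhere the web server cannot write to, and re-run both on a schedule. The manifest diff is the more reliable of the two checks: a signature list only recognises constructs you already know about, whereas any unexpected change to a file you did not edit deserves a look, which is exactly why the services above email you a list of what changed.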

Scan Your Website
Scanning your website regularly will help you detect malicious activity on your website.


All-in-One Security Plugins

If you are not a technical person, you may want to consider protecting your website using an all-in-one security solution. These WordPress plugins can toughen your website at the click of a button by addressing common WordPress security issues. Some also add a firewall and scan your website on a daily basis for malicious files.

Let’s take a closer look at some great all-in-one security plugins.

BulletProof Security is a feature packed security plugin that offers .htaccess website security protection, file intrusion detection, login security, database backups, and daily monitoring. It also keeps a log of anything that is changed.

The plugin has many configuration options. If you don’t want to configure these options yourself, you can choose to harden your website with one click.

BulletProof Security
BulletProof Security can protect your website at the click of a button.

Acunetix WP Security is a security plugin that can check for vulnerabilities in passwords, theme files, and your admin area.

The plugin has many useful options such as removing the WordPress version, disabling PHP error reporting, removing update notifications, and more. A live traffic tool is also included.

Acunetix WP Security
Acunetix WP Security addresses common WordPress security holes.

Sucuri Security will scan your website and detect PHP mailers, injections, malicious redirects, phishing attempts, and more.

The plugin also includes one click hardening options such as protecting your uploads directory, removing the WordPress version number, disabling theme and plugin editors, and restricting access to the /wp-content/ and /wp-includes/ directories.

Sucuri Security
In addition to scanning your website, Sucuri Security can also harden your website and make it more secure.

Formerly known as Better WP Security, iThemes Security is the most downloaded WordPress security plugin on WordPress.org.

The plugin addresses common WordPress security weaknesses by renaming the admin account, changing the ID of the first user from 1, removing login error messages, and displaying a random WordPress version number to non-administrative users. It also features a monitoring system that will detect bots and file changes.

iThemes Security
iThemes Security is one of the most effective ways of securing a WordPress website using a plugin.

Wordfence Security features mobile phone two-factor authentication logins, a firewall to block common security threats, and a password strength checker.

The plugin can scan your website for backdoors, malware, and phishing attempts. It will also monitor your disk space usage to help detect DDoS attacks.

Wordfence Security
Wordfence Security protects your website from malware, bots, phishing attempts, and much more.

Final Thoughts

Securing your website is something you need to take seriously. If you don’t take any security precautions for your website, you run a high risk of being hacked. This could cause your website to be blacklisted because it sent out spam. In a worst-case scenario, you could lose all of your data.

By just taking thirty minutes out of your day, you can make your WordPress website secure and make it less likely that a hacker will do something malicious on your website.

If you fail to prepare, prepare to fail.

In the event of your website being compromised, stay calm. The best thing to do is reset your password, scan your website for malicious content, and contact your host for help on putting everything back to normal. By backing up every day, you can avoid the risk of your website content being completely lost.

If you want to learn more about securing your website, check out our WordPress Security Essentials series of articles.

  1. WordPress Security Essentials: Say Goodbye to Hackers
  2. WordPress Security Essentials: Four Points Of Vulnerability
  3. WordPress Security Essentials: Password and Username Safety
  4. WordPress Security Essentials: Building A Layered Defense
  5. WordPress Security Essentials: Obscurity Tactics and Backups

Be sure to check out the Hardening WordPress guide at WordPress.org, too. It has a lot of useful information on how you can improve the security of your website.

Do you know of any other great security tips for WordPress? If so, please share them in the comments below.

Image credits: Moyan Brenn

Simplify Your WordPress Theming With Twig And Timber http://premium.wpmudev.org/blog/simplify-your-wordpress-theming-with-twig-and-timber/ http://premium.wpmudev.org/blog/simplify-your-wordpress-theming-with-twig-and-timber/#comments Mon, 21 Jul 2014 13:55:45 +0000 http://premium.wpmudev.org/blog/?p=130871 In a recent article on future features that WordPress could consider, I included adding a templating language to the core.

One such language is Twig and an implementation already exists for WordPress via the Timber plugin.

So, what is a templating language, how does it work in a WordPress environment and is it worth the effort?

Twig logo
Templating languages can bring massive advantages to WordPress theme development

Twig, from SensioLabs, is a “flexible, fast, and secure template engine for PHP”.

In a nutshell, Twig provides a meta-language (it is compiled into PHP) specifically designed for turning data into formatted output. That output is generally HTML but it doesn’t have to be – it can quite happily be XML, JSON or any plain-text format.

The output is generated by providing the Twig engine with the requisite data (as a PHP object) and telling it which template to render. The engine takes care of the rest.

But why change? There are thousands of existing WordPress themes that seem to do okay (some more than okay) using PHP. What’s the big deal with templating languages?

Advantages Of Using A Templating Language

The Twig website lists 6 major advantages of using the Twig templating language:

  1. Concise – compared to PHP, Twig is very concise making it easier to write and maintain
  2. Template orientated – it is a language that is purpose-built for creating output, rather than being a multi-purpose language such as PHP
  3. Full-featured – Twig is powerful, with inheritance and blocks making modular design very easy.
  4. Easy to learn – you certainly don’t need to be a developer to get the hang of Twig
  5. Extensibility – developers can add plugins to ensure that Twig can cover any front-end requirement
  6. Fast – this advantage may depend on how you rate your PHP skills as Twig is compiled down to PHP. I think it’s highly likely that for me, at least, the resultant PHP will be better than what I can come up with.

Biggest Advantage Is Separation Of Data And Design

What I really like about Twig is that it completely separates data from design. Twig is a template engine: you provide it with data and tell it which template to render.

This means that the underlying application is now only concerned with collating that data, there’s no requirement for its own themes. For WordPress that also means that plugins become data focussed whilst front-end controls, such as sliders, become the domain of Twig.

What Does Twig Look Like?

Twig is designed to work with any PHP application and it’s very easy to bootstrap it for testing (another of its advantages). A simple PHP file to render a template might look like this:

And the actual Twig template:

All very straight-forward and a lot cleaner than the traditional PHP/HTML mix. In fact, there are several CMS, such as Pico, that use this kind of approach (or perhaps a little more sophisticated although it does describe itself as “stupidly simple”!) to generate sites.

Timber: Bringing Twig To WordPress

We are, of course, interested in Twig and WordPress and it’s the Timber plugin that brings the two together. For some reason, there are 2 plugins called Timber in the WordPress repository so make sure you get the right one!

The plugin is the impressive work of Boston editorial designers Upstatement and performs three main tasks:

  1. Integrates the Twig engine into WordPress
  2. Creates a foundation WordPress data set
  3. Handles the rendering of Twig templates

Whereas in a normal WordPress theme you are mixing the data collation and its subsequent formatting in the same PHP files (think The Loop), a Timber template splits the two functions. In its basic form, the template file is only concerned with collating the data and then using that data to render a template, or view if you like, that is held in a separate file.

An example will help greatly, so let’s walk through one.

Here’s the index.php file for the Bosco theme (I’ve picked this theme as it is fairly simple):

The theme contains the familiar WordPress Loop and uses the get_template_part function to generate the output for each post in the list. (For the example, we are going to assume that all posts are of the standard format.)

With Timber, though, the index.php is only concerned with collating the required data:

It uses pre-baked Timber methods to get the generic data and then renders the index.twig template:

Not much in this template as I’ve followed the same modular approach as the original (i.e. code that gets used in multiple locations is placed in its own file) but we can already see Twig’s concise nature and powerful features at work.

First, there’s the else on the for statement. It works like the else on an if statement and will execute if the posts variable is empty. No need to wrap the for in an additional if statement. It’s also possible to perform actions based on the index value of the loop, so outputting a header on the first iteration or a footer on the last iteration, for example.

Second, there’s the use of Twig inheritance. In this case, the index template is extending the base template and providing content for the content block.

Let’s have a look at the base template:

There’s an import statement at the top of the file which makes some custom macros available to all files. For the sake of brevity, I’ve kept the original get_header, get_sidebar and get_footer functions (but called using Timber) and so the only block is the content block.

So, let’s have a look at the content.twig template:

This is a bit more interesting.

This template is only concerned with outputting a single article element and it’s pretty easy to work out what’s going on, even without being familiar with the Twig language.

All the variables being checked in the if statements or being output in the {{ }} statements are assembled by the PHP file and are passed to the Twig template.

The Timber plugin not only collates most of the data itself it also provides a few WordPress-specific essentials. For example, a post’s content is accessible via post.post_content, however, this is the raw content and so Timber provides the post.content method which will return the content after applying all filters and running all shortcodes.

You’ll see at the bottom of this template that there are a couple of calls to macros: one to output the post meta and one to output the post’s categories and tags.

The macros are stored in a Twig file (I’ve called it macros.twig but it could be any name) which is imported in the base.twig template. They don’t automatically have access to the data, so this gets passed to the macros:

This is where the advantages of an extensible templating language start to shine. A macro could be anything from outputting post meta to elaborate menuing to a full-screen slider and rather than being added as a plugin, it simply gets added as a Twig macro. All that needs to happen on the PHP-side of things is to ensure that the macro has the data it needs.

OK, But PHP And Twig? Isn’t That Doubling-Up?

The general assumption is that a Timber theme will follow the general convention and create a PHP file for each template that a theme may require, using the WordPress Template Hierarchy as a guide.

As we know, the Template Hierarchy is a wonderful thing. It allows us to easily get very specific with our templates. If we want to output category post lists differently to the other archives, we create a category.php file and it automatically gets used. If we want to get even more specific and have our sport category post list displayed differently to other categories then we create a category-sport.php.

This allows for incredible flexibility without the need to do any reconfiguring – simply drop a template into the theme directory with the appropriate name and it will automatically take its place in the template pecking order.

With Timber and Twig, because the PHP files are just collating data, there tends to be quite a lot of repetition. It’s possible, therefore, to take advantage of the WordPress Template Hierarchy and create just a single index.php that can generate the data we need and then work out the correct Twig template to render:

Timber Deserves A Closer Look

This has been a brief overview of what is a powerful and thought-provoking plugin, and if it has whetted your appetite then I strongly recommend installing the plugin, browsing the Timber and Twig documentation and either grabbing the Timber Starter Theme (part of the plugin package) or converting an existing theme to get a feel for how it all works.

I think what you make of Timber and Twig will probably depend on the type of theme you are trying to build. A sidebar heavy, widget laden theme is not the best choice and it’s interesting to note that Upstatement are very much focussed on news media organisations.

You might also find that you are short on data and you’ll need to either extend Timber or simply update the PHP components of your theme to ensure that all the required data (logged in user data, for example) is being provided to the Twig templates.

What I really like about the Timber and Twig combination is the separation of data and design which means that designing a theme for WordPress (or any other CMS that uses Twig, of course) doesn’t require any knowledge of PHP and perhaps not even that much knowledge of WordPress itself.

Agree on what data is going to be made available, and the developer and the theme designer can truly work on a site simultaneously.

A Possible Addition To The WordPress Core?

The advantages of a templating language also make me think that it should be seriously considered as a potential update to the WordPress core.

Much has recently been written about the need for WordPress themes to return to being clean and design-only, with functionality split out into plugins. If nothing else, Twig forces the theme developer down this path.

You can imagine that it would be relatively straight-forward to build the dataset and make it available to a templating engine such as Twig (perhaps the WP-API already provides much of this functionality?) although the huge library of existing themes and the massive install base might prove a massive hurdle.

However, that doesn’t mean that Twig and its ilk should be summarily dismissed. Templating languages bring big advantages to theme development, not the least of which is a level of simplicity that is often missing from the traditional WordPress theme.

For that reason alone, Twig via the Timber plugin is worth investigating.

Do you have experience with using a templating language either on WordPress or another CMS?

How to Inform Your Users When Comments Are Closing http://premium.wpmudev.org/blog/how-to-inform-your-users-when-comments-are-closing/ http://premium.wpmudev.org/blog/how-to-inform-your-users-when-comments-are-closing/#comments Sat, 19 Jul 2014 12:00:00 +0000 http://premium.wpmudev.org/blog/?p=130298 WordPress allows you to close comments after a certain number of days, but if you have visitors actively taking part in a discussion in the comments of a post, it might be a shock to them when they discover they can no longer comment.

In today’s Weekend WordPress Project, I’ll show you how to add a warning message to the bottom of your posts to alert visitors when comments are due to close.

Feature image
Let your visitors know when comments are closing on your posts.

Adding “Comments Are Closing” Message

Before we get started, we need to set comments to close. In WordPress go to Settings > Discussion and in the “Other comment settings” section, tick “Automatically close comments on articles older than” and enter the number of days you want to keep comments open for.

Set your comments to close automatically.

WordPress has a handy built-in function – human_time_diff() – for displaying relative time in a human-readable format, just like Twitter and Facebook.

For example, instead of your posts displaying, “Posted on January 23 at 10.30am,” you could display, “Posted 5 hours ago.”

We can take advantage of the human_time_diff() function to display a human-readable time in our alert message.

To add “Comments on this post will automatically close in XX”, just add the following snippet to your theme’s functions.php file:

add_action( 'comment_form_top', 'topic_closes_in' );

function topic_closes_in() {
    global $post;
    if ( 'open' === $post->comment_status && get_option( 'close_comments_for_old_posts' ) ) { // only when comments are open and auto-closing is enabled
        $close_comments_days_old = get_option( 'close_comments_days_old' ); // the "older than" value from Settings > Discussion
        $expires = strtotime( "{$post->post_date_gmt} GMT" ) + $close_comments_days_old * DAY_IN_SECONDS; // closing time as a Unix timestamp
        printf( __( '(Comments on this post will automatically close in %s.)', 'domain' ), human_time_diff( $expires ) );
    }
}

Your posts will now display a message in the comments section that provides a countdown alerting visitors when comments will close.

Comments message
The alert message will display in the comments section of your posts.

If you would like to display a different message, simply edit line 8 in the code and add in your own message.

6 Steps To Optimizing Your WordPress Site For Mobile Devices http://premium.wpmudev.org/blog/6-steps-to-optimizing-your-wordpress-site-for-mobile-devices/ http://premium.wpmudev.org/blog/6-steps-to-optimizing-your-wordpress-site-for-mobile-devices/#comments Fri, 18 Jul 2014 12:00:00 +0000 http://premium.wpmudev.org/blog/?p=130724 It’s tempting to think that catering for your mobile audience is as simple as installing a responsive theme.

Even if your theme does look good on a mobile device (and there’s plenty that do), there’s still plenty more you can, in fact, should, do to optimize your mobile visitors’ experience.

Here are 6 steps to delivering the perfect mobile WordPress experience.

WordPress logo in an iPhone in landscape and an iPhone in portrait
Optimizing the mobile experience is more than just the right theme

Mobile web browsing may not match the dizzying heights of mobile app usage but it’s not a trend that can be ignored.

More significantly for those of you that publish regular email newsletters is that, according to Pew Research’s latest Mobile Technology Fact Sheet, 52% of US smartphone owners read email on their device. You work hard to get those precious click-throughs; don’t let them be undermined by content and design that doesn’t work on the device.

Whilst the right theme is obviously a critical step in delivering the optimal mobile experience, it isn’t the only one.

You also need to look at:

  • mobile-specific menus – desktop menus rarely translate well to mobile, either because they are simply too large or contain links to content that is a low priority or even irrelevant for mobile users.
  • adaptive content – it’s virtually impossible to create post titles and excerpts that work well on expansive desktops and constrained mobiles, so don’t try, instead create versions for both
  • adaptive images – smaller screens work perfectly with smaller images so save your visitors’ time and bandwidth by sending them mobile-optimized images
  • theme switchers – if you opt for a mobile-specific theme rather than sticking with your current theme you are also going to have to look at a theme switcher to ensure that your mobile visitors get the correct theme
  • testing the mobile experience – no matter which approach you take you are going to need to test how your mobile site looks and behaves

In fact, we are going to start with the last on that list, testing the mobile experience.

Step 1: Set-up A Testing Environment

Screen shot of the iOS Simulator and Android Emulator running on OS X
Installing the iOS and Android simulators can be fiddly but is worth the effort

There’s no point going through all these steps if you can’t properly test the end result, especially if you want to build and test on a local machine.

Whilst you can do fairly extensive testing using browser plugins and simply changing the screen size, it’s far better to actually test on a mobile device itself or, if you don’t have access to the real device, a simulator.

Before you move on to Step 2, read this post on setting up a mobile test environment. You don’t have to install all the simulators listed: I usually just work with the iOS simulator that will provide both tablet (iPad) and mobile (iPhone) testing capability.

Step 2: Choosing The Theme

Add themes
Now you need to add mobile experience to your criteria when evaluating a theme

As any site owner knows, picking a theme is difficult, not least because the choice is so enormous.

Regardless of whether you already have an existing theme (responsive or otherwise) or are trialling new themes (mobile or desktop) you need to test them to ensure they are going to provide the sort of experience that you are comfortable with.

Many responsive themes make design choices that you need to be comfortable with, and therefore extensive testing is imperative.

Hopefully, you’ve installed the iOS simulator, so fire it up, change the hardware to the iPhone and browse to your site to assess the theme’s performance using this small checklist:

1. Does it fit?

The issue of “fit” is not just about whether the content stays within the confines of the screen but also covers the amount of content your visitors will be able to see. Remember that the more visual clues there are on a screen, the less your visitors have to guess or scroll:

  1. Are there any scrollbars, particularly horizontal scrollbars?
  2. Do all images sit within the screen?
  3. Is text (titles, headings, body) appropriately sized?
  4. Can you see at least the title of the first post on the home page?

If you have an existing site then this will be relatively easy to test. If you don’t then set up a test site and import the test content from wptest.io.

2. Do the menus work?

They come in all shapes and sizes so check that the menu works how you would like it to:

  1. Is accessing the menu obvious?
  2. Can you immediately see all the important menu options?
  3. Is it easy to scroll the menu?

3. How are sidebars handled?

If your theme has sidebars then the decisions that responsive themes make in dealing with them are hugely important – and my chief bugbear.

Themes generally have three options: hide the sidebar; move it to below the content as a sort of additional footer; or turn it into a slide-out element.

You need to pay particular attention to:

  1. Does essential content become hard or impossible to locate?
  2. If the sidebar is moved beneath the content does this create an ugly doubling up of footers?

It’s often the case that the best responsive themes are those that don’t use sidebars at all.

If Your Current Theme Isn’t Up To Scratch

So, you’ve played with your current (or preferred) theme on a mobile and you’re not entirely happy with it. What are your options?

  • Just live with it – perhaps justified if your mobile traffic is low but this is really just parking the problem
  • Change your theme – go the whole hog and switch to a new theme that handles mobile more to your liking
  • Use a mobile theme – use a theme specifically designed for mobile devices (requires a theme switcher plugin also). You will likely need to go premium to get a decent theme.
  • Use Jetpack’s Mobile Theme Feature – Automattic’s multi-faceted plugin Jetpack includes a feature to use its own mobile theme
  • Use WPtouch – one of the most popular WordPress plugins (5 million plus downloads), WPtouch is like Jetpack but better. Available in both free and premium versions, the free version will allow you to create a pretty decent mobile experience very quickly
  • Custom-build a mobile theme – if you’ve got the time and a modicum of HTML and CSS skills then you can build your own theme.

Step 3: Add Mobile-specific Menus

Being able to display menus specifically created for a mobile device is an essential component in the overall experience.

Navigation is a key component on any site and the chances are that the menu you designed for your desktop site is not going to work anywhere near as well on a mobile site simply due to the available screen real estate.

A potentially more important, and often overlooked consideration, is whether your mobile visitors have the same content priorities as your desktop users. For example, a Contact Us page with a location map might be a high priority, whilst a link to archives may not.

How do you create mobile-specific menus?

If you go down the WPtouch path then it’s built into both the free and premium version of the plugin.

Otherwise, you will have to “roll your own”, but it’s not that difficult – here’s a tutorial that shows you how to create your own adaptive menus.

Step 4: Make Content Adaptive

Photo of publication in various formats
There’s a lot to learn about content and mobiles

(Find this excellent book at A Book Apart)

Just like menus, not all your content will scale down appropriately to a mobile device particularly:

  • Long titles and excerpts
  • Infographics and images that contain text or numbers
  • Multi-page content

We need to make content that is going to look good on a mobile but how do we do that without compromising how it looks on a desktop? By making it adaptive.

Adaptive content allows for content to be targeted at a particular platform either by creating alternatives (such as a short title custom field to replace title on mobiles) or by controlling whether content is visible at all (via shortcodes).

The controlling visibility is important. Some content, particularly infographics, may be unintelligible on a mobile simply due to the screen size; in such cases it’s better to not deliver the content at all.

Implementing some simple adaptive content techniques will help enormously in making your mobile site compelling, whether you use a responsive or mobile-specific theme.

Step 5: Add Adaptive Images Capability

A significant issue when delivering images to mobile devices is that the file that is delivered to the device is far larger than is required.

This is where adaptive images come in. Basically what happens is that a request for an image file is analyzed to determine the type of device making the request. An image file is then dynamically delivered that is optimized for that platform.

This means that you don’t have to worry about explicitly creating images for each platform, it’s all taken care of for you.

Implementing adaptive images will have a noticeable impact on page download speeds and is highly recommended.

Step 6: Install A Theme-Switcher

If you are not using a plugin such as Jetpack or WPtouch to provide your mobile theme, then you will need to install a theme-switcher: a plugin that detects the device making the request and makes WordPress use a predefined theme when building the response.

The level of control varies from plugin to plugin so you need to pick one that will allow you to cover the platforms and devices that you are targeting. The Any Mobile Theme plugin is certainly worth looking at, allowing individual assignment across a wide range of mobile devices, including some tablets.

Screenshot of the plugin's settings page
Switch themes by device and operating system

Now You Have A Mobile Site

It may have taken a fair amount of work but if you’ve followed the 6 steps you’ll now have a mobile site that will be delivering an optimal experience and won’t look and feel like an afterthought.

And even if you go for using Jetpack or WPtouch (particularly the free version) then the steps covering menus, adaptive content and adaptive images are still relevant.

Your mobile traffic may not be significant at the moment but it will grow as the inevitable shift to access the web on mobile devices continues and you will need to address it at some point.

Better to do it now and be 6 steps ahead of your competition.

How To Make Your WordPress Site Mobile-Friendly In 15 Minutes http://premium.wpmudev.org/blog/how-to-make-your-wordpress-site-mobile-friendly-in-15-minutes/ http://premium.wpmudev.org/blog/how-to-make-your-wordpress-site-mobile-friendly-in-15-minutes/#comments Sun, 13 Jul 2014 14:00:00 +0000 http://premium.wpmudev.org/blog/?p=130651 Have you checked how your WordPress site looks on smaller screens, particularly mobile phones?

Even if you are using a responsive theme, you and your visitors may well still be better off with a dedicated mobile theme.

In this Weekend WordPress Project, we’ll take a look at giving your WordPress site a free mobile makeover with the WPtouch plugin.

Feature image
A mobile-friendly version of your WordPress site is quick and easy with WPtouch

The Basics Of Being Mobile-Friendly

Whilst having a design built for mobile screens is obviously an integral component of being “mobile-friendly”, it’s not the sole consideration.

Mobile Menus – being able to use a separate menu on a mobile is a must, not just so that it is easier to use but also because you might want to expose a modified body of content.

Platform Specific Plugins - The ability to switch plugins on and off according to the visitor’s device is also incredibly useful. Why make WordPress go to all the effort of loading a plugin if its functionality is not required?

Mobile Specific Content - Even content can (perhaps should?) change between platforms. On mobiles you might want shorter titles and excerpts that fit better on the smaller screen, even shorter bodies.

The 80/20 Approach

You’ve probably heard of the 80/20 rule, also known as the Pareto Principle after the Italian economist Vilfredo Pareto, who first observed it.

Making your site completely mobile friendly with a custom theme that ties in with your desktop theme, menus and plugins that are platform sensitive and content that adapts to the device is a considerable effort. Certainly more than a Weekend WordPress Project’s worth.

Using a plugin will achieve 80% of what we want for only 20% (or less) of the effort required for the full custom approach. Perfect for a Weekend WordPress Project.

WPtouch, The Plugin Of Choice

If a plugin has been downloaded more than 5 million times then it’s probably a safe bet that it’s pretty good at its job.

But you know us, we like to make sure before we recommend something and having played with a number of the options available, WPtouch is, indeed, a sound choice for a quick and easy approach to making your site mobile-friendly, and is highly configurable even in the free version.

It’s important to note that WPtouch only gets activated for mobile phones and not tablets.

So, let’s quickly walk through a barebones, essentials-only, install and configuration of the WPtouch plugin.

1. Download and Install

Go to Plugins > Add New in your WordPress dashboard and search for WPtouch. When the result comes up click on Install, and then on Activate Plugin.

Alternatively, you can download it from the WordPress plugin repository.

You’ll see a new option added to your admin menu, WPtouch, which is, not surprisingly, where you configure how your mobile theme behaves and looks.

There are 4 pages of options (some with multiple tabs) and it can be a lot to initially get your head around, so we’ll take it in logical steps.

2. Test It Works

Before you do any configuration, let’s test that it works. The free version only has one default theme, so it should all work on activation.

Before you do that though, if you only want to test WPtouch and not show your mobile work-in-progress to the world then jump into WPtouch > Core Settings and set the Display Mode to Preview.

Browse your site on a mobile device (or simulator) and make sure you are seeing the mobile theme.

3 iPhone screenshots of the home page and a post detail page using the Bauhaus theme
German art school or 80s punk band? Either way, the default Bauhaus theme is actually very good

3. Set Up A Mobile Menu

The free version of WPtouch provides the essential option of specifying a menu for use on mobile devices and I would urge you to do so (after having first thought about what content is most important for your mobile visitors, of course!).

Create a new menu in the usual WordPress way (Appearance > Menus). Give it an obvious name, such as Mobile Menu and then in the WPtouch Menus settings page, select the mobile menu from the drop down list and check Menu Options as appropriate (check it if you are unsure).

Screengrab of the WPtouch menu options allowing the selection of a WP menu
Creating a menu specifically for your mobile theme is well worth the effort

Go back to your site, refresh, and click on the hamburger icon to check that your mobile specific menu is being displayed.

4. Add Bookmark Icons

When a visitor bookmarks your website, it potentially adds an icon to their home screen. If you don’t provide an icon, the device will either use a default icon or take a screengrab, neither of which is going to make your site’s icon easy to find or help with your branding.

Create two icons, one for Android (96×96 pixels) and one for iOS (120×120 pixels) both in the png format and upload them on the WPtouch > Theme Settings > Bookmark Icons options page. You can also override the site title here if you want to (perhaps if it is overly long).

Screengrab of the WPtouch Bookmark Icons options page allowing for the uploading of Android and iOS icons
Adding bookmark icons will vastly improve the visibility of your site on a mobile home screen

Back to your site, refresh, and test the bookmarking.

5. Now You Can Tweak

Now that you’ve got all the essentials done, you can further refine how your mobile site looks and behaves via the Core Settings and Theme Settings.

Core Settings

On this page you can override the site title, select a specific language, display the mobile theme only to administrators (useful for testing), select a mobile specific landing page (home page) and add custom HTML, CSS or JavaScript.

Theme Settings

The Theme Settings are pretty extensive but liberally sprinkled with Pro only features.

The default (and only) theme available with the free version is Bauhaus. Presumably named after the famous German art school rather than the slightly less-famous 80s British punk band, this theme is actually okay. The design is clean and easy to use and includes a slider and a dropdown menu attached to the now ubiquitous “hamburger” icon.

The Theme Settings page has 5 tabs:

  • General – these allow you to tinker with the output including the number of posts in the listings pages, excluding posts from certain categories and tags, where to show featured images, post metadata, comments, the slider and how the login form works (if you need it).
  • Branding – You have a few options here with color selection, site logo, custom footer content (including HTML), fonts and which sharing links to show on single posts.
  • Bookmark Icons – As already discussed this will determine the icon displayed on your visitor’s home screen when they bookmark your site.
  • Web-App Mode / Advertising – All useful stuff but all restricted to the Pro version. Presumably included so you can see what you are missing out on.

Going Pro: Great Features, Appalling Pricing Model

As you go through the settings pages for WPtouch you’ll notice that plenty of the options are restricted to the Pro version and are very attractive: more choice of themes, mobile only content, responsive images and caching to name a few.

Unfortunately, annoyingly, the pricing model for WPtouch is hardly customer-friendly.

You might think that buying a single licence for $49 might get you all the Pro features for 1 site but you’d be wrong. There’s no caching in a single site licence, for that you need the 5 Pack licence at $99 and if you want responsive images then you’ll need to fork out for an Agency licence (30 sites) that will set you back $199, even if you only want to use it on 1 site.

The WPtouch pricing table
To get access to all features inexplicably requires a multi-site licence.

Why this melding of 2 pricing models? Why doesn’t Pro get you all the features, with you then simply paying according to how many sites you want to use the plugin on?

This does smack of WPtouch wanting to have its cake and eat it and the model, which basically makes caching and responsive images premium-premium features, leans dangerously close to price gouging.

That said, the free version is certainly good enough to provide you with a very decent mobile site for less than 15 minutes effort. Difficult to complain about that.

How to Remove the WordPress Admin Toolbar From Your Site http://premium.wpmudev.org/blog/remove-the-wordpress-admin-toolbar/ http://premium.wpmudev.org/blog/remove-the-wordpress-admin-toolbar/#comments Sat, 12 Jul 2014 15:30:00 +0000 http://premium.wpmudev.org/blog/?p=130295 WordPress automatically displays a toolbar at the top of the page when you’re logged in. Whether you’re viewing the WordPress dashboard or the front page of your site, it’s still there – and for many people it’s an annoyance.

For developers, the toolbar can slightly throw off a theme’s design, especially if you have some CSS styling that may not be visible if the admin bar is displayed. For others, the toolbar is just distracting.

Either way, it’s easy to disable the toolbar. In this Weekend WordPress Project I’ll show you a couple of ways to remove it from your site’s front-end – in WordPress settings and also with code.

Admin toolbar
Disable the WordPress admin toolbar in today’s Weekend WordPress Project.

Turn Off the Admin Toolbar in Settings

Toolbar option
Disable the admin toolbar in your profile settings.

To remove the toolbar from your site, go to Users > Your Profile. Scroll down to “Toolbar” and uncheck “Show Toolbar when viewing site.”

And that’s all you need to do. The toolbar will no longer appear on your site for that user. Note that this is a per-user profile setting: it hides the toolbar only for the account you edited, so other users will still see theirs.

While the toolbar will stop displaying on the front-end of your site, it will continue to show on the backend of your site. It’s best to leave the backend toolbar as it is – it does contain important information about your site, after all.

Remove the Admin Toolbar with Code

If you would rather remove the toolbar with code, just drop the following snippet into your functions.php file:

add_filter('show_admin_bar', '__return_false');

This code will stop the toolbar from displaying on the front-end of your site for every logged-in user, administrators included (the dashboard keeps its toolbar regardless).
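If hiding the bar from everyone is too blunt, the same filter can be made selective. The following is an added example (not from the original post) that keeps the front-end toolbar for users who can manage the site and hides it for everyone else; the choice of the manage_options capability as the dividing line is an assumption you may want to change:

```php
<?php
/**
 * Plugin Name: Example Front-End Toolbar Control
 * Description: Added example, not from the original post. Hides the toolbar on
 * the front end for everyone except users who can manage the site, rather than
 * for every user as the one-line __return_false snippet does.
 *
 * Put this in wp-content/mu-plugins/ so the behaviour survives a theme switch;
 * a snippet in functions.php only lives as long as that theme is active.
 */

/**
 * Callback for the 'show_admin_bar' filter. $show is the value WordPress has
 * already worked out, which honours each user's own profile setting, so this
 * code only ever turns the bar off, never forces it on. WordPress applies this
 * filter to front-end requests only; the dashboard always keeps its toolbar.
 */
function example_show_admin_bar( $show ) {
    // Assumption: administrators (the 'manage_options' capability) are the
    // only users who should keep the front-end toolbar. Adjust as needed.
    if ( current_user_can( 'manage_options' ) ) {
        return $show;
    }
    return false;
}
add_filter( 'show_admin_bar', 'example_show_admin_bar' );
```

Returning $show rather than true for the privileged case matters: an administrator who has unticked the toolbar in their own profile should still not see it, and this keeps that decision with the user.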

WordPress.org vs WordPress.com: A Definitive Guide For 2014 http://premium.wpmudev.org/blog/wordpress-org-vs-wordpress-com-a-definitive-guide-for-2014/ http://premium.wpmudev.org/blog/wordpress-org-vs-wordpress-com-a-definitive-guide-for-2014/#comments Thu, 10 Jul 2014 11:00:00 +0000 http://premium.wpmudev.org/blog/?p=130330 WordPress.org or WordPress.com? If you’re new to WordPress, it’s a common question and often one that needs a little explanation since the two get confused.

In this post we’ll compare the two and look at their pros and cons. We’ll explore:

  • The differences between WordPress.org and WordPress.com
  • Compare each of their:
    • Costs
    • Freedoms and limitations
    • Maintenance and development
  • How to decide between WordPress.org and WordPress.com

What is WordPress.org?

The WordPress.org website.

WordPress is open source blogging/CMS software that powers 22 per cent of the web, including this site.

The software is a community-driven project and WordPress.org is where you can download the WordPress installation files, and search for and download free themes and plugins.

The site also contains WordPress news, documentation and community support forums. It’s also the place to go if you want to get involved in the WordPress project and contribute to the core code, mobile apps, translation and accessibility.

What is WordPress.com?

The WordPress.com website.

WordPress.com is a commercial website where you can host a free site with some limitations or pay a yearly fee to remove the restrictions.

The site runs on the WordPress software offered at WordPress.org.

Matt Mullenweg, who co-created the WordPress software, also founded Automattic, the company that operates WordPress.com.

Since WordPress.com is a hosted service, it means you don’t have to worry about finding a web host or downloading and installing the WordPress software. The service does all that for you.

Comparing WordPress.org and WordPress.com

Now let’s compare three of the most important considerations when deciding between WordPress.org and WordPress.com: cost, freedoms and limitations, and maintenance and development.

Cost Comparison


If you’re new to WordPress, it’s important to note that even though WordPress is free, open source software, hosting your own WordPress is not free.

You will need hosting and a domain to run WordPress. Hosting with popular web hosts like Go Daddy and Bluehost is pretty cheap (as outlined in the image below). Domains usually cost around $10+ a year.

Once you’ve got your site set up, then you need to think about themes and plugins. There are many free themes available at WordPress.org, but these usually lack the advanced features and functionality needed for, say, an online store or a business/corporate site. There are many premium theme stores around, like Elegant Themes or WooThemes, and the Themeforest marketplace offers more choice than you can poke a stick at.


On the other hand, WordPress.com offers plans and upgrades.

The plans include:

  • Basic – Free – Includes free blog, WordPress.com address, basic customization, no premium themes included, no eCommerce, no video storage, 3 GB of space, may show ads, community support.
  • Premium – $99 – free blog, a custom domain, advanced customization, no premium themes included, no eCommerce, store dozens of videos, 13 GB of space, no ads, direct email support.
  • Business – $299 – free blog, a custom domain, advanced customization, 50+ premium themes included, eCommerce, store unlimited videos, unlimited space, no ads, live chat support.

Here’s a quick visual breakdown comparing costs for WordPress.org and WordPress.com:

WordPress cost comparison

There are some other WordPress.com upgrades, too:

  • Custom design – $30 per blog, per year
  • Guided transfer to a self-hosted WordPress.org site – $129 per blog
  • Premium themes – One-off $20 fee, or $120 per year for unlimited themes
  • Site redirect – $13 per blog, per year
  • VideoPress – $60 per blog, per year

A free Basic WordPress.com plan is the least expensive option, particularly if you don’t want a custom domain name and don’t mind using their free themes with no modifications.

If you want a fully-featured site with your own domain name, unlimited storage for your videos and images, and no advertising, WordPress.com can become quite expensive.

If cost is your most important consideration, then downloading WordPress from WordPress.org will be your most affordable option.

Freedoms and Limitations


Limitations or no limitations?

When you set up a site using WordPress on your own server, you have the freedom to do whatever you want with it.

You can:

  • Use any free or premium plugin
  • Use any free or premium theme
  • Add and edit files via FTP, cPanel or whatever method your web host allows
  • Tweak WordPress files and server settings to improve performance
  • Full control of your content – no ads


In comparison, WordPress.com comes with limitations. The folks at WordPress.com are running a business. They provide the convenience of a WordPress environment all ready for you to use. They maintain the software so that you never have to touch code or worry about security or other such concerns.

In return, you must pay for any upgrades, from simply removing advertising to activating a different theme.

Limitations include:

  • Limited to WordPress.com themes – you can’t upload your own
  • No custom plugins
  • Limited storage space
  • Limited control of your content, i.e. you must pay to remove ads
  • No FTP access to your files

It’s also important to note that with WordPress.com you can’t use third-party advertising solutions, such as Google AdSense. You also can’t track your stats with Google Analytics.

If having freedom and full control over your WordPress site is an important factor for you, consider setting up your own site with software from WordPress.org.

Maintenance and Development


Having full control over your site also comes with great responsibility. You will need to be prepared to regularly maintain and update your site. You will also need to make sure your site is secure and less vulnerable to hacking. Spam is also a likely problem you will need to deal with.

On top of that, if you have any problems with your server you will need to sort it out yourself with your web host.

Maintaining a site can take up a lot of your time unless you hire someone else to take care of it for you.

You may want to consider using a managed WordPress hosting solution, such as Pagely or WP Engine. These services look after all the backend maintenance for you, but, of course, at an increased cost.


The folks at WordPress.com will take care of all maintenance and development for you. You won’t have to worry about plugins breaking after an upgrade or your site suddenly going down because of a problem with your host.

You won’t have to keep up-to-date with WordPress news and upgrade your site each time a major version of the software is released.

The decision on whether or not to maintain and develop your site yourself depends entirely on your skills and ability, and also on how much time and effort you want to put into looking after your site.

If you would rather not deal with anything technical and don’t have the time to commit to ongoing maintenance and development, then WordPress.com would be the best option for you.

So… WordPress.org or WordPress.com?

Choosing between the two comes down to choosing the best option that will support the type of site you want to create.

If you are a casual blogger, don’t want to worry about maintenance and security, and don’t want or need a custom domain, then WordPress.com is ideal for you.

However, if you want full control over your site, want to upload themes and plugins, or want to create an eCommerce or business site, then you may want to go with WordPress.org.

WordPress comparison

If you’re still not sure, check out this handy video we created comparing WordPress.org and WordPress.com

This video offers a quick overview of everything you will want to consider when deciding between the two options:

Our Recommendation: WordPress.org

When it comes down to cost, freedoms and limitations, and maintenance and development considerations, WordPress.org wins hands down.

It may take more time and effort to set up a WordPress site, but you will have full control over the look and feel of your site. You will be able to use custom themes and customize their look, and also upload custom plugins to add more functionality to your site.

If you plan to grow your site and increase traffic, then downloading WordPress from WordPress.org is our recommendation.

What is your experience of using WordPress.org and WordPress.com? Let us know in the comments below.

Add Masonry, Grid Layouts To Your WordPress Site With Just CSS http://premium.wpmudev.org/blog/add-masonry-grid-layouts-to-your-wordpress-site-with-just-css/ http://premium.wpmudev.org/blog/add-masonry-grid-layouts-to-your-wordpress-site-with-just-css/#comments Wed, 09 Jul 2014 12:00:00 +0000 http://premium.wpmudev.org/blog/?p=130496 Ever wanted to jazz up how your posts are displayed on your WordPress home page and archives?

What if you could display your posts using the masonry (Pinterest) approach or maybe a grid layout, all just by adding a snippet of CSS?

No plugins, shortcodes, template changes, assigning pages as the home page. Just pure CSS.

Masonry image next to CSS for column-counts
Masonry and grid layouts are all possible with pure CSS, no markup changes

Before We Start…

These solutions are based purely on CSS and so, not surprisingly, they rely heavily on the HTML mark-up on your site to work without modification.

The CSS used has been designed (and tested) with the default themes. This means that the CSS has a couple of expectations:

  1. Classes exist on the body element that describe the type of page (e.g. home, blog, archive, search)
  2. Post lists are collections of article elements, each with its own header, wrapped in a div with the id of content

If you use a default theme then you will be able to use the CSS without modification. Even if you don’t, you might find that your theme uses similar enough markup that you can still use the CSS as is. For example, the Eighties theme uses virtually the same markup as the default themes.

If your theme doesn’t use the same markup – the easiest way to tell is to check the page source for the classes and ids referenced in the CSS – then you can still use the CSS, you’ll just have to change the classes and the ids to match your markup.

Choosing Where To Apply The Styling

You may decide that you only want to apply your chosen styling to certain pages.

WordPress makes this really easy as it applies page-specific classes to the body element such as blog, home, archive and search, so you simply need to code your CSS for each of the relevant classes.

For example, if you want to apply the styling to just the home page then your CSS will look something like:

body.blog article { styles go here... }

To apply the styling to the home page and the archive (category) pages:

body.blog article, body.archive article { styles go here... }

To apply the styling to just the search results:

body.search article { styles go here... }

Again, this does depend on your theme following WordPress’ theming recommendations.

Browser Compatibility

Being CSS3, these techniques are not going to work across all platforms and browsers.

I have tested and confirm that they work on the latest versions of Chrome and Safari (both on OS X) and on iOS (5+). The various CSS websites also suggest that IE10 will also have no problems.

Outside of these browsers (including IE9), your mileage will vary but it’s worth remembering that the fallback is your current styling, so visitors using older browsers will simply not notice any difference.

If you find the styles work successfully on a platform not mentioned (particularly Windows), then let us know in the comments.

Enough of the disclaimers, then, let’s look at how to spruce up your post listings.

Giving Your Posts The Pinterest Masonry Look

Screenshot of post listing with masonry CSS applied
Popularized by Pinterest, masonry works great with posts of differing heights

There are plenty of WordPress themes and a handful of plugins that display posts in a Pinterest-style masonry format. But with CSS3, you can simply add some additional styles to your WordPress site and get the same effect.

This solution, inspired by Rahul Arora’s post on W3Bits, is based on CSS3’s multi-column layout (the column-count property). This splits content across the defined number of columns and, whilst its creation was likely inspired more by the idea of flowing text across columns newspaper-style, it’s just as useful for a masonry layout.

/* Masonry Custom CSS  */

/* Masonry container */
body.blog div#content, body.archive div#content {
  -moz-column-count: 4;
  -webkit-column-count: 4;
  column-count: 4;
  -moz-column-gap: 1em;
  -webkit-column-gap: 1em;
  column-gap: 1em;
}

/* Masonry bricks or child elements */
body.blog article, body.archive article {
  background-color: #eee;
  display: inline-block;
  margin: 0 0 1em;
  padding: 1em;
  width: 100%;
}

/* Page header and navigation sit in their own row, spanning all columns */
body.archive .archive-header, body.blog .paging-navigation, body.archive .paging-navigation {
  background-color: #ffffff;
  -webkit-column-span: all;
  column-span: all;
}
In the default layouts, posts are output as article elements wrapped in a div with an id of content.

The CSS:

1. Sets the number of columns on the #content wrapper using the column-count property – in this case 4. It also sets the column-gap. You’ll notice the -moz- and -webkit- prefixed versions for Firefox and for Chrome/Safari.

2. Turns the article elements into the bricks, using inline-block and setting a width to 100%.

3. Ensures that the page header and the navigation sits in its own “row” by specifying that these elements span all columns

Just to keep things tidy you might also consider adding the following:

/* Some ad hoc CSS useful for many themes */
body.archive .site-content,
body.blog .site-content {
  margin: 1em;
}

h1, h2, h3, h4, h5, h6, a {
  -ms-word-wrap: break-word;
  word-wrap: break-word;
}
This just puts a margin around the content and ensures that long words in titles don’t throw out the formatting (useful for any theme, not just here).

Making It Responsive

One disadvantage with a column approach is that it quickly degrades as the screen size gets smaller.

What we want to do is to manipulate the number of columns so that the article elements get a sensible amount of screen real estate to maintain the bricks’ integrity and visual appeal. So, let’s add some media queries to change the number of columns based on the screen size:

@media only screen and (max-width : 1024px) {
  body.blog div#content, body.archive div#content { /* Masonry container */
    -moz-column-count: 3;
    -webkit-column-count: 3;
    column-count: 3;
  }
}

@media only screen and (max-device-width : 1024px) and (orientation : portrait) {
  body.blog div#content, body.archive div#content { /* Masonry container */
    -moz-column-count: 2;
    -webkit-column-count: 2;
    column-count: 2;
  }
}

@media only screen and (max-width : 768px) {
  body.blog div#content, body.archive div#content { /* Masonry container */
    -moz-column-count: 2;
    -webkit-column-count: 2;
    column-count: 2;
  }
}

@media only screen and (max-width : 480px) {
  body.blog div#content, body.archive div#content { /* Masonry container */
    -moz-column-count: 1;
    -webkit-column-count: 1;
    column-count: 1;
  }
}
As you can see, we only need to change the column-count property (and its prefixed variants) for each query.

There are 4 breakpoints: 3 of which will work across all platforms (simply resize your browser window to see them take effect) and 1 which is specifically for a tablet in portrait mode.

Here’s the masonry styling on an iPad and iPhone:

Screen shots of masonry layout on an iPhone (1 column) and iPad in portrait mode (2 columns)
Making the number of columns respond to screen size is easy

You can (and should), of course, go further and add more style to the bricks to improve the visual appeal but just 3 CSS statements to turn your post listings into a masonry wall is pretty impressive!

Laying Out Posts In A Grid

Screenshot of post listings using grid styling
Grids bring order and uniformity to your post lists

If you like more uniformity and order than masonry provides, then you might be interested in laying out your posts in a grid.

Grids are very, very easy to implement but definitely work best when the featured images are all the same size, otherwise you can end up with plenty of whitespace padding out the shorter “cells”.

This time the CSS is even shorter, simply relying on styling the article elements:

/* Grid Layout Custom CSS */
body.blog article, body.archive article {
  width: 32.5%;
  display: inline-block;
  vertical-align: top;
  text-align: left;
  margin-bottom: 10px;
  position: relative;
}
That’s all that’s absolutely necessary. Again, we are making use of inline-block and ensuring that the article content (title, featured image, excerpt) is aligned to the top of each cell.

The important property is the width as this determines the number of “columns”. I’ve used 32.5% as the initial value (using 33% can lead to premature wrapping) which will provide for 3 columns. Obviously, if you wanted 4 columns then you’d use 24.5%, 5 columns 19.5%, etc.

Adding Responsive-ness

Just like our masonry styling, grids are going to need to be responsive if they are to maintain their effectiveness.

As it is the width property that determines the number of columns then that’s the property that will be changed in the various media queries.

@media only screen and (max-device-width : 1024px) and (orientation : portrait) {
  body.blog article, body.archive article {
    width: 49%;
  }
}

@media only screen and (max-width : 768px) {
  body.blog article, body.archive article {
    width: 49%;
  }
}

@media only screen and (max-width : 480px) {
  body.blog article, body.archive article {
    width: 100%;
  }
}
Just 3 queries this time as I only started with 3 columns. If you decide to start with more columns then you may well want to add a breakpoint of max-width: 1024px to set the width to 32.5% (3 columns).

This will result in:

  1. 2 columns on a tablet in portrait mode
  2. 2 columns when the screen size is a maximum width of 768px
  3. 1 column when the screen size is a maximum width of 480px

These breakpoints will cover both tablets and smartphones and resizing of the browser window.

Here’s the grid layout on an iPad and iPhone:


Grid layout on an iPad in both portrait and landscape
Just a couple of media queries ensures that the grid responds to changing screen size

Grids are a bit more orderly than masonry but really do require consistency and rigour in featured image size to be at their most effective.

How To Get The Custom CSS Into Your Site

There are a number of options when it comes to injecting your chosen custom CSS into your WordPress site. If your theme doesn’t include the ability to add custom CSS, then your choices are:

  • Child Theme – create a child theme and add the CSS to the stylesheet
  • Plugin – add your chosen styling to a new CSS file and create a plugin that uses the wp_enqueue_style() function, perhaps conditionally based on the page being generated, to enqueue the new file
  • Edit the current theme’s stylesheet – don’t, really, just don’t
  • Use a custom CSS plugin – there are a number of plugins that will allow you to add custom CSS to your site via the WordPress admin interface (the aptly named Simple Custom CSS plugin is one such plugin)

I like using the Simple Custom CSS plugin. It’s quick and easy to set up, makes testing a breeze and is equally quick and easy to remove the CSS from your WordPress site (clear the editor or uninstall the plugin).
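For the plugin route, here is an added example (not from the original post) of a small plugin that enqueues a stylesheet only on the pages whose body classes the masonry and grid CSS target. It assumes the CSS has been saved as layout.css alongside the plugin file; the handle name, the example_layout_columns filter and the directory name are placeholders:

```php
<?php
/**
 * Plugin Name: Example Post Layout CSS
 * Description: Added example, not from the original post. Enqueues a custom
 * stylesheet only on the blog index, archive and search pages, so every other
 * page skips a file it would never use.
 */

/**
 * Register and enqueue layout.css from this plugin's directory. The file is
 * assumed to hold the masonry or grid CSS shown in the post.
 */
function example_enqueue_layout_css() {
    // Mirror the body classes the selectors rely on (blog, archive, search).
    if ( ! ( is_home() || is_archive() || is_search() ) ) {
        return;
    }

    $file = plugin_dir_path( __FILE__ ) . 'layout.css';
    if ( ! file_exists( $file ) ) {
        return; // Fail quietly rather than emit a link to a missing asset.
    }

    wp_enqueue_style(
        'example-post-layout',                 // handle (placeholder)
        plugins_url( 'layout.css', __FILE__ ), // public URL of the file
        array(),                               // no dependencies
        (string) filemtime( $file )            // version = mtime, busts caches on edit
    );

    // Per-site tweaks can ride along as inline CSS attached to the same handle.
    // Anything interpolated into CSS must be sanitised first: absint() keeps
    // a filter callback from smuggling arbitrary text into the page.
    $columns = absint( apply_filters( 'example_layout_columns', 4 ) );
    $inline  = sprintf(
        'body.blog div#content, body.archive div#content { column-count: %d; }',
        $columns
    );
    wp_add_inline_style( 'example-post-layout', $inline );
}
add_action( 'wp_enqueue_scripts', 'example_enqueue_layout_css' );
```

The conditional checks run inside wp_enqueue_scripts, which fires after the main query has been resolved, so is_home(), is_archive() and is_search() already reflect the page being built. Using the file's modification time as the version string means a changed stylesheet gets a new URL and old copies in browser and CDN caches are bypassed.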

CSS, The Pathway To WordPress Zen

The wonderful CSS Zen Garden has been proving for many years that the look and feel of a site can be substantially altered without a single change to the markup but by changing the CSS.

Whilst not anywhere near the same level, these two techniques prove that changing the look and feel of your WordPress site is also entirely possible without needing to alter templates, use shortcodes or develop child themes.

Just a little bit of CSS.

Do you have a favorite CSS snippet that you’ve used on your WordPress site? Share it in the comments below.


How to Add Subtitles to WordPress Posts http://premium.wpmudev.org/blog/add-subtitles-wordpress-posts/ http://premium.wpmudev.org/blog/add-subtitles-wordpress-posts/#comments Sun, 06 Jul 2014 14:00:00 +0000 http://premium.wpmudev.org/blog/?p=130327 Titles, of course, attract a lot of attention. If you feel you need a little extra time for your title, you might try using subtitles. If styled appropriately, they just might grab some more of your visitor’s “title attention time.”

While you could add subtitles to WordPress in a very manual way, as usual, there’s a plugin for you that will make the job easier.

Secondary Title Plugin

A plugin you can use for this job is called Secondary Title.

Once activated, you will see a new box in your write/edit screen to insert your subtitle into.


The plugin comes with a number of settings in the backend that will let you determine where subtitles appear.

For example, you can automatically insert the subtitle box for posts, pages, custom post types, certain categories, or specific posts. The plugin also gives you tips on styling the subtitle to your liking.

If, however, you want even more control over where your title appears, you can insert a line of code into your theme’s template files.

Here’s a look at a sample subtitle that I placed below my main title in my theme’s template file.


And that’s it.

Trying some subtitles out on your site might just be the trick that helps you convince potential readers to read on.

How To Build A Mobile WordPress Theme, And Why You Should
http://premium.wpmudev.org/blog/how-to-build-a-mobile-wordpress-theme-and-why-you-should/
Thu, 03 Jul 2014 12:00:00 +0000

There are 5 reasons why you need to build a theme specifically for mobile visitors to your WordPress site. And already having a responsive theme is one of them.

Truth is that most responsive themes provide a second-rate mobile experience and as mobile becomes the dominant device for accessing the web, your traffic is going to suffer.

Whilst you can get plugins that will help you create a mobile theme, let me show you how to take complete control of your visitor’s mobile experience by building your very own custom mobile theme.

Four screenshots of the mobile theme running on an iPhone
Why build a mobile-specific theme? Because most responsive themes are terrible on a mobile

5 Reasons Why You Need A Specific Theme For Mobile

Your current theme is not responsive

Seems blindingly obvious but if your current theme is not responsive then it’s likely a nightmare to use on a mobile device. Creating a specific theme is going to be cheaper, quicker and easier than building a brand new responsive theme.

Your current theme is responsive but the mobile experience sucks

Even if your current theme is responsive it might still be a pain to use as too many responsive themes provide a terrible experience on a mobile. Even the current WordPress default, Twenty Fourteen, has plenty of issues.

You want to optimize the experience for each platform

Truth is that unless your theme effectively contains 3 virtual themes (one for desktop, one for tablet and one for mobile), then it has had to compromise somewhere: you are using a jack-of-all-trades and a master-of-none.

To truly optimize the experience for each platform you need to build a theme for each platform.

You want to build a mobile app

If you use the right tools then a mobile theme can be an excellent stepping stone to a mobile app allowing you to get all your trials and testing done in the much more forgiving web environment.

And it just so happens that this article will introduce you to the tool that the developers of the Twitter for iPhone app used for their prototyping.

You want to target the mobile market

Perhaps you've decided to create a unique product for mobile users: you want to deliver local news targeted at commuters, fitness content to gym junkies, or live match stats to sports event attendees.

If you’ve targeted mobile then you need a mobile theme.

Introducing Ratchet

Screenshot of the Ratchet home page
Part of the Bootstrap family

We are going to build a mobile theme based around Ratchet, an HTML, CSS and JavaScript framework that came out of the project that created the Twitter for iPhone app.

Initially released in November 2012, it's proven popular as a prototyping tool for mobile apps with its platform-specific CSS files, its own icon set, and a swag of UI components. It's also now officially part of the Bootstrap family.

Building the user interface is, as you’ll see, very quick and easy. It’s also easy to get your head around Ratchet’s model.

Based around the typical one-page app paradigm, you designate a header and a content area. All local links are converted to Ajax requests, and Ratchet simply checks the server response and updates the header (if it has changed) and the content area as necessary.

What this means is that you have complete control over the look and feel of the app from WordPress itself. No big deal, perhaps, when dealing with a web app but fairly significant when it comes to mobile apps.

Using Ratchet To Build A Mobile Theme

Ratchet’s model is perfect for delivering WordPress content to a mobile device and effectively we will be building a Ratchet app into our mobile theme.

Our example theme is a very simple version of the excellent Quartz website:

iPhone screenshots of the home page and a single post
Our example mobile theme is a simple version of the excellent Quartz website

Now, there is a certain irony in this choice, given that Quartz is a responsive site that caters extremely well for mobile, but Quartz seems to be the exception rather than the norm.

Delivering the Ratchet App

Ratchet is based around a single page that looks something like this:

We can translate this to a WordPress theme as follows:


The header.php file handles all the code from the <!DOCTYPE html> declaration to the opening of the <div class="content"> element.

Things to notice:

  1. We don't include any reference to the Ratchet stylesheet or the Ratchet JavaScript file. These are added to the <head> via the wp_enqueue_style and wp_enqueue_script functions in conjunction with wp_head.
  2. <link> tags are added pointing to the icons used for web clipping.
  3. A "home" icon is added to the header if the page being viewed is not the home page.
  4. Two "popovers" are created, one for categories and one for tags.

The popovers are unordered lists that are built using a common function, ratchet_popover_table, located in the functions.php file.

Screengrabs showing the two popovers in action
Popovers are a Ratchet component so simple to implement

Remember that Ratchet only looks for changes in the header rather than replacing it outright, as it does with the content.


The footer.php does little more than generate the closing tags for the content div, body and html elements and call wp_footer.

This just helps make the theme extendable via plugins.


The functions.php is also fairly straightforward:

  1. Adds theme support for post thumbnails (featured images)
  2. Enqueues the Ratchet JavaScript file and the Ratchet stylesheet
  3. Adds a function to retrieve the caption for a featured image. This is a really useful bit of code (thanks to Ben Byrne via bobz.co) as getting the caption for a WordPress image is unnecessarily difficult.
  4. Adds a function to build a popover list for a given term type
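The four pieces listed above, as an added example functions.php written for this article (my own illustration, not the theme's actual code). It assumes the Ratchet files sit in a ratchet/ folder inside the theme, and the ratchet_example_ function names are placeholders for whatever the real theme calls them; every term name and URL is escaped on output so nothing stored in the database is echoed raw into the popover markup.

```php
<?php
// Added example functions.php for a Ratchet-based theme (not the article's own code).
// Assumption: ratchet.css and ratchet.js live under ratchet/ inside the theme folder.

add_action( 'after_setup_theme', function () {
    // 1. Featured image support.
    add_theme_support( 'post-thumbnails' );
} );

add_action( 'wp_enqueue_scripts', function () {
    // 2. Register Ratchet with WordPress so wp_head()/wp_footer() emit the tags;
    //    header.php then never hard-codes a <link> or <script> for the framework.
    $base = get_template_directory_uri() . '/ratchet';
    wp_enqueue_style( 'ratchet', $base . '/css/ratchet.css', array(), false );
    wp_enqueue_script( 'ratchet', $base . '/js/ratchet.js', array(), false, true );
} );

// 3. Caption of a post's featured image. WordPress stores an attachment's
//    caption in the attachment post's post_excerpt field.
function ratchet_example_thumbnail_caption( $post_id = null ) {
    $thumb_id = get_post_thumbnail_id( $post_id );
    if ( ! $thumb_id ) {
        return '';
    }
    $attachment = get_post( $thumb_id );
    return $attachment ? $attachment->post_excerpt : '';
}

// 4. Build a Ratchet popover listing the terms of one taxonomy ('category' or
//    'post_tag'). Output is escaped per value: esc_attr for the id, esc_html for
//    text, esc_url for links, so a term name containing markup stays inert.
function ratchet_example_popover_table( $taxonomy, $popover_id, $title ) {
    $terms = get_terms( $taxonomy, array( 'hide_empty' => true ) );
    if ( is_wp_error( $terms ) || empty( $terms ) ) {
        return '';
    }
    $html  = '<div id="' . esc_attr( $popover_id ) . '" class="popover">';
    $html .= '<header class="bar bar-nav"><h1 class="title">' . esc_html( $title ) . '</h1></header>';
    $html .= '<ul class="table-view">';
    foreach ( $terms as $term ) {
        $link = get_term_link( $term );
        if ( is_wp_error( $link ) ) {
            continue; // skip a term whose permalink cannot be resolved
        }
        $html .= '<li class="table-view-cell"><a href="' . esc_url( $link ) . '">'
               . esc_html( $term->name ) . '</a></li>';
    }
    $html .= '</ul></div>';
    return $html;
}
```

In header.php the two popovers are then emitted with echo ratchet_example_popover_table( 'category', 'popover-categories', 'Categories' ) and the same call with 'post_tag'.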


The major file in any theme (in fact, the theme won’t work without it) is, of course, style.css.

I won't go through this file; suffice it to say that it mostly sits alongside ratchet.css to style the content, set colors for headings, etc.

Screengrab showing the pointer
The pointer is a neat CSS-only visual enhancement

There is just one technique that I want to highlight, though, as this was new to me and may be of interest to you, and that’s adding the pointer that sits on top of the first headline and points “into” the image.

This effect is achieved by making use of the :before pseudo-element to add content, the pointer, before an element:

/* The container must be positioned so the pointer's absolute offsets are relative to it */
#post-list {
position: relative;
}

/* A zero-size box whose bottom border forms the upward-pointing triangle */
#post-list:before {
position: absolute;
top: -15px;
left: 10%;
width: 0;
height: 0;
margin-left: -15px;
content: '';
border-right: 15px solid transparent;
border-bottom: 15px solid #ffffff;
border-left: 15px solid transparent;
}

Be aware that the element itself (in this case #post-list) must have its position set to relative: it won’t work if you leave it with the default of static.

Index.php, Single.php, Archive.php

All these files are very simple and are there really just to provide the content.

Index.php, which is used for the home page, and archive.php are virtually identical. They generate a list of posts, outputting the featured image, if one exists, for the first post in the list.

The list is marked up as a Ratchet table component but I tweaked it a little to remove the chevrons to free up space for the post titles and excerpts.

Single.php generates the output for a single post using the formatting from Quartz.

Just be careful with the content that you are trying to deliver in the single template, particularly keeping in mind the potential limitations of Ratchet's Ajax approach. JavaScript and even styles delivered as part of the content will not be executed: you have to ensure that all these assets are delivered in the initial page set-up.

Finishing Off

So we've built the theme, but there are still a couple of i's to dot and t's to cross.

Responsive Images With The Pco Media Plugin

I would recommend installing the Pco Media plugin as this will make working with images a lot easier. By removing all the width and height attributes this plugin makes sure your images will be scaled correctly on a mobile screen and will save you considerable time and frustration.

Automatic Theme Switching Using Any Mobile Theme

If you are not in a mobile-only scenario (or using a mobile domain such as m.domain.com) then you have to ensure that you deliver your new mobile theme to mobile users only.

The Any Mobile Theme plugin allows you to select the theme for a range of devices via its simple, easy-to-follow settings page.

Screenshot of the plugin's settings page
Select the theme by device – here we only use Ratchet for mobiles not tablets

Icons For Web-Clipping

iPhone screen showing custom icon on home screen
Providing icons makes a web clip far more effective

And lastly, you'll be hoping that your mobile visitors add your site to their home screen, so-called web clipping, so you'll want to provide great-looking icons that are easy to recognize in that sea of icons.

Start by designing your icon at 1024×1024 pixels and then head to makeappicon to generate all the sizes that you need. Simply drop these into the icons folder in your theme.

Extending The Theme

This is just a quick and simple introduction to building a mobile theme with Ratchet and we’ve done little more than scratch the surface of the framework’s capabilities.

Even so, we can see how building a mobile-specific theme is both quick and easy using the framework and provides a much better app-like experience for your visitors.

And as WordPress is still at the heart of the solution, adding login, forms, even premium content and services should all be possible.

Perhaps it’s time to seriously consider delivering a better experience for your mobile users rather than just relying on a responsive theme to do the job for you?
