Follow Digging Into WordPress | Take your WordPress skills to the next level. on Feedspot



Announcing my latest WordPress security plugin, Banhammer! It makes monitoring site traffic and banning unwanted guests waay too much fun. Navigate logged requests via slick Ajax UI, and enable sound effects for banning and warning bad users and bots. Check out the video on YouTube and download Banhammer from the WP Plugin Directory.

Direct link to article | View post at DigWP.com


There has been lots of discussion about the new WordPress "Gutenberg" project. Some people love it, some hate it, and most WP users probably have no idea about it. And that's too bad, because it means many changes will be required for thousands of WordPress plugins and themes. We're talking about MANY collective work hours to make it happen, even in a best-case rollout scenario.

The debate

Anyone who is in any of the Facebook WordPress groups knows about the debate over Gutenberg. Also on Twitter and other social media channels. For those who may be unfamiliar with the drama, you can get a good idea by browsing through the Plugin Reviews for Gutenberg. Currently, it looks like Gutenberg fans are outnumbered by about 2 to 1:

Should this plugin be added to the WP core? Do plugin ratings mean anything?

My take

So this post is to ask what your thoughts are, and to share my own opinion, which can be summed up quite succinctly:

Leave Gutenberg as a plugin.

Why? Because there is no real need to add Gutenberg to core. But there are many good reasons for NOT adding to core and leaving Gutenberg as a plugin:

  • There are better content-building plugins available
  • Lets users decide if a visual content builder is necessary
  • Lets users decide which content builder is best for their needs
  • Doesn't break thousands of WordPress sites, plugins, and themes
  • Doesn't push countless hours of needless work onto developers & users
  • Enables Gutenberg fans to use the functionality without forcing it on everyone else (win-win)

Basically, Gutenberg should take advantage of WP's great extensibility and let users decide for themselves. That's exactly what plugins are for; in fact, thanks to the extensibility of WordPress, users already enjoy a wide variety of incredible content-building plugins. Leaving Gutenberg as a plugin means that everyone wins :)

My advice

IF they absolutely are dead set on forcing Gutenberg into core no matter what the cost, then I recommend the following four golden rules:

  1. Make Gutenberg optional
  2. Don't remove metaboxes
  3. Don't remove custom fields
  4. Don't remove the plain-text editor

Basically, replace the RTE if you think it needs it; but don't mess with existing functionality. Waaay too much is built on it. Don't force more needless work on millions of WordPress developers and users. No feature is worth such massive potential disruption for so many people. Talking high stakes here, folks.

Your thoughts?

What do YOU think about Gutenberg? Do you think it should be added into the WP core, or left as a plugin? Or abandoned altogether in favor of something better? Share your thoughts (but be nice!) in the comments below.


It looks like they're dead set on forcing Gutenberg into core. They recently sent out a lengthy "4.9 update" email trying to explain and justify their plans, for example:

The first iteration of Gutenberg introduces a new editor design featuring content blocks that can be directly manipulated. Even though the initial version aims to replace only the writing screen, future iterations planned for next year go into page templates and, ultimately, full site customization.

LOL! As if all of that hasn't been possible for years now, using one of the many great drag-n-drop, content-building plugins. Like installing a plugin is too much to ask of WP users? It takes like what, a few clicks..?


Despite what the Gutenberg devs and others have been saying, it sounds like they DO plan on removing custom fields, meta boxes, and shortcodes entirely, as suggested by this statement (also from the 4.9-update email):

[Gutenberg is] a big change, and various paths will support existing WordPress functionality (such as shortcodes or meta-boxes) to help their transition.

I don't know about you, but to me, that sounds like they are saying that shortcodes and meta boxes eventually will be removed. Which is the opposite of what many of us have been told by team Gutenberg. The ol’ bait & switch..

Even more telling is the fact that the 4.9 update email does not link to the Gutenberg plugin page (you know, the one with mostly bad reviews).. instead they link to the new Gutenberg documentation, so it's all good. You can marvel at the "greatness" of it all:


As if the entire community is pulling together to make it happen. It feels more like WordPress is being hijacked by a few overzealous developers, for whom 25% market share just isn't "enough". Gotta completely reinvent the wheel and "fix" something that works perfectly fine for millions of users.

More to come..

I'll continue to update this post with more news as it becomes available. Currently it sounds a lot like shenanigans and crafty maneuvering, especially with the apparent back-pedaling on promises made regarding meta boxes, custom fields, shortcodes, which thousands upon thousands of WordPress plugins make use of.

And if you think it's not happening, or won't affect you, here is another gem from the 4.9 update email:

When will Gutenberg be in core? The plan is to release Gutenberg in WordPress 5.0 early next year, so now is a great time to test and get ready for it.

This ominous warning is then followed by an invitation to help, along with a link to the Gutenberg Github page.


On certain server setups, WordPress is vulnerable to an email interception attack. Basically WP uses the $_SERVER['SERVER_NAME'] variable for the "From" header in email notifications. On certain systems this can be exploited by an attacker to gain access to your site. This issue has been known about since WP 2.3, but nothing has been done about it. So I decided to write a plugin to fix it up.


With each passing day, strong security becomes more important. This article explains some ways to keep WordPress secure while improving the overall security of your WordPress-powered site. Most of the tips provided here are practice-based security steps that require no plugins or hacks. The idea here is that you don't need to make changes to any code, or modify WordPress in any way in order to maintain strong security. These are security steps that most any WordPress user can use to help protect their site and keep WordPress safe and secure.

Introduction

The motivation for this article is the idea that WordPress itself is secure. When vulnerabilities are discovered, the WordPress team fixes them up and pushes out a new version asap. In my experience, most security issues are introduced by external factors, such as user inexperience, insecure servers, and badly coded 3rd-party plugins and themes. Much of the advice given in this article is aimed at reducing risk by controlling these and other external factors.

Keep in mind that security is not a set-it-and-forget-it kind of thing. There is no such thing as a perfectly secured site. If your site is online, there is risk. Thus, good security is not about trying to eliminate risk, but rather results from reducing risk as much as possible. As stated in the WordPress Codex¹:

Fundamentally, security is not about perfectly secure systems. Such a thing might well be impractical, or impossible to find and/or maintain.

Risk elimination is not a one-size-fits-all, click-a-button-and-done type of affair. Rather, risk reduction happens in layers. Everything counts. From server software to form validation and everything in between, every layer of protection works together toward a site's overall level of security.

So with that in mind, here are some tips that will help you to keep your WordPress-powered site as secure as possible. And for even more security tips, check out the security guide over at makeawebsitehub.com.

Do Nothing

If you're running WordPress on a well-secured server, and you are 100% sure about any themes and plugins that you're using, then you're pretty much good to go security-wise. I have sites hosted on VPS servers for which I take zero additional security steps outside of common best practices.

But good security also depends on how you're using WordPress, which is what most of this article is about.

Use SFTP not FTP

If you're still using regular ’ol FTP, you should switch to SFTP as soon as possible. In a nutshell, FTP sends your credentials and data in clear text, which means your password and connection information is not encrypted². If you are transferring your files via FTP, anyone listening on the network can grab your data and use it to exploit your site. Using SFTP is just like using FTP, but with SFTP all of your credentials and data are encrypted, which protects them from would-be attackers.

Ask your web host if you are unsure about SFTP support — they should be more than happy to help. Likewise with your current FTP setup, check the documentation to see how to change things over to use SFTP as your file-transfer protocol.


This is the same basic idea as using SFTP instead of FTP. If your site is using the HTTP protocol, all transmitted information is sent without encryption. So all comments, logins, purchases, and other transactions are sent and received unencrypted over the network.

This means that an attacker could intercept passwords and other sensitive data in order to exploit your site and its users. This is one reason why Google and other big players are pushing hard for everyone to switch over to HTTPS. With HTTPS, all transmitted data is encrypted, which helps to protect against interception and exploitation.

Of course, switching from HTTP to HTTPS requires more effort than switching from FTP to SFTP. To set up HTTPS for your site, you need an SSL certificate, which must be implemented properly on your server (which can be easier said than done). If you do decide to upgrade to SSL/HTTPS, make sure to do so for all pages on your site, otherwise known as "always-on" SSL.

For help making the transition, check out Chris Coyier's write up over at CSS-Tricks. After implementing SSL, test your pages for proper functionality and security using an online SSL checker.

Secure Hosting

Perhaps the most important of all security tips is to host your sites on a secure server. The server is the foundation of your website, so make sure that your web host is reputable and provides stable, secure servers.

Especially with web hosting, you get what you pay for, so avoid "cheap" hosting at all costs. If you can afford it, get anything better than "shared" hosting. Shared hosting means that you are sharing the server space with other users. So if another site on the server is hacked, then all sites on the server may be compromised. Like living in a bad part of town.

Contrast that scenario with dedicated hosting, where the entire server is dedicated to your sites. That enables you to be as secure as you want to be, without worrying about what your neighbors are doing (or not doing). Likewise with VPS hosting, the security of your sites is not dependent on the security of your neighbors.

Some things to look for in a good web host:

  • Solid reputation as secure, reliable, supportive, responsive, etc.
  • Provides a properly configured server
  • Provides current versions of software (Apache/Nginx, PHP, MySQL, etc.)
  • Provides reliable methods for backing up and restoring your data
  • Happy to discuss all details regarding service, security, features, et al

Unfortunately finding a good web host these days is easier said than done, but it is of critical importance nonetheless. Taking the time to do your own research and find the best possible web host is one of the best security investments that you can make for your site.

Strong Passwords

Everyone on the Web should be using strong passwords. Unfortunately, there are many folks who have yet to discover the joys of getting hacked. Seriously, people. Tell your friends. Spread the word. Strong passwords are mission-critical. You've got to use strong passwords and change them regularly.

One of my pastimes is watching network traffic. One thing I see more of every day is brute-force hacking attempts. And 99% of it is aimed right at your site's login page. They want in. They want to exploit your site. Fortunately it's trivial to deny them access: use ultra-strong passwords for everything. That includes not only your WordPress password, but also credentials for things like email, database connections, SFTP, and anything else that requires authentication. As stated in the WP Codex¹:

Hackers thrive on predictability. They predict that many people's passwords are in fact ‘password’, or that their username is probably their real name or some default value such as ‘admin’. Be unpredictable.

As a complete bonus, WordPress now features a built-in password-strength meter on every user's Profile screen. This makes strong passwords a no-brainer for all of your users. Here are some additional tips for rocking strong passwords:

  • Keep it long, random, and alphanumeric
  • Never share your password with anyone
  • If you do let others use your passwords for tech support or whatever, change the passwords afterward
  • Use an online password generator to generate strong passwords

And if you want to super-secure the WordPress login page, you can implement two-factor authentication.

Stay Current

This also should be drilled into everyone's skull at this point: stay current with the latest version of WordPress. Doing so is made dead-simple, with features like one-click and auto-updates — there really is no excuse for lagging behind on the updates. This goes not only for the WordPress core files, but also for all plugins and themes that are installed on your site (whether active or not, it's always best practice to keep ’em updated).

In addition to keeping all of the software up-to-date, it's wise to keep an eye on the latest WP development news for important heads up on general security, zero-day threats, and other breaking issues.

Clean Up Rogue Files

Good security involves limiting liability as much as possible. Keeping loose, unused files on your server unnecessarily increases the liability of your site. Take a few moments to examine your directory structure and remove any files that are not required. To give you a better idea, you should remove things like:

  • Development-only files (like for testing, version control, etc.)
  • Unused (inactive) themes
  • Unused (inactive) plugins
  • Unused PHP scripts
  • Unused JavaScript files
  • Sensitive information and/or notes
  • Any other loose files that are not required

If you must keep such files on the server, you should protect them against unwanted access. Here are two alternate .htaccess techniques for securing any file on the server:

via mod_rewrite

# requires "RewriteEngine On"; in .htaccess the matched path has no leading slash
RewriteRule (^|/)filename\.ext$ - [F,L]

via mod_alias

RedirectMatch 403 /filename\.ext

To use either of these techniques, change the filename to match the name of your file, and ext to match the file extension. Then add to your site's root .htaccess file and upload to your server. Test by requesting the file in your browser. Using either method should return a “403 - Forbidden” error.

Keep Good Backups

This is another no-brainer for most people, but there are some who have yet to suffer catastrophic data-loss and learn the lesson on their own. Keeping good backups of your site is essential to avoid losing critical data and getting back up to speed if and when something bad happens. And there is a lot of bad that can happen these days. Having a current set of tested, working backups enables you to get back on track without losing any precious data. And always keep multiple copies of your backup files. Remember, good backups are:

  • Kept secure
  • Well-tested
  • Current

Further, understand that you need to back up not just your database, but your files as well. Basically you need to keep backups that will enable you to reconstruct your entire site to its current state at a moment's notice. If that sounds like you, then you're good to go in this department. If not, then you may want to check out some of the useful backup plugins available in the WordPress Plugin Directory.

Stick with Trusted Sources

This one’s easy. Install only reputable themes and plugins from trusted sources, and stay away from "shared" or "pirated" versions of themes and plugins. It's just too easy for evildoers to slip bad code into their pirated warez. Sure, on the surface everything may look fine, and the plugin or theme may otherwise function normally. But beneath the hood, malicious code can do bad things without your knowledge. Don't be a victim. Always get your plugins, themes, and scripts from trusted sources.

Use Quality Plugins

As discussed in our recent poll, it's not so much the number of plugins as it is the quality of plugins that you run on your site. When looking for plugins, look for signs of quality, such as:

  • Current with latest WordPress
  • Positive ratings and feedback
  • Signs of active support
  • Number of other users
  • Updated recently

And so forth. Keeping an eye out for signals of quality and reliability will help you choose the best possible themes and plugins for your site. And that will help keep your site secure.

Know what You're Doing

This goes not just for using WordPress, but for any online work in general. There's a lot involved, a lot of moving parts, a lot that can happen. It's important to educate yourself as much as possible to gain an understanding about how things work, what they do and so forth.

Likewise with WordPress, it's key to understand how to use and get the most out of the software. Doing so will help you make educated decisions and get the most out of WordPress with the least amount of effort. And of course, understanding is a precursor to good security.

Know where You're Doing It

I am amazed at how cavalier some people are about working online via any wi-fi connection they can find. They just walk into any shop, connect to the local free wi-fi and get to work. Why is this a bad idea? Because you never know who is lurking on the same unencrypted network looking for victims.

Never log in, make purchases, or do anything other than browse when working off an unknown or insecure wi-fi signal. Otherwise it's just too easy for attackers to hijack the signal and steal your information. And you would have no idea until it was too late. Unless you've taken explicit steps to secure your connection, stick to trusted networks for all work and business related activity.

Don't Hack the Core

Plain and simple: do not hack any WordPress core files. Doing so on production sites is a recipe for disaster. Same is true for plugins and themes — do not modify their core files. Instead, if you want to change default functionality, do so via prescribed channels, such as:

  • Modify or customize core functionality via plugin
  • Modify or customize theme appearance or functionality via child theme
  • Make changes to your theme via functions.php

Also important to good security: when making changes via any of these methods make sure to use the WP API whenever possible.

Ensure Proper File Permissions

If your server is configured correctly, all WordPress files and folders should be created with proper permissions. The general rule is that the permission level of files should be set at 644 and folders set at 755. Of course, it's not always that simple; various configurations are possible³. If upon examination you discover that file and folder permissions are not correct (or don't look quite right), consult the WP Codex and ask your web host for help.

Disable Error Display

During development, displaying errors on the front-end of your site is perfectly fine. But during production, when your site is live online, displaying information about errors is a bad idea. Doing so could reveal sensitive information about your server configuration, PHP setup, and any potential vulnerabilities. Broadcasting that kind of information for the entire world to see is just not a good move. Why risk it?

Instead, once development is complete and you're ready to go live, take a moment to disable error display on your site. WordPress errors are easy to disable by opening wp-config.php and adding the following line:

define('WP_DEBUG', false);

If a similar line already exists with a value of true, just change it to false and you're good to go. Likewise you want to make sure that display of PHP-generated errors is disabled. Here are some articles that explain how to do so:

If in doubt about PHP errors, ask your developer or web host for more info.

Keep Spammers at Bay

One thing you don't want is a bunch of spammers leaving comments on your posts. Spam comments send a signal that your site may be of poor quality, neglected, and possibly insecure. SEO implications aside, such signals tend to repel legitimate visitors and attract malicious behavior. To help control spam, you can install a plugin (there are many), or just use WordPress’ built-in spam-control features. Eliminating spam helps improve your site's reputation, ranking, value, and security.

Run a Clean Machine

Another critical security step is to make sure that your local machine and devices are free of spyware, viruses, and any other malware. Even if your server and site are squeaky clean and super secure, it's all for nothing if you're working from an infected machine. As stated at the WordPress Codex¹:

No amount of security in WordPress or on your web server will make the slightest difference if there is a keylogger on your computer.

A complete discussion on this topic is beyond the scope of this article, but there is much information available online. Hopefully you already are familiar with the importance of running a clean machine; if not, take the time to read up and protect your computers and devices from security vulnerabilities. This includes doing things such as:

  • Connecting to the Web via secure router
  • Running behind a trusted, reliable firewall
  • Staying current with all software and updates
  • Don't allow access to untrusted networks or devices
  • Stay away from shady sites, pirated warez and so forth

Of course, there is much more to the art of securing your personal work environment (computer and devices). Unless you're already savvy, do the research and take proper steps to secure your work setup.

Monitoring and Logging

Logging and monitoring are your best friends when it comes to troubleshooting errors and investigating security issues. Most servers record detailed access and error logs that contain a wealth of information about every request and error, including valuable data such as date/time, IP address, requested URI, response codes, and much more. Examining access and error logs may be a little overwhelming for the uninitiated, but once you're familiar with the basic syntax of your log files, you can use them to help resolve all sorts of issues. If you're not sure how to access these files, ask your web host.
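To show what reading those logs can look like, here is an added example (not from the original article) that scans access-log lines for the login-page brute-force pattern mentioned under Strong Passwords. It assumes the Apache/Nginx "combined" log format and that a failed WordPress login is a POST to wp-login.php answered with 200, while a successful one redirects with 302; the log lines and IP addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD uri PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak} for IPs with >= threshold failed logins inside `window`.

    `peak` is the largest number of failed attempts seen in any one window.
    """
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the scan
        path = rec["uri"].split("?", 1)[0]
        if (rec["method"] == "POST" and path.endswith("/wp-login.php")
                and rec["status"] == 200):
            attempts[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


# Constructed sample data using documentation-range IPs, not real traffic.
SAMPLE_LOG = [
    # Six failed logins in ten seconds from one address.
    '203.0.113.7 - - [12/Mar/2024:10:15:%02d +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"' % sec
    for sec in (1, 3, 5, 7, 9, 11)
] + [
    # A normal login: load the form, then a successful POST (302 redirect).
    '198.51.100.20 - - [12/Mar/2024:10:16:00 +0000] '
    '"GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [12/Mar/2024:10:16:12 +0000] '
    '"POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    # Three failures spread over hours: a forgetful user, not a burst.
    '192.0.2.44 - - [12/Mar/2024:08:00:00 +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:09:30:00 +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [12/Mar/2024:11:45:00 +0000] '
    '"POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    "this line is not in combined log format",
]

if __name__ == "__main__":
    for ip, peak in find_login_bruteforce(SAMPLE_LOG).items():
        print("%s: %d failed logins within one minute" % (ip, peak))
```

The threshold and window are starting values to tune against your own traffic.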

Going further

Up to this point, we've covered steps that most anyone can do to help keep WordPress secure. Most of the techniques we've seen so far require little to no modification to any files or code. Going much further with security typically requires making changes to your site, its files, code, and so forth.

For security techniques that require making changes to your site, it is important to consider the return on investment. A good example is the practice of protecting the /wp-admin/ directory with .htaccess. Sure it sounds like a good idea, and may even provide some extra bit of security, but the potential for problems with plugins and themes makes it something that you may want to avoid. The headaches just aren't worth it, IMO.

There are many examples like this, where the promised security benefit simply is not worth the potential risk. So my best advice is to stick with techniques that:

  • Are easy to implement
  • Are not overly invasive
  • Introduce no additional risk

With these things in mind, here are some additional security techniques that are aimed at providing additional layers of security with minimal risk, minimal effort, and minimal amount of changes required to your site.

Authentication Keys

Inside of the WordPress wp-config.php file, make sure to add some strong, random security keys to the section, "Authentication Unique Keys and Salts". Adding these authentication keys helps to improve the security of WordPress login routines and is highly recommended.

Note that you can add, change, or edit these keys at any time with no harm done other than invalidating any existing cookies. So basically the worst that can happen if/when you change the keys is that any logged-in users will have to log in again. No biggie.

To generate a strong, random set of salts, visit the official page at https://api.wordpress.org/secret-key/1.1/salt/. Then copy and paste into your configuration file, upload to the server, and done.
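The two wp-config.php settings covered so far (WP_DEBUG under Disable Error Display, and the keys and salts here) can be checked together. This added example, not from the original article, parses define() lines and reports debug mode left on and salts that are missing, still the sample file's placeholder, short, or reused; the 32-character minimum is an assumption and the sample config is constructed.

```python
import re

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Default text shipped in wp-config-sample.php.
PLACEHOLDER = "put your unique phrase here"

# Matches define('NAME', value); at the start of a line, so lines commented
# out with // or # are ignored. Block comments are not handled.
DEFINE_RE = re.compile(r'''
    ^\s*define\(\s*
    ['"](?P<name>\w+)['"]\s*,\s*
    (?P<value>'(?:[^'\\]|\\.)*' | "(?:[^"\\]|\\.)*" | \w+)
    \s*\)\s*;
''', re.MULTILINE | re.VERBOSE)


def php_value(raw):
    """Convert a PHP literal token to a Python value (str, bool or int)."""
    if raw[0] in "'\"":
        return raw[1:-1]
    low = raw.lower()
    if low in ("true", "false"):
        return low == "true"
    return int(raw) if raw.isdigit() else raw


def php_truthy(value):
    """PHP truthiness: note that the *string* 'false' is truthy."""
    if isinstance(value, str):
        return value not in ("", "0")
    return bool(value)


def parse_defines(text):
    """Return {constant name: value} for every active define() in the file."""
    return {m.group("name"): php_value(m.group("value"))
            for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text, min_len=32):
    """Return a list of (constant, issue) tuples; empty means nothing found."""
    defines = parse_defines(text)
    findings = []
    if php_truthy(defines.get("WP_DEBUG", False)):
        findings.append(("WP_DEBUG", "enabled"))
    seen = {}
    for key in SALT_KEYS:
        value = defines.get(key)
        if not isinstance(value, str):
            findings.append((key, "missing"))
        elif value == PLACEHOLDER:
            findings.append((key, "placeholder"))
        elif len(value) < min_len:  # min_len is an assumed threshold
            findings.append((key, "too short"))
        elif value in seen:
            findings.append((key, "duplicate of " + seen[value]))
        else:
            seen[value] = key
    return findings


# Constructed wp-config.php fragment with deliberate problems; the long
# values are filler, not real keys.
SAMPLE_CONFIG = r"""<?php
define( 'WP_DEBUG', true );
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-filler-value-0001-abcdefghijklmnopqrstuvwxyz');
define('LOGGED_IN_KEY',    'constructed-filler-value-0002-abcdefghijklmnopqrstuvwxyz');
define('NONCE_KEY',        'tooshort');
define('AUTH_SALT',        'constructed-filler-value-0003-abcdefghijklmnopqrstuvwxyz');
define('SECURE_AUTH_SALT', 'constructed-filler-value-0003-abcdefghijklmnopqrstuvwxyz');
define('LOGGED_IN_SALT',   'constructed-filler-value-0004-abcdefghijklmnopqrstuvwxyz');
// define('NONCE_SALT',    'constructed-filler-value-0005-abcdefghijklmnopqrstuvwxyz');
"""

if __name__ == "__main__":
    for name, issue in audit_wp_config(SAMPLE_CONFIG):
        print("%-18s %s" % (name, issue))
```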

Disable Directory Views

Directory views are what happen when..


After months of hard work, I am excited to announce the launch of my new video course on developing WordPress plugins. It covers the entire process of building, securing, and optimizing your own plugins, including 50+ ready-to-go demo files, examples, and plugins. The course is focused on developing plugins using the WP API and Standards. Covers basics and gets into advanced topics like HTTP API, REST API, and WP Cron. Truly packed with practical examples and techniques to help you create your own awesome plugins. Check it out at Lynda.com »


In my recent post, DIY WordPress Popular Posts, I share a simple, two-step technique for tracking and displaying popular posts on your WordPress-powered site. That post describes everything needed to fully implement DIY popular posts, but some folks wanted an easier (more convenient) way to display the list of popular posts on the front-end (instead of using template code).

And as a bonus, make it possible to specify the category and number of posts. So in this quick follow-up tutorial, I share a sweet little shortcode that does exactly that: displays a customizable list of popular posts.

Hello, Shortcode

The Popular Posts Shortcode is entirely plug-&-play with no configuration or editing required. Simply add the following code to your theme's functions.php file and you're ready to go. Note that this shortcode requires that DIY Popular Posts is implemented on your site. Here's the secret sauce:

// shortcode: display diy popular posts: [diy_pop_posts num="10" cat="1,2,3"]
function shapeSpace_display_popular_posts($atts) {
	// merge user-supplied attributes with the defaults
	$atts = shortcode_atts(array(
		'num' => 10,
		'cat' => '',
	), $atts);
	// cast attributes to integers so only numeric values reach the query
	$num  = (int) $atts['num'];
	$cats = !empty($atts['cat']) ? array_map('absint', explode(',', $atts['cat'])) : array();
	// buffer the markup: a shortcode callback must return its output, not echo it
	ob_start(); ?>
	<h3>Popular Posts</h3>
	<ul>
		<?php $popular = new WP_Query(array('posts_per_page' => $num, 'meta_key' => 'popular_posts', 'orderby' => 'meta_value_num', 'order' => 'DESC', 'category__in' => $cats));
		while ($popular->have_posts()) : $popular->the_post(); ?>
		<li><a href="<?php the_permalink(); ?>"><?php the_title(); ?></a></li>
		<?php endwhile; wp_reset_postdata(); ?>
	</ul>
	<?php return ob_get_clean();
}
add_shortcode('diy_pop_posts', 'shapeSpace_display_popular_posts');

This code snippet uses the WP API to create a shortcode called [diy_pop_posts] that can be used on any WordPress Post or Page (or CPT). The function uses WP_Query to grab and display a simple unordered list <ul> of all matching popular posts. Bada bing, bada boom.

Shortcode Usage

Once the DIY technique and shortcode are in place, you can display a list of the most popular posts on your site. Here are some examples of shortcode usage:

[diy_pop_posts]                      // displays top 10 popular posts from all categories
[diy_pop_posts num="100"]            // displays top 100 popular posts from all categories
[diy_pop_posts num="5" cat="1,2,3"]  // displays top 5 from categories 1, 2, and 3
[diy_pop_posts cat="1,5"]            // displays top 10 from categories 1 and 5

So it's all pretty straightforward. If you have any questions or suggestions feel free to share in the comments section below, or send via email.


Pleased to announce the Pro version of my WordPress security plugin, Blackhole for Bad Bots — now available from Plugin Planet. Blackhole Pro stops bad bots, spammers, scrapers, and other automated threats. Trap bad bots in a virtual Blackhole and save precious server resources for your legit visitors.


After rocking our site's previous design for nearly four years, it was time for a refresh. Actually complete overhaul is more like it, a top-to-bottom restructuring and streamlining of DigWP.com.

Going into the redesign, the goal was twofold: 1) visually keep things as focused and clean as possible, and 2) under the hood, unify everything and simplify down to an absolute minimum. As with any eight-year-old website with over 400 posts and integrated e-commerce system, there was an enormous amount of work required to get the job done.

DigWP.com design version 4.0

File cleanup

Under the hood, the site had accumulated all sorts of one-off directories, project assets, and other loose files that really needed to be cleaned up, removed, or integrated in a more uniform fashion with the rest of the site. I mean, we're talking about an eight-year-old multi-author blog and ecommerce site that had already been through three (or four?) complete redesigns. So there was a lot of disparity and general chaos that needed to be reined in and dealt with.

For example, the Theme Clubhouse began as a whole separate subdomain WP-install, and then eventually moved to its own subdirectory, and now after streamlining everything, is an actual WP Custom Page template. So the loose /clubhouse/ directory has been removed (simplifying the root directory) and the clubhouse design is now identical to other DigWP pages.

Likewise with other things like tutorial demos, code downloads, and so forth. There were a lot of things just sort of "floating around" that needed to be brought in, cleaned up, and integrated with the core site. So now instead of a site that feels piecemealed together over the course of eight years, under the hood everything is part of a complete, unified website.

Database cleanup

Behind the scenes, in addition to the files is the site's database. Here is a list of things that were cleaned up:

  • All 404 and redirect links were fixed or removed
  • All weird characters were replaced or removed
  • Post comments were pruned for quality, relevance, etc.
  • Unused database tables were removed (greatly reducing DB size)
  • Old/unused post meta data was removed
  • Removed expired transients, post revisions, and other cruft

After this exercise the database size went from over 50MB to around 35MB, which is a huge improvement. Smaller databases are easier to back up, easier to manage, and easier to restore. So this was a big part of the site overhaul.

Post content

One thing that really bothered me about the previous site designs is that there was no consistency in terms of custom-post styles. Each of the first three themes had their own set of CSS styles, for things like captions, popout boxes, images, and so forth. Then we also used an art-direction plugin for a while, so some of the posts had that going on as well.

Basically the intra-post styles were a mess, but now have been cleaned up and simplified to a tight, uniform set of CSS classes that can be used anywhere in the site. For example, if I want to add a caption, I can wrap the text with .post-caption class and done. Likewise for .post-popout, .post-update, and so forth. Seems like such a simple thing but until now the site was miles away from it.

Some examples of post classes that I use frequently:

Hey I'm a popout box!
Hey I'm an update box!
Hey I'm a highlight box!
Hey I'm a caption!

Also while going through post content, a lot of other changes were made, for example:

  • Updated code/techniques where necessary
  • Improved content semantics and structure
  • Added new links to related information
  • Added new update and popout information

A LOT of time was spent going through the post content. Probably too much, but the result is a much more complete and unified set of blog posts.

Plugin cleanup

Another thing that kept bothering me about the site were the myriad PHP Notices and Warnings (and occasional Errors) that kept popping up. So a redesign is the perfect time to drill down, investigate, and resolve as many of those nuisances as possible.

In some cases, this meant tweaking some essential theme functions. In other cases, it meant finding replacements for weak plugins, and in a couple of cases, it meant just dropping the "noticy" plugins altogether.

For example, the Subscribe to Comments plugin we were using had been a part of the site for many years. And for the past who knows how many years has been triggering a PHP Warning (or Notice, I can't remember) about some object method or whatever. Finally asked myself whether or not the plugin was even necessary anymore.. turns out that it's not, so I replaced the "subscribe-to" checkbox with a simple link to the comments feed for the post. PHP error log got a lot cleaner and users can still stay current with comments.

End result: the site is down to only 12 plugins, and zero recurring PHP errors/warnings/notices. Incidentally, four of the 12 plugins are for disabling unused core stuff like Embeds, Emojis, Responsive Images, and the whole REST API thing. Moving on..


Speaking of comments.. these days social media has pretty much obviated any need for an in-house comments facility (IMDb anyone?). So I probably could have saved myself several hours of work fiddling with the comments section by simply wiping them out and just closing comments on everything.

The site, however, has a LOT of great feedback and comments, so I wanted to keep those available as a reference to any souls out there who may benefit from the information. Probably next design though, will be whacking the comments, depending on how things go in the meantime.

DigWP.com version 3.0 (previous design for past 4 years)
Theme design

Last but not least, the DigWP theme was completely refactored and redesigned. As you can see by comparing with previous designs, the new theme stays true to the thematic trajectory and overall "look and feel" of the site. So familiar visitors will not be shell-shocked with something completely different, and new visitors will enjoy the many features of the new design.

Keywords for the new design: uniform, bold, clear, tight, clean, focused.

As mentioned, the main thing that I wanted to do with the new redesign was streamline and integrate everything into a complete, solid site. For the actual design, I was going for consistency across pages with a strong focus on content. The previous blue/orange design was close to what I wanted, but some aspects just needed a little more tweaking.

To make a long post a little shorter, here are some highlights of the new theme:

  • Very clean and minimal theme template structure
  • Minimal redundancy, reuses code, images, assets, etc.
  • Limited palette of styles (colors, fonts, shadows, @media, etc.)
  • Eliminated a lot of extraneous bells and whistles
  • Removed the polls functionality
  • One stylesheet only (plus some various inline styles)
  • Minimal amount of JavaScript/jQuery
  • Improved navigation around site
  • Added popular posts and related posts
  • Revamped Members Area
  • Kept the Aside/Link posts :)
  • Line highlights for code snippets
  • Minimal social-media stuff
  • Simplified header and footer areas
  • Fully responsive and cross-browser compatible
  • Only uses about 30 lines of @media styles
  • Dropped Google Analytics

For the theme's custom fonts I went with Raleway for the headings, and Overpass for most everything else. I think these fonts are great and well-suited for the site's content. The only real gripe might be that the Overpass vertical bars seem just waaay too long: | (wtf?)

Also completely redesigned the Book Area, so it's more like an actual sales page and not just a bunch of information all thrown together. LOL.

To-do list

Overall, I feel that I accomplished everything that I set out to do.. and then some. Even so, there remain a few things that I want to make note of so I can maybe continue working on them for the next design:

  • Continue replacing images with responsive (higher rez) versions
  • Streamline/consolidate images (uploads, images, and theme directories)
  • Figure out why wptexturize is not auto-replacing straight quotes with smart/fancy quotes
  • Remove FeedBurner

As with most things, a site design (and everything that goes with it) is a work in progress. You can pour yourself into it, but at the end of the day, there's always something else to work on. So at some point, you just have to call it "done" and move on to the next big adventure.

That's a wrap

So that's basically how I spent the last four-ish weeks of my life. Time will tell if it was worth it. Of course, I love this line of work so I could literally talk/type about this stuff for hours and hours, but I'll leave it here for now. Hopefully this post gives you a better idea of the ins and outs behind the scenes of our latest redesign. Definitely not as easy as going out and buying a new theme and calling it a day. Waaay more complex than that.

If I had to boil it all down into a single goal for the site: I wanted something that inspired me to write and post more content. This new design definitely does that. So take a moment to look around and check it out. And if you notice anything weird or whatever about the design, please let me know in the comments. As always thanks for your generous attention :)


Quick post to announce updates for all DigWP themes, free and exclusive. All of our themes are current with the latest version of WordPress, and include lots of new features, bug fixes, and enhancements. 100% ready for action :)

The free themes are all free and open-source for everyone, and the exclusive themes are included with purchase of Digging Into WordPress. If you own the book, you can log in and download the updated themes in the DigWP Members Area, at your convenience. Now let's check ’em out..

Free Themes

Updates now available for all FREE DigWP themes!


The BLANK Theme is Chris Coyier's free starter theme. As Chris puts it, "It is a WordPress theme with all the functionality of a typical WordPress theme but almost none of the styling. The idea is that when starting a new theme, it is far easier to use this as a base than a theme that is already finished and styled." Check out the launch post to learn more about the BLANK Theme.

H5 Theme Template

The H5 theme is a bare-bones theme template built with HTML5. It includes just enough CSS to target key elements, provide some structure, and make it "look" like a basic theme. As a template theme, H5 is designed with easy customization and personalization in mind, serving as a solid starting point for your next HTML-5-based theme. You can learn more about the H5 theme.


WP Typo is a free theme by Chris Coyier. It is 100% typographic, with no images used anywhere in the theme. It includes the original PSD design file so you can make your own modifications and customize the graphics to suit your needs. And best of all, WP Typo is all free and open source with no attribution required. Learn more about WP Typo.


shapeSpace

shapeSpace is a WordPress "starter" theme that combines a robust set of theme functions with a lightweight set of template files. It’s a "premium" theme template that's clean, current, and 100% free and open source (via GPL License). It's a solid yet bare-bones foundation with plenty of included functions and an optimal amount of modular patterns and code. You can learn more about shapeSpace at Perishable Press and at shapespace.io.

How to get the free themes

All free themes are GPL-licensed and 100% free for everyone. You can download and use these free themes right now from the DigWP Theme Clubhouse. Note that the shapeSpace theme is available directly via shapeSpace.io. Downloads ahoy! :)

Exclusive Themes

All DigWP exclusive themes are available as free downloads for all members.


The All AJAX theme is an exclusive DigWP theme by Chris Coyier. It's awesome because it loads all posts, pages, and other page views directly via Ajax, without reloading the current page. So your visitors can browse your content faster and more "app-like" than traditional WordPress themes. All AJAX definitely is one of our more popular themes, and it's available as a FREE download to everyone who owns the book. You can check out All AJAX in the Theme Clubhouse and learn more in the update posts.

Lines and Boxes + Child theme

Lines & Boxes is another cool theme by Chris Coyier. The visual design for this theme was used to create the All AJAX theme. So Lines & Boxes looks great with the same crisp, clean "lines and boxes" style, but goes a little further than All AJAX in terms of behind-the-scenes functionality. It's got a lot of great features and includes a "dark" version Child Theme. You can get a better look at Lines & Boxes (and its Child Theme) at the Theme Clubhouse.

Plastique + Child theme

Plastique is an exclusive DigWP theme designed by Jeff Starr. It provides a wealth of widgetized areas in just about every part of the theme, so you can customize any part of your site from within the comfort of the WP Admin Area (without touching any code). Plastique also includes a robust settings page, optional multiple sidebars, and a sweet black-&-white Child theme that's ready for action. Check out Plastique and the Child Theme in the Theme Clubhouse.


The Quantify theme is a clean, well-styled WordPress theme focused on usability and readability. Quantify is built with HTML5, liberal doses of CSS3, and a few jQuery snippets thrown in for good measure. Features include custom fonts, widgetized areas, smart/expanding sidebar functionality, and expanding code boxes with lightbox-style sidebar hover effect. You can learn more about Quantify on its launch post.

How to get the exclusive themes

The exclusive themes are included free with any book purchase. If you already own the book, you can log in to the Members Area to download the latest versions at your convenience. To learn more about our exclusive themes, check out the Theme Clubhouse (select any theme from the dropdown/select menu). To get unlimited access to all of the exclusive themes (and future updates), buy a copy of our book, Digging Into WordPress:

Get the book!


The new theme versions include significant changes. Please make complete backups of your current theme and any settings/options data before upgrading. For more info on recent changes, check out the theme's readme.txt file.

Even more theme updates!

Also updated all themes for my other books, The Tao of WordPress and WordPress Themes In Depth. Current members may log in anytime to download the latest versions of the following themes:

  • 2020 Theme
  • DIY Theme
  • General Theme
  • Simplest Theme
  • Tao of WP
  • shapeSpace

That's all for now, Happy New Year! :)
