This article is for developers who are looking to get a general overview of WordPress, but might also be suitable for you if you are not an advanced user.
Important files/directories
wp-config.php – located at web root
This file holds the credentials for your database & other configuration such as debugging. Beyond that, this file is often used by plugins to store sensitive information such as API keys, as it is the simplest and most straightforward option, but not necessarily the safest.
/wp-content/
Directory that holds all your relevant content: Theme, Uploads & Plugins. You can migrate your whole website with just the database and the wp-content directory.
functions.php – wp-content/themes/[theme_name]/
Used to add custom functionalities. More complex functionalities should be created as plugins in wp-content/plugins/
Important concepts
Theme/ Child Theme
Themes define custom styles and some functionalities. Every WordPress site requires a theme. You can either create a custom theme from scratch or use a child theme.
Reasons to use child theme:
- Make your modifications portable and replicable.
- Keep customizations separate from the parent theme.
- Allow parent themes to be updated without losing your modifications.
- Save on development time since you’re only writing the code you need.
- Are a great way to start your journey toward developing full themes.
Post Types
Post types are a way of categorising content in WordPress.
The best-known default post types are “post” and “page”, but you can create custom post types for your website, e.g. “projects” or “services”. You can customise the capabilities of your post types.
All post types are stored in the wp_posts table in the database.
WordPress default post types are:
- Post (Post Type: ‘post’)
- Page (Post Type: ‘page’)
- Attachment (Post Type: ‘attachment’)
- Revision (Post Type: ‘revision’)
- Navigation menu (Post Type: ‘nav_menu_item’)
- Block templates (Post Type: ‘wp_template’)
- Template parts (Post Type: ‘wp_template_part’)
Taxonomies
Each taxonomy consists of terms in either a hierarchical or a non-hierarchical structure. The WordPress default taxonomies are categories (hierarchical) and tags (non-hierarchical).
Plugins
Custom functionalities you can add to your website. Custom plugins can be added in wp-content/plugins and standard plugins can be added through the WordPress plugin directory in your dashboard.
Database
WordPress operates with a SQL database that stores all the data.
Important Tables:
- wp_options - Stores site-wide settings, plugin settings, and theme options (e.g., site URL, admin email, active theme, active plugins).
- wp_posts - Stores all content types: posts, pages, attachments, revisions, menus, and custom post types. Each row represents a “post” of some type.
- wp_postmeta - Stores metadata for posts (custom fields). Each meta is a key-value pair linked to a post.
- wp_users - Stores registered user information: username, email, hashed password, registration date, etc.
Other Tables
- wp_usermeta - Stores metadata about users (roles, capabilities, preferences).
- wp_termmeta - Stores metadata for terms (categories, tags, or custom taxonomy terms).
- wp_terms - Stores individual taxonomy terms (like “Category: News” or “Tag: WordPress”).
- wp_term_relationships - Links posts (or other objects) to taxonomy terms.
- wp_term_taxonomy - Defines the taxonomy type for each term (category, tag, or custom taxonomy) and counts associated objects.
- wp_comments - Stores comments submitted on posts/pages.
- wp_commentmeta - Stores metadata related to comments.
Hooks (Actions & Filters)
Filters are used to modify information, and actions are used to execute actions. Both need to be triggered by built-in hooks. Common hooks are wp_footer or wp_head. There are hundreds of hooks, which are used to add custom scripts & stylesheets. Plugins can create custom hooks.
Additional Concepts:
Other concepts that might be worth looking at:
- Widgets
- Shortcodes
- REST API / AJAX References
WordPress Security
I would look at the security in 3 layers:
- Layer one is your DNS – use a proxy like Cloudflare to block malicious traffic before it visits your server. This also keeps your IP address secured from attackers.
- Layer two is your server – make sure that your (1) file permissions are secure, perhaps use a (2) custom plugin on Plesk or cPanel to secure your server and (3) keep your server languages & systems updated.
- Layer three is your site – run regular updates, use a good firewall plugin, keep plugins to a minimum.
Server Security
- Good quality webhosting
- KEEP BACKUPS in a separate location
- Keep your file permissions secure, limit the files your server can write to in case it gets compromised
- Create separate database users for each website, don’t share the database between websites
- Keep server languages up to date e.g. the php version (fully managed webhosts will do that for you)
- Prefer SFTP over FTP
- Ensure that each website is isolated in case your server is compromised
- Change the table prefix in your database from wp_ to something else
- Log activity – will allow you to see what happened when and which IP address was used
- Use SSL for your server
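The file-permission, wp-config.php and table-prefix advice above can be checked with a short read-only script. This is an added example, not part of the original article: the function names, the finding labels and the extra check for PHP files under uploads are assumptions made for illustration, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: read-only hardening checks for a WordPress document root.
# Prints one finding per line, and nothing when every check passes.
wp_audit() {
    root=$1
    cfg="$root/wp-config.php"
    if [ -f "$cfg" ]; then
        # wp-config.php holds the database credentials and often API keys.
        if [ -n "$(find "$cfg" -perm -004)" ]; then
            echo "CONFIG_WORLD_READABLE $cfg"
        fi
        # Ignore lines that are commented out with // or #.
        live=$(grep -Ev '^[[:space:]]*(//|#)' "$cfg" || true)
        if printf '%s\n' "$live" | grep -Eiq \
            "define\([[:space:]]*['\"]WP_DEBUG['\"][[:space:]]*,[[:space:]]*true"; then
            echo "WP_DEBUG_ENABLED $cfg"
        fi
        if printf '%s\n' "$live" | grep -Eq \
            "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]"; then
            echo "DEFAULT_TABLE_PREFIX $cfg"
        fi
    fi
    # World-writable paths can be changed by any local account, including
    # a neighbouring site that is already compromised.
    find "$root" \( -type f -o -type d \) -perm -002 | sed 's/^/WORLD_WRITABLE /'
    # uploads/ has to be writable by PHP, so PHP files there are suspect.
    if [ -d "$root/wp-content/uploads" ]; then
        find "$root/wp-content/uploads" -type f -name '*.php' |
            sed 's/^/PHP_IN_UPLOADS /'
    fi
    return 0
}

# Constructed sample tree (not a real site) so the checks run offline.
wp_audit_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024"
    printf '%s\n' '<?php' "define( 'WP_DEBUG', true );" \
        "\$table_prefix = 'wp_';" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    : > "$d/wp-content/uploads/2024/img.php"
    chmod 777 "$d/wp-content/uploads"
    wp_audit "$d"
    rm -rf "$d"
}

# With a path argument audit that tree, otherwise run the constructed demo.
if [ "$#" -gt 0 ]; then wp_audit "$1"; else wp_audit_demo; fi
```

Whether wp-config.php can lose its world-read bit depends on which user PHP runs as on your host, so treat CONFIG_WORLD_READABLE as something to review rather than an automatic failure.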
WordPress Security
- Limit the number of plugins
- Update plugins & theme(s)
- Add a firewall plugin to your site
Additional Security Advice
- Use a CDN like Cloudflare as a proxy between server and client to block threats before they reach your server.
- Limit access to the site (especially for clients lol)
WordPress Resources
Child Themes: https://developer.wordpress.org/themes/advanced-topics/child-themes/
Post Types: https://developer.wordpress.org/themes/classic-themes/basics/post-types/
Taxonomies: https://developer.wordpress.org/themes/classic-themes/basics/categories-tags-custom-taxonomies/
Hooks: https://developer.wordpress.org/plugins/hooks/
Custom Hooks: https://developer.wordpress.org/plugins/hooks/custom-hooks/
Security: https://developer.wordpress.org/advanced-administration/security/hardening/