Using a Child Theme

(and other things you need to know to start editing your theme)

A child theme allows you to change small aspects of your site’s appearance yet still preserve your theme’s look and functionality.

WordPress Theme Handbook

Child themes

  • allow you to modify a theme without blocking the ability to apply theme updates
  • give you a starting point to make development much faster rather than coding everything from scratch

Slide Presentation on Child Themes from Ottawa WordCamp 2019

WordCAmp Ottawa 2019

I recently led a session on Child Themes for Ottawa WordCamp 2019 entitled Child Themes and what else you need to know to start editing your theme. Hopefully this may be helpful, even without the commentary!


Here are some additional resources that you may find useful:

Google Indexing API for WP Job Manager Plugin

When one thing leads to another . . .

As a developer it’s not unusual that, as you work on a major project, you stumble over a smaller but really useful product. This has been the story of our new Google Indexing API for WP Job Manager Plugin.

After many hours of head-scratching, debugging and deciphering of Google’s documentation, I finally got the Google Indexing API working for Matador Jobs
(the WordPress Job Board Plugin for Bullhorn ATS) early this year. It was a key feature in our biggest Matador update to date (Matador Jobs Major release 3.4.0).

This apparently relatively small feature addition has proved extremely useful in improving our clients page ranking and in getting their jobs listed in near real-time on Google Jobs Search.

It wasn’t much of a leap to realize that this functionality could be useful for other job-boards. As we already have a Matador add-on to provide WP Job Manager integration, we decided to wrap the relevant fragment of the code we developed for Matador into a dedicated Plugin for users WP Job Manager. Launched at the beginning of April 2019, the Google Indexing API for WP Job Manager Plugin is my second Premium Plugin.

How the Google Indexing API for WP Job Manager Plugin works

Google created its Indexing API so that Google Jobs can be informed immediately when a job is posted or removed from a job board.

The API allows you to PUSH notifications that you have published a new job or deleted a filled job so that Google adds/removes your jobs straight away.

By making use of this, when you post a job it is included in the Google Job Search results almost instantly, giving you an important advantage.

Similarly, filled jobs are removed promptly and are no longer indexed in Google. So job-seekers should never end up on a 404 page.

When you implement the Google Indexing API for WP Job Manager Plugin, you don’t have to wait for Google to get around to crawling your site and add your jobs to their job search index. It happens automatically then and there.

Google Indexing API for WP Job Manager - Buy now!

How can I know I am writing secure WordPress code?


Even as experienced coder, it can be daunting to try to write secure WordPress code.

There is one golden rule: trust no-one!

But if you habitually make use of a few good tools, you should be able significantly to reduce potential vulnerabilities. As a bonus, secure code tends to be both performant and readable.

Where to begin – good tools

Use the tools that exist – don’t just write your code in a basic text editor!

I would recommend as a starting point using an IDE – Visual Studio Code, PHP Storm (IntelliJ), or, if you want a more editor based option, Sublime Text. Amongst other features, all of these offer code completion and syntax highlighting. This easily eliminates some of the ‘basics’, allowing you to focus on the actual code.

Next, you need a static code analysis tool. For WordPress coders this means installing  PHP_CodeSniffer ( ). If you integrate this with your IDE, you will get real-time feedback as to whether you are meeting the coding standards that you have selected.  For example, CodeSniffer will complain if you do not sanitize the input, escape the output or use a nonce when receiving data.

Note: A team of volunteers has created a set of WordPress Coding Standards rules (sniffs) to enforce WordPress coding conventions.  You can download these, together with integration instructions, from GitHub ( )

Applying the golden rule

What does it mean to ‘trust no-one’?

Your code needs to check that any input passed to it from a user, another coder or function is what you expect and that any time you return content your code confirms that it is the right type of content.

Example of checking input data

In the code fragment below, I first check that a form submitted was created by the website by using a nonce and then use absint() to make sure the form value is a number, followed by using the sanitize_text_field() to clean the name value input.

// Check we have a form field called wp_nonce
// Check the value of wp_nonce is what WP created
if ( isset( $_POST['wp_nonce'] ) && wp_verify_nonce( $_POST['wp_nonce'], 'save_form' ) ) {

 // make sure that a and ID is an int    
 $post_id = absint( $_POST['id'] );

  // - Checks for invalid UTF-8,
 // Converts single `<` characters to entities
 // Strips all tags
 // Removes line breaks, tabs, and extra whitespace
 // Strips octets
 $name = sanitize_text_field( $_POST['name'] );

 // Save form

Examples of escaping output data

It is important to escape any translated content as you don’t know what is in the translation. In the following code fragment, the last thing I do before echoing the html is to pass it through esc_html() to make sure it is valid and allowed html.

 echo esc_html( sprintf( '<p>%s</p>', __( ' Some content to by translated', 'text_domain' ) ) );

You should never trust the output of a function, even if you wrote it, as someone else might change it later. In this example, I use esc_url() and esc_attr() to clean the returned output of the functions.

echo sprintf( '<a href="%s" title="%s">click here</a>', esc_url( get_a_url_from_somewhere() ), esc_attr( get_a_title_from_somewhere() ) );

Writing secure WordPress code – the last word

Security is always going to be a challenge – change is a constant and vulnerabilities exist everywhere. But it is our responsibility as coders to do the best we can. At the very least, consistently using the tools available, applying coding standards and following basic good practice guidelines, is just good sense. It should eliminate a significant proportion of risks and leave you some headspace to tackle the edge-case scenarios.

WP JSON API – how to extend it

Slides as presented at WordCamp Toronto, 2016

In this talk, I demonstrate how to use the WP JSON API to add your own end-point for a custom post type or add/change data being returned.

I walk you through example code that extends the API and show you how simple it can be and how few lines it takes once you get your head around it.

Learning Outcomes

  • expose a custom post type in the API
  • view the output of the API
  • send date to the API
  • save data sent to the API
  • return custom data to an API call