Joe Tuan
Joe Tuan
Founder, Topflight Apps
June 11, 2018

WordPress development has grown exponentially in popularity. This is in large part because the platform itself is free and is extremely easy to customize. When starting a new WordPress development, you are presented with 3 options for doing your development. You can do it on the live site (not a good idea), you can set up a staging environment or you can set up a local environment. 

Having a solid local WordPress development environment will help with your workflow and will provide you with a stress-free environment to code. Let’s have a look at what a local WordPress environment is, why they are beneficial and how to set one up.

wordpress development

Setting Up A Local WordPress Development Environment

A local WordPress development environment involves setting up a server environment on your local machine. Rather than using a server provided by a hosting company, all development is done locally on your own machine. This allows you to customize your site without the fear that it will break, and make all kinds of changes, before pushing your site online. This helps eliminate any risk when building your site and can make the development process much less stressful.

Even though you’re not working on your site live, your site will look like it’s live in your browser. Your browser will simply be referencing the files stored locally on your computer, but no one else will be able to access or view your site.

To set up a local development environment you’ll need a few additional tools (which I will get into below).

Why Use a Local WordPress Development Environment?

One major advantage of a local WordPress development environment for your site is that you can work on your site without being connected to the internet. If you have slow wifi or you’re traveling, you can continue to work without having to endlessly search for a wifi signal.

Your site will also be secure and free from prying eyes until you’ve actually completed the project. You won’t run into any server performance issues or spend endless time waiting for your site to refresh. The performance of your site will simply depend upon your local machine.

A local WordPress development environment will allow you to maintain high levels of security while testing your site and let you ensure there are no bugs or fixes that require your attention.

However, if you do need to show progress on a site you’re building, then you may want to opt for a staging environment, which allows you to host your site on a live server, while it’s still shielded from the general web.

This gives you more flexibility in showcasing your work, while still being able to access your site from any computer or location and improving the security.

The Steps to Setting Up a Local WordPress Development Environment

If you’re sold on creating your own local WordPress development environment, then you’ll need a few tools to help you get started. There is no perfect solution for setting up your local environment, so it’s important to choose the tools that are the best fit for your needs.

1. Choose a local server environment. 

Using the right tools will speed up the time it takes to setup your local development environment. There are numerous options to choose from, but the tools below are the easiest and most commonly used:

  • MAMP
    MAMP will give you a complete local environment for developing your WordPress site. This solution will bundle everything you need to get your server up and running together, so you don’t have to bring multiple tools together. It’s available for both Mac and Windows.
    XAMPP is a great open source tool that’ll work across Mac, Linux, and Windows machines. Plus, it’s one of the easier options to setup and use. Once you’ve installed the tool you can quickly install the WordPress software stack, which will allow you to start building your WordPress site immediately.

2. Pick a text editor. 

If you’re an experienced developer, then you probably already have a preferred text editing tool to edit your code. But, if not, then you’ll want to find a solid text editor.

A text editor that’s built for developers will help to increase your programming efficiency and avoid making errors in your work.

Some commonly used solutions that are geared towards WordPress development include:

  • PhpStorm – This editor supports WordPress development right out of the box, and will atomically detect if you’re building a site in WordPress.
  • Atom – This is a relatively new open source editor that easy to use, has an active community, and has a number of WordPress-specific add-ons.
  • NetBeans – This is a full-function editor that’s been around since the 90s. It includes impressive features like a built-in debugger and numerous WordPress add-ons.
  • Sublime Text – This editor is very lightweight, fast, and a pleasure to use, while coming equipped with WordPress development add-ons.
  • Coda – This is a Mac-only editor that’s very lightweight and includes WordPress-specific plugins.
  • Install the right tools and plugins. Before you start building your site you’ll want to enable WordPress debugging features. This will allow you to find any glaring errors or bugs and fix them before you push your site live.

To enable debugging you’ll need to locate your wp-config.php file and add the following piece of code (which will turn on the debugging feature):

define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );

You can also install a plugin like Log Viewer, which will allow you to view and clear your debug log.

Other tools and plugins you might want to install include WP-CLI, which will streamline the development experience or Query Monitor, which acts as a comprehensive debugging plugin.

3. Start building your site. 

With your local development environment created, WordPress installed, and the right tools and plugins active it’s now time to start building your site.

If you’re building a site from scratch then you’re ready to go. However, if you’re making changes to an existing site, then you can use a cloning tool to create a copy of your site you can then begin customizing.

Setting up a local WordPress development environment might seem like a lot of work, but developing a site on your local machine can become a crucial part of your development workflow. It’ll not only make you more efficient, but you’ll be able to build a site without the worry that you will break something.

There are many approaches to setting up a local WordPress development environment. The one contained herein is just a suggested approach. What you do will largely depend upon the operating system your local machine uses. 

WordPress Security Concerns

Securing your WordPress installation

WordPress security concerns are extremely valid for a number of reasons. The question often arises “Is WordPress secure?” The answer is that it depends. WordPress itself is very secure as long as WordPress security best practices are followed, but there are hackers who attack these sites. In fact, there are an estimated 90,000 hack attempts per minute against WordPress installations.

Since WordPress powers 25% off all websites, security vulnerabilities are inevitable because not all users are careful, thorough, or security conscious with their websites. If a hacker can find a way into one of the 700 million WordPress websites on the web, they can scan for other websites that are also running insecure setups of old or insecure versions of WordPress and hack those too.

WordPress runs on open source code and has a team specifically devoted to finding, identifying and fixing WordPress security issues that arise in the core code. As security vulnerabilities are disclosed, fixes are immediately pushed out to patch any new security issues discovered in WordPress. That’s why keeping WordPress updated to the latest version is incredibly important to the overall security of your website.

It’s important to note that WordPress security vulnerabilities extend beyond WordPress core into the themes or plugins you install on your site. According to a recent report by, of the 3,972 known WordPress security vulnerabilities:

  • 52% are from WordPress plugins
  • 37% are from core WordPress
  • 11% are from WordPress themes

Armed with this information, here are 5 common WordPress security concerns.

Brute force attacks.

A brute force attack is a trial and error approach to entering usernames and passwords in an attempt to break into a WordPress installation.The brute force attack method exploits the simplest way to get access to your website: your WordPress login screen.WordPress, by default, doesn’t limit login attempts, so bots can attack your WordPress login page using the brute force method. Even if a brute force attack is unsuccessful, it can still wreak havoc on your server, as login attempts can overload your system. While you’re under a brute force attack, some hosts may suspend your account, especially if you’re on a shared hosting plan, due to system overloads.

File inclusion exploits.

After brute-force attacks, vulnerabilities in your WordPress website’s PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.) File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. File inclusion exploits are one of the most common ways an attacker can gain access to your WordPress website’s wp-config.php file, one of the most important files in your WordPress installation.

SQL injections. 

Your WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.With an SQL injection, an attacker may be able to create a new admin-level user account which can then be used to login and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.

sql injections

Cross-site scripting.

84% of all security vulnerabilities on the entire internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.The basic mechanism of Cross-Site Scripting works like this: an attacker finds a way to get a victim to load web pages with insecure JavaScript scripts. These scripts load without the knowledge of the visitor and are then used to steal data from their browsers. An example of a Cross-Site Scripting attack would be a hijacked form that appears to reside on your website. If a user inputs data into that form, that data would be stolen.


Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website’s files, so if you suspect malware on your site, take a look at recently changed files.Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them. The four most common WordPress malware infections are:

  • Backdoors
  • Drive-by downloads
  • Pharma hacks
  • Malicious redirects

Each of these types of malware can be easily identified and cleaned up either by manually removing the malicious file, installing a fresh version of WordPress or by restoring your WordPress site from a previous, non-infected backup.

Other vulnerabilities that are commonly exploited:

  • Cross-Site Request Forgery (CSRF) – Code or strings are entered and executed from a site’s URL
  • Denial of Service (DoS) – When a site goes down due to a steady stream of traffic coming from a hackbot
  • Distributed Denial of Service (DDoS) – Similar to a DoS attack, except the hackbot is sending traffic from multiple sources such as infected computers or routers
  • Open Redirect – Occurs due to a vulnerability and it’s a site’s page that’s redirected to a different one that’s set by a hacker and is often spam or a phishing site
  • Phishing (Identity Theft) – A site or page created by a hacker that looks like a well-known, commonly trusted site, but is used to collect login credentials by tricking a user to input their details
  • Authentication Bypass – A security hole that enables a hacker to circumvent the login form and gain access to the site
  • Full Path Disclosure (FPD) – When the path to a site’s webroot is exposed such as when the directory listing, errors or warnings are visible
  • User Enumeration – Being able to determine a valid username to later use for brute force attacks by adding a string to the end of a WordPress site’s URL to request a user ID which may return an author’s profile with the valid username
  • XML External Entity (XXE) – An XML input that references an external entity and is processed poorly by improperly set up XML parser and can lead to confidential information disclosure
  • Security Bypass – Similar to authentication bypass, except that a hacker can circumvent the current security system that’s in place to gain access to some part of a site
  • Remote Code Execution (RCE) – A hacker has the ability to execute arbitrary code on a machine or site from a different machine or site
  • Remote File Inclusion (RFI) – Exploiting a reference to an external script on a site in order to exploit it to upload malware and all from an entirely different computer or site
  • Server Side Request Forgery (SSRF) – When a hacker can take control of a server either partially or totally to force it to execute requests remotely
  • Directory Traversal – Cases where HTTP can be exploited to access a site’s directories and execute commands outside of the server’s root directory

Armed with this knowledge of the common WordPress security concerns, you can come up with a plan that will all but avoid these issues. This approach needs to look at the following things to be successful.

Best Practices for Securing Your WordPress Installation

Wordpress security

Keep your own computer secured

Make sure your own computer is secure. You must keep your computer free of malware and viruses. These can attach themselves to files and when you upload those to your WordPress installation, it gets infected as well.

Avoid weak passwords. 

Using a weak password is one of the biggest security vulnerabilities you can easily avoid. Your WordPress admin password should be strong, include multiple types of characters, symbols or numbers. In addition, your password should be specific to your WordPress site and not used anywhere else.

Keep WordPress, plugins and themes updated.

Allowing WordPress, plugins or themes to become outdated is a major problem for addressing WordPress security concerns. it’s important to always run the latest version of all software installed on your WordPress website. Updates will appear in your WordPress dashboard as soon as they’re available. Make a practice of running a backup and then running all available updates every time you login to your WordPress site. While the task of running updates may seem inconvenient or tiresome, it’s an important WordPress security best practice. Also, if you update your plugin manually, make sure you use FTPS instead of FTP.

Using plugins and themes from untrustworthy sources.

Poorly-written, insecure, or outdated code is one of the most common ways attackers can exploit your WordPress website. Since plugins and themes are potential sources of security vulnerabilities, as a security best practice, only download and install WordPress plugins and themes from reputable sources, such as from the repository, or from premium companies that have been in business for a while. Also, avoid bootleg or torrented “free” versions of premium themes and plugins, as the files may have been altered to contain malware.

Using poor quality or shared hosting.

Since the server where your WordPress website resides is a target for attackers, using poor-quality or shared hosting can make your site more vulnerable to being compromised. While all hosts take precautions to secure their servers, not all are as vigilant or implement the latest security measures to protect websites on the server-level.Shared hosting can also be a concern because multiple websites are stored on a single server. If one website is hacked, attackers may also gain access to other websites and their data. While using a VPS, or virtual private server, is more expensive, it assures your website is stored on its own server.

By doing the following 8 things, you can ensure that your WordPress security concerns are under control.

Using a Strong Password

If you’re currently using a password that contains fewer than 6 characters, change it now. If you’re currently using a password on more than one login, change it now. If you’ve had the same password for more than six months, change it now. Start practicing good WordPress password security, especially if you’re an admin user. Using a password manager like LastPass makes it much easier to use strong passwords everywhere.

Install a WordPress Security Plugin

Using a WordPress security plugin is a great way to take care of additional security measures on your WordPress website. Most of these plugins offer a one-click WordPress security check that activates the most important and recommended WordPress security settings.

An SSL certificate is also very important because it assures people that their connection with your website is secure.

Enable WordPress Two-Factor Authentication

enable two factor

Two-factor authentication adds an extra layer of protection to your WordPress login. In addition to your password, an additional time-sensitive code is required from another device such as your smartphone, in order to login. Two-factor authentication is one of the best ways to lock down your WordPress login and nearly completely minimizes the potential of successful brute force attacks.

Keep Your WordPress Site Updated

Again: keeping your WordPress site updated is one of the best ways you can avoid potential WordPress security issues. Login to your WordPress site now and run any available updates for WordPress core, your themes or plugins. If you’re using premium WordPress plugins or themes, make sure you have a current license to ensure you’re getting updates and not running outdated versions.

Setup Proper Permissions on Your Server

Ensure proper permissions are set on all directories on your server. Proper permissions dictate who has permission to read files, create and edit files.

Run Scheduled Malware Scans

Keep tabs on potential malware infections with scheduled malware scans. Most services give you a report on your website’s malware status along with several other blacklisting statuses.

Have a Reliable WordPress Backup Plan

Having a WordPress backup plan is an important component of your WordPress security strategy. Set up scheduled backups to run and make sure you’re sending your backups safely off-site in a secure, remote WordPress backup location. Also, make sure your backup strategy has a restore component in case you need to restore a backup.

Activate WordPress Brute Force Protection

Protecting yourself from brute force attacks is another way to reduce any potential vulnerabilities or server overloads. Use a service that includes both local and network brute force protection to ban users who have tried to break into other sites from also breaking into yours.

Disable the Theme and Plugin Editor

WordPress allows you to edit theme code and plugin code in a built-in editor.

This is considered a security risk by many developers because a hacker who has access to your admin dashboard could edit theme and plugin files directly without needing to hack their way further into your site’s directories.

You can add this code to your wp-config.php file to disable the theme and plugin editors:

define('DISALLOW_FILE_EDIT', true); 

Relocate wp-config

If you move the wp-config file from its default location, you will do wonders towards securing your WordPress installation. The only requirement is that you must create a new wp-config file that is located in the same place as the original with the following code inserted:

define('ABSPATH', dirname(__FILE__) . '/');

require_once(ABSPATH . '../path/to/wp-config.php');

Be sure to change ‘/path/to/wp-config.php’ to the actual path on your server.

Change the Database Table Prefix

This is something I do on every WordPress installation I setup. By default, the table prefix for a WordPress installation is wp_ and that makes it even easier for hackers to exploit your site. Changing it to something random and complex can thwart hacking attempts.

Rules in .htaccess

Another step to securing your WordPress installation is to add some rules to the .htaccess file to protect files and directories.

You can protect important files by adding the following to your .htaccess file:

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

You can restrict access to your WordPress PHP files by adding the following code to your .htaccess:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/

RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]

RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php<

RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/

RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

You can restrict access to your WordPress admin dashboard by allowing only certain static IP addresses by adding the following to your .htaccess:

ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteCond %{REMOTE_ADDR} !^IP Address Three$
RewriteRule ^(.*)$ - [R=403,L]

Lines one and two redirect users to a 404 error page if they try to visit the admin dashboard from a different IP address than what’s defined in this rule. It helps resolve possible redirect loops so your site doesn’t appear to be down. Just be sure to replace /path-to-your-site/ with the actual path of your WordPress site.

Change Your Default Username

By default, the initial WordPress user is an admin role and is called simply ‘admin’. You should definitely change this. If you leave it at the default, you are giving the hacker half of the credentials to get into your site. Use something you will remember, but definitely do not use the default username. If your site is already set up and you used the default username, you can change it via PHPMyAdmin directly in the users’ table.

Many or most of the security techniques mentioned above can be applied quickly with a security plugin. Installing one and keeping it active is a simple and excellent way to ensure your site is protected and without having to remember to apply all the security tactics yourself.

WordPress itself is secure as long as you keep it updated, but new vulnerabilities surface as hackers find them. A security plugin helps protect you while the WordPress security team works on a fix to release in the next core update.

You can find a list of reliable and solid security plugins later on, but remember to install one if you don’t have one on your site already.

Reasons to Opt for A Custom WordPress Plugin

wordpress plugins

Source: WPExplorer

There are many reasons to build a custom WordPress plugin for your solution. As a stakeholder, you want your content to sing. You want it to stand out from the crowd. You probably chose WordPress because you heard how customizable it was. With so many free plugins for different purposes WooCommerce (for eCommerce),  Yoast (for SEO), WordFence for security, and so on and so forth, you are now able to customize the user experience and how your WordPress site functions. You might even think spending money on a custom WordPress plugin is a bad idea. Is that true?

Free plugins can definitely be a motivating factor for many when putting together a new website, but the problem is there are no guarantees that the developer will have adhered to the WordPress coding standards, always use best practices and design for easy maintenance and use. When implementing a free plugin to solve a problem, you will likely find that it isn’t meeting the expectations of the development team and others.

Unfortunately, this only reveals itself after you’ve already invested a lot of time and money into the path you chose. This is not to say there aren’t some really good commercially available plugins, but their best features are not always free. You have to carefully do your research before buying any plugins. The long bulleted list of features may not all be available at the basic level. Many commercially available plugins offer various licensing options for their product, making the license expense greater and greater. Some even limit how many sites you can use the plugin on. This can create issued depending upon your own circumstances.

If It is Free, You Get What You Pay For

Free plugins move from developer to developer as one developer picks up the sack for a previous developer who lost interest in the project. This is a problem when you want your site operational for at least the next 5 years before any further major changes are done to it. Commercially available plugins have a better chance of remaining relevant because their developers have a vested interest in keeping their product up-to-date and viable in the WordPress community.

If true quality and longevity are what you desire, it might be time to consider a custom WordPress plugin. When you develop your own custom WordPress plugin, you maintain control of the code. You can, of course, use GitHub to open it up for development assistance from other developers, but even then, you control what does and does not make it into your actual codebase. You can be sure to thoroughly test and approve any and all changes before merging them into your existing codebase, thereby maintaining a high level of quality.

Even Commercial Plugins Can Suck

I cannot tell you how many times I’ve worked on a WordPress project and the client rejected the idea of a custom WordPress plugin in favor of an off-the-shelf plugin, only to find out at some point that the plugin doesn’t adhere to those WordPress Coding Standards, follow good practices, and most definitely doesn’t spit out quality markup for our designers and developers to work with. This is where the hidden cost of off-the-shelf plugins comes into play.

When I’ve experienced issues with off-the-shelf plugins, my estimates are that it takes me triple the time to overcome the issues the plugin itself presents. Many times addressing the issues means making changes to the plugin’s code. That is a time-consuming process that you avoid with a custom WordPress plugin. Even when you overcome the issues, there is still the possibility that a future update ruins all the customizations done, which wastes the money originally spent on those customizations.

We Should Have Developed a Custom WordPress Plugin

This decision isn’t always easy, but thankfully, asking the right questions will help make the decision as easy as possible. Does the plugin developer know your needs? Do they understand your workflow? Do they empower your website to do the job you intended? If the answer to these questions is no, you should probably develop a custom WordPress plugin.

What Can a Custom WordPress Plugin Do?

The purpose of a WordPress plugin is to provide additional functionality the platform itself doesn’t already provide. A custom WordPress plugin can provide customizations to existing functionality of an e-commerce website. They can integrate outside APIs into the site or potentially merge the data from two existing plugins. They can even change some of the built in functionality of tools like Woo commerce.

As previously mentioned, building a custom WordPress plugin can save time and money. Instead of hoping the off-the-shelf plugin meets your needs, the custom-built plugin will definitely meet your needs because you are driving its development. You will likely find that the more customizations you need, the more money you save doing it from scratch. This ensures your custom WordPress plugin uses WordPress Coding Standards, making it less likely to be hacked. It makes future maintenance easier and insures that features are not broken during an update process. Your developer knows your needs. S/he knows your workflow. They will empower your site to do what you intended with your custom WordPress plugin. These are all good reasons to have your own custom WordPress plugin.


Now that you’re armed with the knowledge to set up a local WordPress development environment and you’ve learned the strategies to protect your WordPress site, you can begin setting up your own site. Or, if you need help with WordPress, call +1 949-391-6317 or get in touch with us via our proposal and estimates page. Topflight Apps has been recognized as a Top Website Development Company on DesignRush. Talk to us today.

Joe Tuan

Founder, Topflight Apps
Founder of Topflight Apps. We built apps that raised $165M+ till date. On a mission to fast-forward human progress by decentralizing healthcare and fintech.
Learn how to build winning apps.

Privacy Policy: We hate spam and promise to keep your email address safe

Copy link