WordPress CMS Website Development
WordPress powers about 43% of websites globally. The reason is not a perfect architecture but a mature ecosystem: thousands of plugins, an understandable editing interface and a huge community. For most corporate sites, landing pages and blogs it is a reasonable choice that lets an editor work independently, without a developer's help.
What's Included in Website Development
A full-featured project includes:
- Environment setup: LEMP stack (Linux + Nginx + MySQL + PHP 8.x), SSL, file permissions configuration
- Theme: custom development or modification of an existing theme, preserving updateability via a Child Theme
- Content Types: Custom Post Types and taxonomies per site structure
- Fields: ACF (Advanced Custom Fields) for structured data
- Security: disabling XML-RPC, limiting login attempts, hiding the WP version, Nginx rules
- Performance: caching, compression, image optimization
- SEO: Yoast or Rank Math, sitemap, Open Graph
Project Structure
A proper structure separates the core, plugins and custom code:
/var/www/site.com/
├── wp-core/ ← WordPress core (don't touch manually)
├── wp-content/
│ ├── themes/
│ │ ├── parent-theme/ ← base theme
│ │ └── site-theme/ ← child theme (all custom code)
│ ├── plugins/
│ │ ├── advanced-custom-fields-pro/
│ │ └── site-core/ ← project custom plugin (CPT, functions)
│ └── uploads/
└── wp-config.php
Putting custom code in a plugin instead of functions.php is good practice: the plugin is activated explicitly and is independent of the theme, so the theme can be deactivated without losing functionality.
Performance Out-of-Box
WordPress without tuning is slow. Basic measures:
# Nginx: static file cache
location ~* \.(css|js|png|jpg|jpeg|gif|webp|svg|ico|woff2)$ {
    expires 1y;
    add_header Cache-Control "public, immutable";
}
# Gzip
gzip on;
gzip_types text/css application/javascript image/svg+xml;
gzip_vary on;
Caching plugins: WP Rocket (paid, best result) or W3 Total Cache (free). For high-traffic sites, set up Redis Object Cache.
Database optimization: WordPress accumulates drafts, revisions, transients:
-- Assumes the default wp_ table prefix
-- Delete all post revisions
DELETE FROM wp_posts WHERE post_status = 'inherit' AND post_type = 'revision';
-- Delete the timeout rows of expired transients
DELETE FROM wp_options WHERE option_name LIKE '_transient_timeout_%' AND option_value < UNIX_TIMESTAMP();
-- Delete all transient values (cached data that WordPress rebuilds on demand)
DELETE FROM wp_options WHERE option_name LIKE '_transient_%' AND option_name NOT LIKE '_transient_timeout_%';
Via WP-CLI:
wp post delete $(wp post list --post_type=revision --format=ids) --force
wp transient delete --expired
wp db optimize
Security
Mandatory minimum for production:
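// wp-config.php
define('DISALLOW_FILE_EDIT', true); // disable the built-in theme/plugin file editor
define('DISALLOW_FILE_MODS', true); // block plugin/theme installation and updates from the admin
define('WP_DEBUG', false);          // boolean false, not the string 'false'
define('WP_DEBUG_LOG', false);
define('FORCE_SSL_ADMIN', true);    // force HTTPS for login and admin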
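An added example, not part of the original page: a shell check that a wp-config.php carries the five constants above as real boolean values, usable as a gate before deploy. The function names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/bash
# Added example: audit wp-config.php for the minimum constants listed above.
# Function names and the sample file are illustrative assumptions.

# Expected values, copied from the wp-config.php snippet on this page.
REQUIRED="DISALLOW_FILE_EDIT=true DISALLOW_FILE_MODS=true WP_DEBUG=false WP_DEBUG_LOG=false FORCE_SSL_ADMIN=true"

# Print the value given to constant $2 in file $1, lowercased, or nothing.
# Text-level check: only define() calls that start a line are seen, so
# commented-out defines are ignored. The first match is used because PHP
# keeps the first definition of a constant.
wp_config_value() {
    sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,([^)]*)\).*/\1/p" "$1" |
        head -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z'
}

# Report every required constant; return 1 if any is missing or wrong.
# A quoted 'false' fails on purpose: as a non-empty string it is true in PHP.
audit_wp_config() {
    local file="$1" pair name want got rc=0
    [ -r "$file" ] || { echo "FAIL cannot read $file"; return 1; }
    for pair in $REQUIRED; do
        name="${pair%%=*}"
        want="${pair#*=}"
        got="$(wp_config_value "$file" "$name")"
        if [ "$got" = "$want" ]; then
            echo "ok   $name = $got"
        else
            echo "FAIL $name: expected $want, found ${got:-nothing}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: FILE_MODS is commented out, WP_DEBUG is a string.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
<?php
define( 'DISALLOW_FILE_EDIT', true );
// define('DISALLOW_FILE_MODS', true);
define('WP_DEBUG', 'false');
define('WP_DEBUG_LOG', false);
define("FORCE_SSL_ADMIN", TRUE);
EOF
audit_wp_config "$sample" || echo "wp-config.php is below the minimum"
rm -f "$sample"
```

Constants set inside conditionals or through included files are not seen by this text-level check and are reported as missing.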
Nginx: block access to sensitive files:
# Deny wp-config.php access
location = /wp-config.php { deny all; }
# Deny PHP in uploads
location ~* /(?:uploads|files)/.*\.php$ { deny all; }
# Disable XML-RPC if not needed
location = /xmlrpc.php { deny all; }
# Hide readme, license and sample config files
location ~* ^/(?:readme|license|wp-config-sample)\.(?:html?|txt)$ { deny all; }
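Limit login attempts with the Limit Login Attempts Reloaded plugin or at the Nginx level:
location = /wp-login.php {
    limit_req zone=login burst=3 nodelay;
    include fastcgi_params;
    # PHP-FPM needs SCRIPT_FILENAME; the stock fastcgi_params file does not set it
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-fpm;
}
# In the http block
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/m;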
Updates and Deploy
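WP-CLI in a deploy script:
#!/bin/bash
set -e
# Keep database dumps outside the web root so they cannot be downloaded
mkdir -p backups
echo "Backing up database..."
wp db export "backups/pre-deploy-$(date +%Y%m%d-%H%M%S).sql"
echo "Updating WordPress core..."
wp core update
wp core update-db   # apply database changes required by the new core version
echo "Updating plugins..."
wp plugin update --all
echo "Flushing cache..."
wp cache flush
wp rewrite flush
echo "Done."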
For team projects: pin plugin and core versions in composer.json via johnpbloch/wordpress and wpackagist, and deploy via CI/CD with tests (at least a smoke test that key pages are available).
Timeline
Installation, security and performance configuration — 4–6 hours. Content structure (CPT, ACF), base theme — 1–2 days depending on complexity. SEO setup, sitemap, Open Graph — another 2–3 hours.







