A while ago I posted a list of free sources of images for web design.

I’ll be using this post to maintain lists of free web design resources and assets.  There will be some commercial sources in this list as well. But I’ll be keeping the emphasis on free materials. The point is to find assets for quickly kickstarting web design projects. I’ll be keeping this list updated.

Selfy Market

Creative Market



Image from Bigstock can be imported into your WordPress site directly through the Bigstock official plugin.


When it comes to self-hosted instances of WordPress security policies must be enacted. WordPress security is taken care of for user of wordpress.com or managed WordPress hosts.

However, when we are managing our own sites or client sites then we have to create our own security policies and deploy the right tools to implement those policies.

Wordfence is a great tool for this purpose. And today it announced it launched version 6. The announcement is here.

The new update maintains a free version of it’s offering while providing support for IPv6. The launch post describes the rational behind that decision.

I like Wordfence for it’s version of a lightweight Web Application Firewall and it’s built-in scanner. The scanner does automatic checks of core, plugin and theme files to test known file versions against the actual installed versions. Differences are flagged. There’s a much larger set of features in both the free and premium versions. But those are the features I particularly like.

Of course one tool does not a security policy make. Security depends on more then tooling and ‘defence in depth’ is key. WordPress security requires defence at the levels of the network, the server, the application and the user.

Having said that, WordFence is a great start for application-level security.

Google has communicated very clearly that mobile-friendly websites will be advantaged in search results pages. Delivering to mobile is important enough that Google even offer easy-to-use tools to test how mobile-friendly your website actually is.

The Mobile-Friendly Test is provided as a part of Google’s website “Mobile-Friendly Websites”, a resource furnished to developers and people making decisions about the design of business websites. The resource has been around for a while and I’m surprised that I haven’t seen it linked to more often.

In February this year Google announced that it would be updating it’s indexing to improve the positioning of mobile-friendly sites. Today Google has finally rolled out the changes. From today websites that are not mobile-friendly will be punished in search results. Conversely, websites that are mobile friendly will be rewarded.

Of course merely being mobile-friendly isn’t enough by itself to assure favourable positioning in search results. Other factors are important. However  the change is significant enough that some industry experts are calling the change “mobilegeddon” in anticipation of the impact on websites right across Googles mobile-accessible indexing.


Summary: hosting WordPress on Openshift can be a great option for folk with a little tech confidence if you are looking for an cheap option but you don’t want to cut corners on site performance.

Choosing wordpress hosting is pretty important: options to consider include customer support from the hosting company, quality of infrastructure, administrative ease of use and pricing. Many people taking on their first site simply don’t want to take on the decision-making required for choosing a host and go with the loudest advertiser without understanding their options.

That’s fair enough. And some loud advertisers aren’t necessarily poor service providers. And most site operators are are best advised to offload choosing hosts to their consulting agency or  developer.

I’m constantly assessing options for wordpress hosting because the industry is fascinating. It looks like big changes are headed our way that could save a lot of money for consumers and make site-providers lives easy. It’s early days. But in the course of my exploration I discovered an option that could be great for small site operators who aren’t scared of learning new things.

Basically, its possible to use openshift to get free hosting for wordpress sites.

This probably isn’t what Openshift is aiming to provide. Site owners with relatively simple sites and low resource needs aren’t in Openshifts target market. But the Openshift’s offerings can be used for this purpose.


Openshift is Red Hat’s offering in the Platform As A Service market. It’s targeted towards business who have the skill at hand to build and deploy applications on Red Hat’s infrastructure and it provides a convenience layer on top of that infrastructure for developers.

One of the cool things about openshift is that they give a small (but very useful) amount of resources for free as an introduction to their services. These resources are not time limited (like amazons free tier which is limited to a year).

The process is simple: select either the free or bronze plan, log in and click on the ‘create an application’ button. Select the wordpress option. The application will be created for you. Credentials for wp-admin and for SSH will be given to you from the panel.

Thats it. You now have a wordpress instance running that you have complete control over.

The Difference

At this you have a running wordpress instance with a funny domain name generated by Openshift. Openshift even give you instructions for how to connect your desired domain name to your site. However by now you might have noticed that this kind of hosting of very different from  traditional hosting. You don’t have anything like a cpanel and you might have to think about managing things called “gears” and “cartridges”.  In reality, if all you want is a running wordpress site then you don’t have to worry about this (Unless you want to dive into the deep and complex world of PaaS and Openshift’s version of PaaS).

The Advantage

The first thing that I noticed was the front-end of the site is fast. The frontpage using the 2015 theme reloads in around 2s. The admin takes longer, at about 5s to 7s as measured by chromedev. But my personal perception is that the admin loads rapidly.

Free wordpress hosting on Openshift using the free and bronze tiers could be great for you if you don’t need technical support on the platform, you are confident enough to navigate the (very easy to use) panel and if you want SSH access to the deployment.

[quote]”What kind of Web Hosting Do I Need?”[/quote]

The kind of hosting you require will be determined by:

  • Your estimated rate of regular incoming traffic
  • The type of applications that you’ll be running
  • Whether you want to manage your own host yourself

Most small business websites are best hosted on either a shared host or a VPS. This article will describe what shared hosting and VPS’s are, and give an introduction to other types of hosting.

Most hosting companies, including all the major global brands, each offer different three broad categories of hosting divided into their own named products. These categories might be subdivided again into different branded products but they are pretty much the same.

However the quality of these offering differs vastly between different companies.
So if you are new at this and you haven’t bought hosting yet then ask your developer for advice.
Lets say your host is rubbish and you are paying your developer to set up your site on it. If, across the lifetime of development your developer takes an extra 8 hours dealing with your hosting company and you are paying $90 per hour, then that’s an extra $720.

Chances are that your developer has worked with hosting companies and products before and knows best how to choose them.

Shared Hosting

This is the least expensive type: a hosting company can manage multiple hosting accounts across shared hard drive space. Your website (or websites) shares hard drive and computing resources with other companies. Sharing resources means sharing costs. The labour costs of system administration is one of those shared costs, and the hosting company takes responsibility for that, including administration of the security of the underlying server.

You can generally run multiple websites from a single shared server. The exception is for the cheapest shared plans from some hosting companies.


  • Inexpensive
  • Administration taken care of for you
  • Control often granted through a control panel


  • Security is as strong as the weakest link: one lazy customer on the host can compromise all guests
  • Poorly provisioned and configured hosts fail to share resources adequately among all users
  • Some hosts fail to offer tools necessary for developers

The last two ‘cons’ generally apply to cheaper companies working at the bottom end of the market. The last con applies to every shared host in New Zealand. Shared hosting offers in New Zealand generally can’t compete on features with their competitors in the US. It’s a matter of tradeoffs: a more distant host can add valuable response seconds to site response-time. But the better hosts based in the US can offer the tools that developers need even on their inexpensive shared host offerings.

Virtual Private Servers

VPS’s are more costly and offer a great deal more control. They also require hands-on system administration, thus requiring a good deal of knowledge on operating systems and their tools. They are much more flexible but they are not always the best option.

VPS offerings grant direct remote access to a virtual server: an operating system with guaranteed dedicated resources. The server itself doesn’t take up a whole actual physical computer. Rather, physical machines devoted to running VPS’s have their own resources divided up between multiple hosted VPS’s. On each “slice” an entire OS resides, each with it’s own dedicated resources. For one VPS to interfere with a neighbouring VPS is difficult and unlikely. This provides security benefits.


  • Greater assurance of security from “bad neighbours”
  • Much more control then control panels offer
  • Direct remote access to the operating system


  • Enough power to cause damage to your own applications or operating system
  • More responsibility
  • Much more skill required

VPS’s are suitable if you want the control to configure your own web server or database server, configure resource use or customize your operating system. But you have to take on system administration or hire someone to do it. Skilled admins are expensive

Dedicated Hosts

Dedicated hosting is the lease of a physical machine for your own hosting purposes. This can be useful when you want more resources for your applications or sites, you have the administrative skills on hand. Dedicated hosting can be a great deal more expensive then VPS hosting, and accounting for bandwidth infrastructure can become complicated.

Dedicated hosting is a “heavy duty” option suited for businesses that need to devote significant resources to sites and application beyond typical websites. In these cases organisations have engineers devoted to shaping application infrastructure around the available resources and dedicated hosts might be used for different parts of the application.

Although dedi’s still have a strong place in the market, over the last few years new products under the umbrella term Cloud Services have allowed companies to take more fine-grained control of leased infrastructure. I might cover these in another article, but they generally aren’t a concern unless your website or application is very complex and serves tens of thousands requests on an average day.

Cloud Hosting

This is something of an umbrella term that encompasses different kinds of product. Cloud services vary widely in price and in the details of the product. What they have in common is that generally billing is much more finely grained: insteading of leasing infrastructure on a per-month or per-year basis, you pay for the underlying resources. You might pay for the hours of CPU time your website or application uses, along with bytes of traffic and storage capacity.

Cloud hosting suits companies that have dedicated expertise for managing the administration of their cloud services, and when a great amount of flexibility is required.

Under some circumstances leasing cloud services can serve small businesses well. Cost can be managed by skilled administrators. But mistakes can be very costly.

Wherein I compare those things called “frontend frameworks” and hopefully bring Bourbon to the attention of more developers.

Following is a light, comparative review of some frontend frameworks. I give a glimpse into the existing landscape.

Context: Bootstraps Dominance

Presently and for at least two years or so, the most popular “front-end framework” has been bootstrap. It’s everywhere. It’s an industry standard. Job postings all over the web ask for applicants to have “experience using bootstrap”, as if seasoned frontend developers don’t have skills that are transferable to any frontend framework.

Bootstrap has little appreciable competition for mindshare in the webdev world even though there are other frontend frameworks in existence. Zurbs’ Foundation is notable. It’s been around for a long time. It’s mature and people know about it. It’s thought of as “the alternative to bootstrap”.

Pros and (mostly) cons of Foundation

My opinion is conventional: that Bootstrap is easier to simply load and use, and that Foundation takes a little longer to learn. Where I’d stray from conventional opinion is that I don’t think that all bootstrap sites have to look the same. It depends how you use the framework.

zurb's yetiI’ve enjoyed using Foundation in the past. But going back to it, I simply can’t tolerate it’s installation processes. There are three options and all of them are… a bit icky. In theory you can just download the library and pull Foundation components into your project. But it’s not easy to figure out. It’s undocumented. And the installation paths that are documented are done so lightly. You can beat through the thorny path if you are a seasoned Ruby developer. But there’s no sane reason for way you should have to be a seasoned Ruby developer if you just want to install some frontend components.

Foundation promises to make development faster. But the complicated magic dance required to actually get started using it annuls that promised benefit.

Newcomers based on Googles Material Design

mdGoogle Material Design is a pattern language for design. The purpose of which is to encourage UI designers to create beautiful interfaces by using taking improved metaphors for web design into the realm of responsive design.

Google supports its Material Design language with its Web Starter Kit.

I have yet to experiment with Web Starter Kit. But I’m looking forward to it. Another project is Material CSS. It’s a student project out of Carnegie Mellon University. There is also LumX, a toolkit that includes and is geared forAngular.js. I haven’t tried these either, but may well do so in the future. Obviously a huge amount of work has gone into them and they look… delicious.


Bourbon.io provides sets of mixins for sass. That’s all. It’s really that simple.

Like Foundation, you have to the gem installed. Unlike Foundation, the installation of the Bourbon gem doesn’t require the same tightrope-walk and chicken-sacrificing. Combined with it’s sub-projects neat, bitters and refills, it provides most every component that either Foundation or Bootstrap do. And some that they don’t.

I’ve been using bourbon for at longer then I recall and I’m surprised it’s not more popular. It’s dead easy to pull it into an existing project or start your own project around it. My initial attraction was that earlier versions of Bootstrap didn’t have integration with sass, so the only way to use bootstrap was to clutter up the DOM with nonsemantic markup. Bourbon Neat let me use a grid system without cluttering the DOM.

Bourbon itself provides a range of conveniences documented here. It’s sibling libraries, dependent on Bourbon provide a grid system, typography and a collection of compents like headers, footers, navigation bars and tab systems.

Bootstrap also has a sass version, but I’ve found it more difficult to install then Bourbon. With Bootstraps Sass library, you have to pull in the deps with bower. And to tidy your project up before deployment, you’d probably have to handcode a Grunt task to move your files to the right place.

You don’t have to do that work with Bourbon.

In conclusion, Bourbon is easier to install then Foundation but you aren’t compelled to build your whole app around it. It has pretty much all the tooling of either Foundation or Bootstrap, but it’s much easier to get started with and you probably won’t really lose anything.

In my recent post on OWASP Day 2015 I remarked that WordPress.org itself takes security seriously. I mentioned the recently-released WordPress Security White Paper and pointed to the documents on hardening WordPress.

Of course WordPress.org doesn’t exist in a vacuum and has a tight feedback loop with its wider community. This in itself may be one of the secrets of success both of the CMS itself and the ecosystem.

The Problem

Due to it’s popularity in the shared hosting space self-hosted WordPress is capable of running on old, outdated versions of PHP, including version that haven’t been getting security updates for three years. This has been a result of a design decision by core developers: new installations should not break existing websites. It’s both a feature and a bug.

Of course running on old, unsupported versions of PHP creates security liabilities. A professional developer will, at the very least, raise these issues with site owners where such issues exist. But the reality is that some substandard hosts continue to provision older version of PHP. And many existing sites live on old hosts that haven’t been updated.

An Approach to a Solution

A community project called wpupdatephp exist. It provides a PHP library “… to be bundled with WordPress plugins to enforce users to upgrade to PHP 5.4 or higher hosting.” The project also aims to raise awareness of the risks associated with running insecure versions of php among site owners, and furnishes template email content for owners to include in requests to their hosting company.

The core functionality of the plugin can be seen in the readme viewable on github.


OWASP (The Open Web Application Security Project) is a volunteer-run, non-corporate global organization devoted to making the web a safer place. It provides resources for developers and business to help them secure their assets. It’s many notable projects include the Owasp Top Ten: the canonical list of the top ten most likely types of threat to web applications.

The New Zealand chapter organized another fantastic, amusing and enthralling OWASP Day, and event aimed mostly at Developers. But also of interest to anyone with responsibility for managing (securing) infrastructure.

If that sounds a little dry, you should have seen the metal-as t-shirts worn by the Insomnia crew.

Observations and Thoughts

Pedro Worcel’s presentation ‘CMS Hell’ made an interesting contrast with Nick von Dadelszen’s presentation.

Pedro discussed his own testing of NZ internet for CMS vulnerabilities. Pedro introduced droopscan, a vulnerability scanner for CMS’s. It looks like a really useful tool, and I’ll definitely be experimenting with it.

Nicks talk involved discussion of Section 252 of the Crimes Act, describing penalties for “accessing computer systems without authorisation”. Nicks was focussed on “passive” scanning for vulnerabilities, thus using techniques that can’t be described as possible violations of the Section 252.

One of my takeaways from these two presentations is that a lot of security research that I and others would consider ethically legitimate could be interpreted as violations of the Crimes Act. Even it the resulting research is capable of making the web safer.

The content of Nicks talk can be attained here. (warning: pdf)

Defending WordPress

Adam Bell from Lateral Security presented a case study that provided a cautionary tale about a failure of Defense In Depth. A notorious and very young system cracker had successfully attacked a site managed by the presenter. Adam introduced the log analyser Splunk and described his forensic strategy.

My takeway was that the weakest link will render the entire chain useless. Something anyone in who works around security already knows. But this can be sobering when we consider the possible effect on business. When customers pay for “security”, they tend not to understand that “security” is a thing that can’t be bought. It can be only be defended. But the old maxim holds true: any attacker with sufficient time and skill will always win.

WordPress itself takes security very seriously. WordPress.org has maintained a document for developers and admins on Hardening WordPress for many years. This week they released the WordPress Security White Paper which I read as overview of the security environment of the wordpress world. It applies the OWASP Top Ten to the wordpress world and is required reading for anyone serious about defending wordpress. (Or for that matter, attacking it)

Can This Tool Help Me Build My Site Faster?

That’s the question I ask when I look at new tools. And it’s one of the ultimate benchmark tests that I consider when assess any new tool or process.

My core toolset is entirely programmatic. I either build custom themes from scratch, build child themes on top of existing themes, and plug the gap with plugins that I either get from the wordpress repository or build myself.

A handful of tools dominate the market for “visual builders” allowing people who are creating sites to build without having to code. Or at least minimising the amount of code that has to be written.

Over the last few days I’ve taken a look at a few of these tools. I’ve partly been motivated glowing reviews in the community, including from the likes of Chris Lema. Such posts often have a trail of positive comments talking of the wonders of these tools. That’s another motivation.

However my overall impression is that none of these tools offer a clear advantage over either customizing a child theme or coding from scratch. I’m likely to continue climbing the learning curve just in case something clicks. But the claims of added convenience and speed just don’t amount to much.

Here’s a summary of each of the builders that I’ve looked into, and my impressions.

iThemes Builder

iThemes Builder
iThemes Builder

Steep learning curve. Big and complicated. Unconventional coding makes child themes difficult to work with. iThemes provided themes are built very unconventionally and I learnt the hard way that you can’t just child them and expect to be able to use them without having learnt Builder deeply. I wouldn’t recommend picking up iThemes Builder as an experiment for an client project.

Support staff are responsive.

I’m uncertain that I’d ever use this for a real project. I can see that they’ve put a lot of work into it, but currently I can’t see the benefit of using Builder over creating a custom theme.



Also big and complicated with a steep learning curve. Advertises a “drag and drop builder”.  The term “drag and drop” gives an impression of simplicity. However, Ultimatum’s builder requires that you learn a complicated interface and new terminology. All of this has to be learnt before any dragging and dropping is done. An interface for customizing CSS the ultimatum way is too constraining for some simple things (You might have to add your own plugin to inject CSS into the footer). It isn’t helpful that they’ve overloaded the term ‘template’, already used by wordpress.

Subscription gives access to a bunch of plugins that you’d otherwise have to buy separately on codecanyon. I don’t know how they offer support for these.

Documentation is very detailed. However some parts of it are unclear, particularly when it comes to adding custom CSS.

I could end up using Ultimatum for a real project. But I wouldn’t expect to see any advantage in the speed of site creation over building from a child or custom theme.



A much more slick product then the previous ones but not without it’s own frustrations. It’s polish doesn’t prevent you from having to learn it’s nuances and many configurations. You get to the “drag and drop” action faster then you would if using Ultimatum. But it’s still big, complicated and constraining: as far as I can tell, if you are building a layout then you can’t create a custom loop within that layout.  You can add a “code area” with your own php. But thats frustrating, because you can’t code with the convenience of a proper text editor. So testing becomes a pain.

The actual “drag and drop” editing screen is also confusing for while. Power and simplicity do not go hand-in-hand.

An alternative is to drop in a widget area and then find a widget that lets you create a loop. But that’s much more of a pain then just, say, coding your own Page Templates from. Also, using a widget would require that you do custom styling without access to markup (annoying) and make it very difficult, if not impossible, to work with data created with tools like pods. This is entirely unnappealing.

I could possible use Headway for a real project. But I’d have to sink more time into learning it and I still wouldn’t expect to see a speed advantage.

**update: jan 5th 2015 **

Headway can be great for quickly laying out or prototyping sites. The difficulty comes when you need to use custom code. Headways templates allow you to drop in custom php. However, the workflow for this isn’t smooth. So the convenience of fast layout and intuitive layout production is offset significantly by clunky workflow. The headflow developers have clearly done much hard work on this polished product. But it isn’t developer-friendly.


For all of the above tools it could be relatively straightforward to build a simple site. But if you wanted to build a simple site you wouldn’t want to spend money and time on a new tool when you can just use an existing theme and possibly child it. Or code from scratch.

What I’m probably seeing is the emergence of niche: wordpress tools for “developers” who don’t actually do programming.

I don’t mean to sound like  grumpycat. I can see that the developers of these tools have put in a lot of work building their tools, marketing them and providing support. All the vendors have been industry players for at least a year and get a lot of great reviews – reviews that encouraged me to test their wares.  Clearly a lot of people in the industry are getting value from them.

And I’m likely to continue to experiment with these tools. Maybe I’ll have an “aha moment” with one of them. But for the moment the appeal of each of them is limited.