Learn With Kamal

  • Understanding how drag and drop form builder works in javascript deeply for beginners

    Lesson 01 / 06

    The fields[] Array — Your Source of Truth

    In this modern day, al most all CMS including WordPress and many page builders, form builders etc uses drag and drop interface to build the UI. Have you wondered how it work behind the scene? Today we will explore how drag and drop work in a form builder which is very common. If you understand this, then you can understand how popular form builder plugin works and how Elementor, Gutenberg block editor etc work. Everything in the form builder lives in one JavaScript array. Understanding this is the foundation.

    The Concept

    A form builder doesn’t actually move HTML around the page. Instead, it manages a JavaScript array called fields[]. Each item in the array is a plain JavaScript object that describes one form field.

    When you drag a field onto the canvas, you add an object to the array. When you delete it, you remove it from the array. The HTML on screen is always just a reflection of what’s in the array.

    Key principle: The array is the form. The HTML is just a display. This is called having a single source of truth.
    What one field object looks like
    // Each field is just a plain JavaScript object
const field = {
  id: "field_1",        // unique ID
  type: "text",         // what kind of input
  label: "Full Name",   // the visible label
  placeholder: "e.g. John Smith",
  required: true,      // validation
  helpText: ""
};
    Live demo — click to add fields to the array

    Click the buttons below to add fields. Watch how the array grows:

    // fields[] is empty
let fields = [];
    1 of 6
    Lesson 02 / 06

    The 3 Drag Events You Need

    The browser fires events as you drag. You only need to listen to three of them.

    The Events
    dragstart
    Fires when the user begins dragging. You record what is being dragged.
    dragover
    Fires while hovering over a drop target. You must call e.preventDefault() here or the drop won’t work.
    drop
    Fires when the user releases. You use the recorded info to add a new field to the array.
    Try it — drag the pill into the drop zone
    Drag Source (Palette)
    Text Input
    draggable=”true”
    Drop Zone (Canvas)
    Drop here
    ondragover + ondrop
    // Events will appear here as you drag…
    The code pattern
    // 1. On the palette item — record what's being dragged
paletteItem.addEventListener('dragstart', function(e) {
  draggedType = 'text'; // save to a variable
});

// 2. On the drop zone — allow the drop
dropZone.addEventListener('dragover', function(e) {
  e.preventDefault(); // THIS IS REQUIRED or drop won't fire
});

// 3. On the drop zone — actually add the field
dropZone.addEventListener('drop', function(e) {
  var newField = { id: 'field_1', type: draggedType };
  fields.push(newField); // add to array
  renderCanvas();         // update the HTML
});
    2 of 6
    Lesson 03 / 06

    The 3-Panel Layout

    Every form builder uses the same layout. Once you know it, you can build it with plain CSS Grid.

    The layout diagram
    Left Panel
    Field Palette
    𝐓 Text
    @ Email
    ▾ Dropdown
    ☑ Checkbox
    ⊞ Date
    Center — Canvas
    Drop Zone
    Full Name ✱
    Email Address
    Drop here…
    Right Panel
    Settings
    Label Full Name
    Placeholder Enter…
    Required
    Help text
    Left Panel — The palette of available field types. Each item is draggable.
    Center Canvas — The drop zone. Shows a preview of the form being built.
    Right Panel — Settings for the selected field. Changes update the array and re-render.
    The CSS (it’s just 3 columns)
    /* The whole thing is just a CSS Grid */
.workspace {
  display: grid;
  grid-template-columns: 240px 1fr 260px;
  height: 100vh;
}

/* Drop zone gets a dashed border when empty */
.drop-zone {
  min-height: 200px;
  border: 2px dashed #ccc;
}

/* Highlight when something is dragged over it */
.drop-zone.drag-over {
  border-color: #4CAF50;
  background: #f0fff4;
}
    The HTML structure (simplified)
    <div class="workspace">

  <div class="palette">
    <div draggable="true" data-type="text">Text Input</div>
    <div draggable="true" data-type="email">Email</div>
  </div>

  <div class="canvas">
    <div class="drop-zone">
      <!-- field blocks appear here -->
    </div>
  </div>

  <div class="settings-panel">
    <!-- settings for selected field -->
  </div>

</div>
    3 of 6
    Lesson 04 / 06

    renderCanvas() — Turning Data into HTML

    One function reads the fields[] array and builds the HTML. You call it every time anything changes.

    Live demo — add fields, watch the array and canvas update together
    Canvas (what you see)
    // fields[] array (the data)
    // empty — add a field
    The renderCanvas function
    function renderCanvas() {
  var zone = document.getElementById('drop-zone');
  zone.innerHTML = ''; // clear existing HTML

  // Loop through the array and build HTML for each field
  fields.forEach(function(field) {
    var block = document.createElement('div');
    block.className = 'field-block';
    block.innerHTML = `
      <label>${field.label}</label>
      <input type="${field.type}"
             placeholder="${field.placeholder}">
    `;
    zone.appendChild(block);
  });

  // Show placeholder if empty
  if (fields.length === 0) {
    zone.innerHTML = '<p>Drop fields here</p>';
  }
}
    Key insight: You never manually update the HTML. You update the fields[] array, then call renderCanvas(). The function rebuilds everything from scratch. This is exactly how React, Vue, and WordPress Gutenberg blocks work.
    4 of 6
    Lesson 05 / 06

    The Settings Panel — Editing a Field’s Data

    When you click a field, the settings panel reads that field’s data and shows inputs to edit it.

    Live demo — type in the settings, watch the preview update
    Settings Panel
    // field object in fields[]
    {
      “label”: “Full Name”,
      “placeholder”: “e.g. John Smith”,
      “helpText”: “”,
      “required”: false
    }
    How it works in code
    // When a field is clicked — show its settings
function selectField(id) {
  selectedId = id;
  var field = fields.find(f => f.id === id);

  // Populate the settings panel with this field's values
  document.getElementById('input-label').value = field.label;
  document.getElementById('input-placeholder').value = field.placeholder;
  document.getElementById('toggle-required').checked = field.required;
}

// When user types in the settings panel — update the array
document.getElementById('input-label').addEventListener('input', function() {
  var field = fields.find(f => f.id === selectedId);
  field.label = this.value; // update the array
  renderCanvas();          // re-render the canvas
});
    The flow: Click field → selectField(id) fills the settings panel → user edits → event listener updates fields[]renderCanvas() redraws the canvas instantly.
    5 of 6
    Lesson 06 / 06

    The Complete Flow — From Drag to Save

    Put it all together. Here’s every step from dragging a field to saving the form.

    The full flow
    Palette
    Item
    draggable=”true”
    stores type
    dragstart
    event
    draggedType =
    ‘text’
    drop
    event
    on the canvas
    drop zone
    fields[]
    .push()
    new object
    added to array
    render
    Canvas()
    array → HTML
    on screen
    settings
    panel
    click field
    edit its data
    JSON.
    stringify()
    save to DB
    or export
    The complete minimal form builder (under 80 lines)
    <!-- HTML -->
<div class="workspace">
  <div class="palette">
    <div draggable="true" data-type="text">Text</div>
    <div draggable="true" data-type="email">Email</div>
  </div>
  <div id="drop-zone"></div>
  <div id="settings"></div>
</div>

// JavaScript
var fields = [];
var draggedType = null;
var selectedId = null;
var nextId = 1;

// Step 1: Each palette item stores its type on dragstart
document.querySelectorAll('.palette [draggable]').forEach(function(el) {
  el.ondragstart = function() { draggedType = el.dataset.type; };
});

// Step 2: Drop zone accepts the drop
var zone = document.getElementById('drop-zone');
zone.ondragover = function(e) { e.preventDefault(); };
zone.ondrop = function() {
  fields.push({
    id: 'field_' + nextId++,
    type: draggedType,
    label: draggedType + ' field',
    required: false
  });
  renderCanvas();
};

// Step 3: Render the array as HTML
function renderCanvas() {
  zone.innerHTML = fields.map(function(f) {
    return `<div onclick="selectField('${f.id}')">
      <label>${f.label}</label>
      <input type="${f.type}">
    </div>`;
  }).join('');
}

// Step 4: Show settings for the clicked field
function selectField(id) {
  selectedId = id;
  var field = fields.find(f => f.id === id);
  document.getElementById('settings').innerHTML = `
    <input id="s-label" value="${field.label}"
      oninput="updateField('label', this.value)">
  `;
}

// Step 5: Update the field object when settings change
function updateField(key, value) {
  var field = fields.find(f => f.id === selectedId);
  field[key] = value;   // update the array
  renderCanvas();       // re-render
}
    For WordPress — where each piece maps to
    fields[] array → stored in post_meta as JSON using update_post_meta()
    renderCanvas() → a PHP loop that outputs <input> tags on the front end
    Settings panel → a WordPress meta box with standard form inputs, or Gutenberg InspectorControls
    JSON.stringify(fields) → submitted via $_POST and saved with update_post_meta()
    6 of 6
  • A Comprehensive Guide to Setting Up Security for Your WordPress Website

    A Comprehensive Guide to Setting Up Security for Your WordPress Website

    Understanding WordPress Security Risks

    WordPress, being one of the most popular content management systems, is often targeted by malicious actors. Understanding the common security risks that accompany a WordPress website is essential for maintaining its integrity and safety.

    One significant risk arises from outdated themes and plugins. Developers regularly release updates to patch vulnerabilities, and neglecting to install these updates can expose a website to attacks. Cybercriminals frequently exploit these known weaknesses. Therefore, it is crucial for WordPress users to ensure that all themes and plugins are consistently up-to-date.

    Another common vulnerability comes from the use of weak passwords. Many users opt for simple passwords for convenience, allowing hackers to easily gain unauthorized access. Implementing strong, complex passwords and regularly updating them can greatly reduce the likelihood of a security breach. Additionally, utilizing tools like password managers can help users create and store secure passwords.

    The significance of an unprotected file system cannot be overstated. Without proper file permissions and access controls, sensitive information can be exposed to unauthorized users. This highlights the need for configuring file permissions correctly and regularly monitoring access logs for unusual activity.

    The consequences of security breaches can be severe, ranging from loss of sensitive data to damage to a site’s reputation. Such incidents often result in financial loss and a decline in user trust. Consequently, it is vital for website administrators to implement proactive security measures. Regular security audits, installing security plugins, and educating users about secure online practices are essential steps in safeguarding a WordPress website.

    Essential Security Plugins for WordPress

    Securing your WordPress website effectively requires the right tools, and security plugins play a crucial role in this endeavor. Among the most recommended plugins are Wordfence Security, Sucuri Security, and iThemes Security. These plugins provide a robust suite of features aimed at safeguarding your site from various threats.

    Wordfence Security functions as a comprehensive firewall and malware scanner. Its real-time traffic monitoring helps in detecting and blocking malicious users, while the built-in login security features, such as two-factor authentication and CAPTCHA, significantly enhance account protection. A premium version is available, offering additional benefits like country blocking and real-time firewall rule updates, which can be essential for larger websites.

    Sucuri Security focuses heavily on website monitoring and malware removal. Its features include file integrity monitoring, security activity auditing, and a dedicated firewall. The plugin also provides a hack repair service with its premium version, which can be a lifesaver should your site be compromised.

    iThemes Security, formerly known as Better WP Security, provides over thirty ways to secure your site. Its features include strong password enforcement, user action logging, and brute force protection. The premium version offers additional options such as two-factor authentication and scheduled malware scans, enhancing overall website security.

    For those who are budget-conscious, each of these plugins offers free versions with limited functionality that still cover essential security needs. When comparing free versus premium options, it’s important to consider the specific requirements of your website and the level of security you desire. Ultimately, these essential security plugins can vastly improve the safety of your WordPress website when leveraged effectively.

    Key Server and WordPress Settings for Enhanced Security

    Securing your WordPress website begins with optimizing the server settings and configuring relevant options within the WordPress dashboard. These adjustments can significantly heighten the security landscape of your site, guarding against potential threats and vulnerabilities.

    First and foremost, consider changing the default login URL. By default, WordPress uses /wp-admin and /wp-login.php as its login endpoints, making them prime targets for brute-force attacks. Customizing the login URL adds an additional layer of obscurity, reducing the likelihood of unwanted access attempts. Various plugins are available to assist you in changing the login page to a more secure URL.

    Next, implementing two-factor authentication (2FA) is a robust method of securing user accounts. This process requires users to provide two forms of identification before gaining access. Typically, this involves a password combined with an authentication code sent to a mobile device. Many popular WordPress security plugins offer built-in features for enabling 2FA, thus reinforcing your security posture.

    In addition to these settings, it is crucial to configure file and directory permissions appropriately. The recommended permissions are 755 for directories and 644 for files. This ensures that files are only writable by the owner, reducing the chances of unauthorized modifications. You can access these settings typically through your hosting control panel.

    Lastly, setting up SSL certificates is essential for encrypting data transmitted between the user’s browser and your server. This not only boosts security but also promotes trust among your visitors. Most hosting providers facilitate the installation of SSL certificates via their control panels.

    Overall, implementing these key server and WordPress settings will significantly enhance the security of your website, ensuring better protection against common threats.

    Regular Maintenance and Monitoring for Ongoing Security

    To ensure the security of your WordPress website, regular maintenance and monitoring are paramount. This ongoing process is critical to proactively safeguard against threats and vulnerabilities that may arise over time. One of the primary steps involves monitoring website activity. This includes tracking user access, identifying unusual login attempts, and keeping an eye on changes made to your content and files. A comprehensive auditing strategy can illuminate unauthorized changes that may indicate security breaches.

    Another essential aspect of maintaining security is implementing routine backups. Regularly backing up your website’s data not only protects against potential data loss due to cyberattacks but also prepares you to recover swiftly from such events. It is advisable to utilize automated solutions that enable scheduled backups, ensuring your data is continuously up-to-date and easily restorable.

    Additionally, keeping plugins, themes, and the WordPress core updated is crucial. Developers regularly release updates that often include security patches addressing known vulnerabilities. Delaying these updates can leave your website exposed to threats. Therefore, a routine schedule for reviewing and applying these updates can significantly enhance the security posture of your WordPress site.

    Conducting regular security audits is another effective strategy. These audits help identify potential weaknesses within your site, allowing for corrective actions to be taken promptly. During an audit, consider assessing the overall website structure, permissions, and installed plugins, ensuring that each component aligns with your security policies.

    Implementing a solid security policy is vital. This policy should encompass guidelines on user access levels, data protection measures, and procedures for responding to security incidents. By addressing potential threats before they occur, you establish a proactive security environment that significantly mitigates risks associated with hosting a WordPress website. Regular maintenance, monitoring, and adherence to a thorough security policy form the foundation for a robust defense against evolving cyber threats.