WordPress Plugin and Theme Security

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available.

The main points are:

  • Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare().
  • Protect against Cross-site Scripting by sanitizing any output with esc_html(), esc_url(), esc_js(), etc.
  • Protect against Cross-site Request Forgery by using nonces.
  • Make sure a user has permission to perform a task with current_user_can().
  • Don’t use eval().
  • Don’t post a form to `$_SERVER['REQUEST_URI']`. If you want to post to the current page, just use `action=""`.
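
As an added example that is not part of the talk or this post, here is one small admin page handler that applies each of the points above in working PHP. The `myplugin_*` nonce and function names and the `{prefix}myplugin_notes` table with an `id` and `body` column are assumptions for illustration; everything else is the standard WordPress API.

```php
<?php
// Added example: one admin handler covering the list above.
// Assumed: 'myplugin_*' names and a {prefix}myplugin_notes(id, body) table.

add_action( 'admin_menu', function () {
    add_menu_page( 'Notes', 'Notes', 'manage_options', 'myplugin-notes', 'myplugin_notes_page' );
} );

function myplugin_notes_page() {
    global $wpdb;

    // Permission: check the capability; do not assume only admins get here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['myplugin_note'] ) ) {
        // CSRF: verify the nonce before acting on the POST (dies on failure).
        check_admin_referer( 'myplugin_save_note', 'myplugin_nonce' );

        $note = sanitize_text_field( wp_unslash( $_POST['myplugin_note'] ) );

        // SQL injection: the API escapes for us, so no string concatenation.
        $wpdb->insert( $wpdb->prefix . 'myplugin_notes', array( 'body' => $note ), array( '%s' ) );
    }

    $search = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // Where the API has no helper, use $wpdb->prepare() with %s / %d placeholders.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, body FROM {$wpdb->prefix}myplugin_notes WHERE body LIKE %s ORDER BY id DESC LIMIT %d",
        '%' . $wpdb->esc_like( $search ) . '%',
        20
    ) );

    // XSS: escape every value at output time with the escaper for its context.
    // action="" posts back to the current page without echoing REQUEST_URI.
    echo '<form method="post" action="">';
    wp_nonce_field( 'myplugin_save_note', 'myplugin_nonce' );
    echo '<input type="text" name="myplugin_note" value="">';
    echo '<input type="submit" class="button" value="Save">';
    echo '</form><ul>';
    foreach ( $rows as $row ) {
        $link = add_query_arg( 'q', $row->body, menu_page_url( 'myplugin-notes', false ) );
        echo '<li><a href="' . esc_url( $link ) . '">' . esc_html( $row->body ) . '</a></li>';
    }
    echo '</ul>';
}
```

Note that `$wpdb->esc_like()` is needed on top of `prepare()` because `%` and `_` are LIKE wildcards, not SQL injection characters, so `prepare()` leaves them alone.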
