Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at WordCamp Phoenix 2011. The notes are also available.
The main points are:
- Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare().
- Protect against Cross-site Scripting by sanitizing any output with esc_html(), esc_url(), esc_js(), etc.
- Protect against Cross-site Request Forgery by using nonces.
- Make sure a user has permission to perform a task with current_user_can().
- Don’t use eval().
- Don't post a form to $_SERVER['REQUEST_URI']. If you want to post to the current page, just use action="".
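To show how these points fit together in one place, here is a small illustrative plugin written for this post (it is not code from Mark's talk or from WordPress itself). It assumes a hypothetical custom table named after $wpdb->prefix plus "example_notes", an invented admin page, and invented function names prefixed example_notes_; everything else is the standard WordPress API. Each of the list items above is marked in the comments where it applies.

```php
<?php
/*
Plugin Name: Example Notes (illustration for this post, not from the talk)
*/

// Abort if the file is loaded outside WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Assumed custom table; $wpdb->prefix comes from the site configuration, not from the request.
function example_notes_table() {
    global $wpdb;
    return $wpdb->prefix . 'example_notes';
}

// Create the custom table on activation.
function example_notes_activate() {
    global $wpdb;
    $table   = example_notes_table();
    $charset = $wpdb->get_charset_collate();
    require_once ABSPATH . 'wp-admin/includes/upgrade.php';
    dbDelta( "CREATE TABLE {$table} (
        id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
        author_id bigint(20) unsigned NOT NULL,
        body text NOT NULL,
        PRIMARY KEY  (id)
    ) {$charset};" );
}
register_activation_hook( __FILE__, 'example_notes_activate' );

// Register an admin page; the menu is only shown to users who can edit posts.
function example_notes_menu() {
    add_menu_page( 'Example Notes', 'Example Notes', 'edit_posts', 'example-notes', 'example_notes_page' );
}
add_action( 'admin_menu', 'example_notes_menu' );

function example_notes_page() {
    global $wpdb;
    $table = example_notes_table();

    if ( isset( $_POST['example_note_body'] ) ) {
        // CSRF: verify the nonce written by wp_nonce_field() below; dies if it is missing or stale.
        check_admin_referer( 'example_add_note', 'example_note_nonce' );

        // Permission: check the capability here too; hiding the menu is not an authorization check.
        if ( ! current_user_can( 'edit_posts' ) ) {
            wp_die( 'You do not have permission to add notes.' );
        }

        // Sanitize the input before it is stored.
        $body = sanitize_textarea_field( wp_unslash( $_POST['example_note_body'] ) );

        // SQL injection: let the API build the INSERT; values are escaped per the format list.
        $wpdb->insert(
            $table,
            array( 'author_id' => get_current_user_id(), 'body' => $body ),
            array( '%d', '%s' )
        );
    }

    // SQL injection: when the API cannot express the query, use $wpdb->prepare() with placeholders.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, body FROM {$table} WHERE author_id = %d ORDER BY id DESC LIMIT %d",
        get_current_user_id(),
        10
    ) );

    echo '<div class="wrap"><h1>Example Notes</h1>';
    // action="" posts back to the current page without echoing $_SERVER['REQUEST_URI'] into the markup.
    echo '<form method="post" action="">';
    wp_nonce_field( 'example_add_note', 'example_note_nonce' );
    echo '<textarea name="example_note_body" rows="3" cols="60"></textarea><br>';
    submit_button( 'Add note' );
    echo '</form><ul>';
    foreach ( $rows as $row ) {
        // XSS: escape on output even though the value was sanitized on input.
        echo '<li>' . esc_html( $row->body ) . '</li>';
    }
    echo '</ul></div>';
}
```

The split between input sanitization (sanitize_textarea_field) and output escaping (esc_html) is deliberate: the stored value may later be rendered in a different context (an attribute, a URL, a script), and only the escaping function chosen at output time knows which context that is.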