WordPress Plugin and Theme Security

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at Wordcamp Phoenix 2011. The notes are also available. The main points are: Protect against SQL Injection by using the API whenever possible (because it automatically handles data sanitization). If the API can’t do what you need, use $wpdb->prepare(). Protect against […]

Continue reading...

Making Coding Mistakes Obvious

Joel Spolsky wrote an interesting article on ways to¬†make coding mistakes obvious, like using semantic¬†prefixes on variable names. If you have unfiltered data from the user, you can make the variable something like $usFoo so that you always remember that the data is unsafe, and won’t output it unfiltered (therefore preventing malicious code injection).