WordPress Plugin Developer Security Tips

When developing WordPress plugins it is always a good idea to be thoughtful about security. Follow these simple tips to harden your plugin:

Validate User Input

When you get data back from a user, validate it! There are a number of useful functions to help with input validation. For example:

  • Use intval() when you expect numbers
  • sanitize_title()

Sanitize Output

Depending on the context, data must be sanitized when displayed back to the user. Again, WordPress has a number of helpful functions to make this easy. For example:

  • esc_html()
  • sanitize_email()

Uses Nonces

You must be sure that when data is posted to WordPress, that you know where that data came from. Nonces help you “trust” a source. You can add a nonce to a URL using wp_nonce_url() or add a hidden nonce filed to your form using wp_nonce_field(). You can then verify the nonce by using check_admin_referer.

Prepare SQL Queries Correctly

For example, this is BAD:

$wpdb->prepare( "INSERT INTO employee (username, name) VALUES ('$username', '$name')" )

This should rather be written like this:

$wpdb->prepare( "INSERT INTO employee (username, name) VALUES (%s, %s)", $username, $name )

Trust WordPress Functions

When possible (and most times it is possible) use the built-in WordPress functions. These functions have been tried and tested and offer the most secure way to accomplish a specific task. For example, use the get_posts function rather than writing a custom select query and passing that to $wpdb->get_results.

Check Capabilities

It is always wise to check that a user can perform a certain task before doing it. You never know, if a user somehow manages to run your top secret function, they could potentially do something malicious. So check they have the correct capabilities first, using current_user_can(), then you can safegaurd yourself against any possible issues.

Further Reading

Check out these other resource to learn more and get more clued up:

  • Mark Jaquith: Theme & Plugin Security
  • Brad Williams: Writing Secure WordPress Code
  • Data Sanitization And Validation Within WordPress
  • Review an intentionally vulnerable plugin, and then how to fix it.