WordPress Plugin Developer Security Tips

When developing WordPress plugins it is always a good idea to be thoughtful about security. Follow these simple tips to harden your plugin:

Validate User Input

When you get data back from a user, validate it! There are a number of useful functions to help with input validation. For example:

Use intval() when you expect numbers
sanitize_title()

Sanitize Output

Depending on the context, data must be sanitized when displayed back to the user. Again, WordPress has a number of helpful functions to make this easy. For example:

esc_html()
sanitize_email()

Uses Nonces

You must be sure that when data is posted to WordPress, that you know where that data came from. Nonces help you “trust” a source. You can add a nonce to a URL using wp_nonce_url() or add a hidden nonce filed to your form using wp_nonce_field(). You can then verify the nonce by using check_admin_referer.

Prepare SQL Queries Correctly

For example, this is BAD:

$wpdb->prepare( "INSERT INTO employee (username, name) VALUES ('$username', '$name')" )

This should rather be written like this:

$wpdb->prepare( "INSERT INTO employee (username, name) VALUES (%s, %s)", $username, $name )

Trust WordPress Functions

When possible (and most times it is possible) use the built-in WordPress functions. These functions have been tried and tested and offer the most secure way to accomplish a specific task. For example, use the get_posts function rather than writing a custom select query and passing that to $wpdb->get_results.

Check Capabilities