Plugin Security
NOTE: If you are looking to report a plugin with security issues, please read Reporting Security Issues.
Congratulations, your code works! But is it safe? How will the plugin protect your users if their sites get hacked? The best plugins in the WordPress.org directory keep their users’ information safe.
Please keep in mind that your code may be running across hundreds, perhaps even millions, of websites, so security is of the utmost importance. This is especially important when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.
Fortunately, there are common patterns you can follow to ensure the security of your code. We’ve broken them into three key ideas:
Securing Input
Every time a user submits data to WordPress, data is imported from an external feed, or data comes into WordPress, you should make sure it’s safe to handle. You can do so by validating and sanitizing the data.
Escaping Output
Every time a post title, post meta value, or some other data from the database is rendered to the user, we need to make sure it’s properly escaped. This helps prevent issues like Cross-site scripting (XSS).
Note: “Cross-site scripting (XSS)” attacks are malicious attacks whereby scripts are injected into your site, typically via a browser-side script. Generally this occurs when a website includes data entered by a user in the output it creates without validating or encoding it. Bad things can happen if this occurs, so it is very important to ensure a website is appropriately protected.
Confirming Credentials
To prevent an unauthorized person from changing your plugin’s settings or performing actions they are not authorized to perform, it’s important to always confirm their credentials. WordPress offers two ways: nonces and capability checks.
Start with Checking User Capabilities and Nonces to begin the process of ensuring that your plugin is secure.
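The following settings page ties the three ideas together in one place: a capability check and nonce before anything is changed, sanitization of each field to the type the plugin expects, and context-appropriate escaping when the stored values are rendered back. It is an added example, not code from the handbook or from any real plugin; the "wpsec_demo" prefix, option name and field names are assumed placeholders, while the WordPress functions used are real core APIs.

```php
<?php
// Added example. The "wpsec_demo" prefix and option name are assumptions.
add_action( 'admin_menu', function () {
    add_options_page( 'Demo Settings', 'Demo Settings', 'manage_options',
        'wpsec-demo', 'wpsec_demo_render_page' );
} );

// Form handler. admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_wpsec_demo_save', 'wpsec_demo_save' );
function wpsec_demo_save() {
    // 1. Confirm credentials: capability first, then the nonce (dies on failure).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'wpsec_demo_save', 'wpsec_demo_nonce' );

    // 2. Secure input: unslash, then sanitize each field to its expected type.
    $raw      = wp_unslash( $_POST );
    $endpoint = esc_url_raw( $raw['endpoint'] ?? '', array( 'https' ) ); // https only
    $label    = sanitize_text_field( $raw['label'] ?? '' );
    $limit    = min( 100, absint( $raw['limit'] ?? 10 ) );                 // 0..100

    update_option( 'wpsec_demo_settings',
        array( 'endpoint' => $endpoint, 'label' => $label, 'limit' => $limit ) );
    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=wpsec-demo' ) ) );
    exit;
}

function wpsec_demo_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $s = wp_parse_args( get_option( 'wpsec_demo_settings', array() ),
        array( 'endpoint' => '', 'label' => '', 'limit' => 10 ) );
    // 3. Escape output with the function that matches each context.
    ?>
    <div class="wrap">
        <h1>Demo Settings</h1>
        <p>Current label: <?php echo esc_html( $s['label'] ); ?></p>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="wpsec_demo_save">
            <?php wp_nonce_field( 'wpsec_demo_save', 'wpsec_demo_nonce' ); ?>
            <p><label>Endpoint <input type="url" name="endpoint"
                value="<?php echo esc_attr( $s['endpoint'] ); ?>"></label></p>
            <p><label>Label <input type="text" name="label"
                value="<?php echo esc_attr( $s['label'] ); ?>"></label></p>
            <p><label>Limit <input type="number" name="limit" min="0" max="100"
                value="<?php echo esc_attr( $s['limit'] ); ?>"></label></p>
            <?php submit_button(); ?>
        </form>
    </div>
    <?php
}
```

Note that sanitizing on save does not replace escaping on output: the stored value could have been written by another plugin or an older version, so the rendering function escapes regardless of how the data got there.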
External Resources
- How to fix the intentionally vulnerable plugin by Jon Cave
- Mark Jaquith’s Theme and Plugin Security presentation