WordPress Plugin Security Best Practices: another tutorial-style article explaining how to hack-proof your WP plugin.
WordPress Coding Standards: what was said above goes double for WordPress plugin code! The WordPress coding standards are a good start, but there’s more.
WordPress Plugin Vulnerabilities: learn from other people’s mistakes. The WordPress plugin directory lists serious vulnerabilities in plugins.
WordPress Version 4.0 and the GPL: if you’re distributing your plugin with the GPL, make sure you understand this update about how the license works for distributed software.
plugin-security.com: collection of resources on keeping your plugins safe and secure, including tools and documentation.
WordPress Plugins and the GPL 2.0: also check out this blog post by Mark Jaquith (a lead developer on WordPress) on how to follow the GPL 2.0 license as a plugin developer.
WordPress Plugin Security Best Practices
This article explains how to protect your WordPress plugins from hackers. It teaches you how to secure your plugins by using WordPress API functions and by preventing SQL injection attacks and cross-site scripting. The article also looks into ways to prevent users from accessing non-public parts of your plugin. If a hacker manages to gain access to these parts, they can wreak havoc with their own code or even destroy the hard work you put into building the plugin.
WordPress API functions
WordPress has some very useful API functions that you can use in your plugins. These functions are available in all WordPress pages so you don’t have to worry about including them manually. They help keep your plugin safe and secure by performing checks and escaping strings for you, making it less likely that someone will be able to inject malicious code into your database or website.
Use wpdb instead of mysql_*() in plugin queries
For database queries always use wpdb instead of mysql_*(). The wpdb class provides a pluggable framework for interacting with the WordPress database system, which is ideal for creating database-independent plugins. This is especially important if you want the plugin to work on different databases (MySQL, MariaDB) and/or different servers (Windows,
WordPress plugin security is an important topic, but it doesn’t seem to be covered nearly as well as WordPress core security. The WordPress Codex has a whole page devoted to hardening your WordPress installation and securing your files, but there’s very little in the way of resources for plugin developers.
I’d like to change that, so today I’m posting the first of what I hope will be many articles on securing WordPress plugins. This post is aimed at plugin developers and assumes a basic understanding of PHP coding. If you’re a plugin user rather than a developer, you might not find this article terribly interesting. However, if you are interested in learning more about how plugins work under the hood, or if you want to get started developing your own plugins, hopefully this article will be helpful.
Writing secure code is hard; writing secure code for a complicated and potentially hostile environment is harder. WordPress has a lot of potential attack vectors, so it’s important to be security-conscious when you’re developing plugins.
This article will explain how to write secure code for WordPress plugins. It assumes some basic knowledge about PHP and WordPress hooks, but doesn’t assume any specific level of expertise.
WordPress plugins are a great way to extend the functionality of your website. But plugins also introduce additional vulnerabilities that can be easily exploited by hackers. In this article, I’ll discuss how to tighten up your WordPress plugin security so that it’s less susceptible to attacks.
Escaping Output
When you’re creating a WordPress plugin and displaying data from a database or user input, it’s important to properly escape the data before outputting it. If you don’t do this, then malicious users could inject HTML or JavaScript into your plugin. This would allow them to execute code on your web server, add spam links, or even edit existing content on your website.
To escape data, you will need to use WordPress’ built-in escaping functions, esc_html(), esc_url(), and esc_attr(). The easiest way to determine which function to use is by looking at
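The two recommendations above, prepared wpdb queries and context-specific output escaping, in one added example (not code from the original article). It assumes a WordPress install; the shortcode name, the table `{$wpdb->prefix}myplugin_notes` and its columns are hypothetical.

```php
<?php
/*
 * Added example, not from the original article: a shortcode that looks up a
 * note by a content-author-supplied slug. Assumes WordPress is loaded; the
 * table `{$wpdb->prefix}myplugin_notes` (slug, title, body, link) is hypothetical.
 */
add_shortcode( 'myplugin_note', 'myplugin_render_note' );

function myplugin_render_note( $atts ) {
    global $wpdb;

    // Untrusted input: the shortcode attribute comes from post content.
    $atts = shortcode_atts( array( 'slug' => '' ), $atts, 'myplugin_note' );
    $slug = sanitize_title( $atts['slug'] );

    // Unsafe form this replaces (do not use):
    //   $wpdb->get_row( "SELECT ... WHERE slug = '$slug'" );
    // prepare() binds $slug as a string (%s), so quotes in it cannot
    // change the query. The table name is built from the trusted prefix.
    $table = $wpdb->prefix . 'myplugin_notes';
    $row   = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT title, body, link FROM {$table} WHERE slug = %s LIMIT 1",
            $slug
        )
    );

    if ( null === $row ) {
        return '<p class="myplugin-note-missing">'
            . esc_html__( 'Note not found.', 'myplugin' ) . '</p>';
    }

    // Escape each value for the exact context it lands in:
    //   esc_attr() inside a quoted HTML attribute,
    //   esc_html() between tags,
    //   esc_url()  in an href; it also drops javascript: and data: URLs,
    //              which are not in WordPress' allowed-protocol list.
    $html  = '<div class="myplugin-note" data-slug="' . esc_attr( $slug ) . '">';
    $html .= '<h3>' . esc_html( $row->title ) . '</h3>';
    $html .= '<p>' . esc_html( $row->body ) . '</p>';
    if ( '' !== (string) $row->link ) {
        $html .= '<a href="' . esc_url( $row->link ) . '" rel="nofollow">'
              . esc_html__( 'Read more', 'myplugin' ) . '</a>';
    }
    $html .= '</div>';

    return $html;
}
```

Escaping happens at output time, not when the value is stored, so the same row can be rendered safely in an attribute, in text and in a link without trusting what the database holds.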
Add the following to your .htaccess file in the root directory of WordPress:
order allow,deny
deny from all
This will block all direct access to PHP files. This is important because most WordPress plugins include PHP files (even the ones that are not intended to be directly accessed by users).