Chapter 6. Plugin Security


  • Understanding what security is

  • Learning to identify weak spots in code

  • Preventing malicious attacks such as XSS or CSRF

  • Checking user permissions

  • Validating and sanitizing data

  • Formatting robust and secure SQL queries

  • Keeping good practices in mind

In computer language, "security" often refers to scary buzzwords such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), SQL Injection, Privilege Escalation, Vulnerabilities, and Holes.

Are you frightened yet?

You should be scared because these are real threats and, as you will read, trivial to execute against shabby code. But then, you should not be scared because, fortunately, WordPress comes with all the tools you need to make your code safe and secure.


Weak code may be subject to abuse and eventually compromise your server security, or retrieve otherwise hidden data about you or your users. This is the worst-case scenario.

But before letting Internet pirates wander in your files and directories, feeble code will simply fail at making sure that data entered by an honest user is valid and sanitary. As you can see in this chapter, a poorly coded form can, for instance, truncate user input and as a result process partial content.

What Securing Your Plugin Is

Making your plugin secure is dealing with vulnerabilities and data integrity and reliability. It's both preventing malicious attacks and making sure legitimate use cannot produce unexpected behavior.

What Securing ...

Get Professional WordPress® Plugin Development now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.