Chapter 6. Plugin Security
WHAT'S IN THIS CHAPTER?
Understanding what security is
Learning to identify weak spots in code
Preventing malicious attacks such as XSS or CSRF
Checking user permissions
Validating and sanitizing data
Formatting robust and secure SQL queries
Keeping good practices in mind
In computer language, "security" often refers to scary buzzwords such as Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), SQL Injection, Privilege Escalation, Vulnerabilities, and Holes.
Are you frightened yet?
You should be scared because these are real threats and, as you will read, trivial to execute against shabby code. But then, you should not be scared because, fortunately, WordPress comes with all the tools you need to make your code safe and secure.
SECURING YOUR PLUGIN
Weak code may be abused to compromise your server's security or to expose otherwise hidden data about you or your users. This is the worst-case scenario.
But long before it lets Internet pirates wander through your files and directories, feeble code will simply fail to make sure that data entered by an honest user is valid and sanitary. As you will see in this chapter, a poorly coded form can, for instance, truncate user input and as a result process partial content.
What Securing Your Plugin Is
Making your plugin secure means dealing with vulnerabilities as well as with data integrity and reliability. It means both preventing malicious attacks and making sure that legitimate use cannot produce unexpected behavior.