Security Best Practices

When you are writing code for large open-source projects like WordPress, you must realize that your code will potentially be used by millions of other people who use WordPress.

WordPress powers more than one-third of the web and the chances of someone using your code in their project are high.”

Security is important and as a developer, you must take extra steps to keep your codebase secure. You must follow proper WordPress coding standards and ensure that the data you accept, process, store, and display on the website is safe for everyone.

Validation & Sanitization

Here’s a good place to start:

In general, good security means not trusting user input — any input from $_POST, $_GET, or command-line arguments should be validated before use. This prevents injection attacks, such as Bobby Tables. For a good listing on avoid SQL injection in generic PHP and WordPress, see BobbyTables.com/php.

SQL injection is just one attack trajectory. Script injection, such as in Cross-Site Scripting attacks, is another major concern. Ideally, data would be validated at input and sanitized or escaped at output.

For generic HTML output, see wp_kses() and wp_kses_post(). The _post() variant allows all HTML that’s valid for post_content, but doesn’t allow form fields or script tags. Also see wp_strip_all_tags(), which will strip all tags and <style> and <script> content.

For more escaping of more specific data, such as JavaScript, URLs, HTML attributes, etc., see “esc_” functions. Notice especially those functions which perform both escaping and translation at the same time: esc_attr__(), esc_html_e(), esc_html_x(), esc_html__().

Also see “sanitize_” functions. sanitize_key(), sanitize_title(), and sanitize_email() are especially notable. is_email() can also be useful.

Important default PHP functions for dealing with user input include filter_input() and filter_var() along with their various options.

Nonces

Nonces play a part in validating that a form submitted by a user was intended to be submitted. See Using Nonces.

Exercises

  • Go through the lessons on security vulnerabilities on hacksplaining.com.
  • Identify security vulnerabilities in the following code and fix them.

Hints:

  • Sanitize User Input
  • Escape Output
  • Nonce Verification

References

Ideas to Explore:

  • How WordPress Nonces are different from the general concept of Nonces?
  • Could you explain the role of Nonces in WordPress plugin security? Where you can use them? How do they get checked and verified?
  • Should we use nonces in authentication? Why or why not?
  • If a user logs in or out, will the nonce still be valid?
  • How Nonce lifetime is calculated in WordPress?
  • How can we add a nonce to a URL?
  • How will conduct a security audit on the plugin which tools you will use?
  • What is validation? What’s the difference between client-side and server-side validation?
  • Can you explain the concept of “escaping” in detail? Additionally, could you provide a comprehensive list of all the available “esc_” functions in WordPress, including their descriptions and examples?
  • Can you explain the concept of “sanitizing” in detail? Additionally, could you provide a list of 10 available “sanitize_” functions in WordPress, including their descriptions and examples?