Security πŸ›‘οΈ

When you are writing code for large open source projects like WordPress, you must realize that your code will potentially be used by millions of other people who use WordPress. WordPress powers nearly one-third of the web and the chances of someone using your code in their project are pretty high.

Security is really important and as a developer, you must take extra steps to keep your codebase secure. You must follow proper WordPress coding standards and ensure that the data you accept, process, store, and display on the website is safe for everyone.

Here’s a good place to start: Validating, Sanitizing and Escaping User Data.

In general, good security means not trusting user input β€” any input from $_POST, $_GET, or command-line arguments should be validated before use. This prevents injection attacks, such as Bobby Tables. For a good listing on avoid SQL injection in generic PHP and WordPress, see BobbyTables.com/php.

SQL injection is just one attack trajectory. Script injection, such as in Cross-Site Scripting attacks, is another major concern. Ideally, data would be validated at input and also sanitized or escaped at output.

For generic HTML output, see wp_kses() and wp_kses_post(). The _post() variant allows all HTML that’s valid for post_content, but doesn’t allow form fields or script tags. Also see wp_strip_all_tags(), which will strip all tags and <style> and <script> content.

For more escaping of more specific data, such as JavaScript, URLs, HTML attributes, etc., see “esc_” functions. Notice especially those functions which perform both escaping and translation at the same time: esc_attr__(), esc_html_e(), esc_html_x(), esc_html__().

Also see “sanitize_” functions. sanitize_key(), sanitize_title(), and sanitize_email() are especially notable. is_email() can also be useful.

Important default PHP functions for dealing with user input include filter_input() and filter_var() along with their their various options.

Scroll to Top