Security is a central concern when developing a plugin. Because a plugin can be installed on millions of WordPress sites, every aspect of security needs to be considered, not just the obvious ones.
The following are the four major areas to focus on:
- Validation
  - Testing user input against a pre-defined pattern or expected type before it is used, so that unexpected or malicious data is rejected rather than executed.
- Sanitization
  - The process of cleaning input data by removing or neutralizing anything that could be malicious code.
- Escaping output
  - The process of neutralizing unwanted HTML or script tags in data before it is displayed, so the browser treats it as text rather than markup.
- Nonces
  - A nonce ("number used once") is used to validate form submissions.
  - It is a special hash made up of letters and numbers, with a limited lifetime after which it expires.
  - It is used to check whether a submitted form was generated by the site itself, by comparing the submitted hash value against the one the backend also holds.
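The four areas rarely appear in isolation; a single form round-trip in a plugin touches all of them. The following is an added example, written here to illustrate the list above, and is not code from the original page or from the WordPress developer handbook. It is a small settings page in PHP, the language WordPress plugins are written in, and it assumes a WordPress environment: `wp_nonce_field()`, `wp_verify_nonce()`, `sanitize_text_field()`, `sanitize_email()`, `absint()`, `is_email()`, `esc_html()`, `esc_attr()`, `get_option()`, `update_option()`, `add_options_page()` and `wp_die()` are WordPress core functions. The `sec_demo_*` function names, the option name, the nonce action string and the field names are invented for the example.

```php
<?php
/**
 * Plugin Name: Security Demo (added example, not from the original page)
 *
 * Assumes WordPress core is loaded; the sec_demo_* names, the option
 * 'sec_demo_profile', the nonce action 'sec_demo_save_profile' and the
 * form field names are hypothetical values chosen for this example.
 */

add_action( 'admin_menu', function () {
    add_options_page( 'Security Demo', 'Security Demo', 'manage_options', 'sec-demo', 'sec_demo_settings_page' );
} );

function sec_demo_settings_page() {
    sec_demo_handle_submission();
    sec_demo_render_form();
}

// Handles the POST from the form rendered below.
function sec_demo_handle_submission() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }

    // Authorization: a valid nonce is not a substitute for checking capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change these settings.' );
    }

    // Nonces: reject any request whose nonce is missing, expired, or was not
    // generated by this site for this specific action.
    $nonce = isset( $_POST['sec_demo_nonce'] ) ? $_POST['sec_demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'sec_demo_save_profile' ) ) {
        wp_die( 'Security check failed: invalid or expired nonce.' );
    }

    // Sanitization: strip tags, invalid UTF-8 and stray whitespace before use.
    $display_name = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
    $email        = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $per_page     = absint( $_POST['per_page'] ?? 0 );

    // Validation: test the cleaned values against the pattern and range we
    // expect, and refuse the whole submission if anything is out of bounds.
    $errors = array();
    if ( ! preg_match( '/^[\p{L}\p{N} ._-]{1,60}$/u', $display_name ) ) {
        $errors[] = 'Display name may only contain letters, digits, spaces, ".", "_" or "-" (max 60 characters).';
    }
    if ( ! is_email( $email ) ) {
        $errors[] = 'Email address is not valid.';
    }
    if ( $per_page < 1 || $per_page > 100 ) {
        $errors[] = 'Items per page must be between 1 and 100.';
    }

    if ( $errors ) {
        // Escaping output: error text is escaped too, even though it is ours.
        foreach ( $errors as $error ) {
            echo '<div class="notice notice-error"><p>' . esc_html( $error ) . '</p></div>';
        }
        return;
    }

    // Only data that has been sanitized and validated reaches storage.
    update_option( 'sec_demo_profile', array(
        'display_name' => $display_name,
        'email'        => $email,
        'per_page'     => $per_page,
    ) );
    echo '<div class="notice notice-success"><p>Settings saved.</p></div>';
}

// Renders the form; every stored value is escaped for the attribute context.
function sec_demo_render_form() {
    $saved = get_option( 'sec_demo_profile', array(
        'display_name' => '',
        'email'        => '',
        'per_page'     => 10,
    ) );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'sec_demo_save_profile', 'sec_demo_nonce' ); ?>
        <p><label>Display name
            <input type="text" name="display_name" value="<?php echo esc_attr( $saved['display_name'] ); ?>">
        </label></p>
        <p><label>Email
            <input type="email" name="email" value="<?php echo esc_attr( $saved['email'] ); ?>">
        </label></p>
        <p><label>Items per page
            <input type="number" name="per_page" min="1" max="100" value="<?php echo esc_attr( $saved['per_page'] ); ?>">
        </label></p>
        <p><button type="submit" class="button button-primary">Save</button></p>
    </form>
    <?php
}
```

Note the order in the handler: capability and nonce checks come first, so unauthenticated or replayed requests are dropped before any input is touched; sanitization then normalizes the raw values, validation decides whether the normalized values are acceptable, and escaping is applied at the point of output (`esc_html()` for element text, `esc_attr()` inside attributes) rather than before storage, so the stored data stays usable in other contexts.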
Reference Links:
- https://developer.wordpress.org/apis/security/#developing-a-security-mindset