This section covers how we programmatically secure our WordPress code. It covers sanitization, validation, escaping, and nonces.
Official Handbooks
- See the Plugin Security section in the Official WordPress Plugin Handbook.
  - Checking User Capabilities
  - Data Validation
    - Discusses built-in PHP functions: `isset`, `empty`, `mb_strlen`, `strlen`, `preg_match`, `strpos`, `count`, and `in_array`.
    - Discusses WP core functions: `is_email`, `term_exists`, `username_exists`, and `validate_file`.
    - Recommends checking the Code Reference for more functions named like `*_exists`, `*_validate`, and `is_*`.
  - Securing Input
  - Securing Output
  - Nonces
- See the Theme Security section in the Official WordPress Theme Handbook.
  - Data Sanitization/Escaping
    - Covers built-in WP sanitization functions including: `sanitize_email`, `sanitize_file_name`, `sanitize_html_class`, `sanitize_key`, `sanitize_meta`, `sanitize_mime_type`, `sanitize_option`, `sanitize_sql_orderby`, `sanitize_text_field`, `sanitize_title`, `sanitize_title_for_query`, `sanitize_title_with_dashes`, `sanitize_user`, `esc_url_raw`, `wp_filter_post_kses`, and `wp_filter_nohtml_kses`.
    - Covers built-in WP escaping functions including: `esc_html`, `esc_url`, `esc_js`, `esc_attr`, and `esc_textarea`, including those with localization: `_e`, `__`, `esc_html__`, `esc_html_e`, `esc_html_x`, `esc_attr__`, `esc_attr_e`, and `esc_attr_x`.
    - Also covers custom escaping using `wp_kses`, including the wrapper `wp_kses_post`.
    - Also covers escaping data for the database.
  - Data Validation
  - Using Nonces
    - Covers creating a nonce (`wp_nonce_url`, `wp_nonce_field`, `wp_create_nonce`) as well as verifying a nonce (`check_admin_referer`, `check_ajax_referer`, `wp_verify_nonce`).
  - Common Vulnerabilities
General
- Frank Klein. A Guide to Writing Secure Themes. WordPress Make, 2015.
- Luc Princen. WordPress Security as a Process. Smashing Magazine, 2018.
- WordPress Security for Developers. Wordfence, 2017.
  - Introduction to Writing Secure PHP Code.
  - How to Prevent Cross Site Scripting Attacks.
  - Understanding SQL Injection Attacks.
  - How to Prevent Authentication Bypass Vulnerabilities.
  - How to Prevent File Upload Vulnerabilities.
Sanitization / Validation / Escaping
- Validating, Sanitizing, and Escaping. WordPress VIP Go.
- Brian Hogg. Tips on Sanitizing and Validating WordPress Plugin Data. 2017.
- Josh Pollock. Beginner’s Guide to Data Sanitization and Validation in WordPress. Torque, 2016.
- Josh Pollock. Beginner’s Guide to Escaping Outputs in WordPress. Torque, 2016.
- Justin Tadlock. Whitelist Validation in WordPress. 2018.
- Tom McFarlin. An Object-Oriented Approach to the WordPress Settings API. 2015.
- Tom McFarlin. Sanitization with the WordPress Settings API. 2015.
  - A sequel of sorts to the above Object-Oriented Approach.
  - 1. Sanitizing Multiple Values with the WordPress Settings API.
  - 2. Sanitizing Arrays: The WordPress Settings API.
  - 3. On Pause: The WordPress Settings API.
  - 4. Refactoring Input Sanitization with the WordPress Settings API.
  - 5. Validating Input via the WordPress Settings API.
  - 6. Validation and Sanitization in the WordPress Settings API.
- Tom McFarlin. Quick Tip: Sanitize Post Data in WordPress. 2018.
- Tom McFarlin. Sanitizing URLs in WordPress with its API and Built-In PHP Functions. 2018.
- Tom McFarlin. Custom Data Validation in WordPress. 2016.
- Tom McFarlin. Late Escape WordPress Data. 2016.
- Narayan Prusty. Sanitizing, Escaping and Validation Data in WordPress. sitepoint, 2015.
- Data Validation and Sanitization with WordPress. devotepress, 2014.
- Stephen Harris. Data Sanitization and Validation with WordPress. envatotuts+, 2012.
- Paul Lund. Data Validation with WordPress. 2012.
Nonces
- Tim Carr. What Are WordPress Nonces? sitepoint, 2015.
- Joe Fylan. An Introduction to WordPress Nonces with Examples. elegant themes, 2015.
- Peter Petreski. A Brief Introduction to WordPress Nonces. Tips and Tricks HQ, 2015.
- Nicolas Sebastiani. How Do WordPress Nonces Work. Really. 2017.
- Josh Pollock. What’s a WordPress Nonce and How to Use Them. Torque, 2016.
- Daniel Pataki. Using Nonces to Strengthen WordPress Security. wpmudev, 2015.
- Cal Evans. NONCE Upon a Time in WordPress. pantheon, 2014.
- Andy Adams. WordPress Front End Security: CSRF and Nonces. css-tricks, 2015.
- Mark Jaquith. WordPress 2.0.3: Nonces. 2006.
- Josh Pollock. Nonces: The Other Problem with WordPress Caching. 2017.
- Stephen Harris. Capabilities and Nonces. 2012.
- Eric Mann. WordPress Nonces: Why We Can’t Have Nice Things. Things That Matter Most, 2019.
  - Eric explains how WP nonces are truly nonces and the weaknesses this brings to the WP platform.