Jitesh Kapadia
Filed under - WordPress
No Comments so far. Add yours now

WordPress is a robust platform but it is not impermeable—in fact, no platform is because some vulnerability always remains even after the best efforts. And where vulnerability exists hackers cannot be far behind.

In regard to WordPress, hackers exploit vulnerabilities in its plug-ins to insert and execute malicious codes. It is estimated that about 40% of WordPress security issues are related to plug-in vulnerabilities. Therefore, if you are a WordPress plug-in developer, your efforts should be geared towards making plug-in secure and ensuring your customers’ websites are protected from malicious attacks.

Five Security Best Practices For WordPress Plug-in:

1. Better use of functions:
Taking care of the inputs and outputs is extremely important for anyone into WordPress plug-in development. You should have better understanding of functions such as:
• wp_filter_kses – sanitizes HTML content as per KSES rule
• esc_html – used for escaping HTML blocks
• esc_url – Sanitizes URL
• esc_textarea – encodes text for use in any element
• esc_attr – retrieves text for safe use in attribute
• esc_url_raw – check for safety of URL in database queries
These functions play an important role in validating, sanitizing, and cleaning user input. Using database methods directly to retrieve data allows for opportunities to inject malicious code through SQL statements.

2. Checking of URL and Form:
You should take adequate steps to check for URL and Form that are posted back to WordPress. It is necessary to check whether the URL posted back was from your own WordPress website or some malicious agent. You can generate nonce field using function such as wp_nonce_form that will catch the URL, which is posted back. The wp_verify_nonce function can be used to validate the URL.

3. Loading only what is needed:
Your WordPress plug-in should only load the required elements needed for its functioning. You need to develop your plug-in in such a way that it only loads JavaScripts, scripts required for the section of the website. Avoid loading admin scripts for the front-end through your plug-in.

4. Accessing web services intelligently:
When your plug-in needs to access remote data, you should use HTTP API to process the request in the background.

5. Don’t use outdated functions:
If you are a plug-in developer learning from WordPress coding tutorials, you need to know that there are hundreds of outdated functions that are supported by current WordPress versions but which will not be supported in future versions. Using these functions in your coding can be a great security risk, as the new WordPress version won’t support the function that increase security risk. The best way to prevent a security risk is to look up in WordPress codex that gives you complete information about obsolete and current functions compatible with current and future WordPress versions.

So now you have considered all the security must do and ready to launch the plug-in. But before you submit it in marketplace, don’t forget to send it for security code audits. While these audits are not free of cost, they do tell you in clear terms how workable and secure your plug-in is.

Tags: , , ,

Leave your comment

You must be logged in to post a comment.

Share IT © 2017. All rights reserved.