What are the common security flaws I need to look for? [closed]

Here is a modified checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes):

  1. Plugins should prefix all options, custom functions, custom variables, and custom constants with plugin-slug.

  2. Plugins should implement Plugin Options and Plugin Settings pages deliberately, rather than relying on copy-and-paste scripts from website tutorials, such as the ones below, which are outdated, and do not include proper data security:

  3. Plugins should use the add_options_page() function to add the Plugin Settings Page to the Settings menu, rather than using add_menu_page() to add a top-level menu.

  4. Plugins should use an appropriate capability (e.g. manage_options) for the capability to add the settings page.

  5. Plugins should save options in a single array, rather than create multiple options for the settings page. The use of the Settings API (see below) would handle this.

  6. Plugins should use the Settings API(see below) to get and save form input data rather than rely on $_POST and $_REQUEST data directly.

  7. For checkboxes and select options, Plugins should use the checked() and selected() functions for outputting checked="checked" and selected="selected", respectively.

  8. Plugins should validate and sanitize all untrusted data before entering data into the database, and should escape all untrusted data before being output in the Settings form fields and before being output in the Theme template files:

  9. Plugins should use esc_attr() for text inputs and esc_html() (or esc_textarea() in WP 3.1) for textareas.

  10. Plugins should explicitly provide Settings-page nonce checking, if not using the Settings API:

  11. It is also highly recommended that Plugins use the Settings API, which is easier to use, more secure, and takes care of a lot of the hard work of settings pages:

For a good tutorial on using the Settings API, see:

If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:
http://wordpress.org/extend/themes/coraline

Related Posts:

  1. Making my plugin multi-site compatible
  2. WordPress Capabilities: edit_user vs edit_users
  3. Where should my plugin POST to?
  4. Security error WP 4.0 + WP phpBB Bridge [closed]
  5. Should I use RIPS tool to test my themes and plugins?
  6. Escape when echoed
  7. Plugin Development sqlite or WordPress’ database
  8. wp_create_nonce function doesn’t work inside a plugin?
  9. Prevent duplicate records in plugin table
  10. I should enable automatic updates?
  11. Prevent direct access to WordPress plugin assets?
  12. How to prevent plugins from sniffing/stealing other plugins’ options?
  13. Security of a WordPress Plugin
  14. Help to Create a Simple Plugin to make a post
  15. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  16. Securing a plugin pop-up window
  17. wp_verify_nonce fails always
  18. Create Array from data in the OPTIONS table
  19. Validating values using Settings API?
  20. Get all the related data from WordPress DB
  21. Where is the best place to use add_filter
  22. Can a developer adopt a plugin marked as “not updated in over 2 years”?
  23. What could a hacker do with my wp-config.php
  24. When can you get current page ID and initialize hooks right after?
  25. How do I email a new page password to somebody every month?
  26. How to load different css file for different pages
  27. Overrides Plugin Files on WordPress Themes
  28. Why is my ajax call refreshing the page?
  29. Is there an equivalent to Drupal’s Batch API in WordPress?
  30. Localize Plugin Description
  31. Display future posts?
  32. Passing RichText attributes to function onChange
  33. Getting media library popup in custom plugin admin page
  34. What is the way to ship read-me strings like plugin-strings for internationalization?
  35. Variable from a plugin into a theme
  36. Upload file inside plugins options page
  37. How to automate wordpress plugin activate and deactivate by php logic?
  38. How to get variables from fucntion.php to my plugin files
  39. Is there any way to get all the name or slug of template parts used in a page?
  40. What function can I use consistently to escape possible HTML for editing and display?
  41. How can I make uploaded images in the editor load with HTTPS?
  42. How to change custom post type pemalink Hierarcy
  43. Test files for plugin development
  44. Updating the Drag-To-Share eXtended share URLs?
  45. Send Custom welcome email to specific user group
  46. WordPress Backend HA (Automatic failover)
  47. List the authors that have written posts in a category
  48. Is it necessary to auto delete my WP plugin database tables when users deactivate/delete my plugin?
  49. Namespaced shortcode?
  50. My custom plugin did not create db tables in database
  51. Custom post types – remove default post supports through empty array?
  52. How to insert and call new data in wordpress website database through a plugin
  53. How to be escape Variables and options when echo?
  54. Release the plugin in the WordPress repository where redux is used
  55. Dokan Marketplace store link in single product page
  56. YOAST Seo xmlsitemap menu item not showing in the dashboard [closed]
  57. Possible?? Pull Plugin Property Data to a Theme’s Custom Post Type
  58. Using meta_query in a WP_Query not working for numbers properly
  59. Plugin is creating posts twice
  60. How do I reliably find a URL to a script or other file?
  61. How to add captcha to publish widget
  62. How to add logo to a WordPress Custom Plugin?
  63. Use a custom block in another block
  64. WordPress search shows protected content
  65. Set Button in PluginDocumentSettingPanel Content (WordPress Gutenberg)
  66. Fixed: Console.log twice in the edit function
  67. Using OR Condition with facetwp facets
  68. How to copy the all WordPress media items to another custom plugin folder?
  69. Personality quiz in wordpress using a plugin
  70. How can we get this dynamically as this folder may not be by the same name always → wp-admin
  71. Error on plugin activation and creating new page
  72. Child theme modifications not showing up
  73. Why is my shortcode not working?
  74. Link custom post type to page
  75. “Fire Secure” menu item
  76. wp_remote_post To external API multiple values with the same key
  77. Function settings_fields() not recognized (Uncaught Error: Call to undefined function settings_fields())
  78. Why my multisite is this slow? (stats inside)
  79. what’s different between wpdb->prefix and table_prefix
  80. Can we rename a plugin directory for a already launched plugin?
  81. How to use custom footer template in a site-plugin?
  82. trying to create simple plugin to filter categories from all authors
  83. How to create a new database table whenever user changes options
  84. Am I correctly adding styles to plugin?
  85. How can I insert a record into a custom table from my custom form in my custom admin page?
  86. how to create table during plugin installation in side a class
  87. WP_Filesystem usage within a block of code
  88. Proper Failure of Plugin Activation
  89. Why function hooked using object are executing at all time?
  90. What is the Object for WP_Error Class?
  91. Ajax in Plugins: returns the whole page
  92. how to search through plugin in wordpress cimy-user-extra-fields?
  93. Any way to hook into WP after a page displays?
  94. How I can hide my wp folders from Inspect Element (Developer Tools)
  95. How to Find WordPress site has backdoor login Codes
  96. How can I save the selected page in the dropdown after anyone clicks on Save Changes?
  97. Wrong block appender button showing
  98. Uncaught Error: Cannot use object of type stdClass while showing the list using WP_List_Table
  99. plugin doesn’t retrieve data from database
  100. Display Any Field fromAdmin Panel in Frontend via Shortcode?

Leave a Comment