5 Tips to Writing More Secure Theme And Plugin Code – Joseph Scott

Joseph Scott, one of the star WordPress developers and an Automattic employee, presented a very useful and informative session on how to write secure WordPress theme and plugin code.

He started the session with a brief introduction about himself and the work he does at Automattic and then went on to talk about writing secure code.


According to Joseph, writing good theme and plugin code involves thinking about two fundamental things.

  1. Providing for Security
  2. Playing Nice

I’ve summarized Joseph’s talk into easy-to-read highlights below. I hope you find this useful too.

Security Tips When Coding WordPress Themes and WordPress Plugins

  1. Since most (if not all) of your code is in PHP, you have to keep PHP security in mind.
  2. Drill this into your mind: “DON’T TRUST EXTERNAL DATA!!!” External data can come from a variety of sources, including
    • $_GET
    • $_COOKIE
    • $_POST
    • $_SERVER
    • $_REQUEST
    • web services.
  3. ALWAYS filter your external data against a “white list”. Check for
    • exact values
    • data type
    • a regular expression match (double- and triple-check your expression for accuracy!)
  4. Make sure data is escaped properly for the context it is output into (HTML, attributes, URLs, SQL).
  5. Make provisions for WordPress database security.
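Tips 2 to 5 above as one worked example in plain PHP. This is an illustration added by the editor, not code from Joseph Scott’s talk: it validates constructed sample request data against an exact-value list, a data type and an anchored regular expression, escapes the result for HTML, and passes the only free-text value to the database through a prepared statement. The function names (validate_request, esc, find_posts) and the in-memory SQLite table are assumptions made for the demo; in a real theme or plugin the same jobs are done by WordPress’s own esc_html()/esc_attr() and $wpdb->prepare().

```php
<?php
// Added example (not from Joseph Scott's talk): whitelist validation of
// request data, output escaping and parameterised SQL in plain PHP.
// The $good / $bad arrays below are constructed stand-ins for $_GET.
declare(strict_types=1);

// Whitelists for each parameter we accept. Anything not listed is rejected.
const ALLOWED_ORDER = ['asc', 'desc'];                   // exact values
const SLUG_PATTERN  = '/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/';   // anchored regex

/**
 * Validate untrusted request parameters against the whitelist.
 * Returns the cleaned values, or null if any parameter fails.
 */
function validate_request(array $input): ?array
{
    // 1. Exact value: 'order' must be one of a fixed set (strict comparison).
    $order = $input['order'] ?? 'asc';
    if (!in_array($order, ALLOWED_ORDER, true)) {
        return null;
    }

    // 2. Data type: 'page' must be a positive integer. filter_var rejects
    //    "1abc", "1e3" and " 2", which an (int) cast would silently accept.
    $page = filter_var($input['page'] ?? '1', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($page === false) {
        return null;
    }

    // 3. Regular expression: 'slug' must be a lowercase hyphenated token.
    //    \A and \z anchor both ends; a trailing $ alone would allow "foo\n".
    $slug = $input['slug'] ?? '';
    if (!is_string($slug) || preg_match(SLUG_PATTERN, $slug) !== 1) {
        return null;
    }

    return ['order' => $order, 'page' => $page, 'slug' => $slug];
}

/** Escape for an HTML text node or attribute (WordPress: esc_html()/esc_attr()). */
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Look up posts by slug with a prepared statement (WordPress: $wpdb->prepare()). */
function find_posts(PDO $db, array $clean): array
{
    // ORDER BY direction cannot be bound as a parameter, which is exactly why
    // it was checked against an exact-value whitelist above before use here.
    $sql  = 'SELECT id, title FROM posts WHERE slug = :slug '
          . 'ORDER BY id ' . $clean['order'] . ' LIMIT 10 OFFSET :offset';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':slug', $clean['slug'], PDO::PARAM_STR);
    $stmt->bindValue(':offset', ($clean['page'] - 1) * 10, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)');
$db->exec("INSERT INTO posts (slug, title) VALUES ('hello-world', '<b>Hello</b> & welcome')");

$good = ['order' => 'desc', 'page' => '1', 'slug' => 'hello-world'];
$bad  = ['order' => 'desc; DROP TABLE posts', 'page' => '1',
         'slug'  => "hello-world' OR 1=1 --"];

var_dump(validate_request($bad));   // NULL: rejected before it reaches SQL or HTML

$clean = validate_request($good);
foreach (find_posts($db, $clean) as $row) {
    // Escaping happens at output time, once per context; the stored title
    // keeps its markup but is rendered as text, not interpreted as HTML.
    echo '<li data-slug="' . esc($clean['slug']) . '">' . esc($row['title']) . "</li>\n";
}
```

Note that validation and escaping are two different steps: the whitelist decides whether the request is accepted at all, while esc() protects the HTML output and the bound parameter protects the query. Neither one substitutes for the other.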

The second part of secure WordPress theme and plugin development involves playing nice!
