WordPress theme security: How to keep your WordPress theme and plugin code secure

Keep users safe

The sexy part of theme and plugin development is often creating what visitors see on the front end. However, without substance in the form of security measures, your slick solution could cause long-lasting damage. Of course, WordPress is hot on security. It’s no surprise there’s a whole section of the WordPress Developer Handbook dedicated to protecting users and their sites. What’s more, implementing WordPress theme security is incredibly easy (in theory).

Improve WordPress theme security in 4 easy steps

In this post, we’ll get straight down to business. We’ll offer four great ways to lock down WordPress theme security and provide a more dependable solution for your user base.

  1. Validate your data.

  2. Sanitize inputs and outputs.

  3. Check user capabilities.

  4. Create and validate nonces.

Ready to take a deeper look at securing your WordPress themes? Let’s get started!

1. Validate your data

Validate WordPress Theme Security
Data validation is a fundamental way to secure your themes and plugins.

Data validation is one of the core concepts of user website interaction. It ensures any information entered is in the correct format, and it’s crucial when requiring restrictive user input (such as a telephone number or zip code field). Good validation will reduce errors, but also shut any “open doors” to code injections in website forms.

Validation can take three main forms. First, there are the standard built-in functions you already know if you code mainly in PHP — and if you’re developing for WordPress, that’s likely. However, WordPress also provides some core validation functions, including:

  • is_email() — Checks whether an email address is valid
  • term_exists() — Determines whether a taxonomy term exists
  • username_exists() — Similar to taxonomies, checks if a username exists
  • validate_file() — Validates an entered file path is real, but not whether the file exists

Lastly, you can always custom code a solution. When tackling validation with this method, ensure your functions are phrased as questions and return boolean values (i.e., true or false).

2. Sanitize inputs and outputs

Sanitize WordPress Theme Security
Sanitizing your inputs and outputs can help prevent code injections.

Sanitizing inputs and outputs for WordPress theme security sounds complex, but it’s just a term for cleaning up user information and putting it into the correct format. Both methods deal with stripping unwanted or malicious elements (such as code or scripts), so they’re each essential for security.

Sanitize inputs when you don’t want to relax data validation, or when you’re unclear on what data to expect.

 

Contact forms are a good example of when this is appropriate. In fact, with such forms you’d likely both sanitize and validate the input — although you should always be doing one or the other.

When outputting data, however, it should always be escaped before rendering — this is key for preventing Cross-Site Scripting (XSS) attacks. WordPress includes a number of helper functions to sanitize inputs. For example, the sanitize_text_field() function strips all tags, removes line breaks, tabs, extra white space — and much more.

As for outputs, there are standard helper functions, and additional localization functions that enable you to output without using the echo command. Finally, there’s wp_kses_post(), a function that comes in useful if you need to output data in a specific way. It will enable you to code custom escape rules for any given data.

3. Check user capabilities

WordPress Theme Security Capabilities
Checking the capabilities of user roles prevents catastrophic mistakes, such as letting users delete posts.

As you might know, WordPress includes a number of user roles defining what actions a specific user can carry out. Regardless of whether your theme or plugin lets users submit data on the back or front ends, you should prioritize WordPress theme security by checking their capabilities before allowing access.

Without this precaution implemented into your code, you could accidentally enable any logged-in user to delete content, or much worse. Adding this check offers an additional failsafe against anyone (or anything) looking to introduce potentially harmful code.

To do this, you’ll want to combine some handy WordPress functions. To continue the above example, create an if statement using both the current_user_can and edit_others_posts functions. It checks the role of user, and displays the Move to Trash button, if both values return as True.

4. Create and validate nonces

WordPress Theme Security Edit Page
Without nonces, the tiny elements, such as the Move to Trash link, become potential major security points.

Our last method is creating and validating nonces. If you haven’t heard the term before, this is a one-time generated number that ensures you’re actually the person carrying out an action.

Using nonces works in tandem with checking user capabilities.

 

While the latter simply checks whether a user has the necessary permissions to perform an action, the former is only concerned with the intent behind the action.

For example, imagine you were tricked into deleting a post through a malicious link. If there are no measures in place to check your intent, content will simply be removed. Using user capability checks along with nonces is key to making sure all actions are valid and ensuring maximum security.

To offer a real-world example, first add a nonce to your link using the wp_create_nonce function. The argument passed to the function will ensure that the created nonce is unique to the particular action. Then, you can use the wp_verify_nonce function to check that actions are correctly processed.

Conclusion

In this post, we’ve taken a look at four smart ways to protect your code and users’ websites, straight from the WordPress Developer’s Handbook. Let’s recap them briefly:

  1. Validate inputs and outputs to reduce data errors.
  2. Make sure inputs and outputs aren’t susceptible to scripting hacks.
  3. Check that only certain users can carry out specific administrative tasks.
  4. Use nonces to guarantee that users are genuine.

While the front end of your theme or plugin deserves plenty of attention, it’s the dependability of your solution that will ultimately grow your user base. Fortunately, ensuring WordPress theme security is quite straightforward.


Also published on Medium.