WordPress theme security: How to keep your WordPress theme and plugin code secure

The sexy part of theme and plugin development is often creating what visitors see on the front end. However, without substance in the form of security measures, your slick solution could cause long-lasting damage. Of course, WordPress is hot on security. It’s no surprise there’s a whole section of the WordPress Developer Handbook dedicated to protecting users and their sites. What’s more, implementing WordPress theme security is incredibly easy (in theory).

Improve WordPress theme security in 4 easy steps

In this post, we’ll get straight down to business. We’ll offer four great ways to lock down WordPress theme security and provide a more dependable solution for your user base.

1. Validate your data.

2. Sanitize inputs and outputs.

3. Check user capabilities.

4. Create and validate nonces.

Ready to take a deeper look at securing your WordPress themes? Let’s get started!

1. Validate your data

Data validation is one of the core concepts of user website interaction. It ensures any information entered is in the correct format, and it’s crucial when requiring restrictive user input (such as a telephone number or zip code field). Good validation will reduce errors, but also shut any “open doors” to code injections in website forms.

Validation can take three main forms. First, there are the standard built-in functions you already know if you code mainly in PHP — and if you’re developing for WordPress, that’s likely. However, WordPress also provides some core validation functions, including:

• is_email() — Checks whether an email address is valid
• term_exists() — Determines whether a taxonomy term exists
• username_exists() — Similar to taxonomies, checks if a username exists
• validate_file() — Validates an entered file path is real, but not whether the file exists

Lastly, you can always custom code a solution. When tackling validation with this method, ensure your functions are phrased as questions and return boolean values (i.e., true or false).

2. Sanitize inputs and outputs

Sanitizing inputs and outputs for WordPress theme security sounds complex, but it’s just a term for cleaning up user information and putting it into the correct format. Both methods deal with stripping unwanted or malicious elements (such as code or scripts), so they’re each essential for security.

Contact forms are a good example of when this is appropriate. In fact, with such forms you’d likely both sanitize and validate the input — although you should always be doing one or the other.

When outputting data, however, it should always be escaped before rendering — this is key for preventing Cross-Site Scripting (XSS) attacks. WordPress includes a number of helper functions to sanitize inputs. For example, the sanitize_text_field() function strips all tags, removes line breaks, tabs, extra white space — and much more.

As for outputs, there are standard helper functions, and additional localization functions that enable you to output without using the echo command. Finally, there’s wp_kses_post(), a function that comes in useful if you need to output data in a specific way. It will enable you to code custom escape rules for any given data.

3. Check user capabilities

As you might know, WordPress includes a number of user roles defining what actions a specific user can carry out. Regardless of whether your theme or plugin lets users submit data on the back or front ends, you should prioritize WordPress theme security by checking their capabilities before allowing access.

Without this precaution implemented into your code, you could accidentally enable any logged-in user to delete content, or much worse. Adding this check offers an additional failsafe against anyone (or anything) looking to introduce potentially harmful code.

To do this, you’ll want to combine some handy WordPress functions. To continue the above example, create an if statement using both the current_user_can and edit_others_posts functions. It checks the role of user, and displays the Move to Trash button, if both values return as True.

4. Create and validate nonces

Our last method is creating and validating nonces. If you haven’t heard the term before, this is a one-time generated number that ensures you’re actually the person carrying out an action.

While the latter simply checks whether a user has the necessary permissions to perform an action, the former is only concerned with the intent behind the action.

For example, imagine you were tricked into deleting a post through a malicious link. If there are no measures in place to check your intent, content will simply be removed. Using user capability checks along with nonces is key to making sure all actions are valid and ensuring maximum security.

To offer a real-world example, first add a nonce to your link using the wp_create_nonce function. The argument passed to the function will ensure that the created nonce is unique to the particular action. Then, you can use the wp_verify_nonce function to check that actions are correctly processed.

Conclusion

In this post, we’ve taken a look at four smart ways to protect your code and users’ websites, straight from the WordPress Developer’s Handbook. Let’s recap them briefly:

1. Validate inputs and outputs to reduce data errors.
2. Make sure inputs and outputs aren’t susceptible to scripting hacks.
3. Check that only certain users can carry out specific administrative tasks.
4. Use nonces to guarantee that users are genuine.

While the front end of your theme or plugin deserves plenty of attention, it’s the dependability of your solution that will ultimately grow your user base. Fortunately, ensuring WordPress theme security is quite straightforward.

Also published on Medium.