What Are Security Best Practices for WordPress Plugins and Themes? [closed]

As suggested in this question, I am adding this topic as a new question, for community discussion/voting regarding best-practices for Plugin/Theme security.

Here is the starting checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes).

If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:


Use Nonces (when not using Settings API)

Plugins and Themes should explicitly provide Settings-page nonce checking, if not using the Settings API:

  • WordPress Nonces (Codex)
  • WordPress Nonces (Mark Jaquith)
  • Improving security in WordPress plugins using Nonces (Vladimir Prelovac)
  • 5 tips for using AJAX in WordPress > 3. Use nonces and check for permission (Gary Cao)
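The pattern those references describe, combined into one settings page, as an added example (this is illustrative code written for this discussion, not code from the question, from any linked article, or from any particular theme). It uses real WordPress core functions (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `check_ajax_referer`, `wp_localize_script`); the `esn_` prefix, the option name, the menu slug, and the `esn-admin.js` file are all hypothetical names chosen for the example. The two checks do different jobs: `current_user_can()` answers "is this user allowed to do this at all?" and the nonce answers "did this request actually come from our form or script?", which is what stops a cross-site request forgery from riding on a logged-in administrator's session. Neither check replaces the other.

```php
<?php
/**
 * Plugin Name: Example Settings Nonce Demo (constructed illustration, not a real plugin)
 */

// Hypothetical option and nonce names used throughout this example.
const ESN_OPTION       = 'esn_footer_text';
const ESN_NONCE_ACTION = 'esn_save_settings';
const ESN_NONCE_FIELD  = 'esn_settings_nonce';

// Register a page under Settings; only users with manage_options can see it.
add_action( 'admin_menu', function () {
    add_options_page(
        'ESN Settings',            // page title
        'ESN Settings',            // menu title
        'manage_options',          // capability required to see the page
        'esn-settings',            // menu slug
        'esn_render_settings_page' // render callback
    );
} );

// Render the form. wp_nonce_field() emits a hidden field tied to the current
// user and a limited lifetime, so a forged request cannot pass esn_handle_save().
function esn_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ) );
    }
    $value = get_option( ESN_OPTION, '' );
    ?>
    <div class="wrap">
        <h1>ESN Settings</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <?php wp_nonce_field( ESN_NONCE_ACTION, ESN_NONCE_FIELD ); ?>
            <input type="hidden" name="action" value="esn_save" />
            <label for="esn_footer_text">Footer text</label>
            <input type="text" id="esn_footer_text" name="esn_footer_text"
                   value="<?php echo esc_attr( $value ); ?>" class="regular-text" />
            <?php submit_button( 'Save' ); ?>
        </form>
    </div>
    <?php
}

// Handle the POST. admin_post_{action} only fires for logged-in users, but
// being logged in is not authorization and says nothing about request origin.
add_action( 'admin_post_esn_save', 'esn_handle_save' );
function esn_handle_save() {
    // 1. Authorization: may this user change settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }
    // 2. Intent: did the request come from our form? check_admin_referer()
    //    verifies the nonce and stops execution with an error screen if it fails.
    check_admin_referer( ESN_NONCE_ACTION, ESN_NONCE_FIELD );

    // 3. Sanitize before storing; never write raw $_POST into an option.
    $clean = isset( $_POST['esn_footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['esn_footer_text'] ) )
        : '';
    update_option( ESN_OPTION, $clean );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=esn-settings' ) ) );
    exit;
}

// The same two checks apply to AJAX endpoints. The nonce is handed to the
// script with wp_localize_script() and verified with check_ajax_referer().
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_esn-settings' !== $hook ) {
        return; // only load on our own settings page
    }
    wp_enqueue_script( 'esn-admin', plugins_url( 'esn-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'esn-admin', 'esnAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'esn_ajax' ),
    ) );
} );

add_action( 'wp_ajax_esn_reset', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'esn_ajax', 'nonce' ); // replies -1 and exits on failure
    delete_option( ESN_OPTION );
    wp_send_json_success();
} );
```

The hypothetical `esn-admin.js` would POST to `esnAjax.url` with `action=esn_reset` and `nonce=esnAjax.nonce`; the `wp_ajax_` handler rejects anything else. If the page were instead built on the Settings API (`register_setting` / `settings_fields`), the nonce field and the referer check would be generated by core, which is why the checklist item is scoped to pages that bypass it.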
