As a wannabe WP plugin developper, what are the main security flaws/holes I should look for?

I’m about to create a new plugin with a configuration panel (ie input fields and stuff). What should I be concerned about?

For example, is data sanitization such a big deal since it’s in the /wp-admin/ area? Could someone malicious directly hit my plugin page and send POST requests or something like that?

Thank you!


Here is a modified checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes):

  1. Plugins should prefix all options, custom functions, custom variables, and custom constants with plugin-slug.

  2. Plugins should implement Plugin Options and Plugin Settings pages deliberately, rather than relying on copy-and-paste scripts from website tutorials, such as the ones below, which are outdated, and do not include proper data security:

  3. Plugins should use the add_options_page() function to add the Plugin Settings Page to the Settings menu, rather than using add_menu_page() to add a top-level menu.

  4. Plugins should use an appropriate capability (e.g. manage_options) for the capability to add the settings page.

  5. Plugins should save options in a single array, rather than create multiple options for the settings page. The use of the Settings API (see below) would handle this.

  6. Plugins should use the Settings API(see below) to get and save form input data rather than rely on $_POST and $_REQUEST data directly.

  7. For checkboxes and select options, Plugins should use the checked() and selected() functions for outputting checked="checked" and selected="selected", respectively.

  8. Plugins should validate and sanitize all untrusted data before entering data into the database, and should escape all untrusted data before being output in the Settings form fields and before being output in the Theme template files:

  9. Plugins should use esc_attr() for text inputs and esc_html() (or esc_textarea() in WP 3.1) for textareas.

  10. Plugins should explicitly provide Settings-page nonce checking, if not using the Settings API:

  11. It is also highly recommended that Plugins use the Settings API, which is easier to use, more secure, and takes care of a lot of the hard work of settings pages:


For a good tutorial on using the Settings API, see:

If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:

Leave a Reply

Your email address will not be published. Required fields are marked *