As a wannabe WP plugin developper, what are the main security flaws/holes I should look for?
I’m about to create a new plugin with a configuration panel (ie input fields and stuff). What should I be concerned about?
For example, is data sanitization such a big deal since it’s in the /wp-admin/ area? Could someone malicious directly hit my plugin page and send POST requests or something like that?
Thank you!
Here is a modified checklist, based on my current (work-in-progress) settings/data security checklist used for reviewing Themes (the principles should be no different for Plugins than they are for Themes):
Plugins should prefix all options, custom functions, custom variables, and custom constants with plugin-slug.
Plugins should implement Plugin Options and Plugin Settings pages deliberately, rather than relying on copy-and-paste scripts from website tutorials, such as the ones below, which are outdated, and do not include proper data security:
Plugins should use the
add_options_page()
function to add the Plugin Settings Page to theSettings
menu, rather than usingadd_menu_page()
to add a top-level menu.Plugins should use an appropriate capability (e.g.
manage_options
) for the capability to add the settings page.Plugins should save options in a single array, rather than create multiple options for the settings page. The use of the Settings API (see below) would handle this.
Plugins should use the Settings API(see below) to get and save form input data rather than rely on
$_POST
and$_REQUEST
data directly.For checkboxes and select options, Plugins should use the
checked()
andselected()
functions for outputtingchecked="checked"
andselected="selected"
, respectively.Plugins should validate and sanitize all untrusted data before entering data into the database, and should escape all untrusted data before being output in the Settings form fields and before being output in the Theme template files:
Plugins should use
esc_attr()
for text inputs andesc_html()
(oresc_textarea()
in WP 3.1) for textareas.Plugins should explicitly provide Settings-page nonce checking, if not using the Settings API:
It is also highly recommended that Plugins use the Settings API, which is easier to use, more secure, and takes care of a lot of the hard work of settings pages:
For a good tutorial on using the Settings API, see:
http://www.chipbennett.net/2011/02/17/incorporating-the-settings-api-in-wordpress-themes/
http://planetozh.com/blog/2009/05/handling-plugins-options-in-wordpress-28-with-register_setting/
If you want to check out a theme with a secure and solidly-coded theme settings page, check out this theme:
http://wordpress.org/extend/themes/coraline
There are two aspects to this:
Basic principles.
Specifics.
defined('ABSPATH') or die('Access denied');
at every plugin’s script that used by wordpress directly