Tips: For WordPress Plugin Developers to Secure Their Plugins
October 7, 2014
Millions of WordPress users download countless plugins, and those plugins have become a medium for attackers to penetrate a website, after which the trouble begins. This happens because of the gap between WordPress core security and plugin security. Who is the culprit? Anyone can develop and publish a plugin, so you never know whether the author was a developer or an attacker.
If you do not want to be labelled the culprit, develop plugins that are not prone to vulnerabilities. Below I have listed some WordPress security tips that can keep your plugins from being vulnerable.
How to deal with XSS vulnerabilities in WordPress?
XSS stands for Cross-Site Scripting. You can prevent these vulnerabilities by doing two things: 1. Sanitize data on input. 2. Sanitize (escape) data on output.
How you sanitize depends on the data and the context in which it is used. In short, trust neither input data nor output data.
For checking input data you can use sanitize_text_field(), which checks for invalid UTF-8, converts single < characters to entities, strips all tags, removes line breaks, tabs and extra white space, and strips octets, with the help of other helper functions. The same principle applies when you output your data. Below are examples of the output escaping functions, including one for outputting a link.
esc_url(): rejects invalid URLs and removes dangerous and invalid characters.
esc_html(): encodes < > & " ' when outputting HTML.
Meanwhile, esc_js() is used for JavaScript.
Note: don't forget to validate your data when you sanitize it.
How to prevent direct access to your files in WordPress?
Generally, every file on the host can be requested directly by URL. That can trigger PHP errors in your plugin, and those errors are valuable information for attackers, so it is better to prevent direct access to your files. To do so, add the basic code below to the top of your script; it stops the script from executing unless it is loaded through WordPress.
// Exit if accessed directly
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}
Have you ever thought that warnings and notices can be a reason for WordPress getting hacked?
The answer is yes: warnings and notices can also help attackers, because they contain valuable information. To avoid this, develop every plugin with DEBUG mode enabled. Debug mode not only helps you catch and eliminate warnings and notices, it also helps you catch deprecated functions used in your plugin. To activate DEBUG mode, add the line below to your wp-config.php (or change the existing WP_DEBUG line to true).
define( 'WP_DEBUG', true );
To investigate database-related queries, add the Debug Bar plugin, which lets you examine database queries, and enable the following in wp-config.php:
define( 'SAVEQUERIES', true );
What is a nonce value in WordPress?
A nonce (number used once) protects a website from forged requests, i.e. CSRF (cross-site request forgery). It is necessary because attackers use CSRF requests to make permanent changes to your website's database. There are several ways to create a nonce:
wp_nonce_url(): used on a link
$complete_url = wp_nonce_url( $bare_url, 'trash-post', 'my_nonce' );
wp_nonce_field(): used in a form
wp_nonce_field( 'trash-post', 'my_nonce' );
wp_create_nonce(): used anywhere else, for example to pass a nonce to a script (note that it takes only the action name)
wp_localize_script( 'my-script', 'my-var-name', array( 'nonce' => wp_create_nonce( 'trash-post' ) ) );
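The following is an added example, not code from the original article, that ties the XSS advice above (sanitize on input, escape on output) to the nonce section: a small admin form handler that verifies the nonce on submit. The option key, nonce action, field names and function names are this example's own assumptions; wp_verify_nonce(), current_user_can(), wp_unslash() and esc_attr() are standard WordPress functions not listed in the article.

```php
<?php
// Added example (not from the article). Assumed names: 'myplugin_greeting' option,
// 'myplugin_save_greeting' nonce action, and the myplugin_* field and function names.

// Exit if accessed directly (the file was not loaded through WordPress).
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Handle the POST: reject requests without a valid nonce or without permission.
function myplugin_handle_save() {
	if ( ! isset( $_POST['myplugin_submit'] ) ) {
		return;
	}
	// wp_verify_nonce() returns false for a missing, forged or expired nonce.
	$nonce = isset( $_POST['myplugin_nonce'] ) ? $_POST['myplugin_nonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'myplugin_save_greeting' ) ) {
		wp_die( 'Invalid request (nonce check failed).' );
	}
	// A nonce is not an authorisation check; confirm the capability as well.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'You are not allowed to do this.' );
	}
	// Sanitize on input: strips tags, line breaks, invalid UTF-8 and extra whitespace.
	$raw      = isset( $_POST['myplugin_greeting'] ) ? $_POST['myplugin_greeting'] : '';
	$greeting = sanitize_text_field( wp_unslash( $raw ) );
	update_option( 'myplugin_greeting', $greeting );
}
add_action( 'admin_init', 'myplugin_handle_save' );

// Render the form (call this from your settings page callback).
// Escape on output even though the value was sanitized on input.
function myplugin_render_page() {
	$greeting = get_option( 'myplugin_greeting', '' );
	echo '<form method="post">';
	// Adds the hidden nonce field (plus a referer field) to the form.
	wp_nonce_field( 'myplugin_save_greeting', 'myplugin_nonce' );
	echo '<p>Current greeting: ' . esc_html( $greeting ) . '</p>';
	echo '<input type="text" name="myplugin_greeting" value="' . esc_attr( $greeting ) . '">';
	echo '<input type="submit" name="myplugin_submit" value="Save">';
	echo '</form>';
}
```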
Your first choice should be WordPress functions and libraries:
If you want to keep your script less prone to vulnerabilities, use the WordPress functions and libraries. Whenever you write a script, first look for WordPress functions and libraries you can use in it; then, if a vulnerability is found in that code, don't worry, it will be fixed by the WordPress core contributors.
The TimThumb library is a good example: developers used it widely in plugins and themes, but after it was found to be vulnerable, the WordPress function add_image_size() replaced it for security reasons. Likewise, direct cURL calls are replaced by wp_remote_get() and wp_remote_post(), which are used to send and retrieve data.
It is better to use get_template_part() than the PHP functions require() and include(). This function knows where your theme is actually located. It is best practice because it looks for the requested file in the theme's directory and does not raise a warning if that file is not available; instead it searches for other suitable files. It checks the child theme and then the parent theme rather than producing a not-found error.
WordPress itself bundles many scripts, so it is best practice to use them in your plugin or theme before looking outside WordPress.