Website Guider

The Ultimate Resource for WPadmins and Geeks

WordPress Plugin Security: How To Create Secure Plugins

Security is the only thing a developer has a fear of. WordPress developers should always keep security in mind.

In this ultimate guide on WordPress plugin security, I will share the best practices for building secured plugins.

What Makes a Plugin Vulnerable To Attacks?

In a nutshell, weak code makes plugin vulnerable to threats and attacks.

A good developer should never blame a bad guy. Instead, he should write such code, which is at least impossible to break.

If you write a 95% safe code, try to improve it more. I always advise developers to make the code secure from the beginning.

User input is the main threat hole, such as they do SQL injection through input forms.

In the next section, I will discuss the best practices to create secure plugins.

WordPress Plugin Security Best Practices

Securing a WordPress plugin isn’t a big deal because of WordPress’s inbuilt functions. WordPress provides almost every kind of function related to the security of themes and plugins.

In this section, we will look at the functions provided by WordPress to create secure plugins.

Many functions haven’t been discussed in detail here because somebody or we have written about it.

Let’s start.

Checking User

Checking the user if he has the ability to change something is one of the basic security practices.

WordPress provides a function to check user permissions named as current_user_can().

This function helps you check whether a user has sufficient privilege to do any action.

By action, I mean to create, delete, update posts, etc. The current_user_can() function accepts roles and capabilities as its arguments. For example,

if (!current_user_can( ‘manage_options’ )) {

Another point I want to let you know is that this plugin is a pluggable function.

The pluggable function is a function in WordPress that can be replaced by plugins, and these functions are loaded after the active plugins.

You can find such functions at wp-includes/pluggable.php.

So use these kinds of functions at the right time and place.

Creating a Nonce

Nonce means “number used once”, so it is specific to one user or one action.

Checking the user permissions help administrators of the website to be safe from insufficient permitted users.

But nonce’s help users to protect from themselves.

I know you didn’t got me. Let’s take an example.

You logged into the site as a high privileged user. It means you can check the privilege of other users.

Also, you can easily delete, update any post or setting.

Now think of bad guy.

He has no authority of action on your blog, but you have because you are logged in as an administrator. He crafts a link that holds a command to delete a specific post.

When you click the link, the post gets deleted. You never intended for so much action, but you did. So bad guy was successful in the CSRF attack.

That is why we called such attacks as “Authority Intention Attacks”.

Now let’s come to the point.

Nonce’s help us to stop such attacks. They create a random number after every action and are valid for 24 hours.

Bad guys don’t have time to guess these random numbers.

If you want to create nonce, you get two options.

  • Create Nonce for form field: wp_nonce_url() the function can be used to create nonce for a form.
  • Create Nonce for URLs: wp_nonce_field() the function can be used to create nonce for URLs.

To verify a nonce, you can use check_admin_referrer().

If you want to read in-depth about WP Nonce’s, please visit WP Nonce’s Guide.

Validation and Sanitization

The code is safe only if it has been proven valid otherwise, not. Validating and sanitizing code is an example of a healthy plugin.

It is a golden rule, “Never trust user input”.

If we take example of this form.

$username = $_POST['username'];
echo $username;
<form method="post" action="index.php">
<input type="text" name="username">
<input type="submit" name="submit" value="Submit">

This form has one input. When the user enters the data, we receive that data using the $_POST[] method.

We don’t know what kind of data we are outputting using echo.

If you test this form by entering this in the input box and hit enter, you will get the result.

<script>alert("I am bad Guy);</script>

You get the result of an alert box saying, “I am bad, Guy.” These kinds of forms are vulnerable to SQL injections.

The question arises here is, “How to secure the plugins”.

WordPress also have functions related to validation and sanitization.

How will you validate an input which is age field, and you get alphabet. Let me show you how to do this.

Validating Integers

intval() or is_int() functions can be used to check the integers data type.

Validating Text

If you want to validate the pure text like your form has an input field of the country.

So you have to check the input field whether the country name is alphabetic only or not.

You can use ctype_alpha() to do so.

Validating Mixed Strings

Sometimes the user needs to enter alphabets as well as integers for username.

You can use PHP’s built to function for checking alphanumeric characters using ctype_alnum().

Validating String Patterns

You may have heard of PHP’s built-in function preg_match(). This function falls under “Regular Expressions.”

preg_match() is used to validate the pattern of a string.

Validating and Sanitising Emails

To validate the correct pattern of emails is so easy. is_email and sanitize_email() can be used to validate and sanitize emails, respectively.


You can sanitize URLs using esc_url(). But if you want to store URL in a database, you have to use esc_url_raw().

Because esc_url() the function removes unacceptable characters while the other one doesn’t.

Validating and Sanitising Database Queries

The main threat to the databases is SQL Injection. SQL Injection occurs when you don’t sanitize the user input properly.

In WordPress, you can use esc_sql() it to escape the content. Another way is to use PHP’s built-in prepared statements method.


The above methods were a few of the best security practices to keep in mind while developing a plugin.

Of course, there are many other things also which I didn’t mention here. I didn’t mention much about databases, and in the next article, I will write about that.

I hope you loved this tutorial on WordPress Plugin Security.

Please do share with your friends and comment.

Raashid Din Dar

Raashid Din Dar is a web developer and designer. He specialises in WordPress Theme and Plugin development. Also, Web Designing is what he loves.He loves to read books and play with friends.

Leave a Reply

Your email address will not be published.

Back to top