Developing Plug-ins for WordPress? 5 Things You Must Care of
According to survey, about 170,000 sites are hacked in 2012 through plug-ins, theme, host and end-user. Among all, approximate 22% of WP sites are hacked due to plug-in vulnerabilities and 29% due to themes, according to image show below.
Looking at such figures, we have to consider WordPress security while developing themes or plug-ins. So, to tackle this issue, here we come with some effective tricks that help users/developers while they are develop WordPress themes and plug-ins. So, what are you waiting for? Start reading this article and get to know how secure is your website?
1#. Develop with debugging ON
While developing plug-in, we don’t want to trigger by deprecated notices, warnings or fatal errors. Moreover, such type of errors unveils your server information like file paths, if your server has error reporting turned ON. With this, you are invite hackers to hack your site in better manner. If you are turning on to debug mode, it will cause such types of errors to be seen and thus, you can simply path them accordingly. It is recommended to add
define( WP_DEBUG, true ); into your
wp-config.php file to enable debugging.
If we are talking about production environment, you want such things should be hidden to end-users. However, you may want them logged, so you can track them secretly. In such situation, you can add this:
● define( 'WP_DEBUG_LOG', true ); ● define( 'WP_DEBUG_DISPLAY', false );
Such things allow you to log them inside the
2#. Avoid direct access to your files
There are many hosts allows direct accessing to the file on servers, adding those who are belonging to your plug-ins. If you are directly accessing your plug-in files, it will cause PHP errors that seem like rule #1, will also direct to confession of your WordPress install path.
If you want to avoid such types of errors, you simply have to add a simple ABSPATH check that terminates the script, if it accesses outside of WP.
( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly.
3#. Prevent unauthorized access
Users should have to stop unauthorized users from breaking things, if functionality inside their plugin gives access or allows change of sensitive data. Users can use the handy
current_user_can() function to returns whether or not a user has access to a given capability, if he want to perform an action.
4#. Avoid CURL when posting remotely
It is one of the commonest bugbears. Using WordPress'
WP_HTTP class and wrapper functions,
wp_remote_get and wp_remote_post, one should and can easily avoid CURL directly. One of the best things about using such functions is it takes care of encoding data along with offering fallbacks while CURL is not available.
5#. Nonce your forms and urls
CSRF stands for Cross-site request forgeries, where hackers can trick a user into executing actions against their determination. Talking about the nonce (Number used ONCE), it is a unique token created to use an action name and a timestamp that you can use for checking a request. Users can able to add Nonces to both forms (using
wp_nonce_field()) and urls (using
Take your delete link and and nonce it:
<a href="<?php echo wp_nonce_url( 'delete.php?id=1', 'delete_link' ); ?>"></a>
We are verifying the nonce is valid using
wp_verify_nonce, when this is processed:
1). if ( ! wp_verify_nonce( $_GET['_wpnonce'], 'delete_link' ) ) 2). die( 'Security check' );
So, below given are effective 5 tips that you should be aware of while developing WordPress plug-in for your site. If you want to create secure plug-in/s, then go for details of our WordPress plugins development service.Image Credit: mikejolley.com