Why WordPress Security Matters: Essential Tips for Developers

With WordPress powering over 40% of known websites on the Internet (W3Techs, 2024), ensuring its security is paramount. The platform’s mission to democratize content creation (WordPress.com, n.d.) conflicts with the traditional ‘walled garden’ cybersecurity approaches that rely on closed systems and controlled environments. This presents the WordPress project with a unique set of challenges.

Because WordPress provides so much power and flexibility, plugins and themes are key points of weakness. (WordPress, 2024)

The quote above highlights the significant pros and cons in the WordPress architecture. On the one hand, any developer in the world can contribute to the plugin or theme database; this supports the WordPress mission to democratize publishing and eCommerce. On the other hand, it has resulted in many plugins and themes with varying levels of code quality.

In 2022, a widely used plugin left an estimated half a million websites vulnerable to attack (TechRadar, 2024). Similarly, this year, a different plugin left more than one hundred thousand websites exposed (The Hacker News, 2024). In fact, while writing this, yet another plugin is affected, this time impacting over 6 million websites (Goodin, 2024).

Summary of Security Resources for Users & Developers

Some excellent resources are provided to assist developers in creating more secure and reliable code. Firstly, developers should make extensive use of the official developer documentation provided by WordPress (2024).

Secondly, WordPress has a plugin review process. Each plugin is checked to ensure that it at least meets some sort of minimum baseline before it is approved. Full details of this process aren’t clear, but if issues are identified, it could result in delays in getting the project published.

Finally, a number of supplementary resources exist to support individual WordPress installs (see Security on WordPress.com: A Developer’s Guide – WordPress.com Developer Resources). Options include hosted solutions, security plugins, website scanners, firewalls and much more. As plugin and theme developers, these resources are no substitute for creating high quality code.

Enhancing Code Quality

There’s a vast difference in the effort required to discover a vulnerability versus the effort to verify that a vulnerability exists. Verification is relatively straightforward, but the discovery process can be time-consuming and complex. For this reason, “prevention is better than a cure”.

To increase code quality, let’s begin by considering the Guiding Principles found in the WordPress (2024) developer handbook.

Guiding principles

  1. Never trust user input.
  2. Escape as late as possible.
  3. Escape everything from untrusted sources (e.g., databases and users), third-parties (e.g., Twitter), etc.
  4. Never assume anything.
  5. Sanitation is okay, but validation/rejection is better.

Never trust user input

When creating a form that accepts user input, such as a comment form or a contact form, never assume that the input is safe. For instance, if a user submits a form to update their profile, their inputs, such as username or email, could be manipulated. Therefore, you must always sanitize and validate these inputs before processing or storing them.

// Bad practice: trusting user input
$username = $_POST['username']; // Potential security risk

// Good practice: sanitizing user input
$username = sanitize_text_field($_POST['username']);

Escape as late as possible

Escaping should be done right before the data is output. For example, when displaying user-submitted content on a webpage, like a blog post or a comment, escape it as late as possible — just before rendering it in HTML to ensure no malicious code is executed.

// Escaping as late as possible (before output)
echo esc_html( $user_input );

Escape everything from untrusted sources (e.g., databases and users), third-parties (e.g., Twitter), etc.

Any data coming from users, third-party APIs (e.g., Twitter), or even your own database should be considered untrusted and must be escaped before displaying it. For instance, if you pull tweets from Twitter using their API, you should escape the content before rendering it on the webpage.

// Escaping third-party API content before displaying
echo esc_html( $tweet_content );

Never assume anything

Assume that all data could be manipulated. For example, when using the $_GET or $_POST superglobals, never assume the data will be in the expected format. Always validate the input against what you expect, such as checking if a supposed integer really is an integer.

// Never assume that an input is valid, always validate
$post_id = isset($_GET['post_id']) ? (int) $_GET['post_id'] : 0;

Sanitation is okay, but validation/rejection is better

While sanitation is helpful, rejecting invalid data is more secure. For instance, if you are expecting an email address, don’t just sanitize the input — validate it using functions like is_email(), and reject any data that doesn’t pass validation.

// Validation is better than sanitation
if ( ! is_email( $_POST['email'] ) ) {
    wp_die( 'Invalid email address!' );
}

Conclusion

Following WordPress’s guiding principles for input and output handling is essential for creating secure plugins and themes. The core idea behind these principles is defensive coding, where you treat all input as potentially malicious, ensuring that it’s properly validated, sanitized, and escaped as needed.

By adhering to these practices, such as never trusting user input, escaping data at the last possible moment, and validating over sanitizing, you significantly reduce the risk of common security vulnerabilities like cross-site scripting (XSS) and SQL injection.

Ultimately, these principles foster safer code, a more secure WordPress ecosystem, and a better experience for users and developers alike.

Do you want to simplify plugin security quality assurance? Sign-Up to the BlogSecurity Beta program to learn more.

References

TechRadar, 2024. WordPress plugin exposes half a million sites to attack. [online] Available at: https://www.techradar.com/news/wordpress-plugin-exposes-half-a-million-sites-to-attack [Accessed 2 October 2024].

The Hacker News, 2024. GiveWP WordPress Plugin Vulnerability Exposes 130,000 Websites to Attacks. [online] Available at: https://thehackernews.com/2024/08/givewp-wordpress-plugin-vulnerability.html [Accessed 2 October 2024].

WordPress, 2024. Common APIs Handbook: Security. [online] Available at: https://developer.wordpress.org/apis/ [Accessed 2 October 2024].

Exploit Database, 2024. Exploit Database: Search for WordPress vulnerabilities. [online] Available at: https://www.exploit-db.com/ [Accessed 2 October 2024].

WordPress.com, n.d. About. [online] Available at: https://wordpress.com/about/ [Accessed 4 October 2024].

OpenBSD Project, 2024. OpenBSD: Secure by Default. [online] Available at: https://www.openbsd.org/ [Accessed 6 October 2024].

W3Techs (2024). Usage statistics and market share of WordPress [Online]. Available at https://w3techs.com/technologies/details/cm-wordpress (Accessed 7 October 2022)

Goodin, D., 2024. Single HTTP Request Exploit Hits 6 Million WordPress Sites. Dark Reading. [online] Available at: https://www.darkreading.com/endpoint-security/single-http-request-exploit-6m-wordpress [Accessed 6 October 2024].

Read more: Why WordPress Security Matters: Essential Tips for Developers

Story added 8. October 2024, content source with full text you can find at link above.