According to a survey, about 170,000 sites were hacked in 2012 through plug-ins, themes, hosts and end-users. Of these, approximately 22% of WP sites were hacked due to plug-in vulnerabilities and 29% due to themes, as the image below shows.
Looking at such figures, we have to consider WordPress security while developing themes or plug-ins. To tackle this issue, here are some effective tips that help users and developers while they develop WordPress themes and plug-ins. So, what are you waiting for? Start reading this article and find out how secure your website really is.
1#. Develop with debugging ON
While developing a plug-in, we don't want to be bothered by deprecated notices, warnings or fatal errors. Moreover, such errors reveal server information such as file paths if your server has error reporting turned ON, which hands attackers useful details about your site. Turning on debug mode causes such errors to be displayed, so you can simply fix them as they appear. It is recommended to add
define( 'WP_DEBUG', true );
to your wp-config.php file to enable debugging.
In a production environment, you want such things hidden from end-users. However, you may still want them logged, so you can track them without exposing them. In that situation, add:
● define( 'WP_DEBUG_LOG', true );
● define( 'WP_DEBUG_DISPLAY', false );
These settings write the errors to the wp-content/debug.log file instead of displaying them.
2#. Avoid direct access to your files
Many hosts allow direct access to files on the server, including those belonging to your plug-ins. Accessing a plug-in file directly causes PHP errors like those in tip #1, which also reveal your WordPress install path.
To avoid such errors, add a simple ABSPATH check that terminates the script if it is accessed outside of WP:
if ( ! defined( 'ABSPATH' ) ) exit; // Exit if accessed directly.
3#. Prevent unauthorized access
If functionality inside your plug-in gives access to or allows changes to sensitive data, you have to stop unauthorized users from breaking things. Use the handy current_user_can() function, which returns whether or not the current user has a given capability, before performing an action.
4#. Avoid CURL when posting remotely
This is one of the commonest bugbears. Using WordPress' WP_HTTP class and its wrapper functions, wp_remote_get and wp_remote_post, you can and should avoid calling cURL directly. One of the best things about these functions is that they take care of encoding the data and offer fallbacks when cURL is not available.
5#. Nonce your forms and URLs
CSRF stands for Cross-Site Request Forgery, where an attacker tricks a user into executing actions against their intention. A nonce (Number used ONCE) is a unique token created from an action name and a timestamp that you can use to check a request. You can add nonces to both forms (using wp_nonce_field()) and URLs (using wp_nonce_url()).
For example:
Take your delete link and nonce it:
<a href="<?php echo wp_nonce_url( 'delete.php?id=1', 'delete_link' ); ?>"></a>
When this is processed, we verify that the nonce is valid using wp_verify_nonce:
if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'delete_link' ) )
    die( 'Security check' );
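Here is an added example (not code from the original post) that ties tips #2, #3 and #5 together in one admin-side delete handler: the nonce is bound to the item id as well as the action, and the capability check runs before the nonce check. The myplugin_* names, the 'manage_options' capability choice and the stored option are assumptions for illustration.

```php
<?php
// Added example; myplugin_* names and the stored option are hypothetical.

if ( ! defined( 'ABSPATH' ) ) exit; // Tip #2: bail out on direct access.

// Tip #5: build the delete link. The nonce action includes the item id, so a
// token issued for id=1 cannot be replayed against id=2.
function myplugin_delete_link( $id ) {
    $id  = absint( $id );
    $url = add_query_arg(
        array( 'action' => 'myplugin_delete', 'id' => $id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'myplugin_delete_' . $id );
}

// Handler for the link above, hooked to admin_post_{action}.
function myplugin_handle_delete() {
    // Tip #3: capability check first. A valid nonce only proves the request
    // came from a page we rendered, not that the user may delete things.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do this.', '', array( 'response' => 403 ) );
    }

    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;

    // Tip #5: check_admin_referer() wraps wp_verify_nonce() and dies on failure.
    // The action string must match the one used when the link was created.
    check_admin_referer( 'myplugin_delete_' . $id );

    if ( $id > 0 ) {
        delete_option( 'myplugin_item_' . $id ); // hypothetical stored item
    }

    // Redirect away from the URL that carried the nonce rather than rendering
    // a page on it, so the token is not left sitting in a bookmarkable address.
    wp_safe_redirect( add_query_arg( 'deleted', 1, admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_delete', 'myplugin_handle_delete' );
```

Rendering `<a href="<?php echo myplugin_delete_link( 1 ); ?>">Delete</a>` in an admin screen produces the nonced link; a forged request without the token, or with a token minted for another id, is rejected before anything is deleted.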
Those are 5 effective tips you should be aware of while developing a WordPress plug-in for your site. If you want to create secure plug-ins, see the details of our WordPress plugins development service.
Image Credit: mikejolley.com
Author Bio:
I am Joseph Herb, a WordPress designer and developer at WordPressCMSExperts since 2005. I am fond of writing and sharing knowledge through my words. I'm an active writer and speaker on WordPress related services like WordPress theme development, plugin development, etc.
There are some great resources here! I'll definitely be saving this for later so I have a variety of places to learn from.
Thank you for reading and sharing your experience. I would like to recommend that you comment using a domain name (Saas Software Technologies) instead of a service name or keyword; it will benefit you more.