Development Note

WordPress Security: OWASP 2017 – A2 Broken Authentication

Authentication allows users to access their data using their own credentials. In web applications this is one of the major risks. A web application with broken authentication can allow users to access data of other users which they are not supposed to have access to. A web application with broken authentication can be exploited through several ways, such as…

WordPress Security: OWASP 2017 – A1 Injection

WordPress, like any web application, can have security risks. One of them is the injection of malicious code which the WordPress owner did not intend to be executed. This type of security risk has been defined by OWASP. Injection can happen for several reasons: there is no validation, sanitation, or filtering…

WordPress Plugin Security: Preventing SQL Injection

SQL Injection is code injection into the SQL queries used by an application backed by a SQL database. WordPress uses MySQL, so it is at risk of attack through SQL Injection. OWASP (Open Web Application Security Project) lists Injection as the top threat in web-based applications, and SQL Injection is a part of it. We can prevent…

Chrome DevTools: Empty Cache and Hard Reload

When I wrote plugins and themes I sometimes had a peculiarity when loading them in browsers. When I made changes in styles, the changes were not loaded even though I had saved them and there was no error. At first, when I got this peculiarity, I was frustrated searching for errors in my code.…

WordPress Plugin Security: Prevent Directory Listing

PHP-based applications can have their directory structure exposed to the public. WordPress is no different. This can pose security risks if not taken care of properly. The agreed best practice is to configure the server where WordPress lives to prevent listing of its directory structure. However, for average users, this might not be feasible.…

WordPress Plugin Security: Preventing Direct Access

In plugin development, we will create PHP files which can be accessed and/or executed. These files need to be protected from unauthorized access. This is done by checking whether the file is accessed directly. There are two approaches which we can implement: if ( ! defined( 'ABSPATH' ) ) exit; if ( ! defined( 'WPINC' ) )…

WordPress Plugin Security: Nonces

Data submissions or requests in WordPress can be a source of risk. We need to make sure that the data or request is submitted by the correct user with the necessary capabilities. A nonce is a generated number which only works once; it is used to verify the origin and intent of requests made by the…

WordPress Plugin Security: Sanitizing Output

Sanitizing output for plugin security is the process of stripping unwanted data from what will be rendered to users. The unwanted data can be incorrect HTML or script tags. This process is usually called escaping data. Escaping data helps prevent Cross-Site Scripting. For the most common scenarios, these functions can help secure WordPress: esc_html()…

WordPress Plugin Security: Sanitizing Input

WordPress offers a variety of functions to sanitize input. Sanitizing is the process of formatting input into a standardized format. This helps mitigate potentially unsafe data by converting it into safe data. The functions in the sanitize_*() series perform many of the sanitizing processes. One example is sanitize_email(). This function validates several things…