5 Points towards developing a Secure WordPress Theme

  • Kinjal
  • 05/11/2015

Has your website ever been hacked?

Has any of your clients been a victim of malicious attacks?

If you’ve answered in the negative, you’re either lucky or you have chosen a good theme. If you have said a quiet “yes”, then this post will ensure it doesn’t happen again.

When you work online, chances of your website being subject to hacker attacks are high. Your site may get hacked when least expected and catch you completely unaware. By the time you actually find out that your site is being breached, it’s often too late to do anything about it.

Why not take precautionary steps while you’re creating the WordPress theme? In the previous blog post, we spoke about securing your WordPress theme. With this post, you will take a deeper look at the topic and learn about basic aspects of securing your WordPress site.

WordPress Security

1) Sanitize your inputs:

Sanitizing means cleaning user input: removing any text, characters or code that aren’t allowed. You never know what a user will enter, so always sanitize input to lower the risk.

For example, the sanitize_text_field() function removes invalid UTF-8 characters, converts HTML-specific characters to entities, strips all tags, and removes line breaks, tabs and extra whitespace.

Validating input is just as important as sanitizing it. WordPress provides many validation functions, such as is_email(), which checks whether the value entered is actually an email address. If the address isn’t valid, it will be rejected.

WordPress provides many other sanitizing and validation functions that can be found here.

2) Escaping the outputs:

You’ve taken care of input data by sanitizing it, but what about output data that comes from third-party sites or your own database? You need to escape it so that the output is clean and valid. Escaping means securing output data. Along with its sanitizing functions, WordPress provides many functions for escaping output.

For example, esc_url() correctly encodes URLs and rejects invalid ones, and wp_kses() strips untrusted HTML.

Various other functions provided by WordPress are found here.

3) Using Nonce:

Nonce stands for “number used once”. A nonce comes into play when you need protection against malicious actions. One such action is tricking users into clicking a harmful link.

For example, this is what happens when you want to delete a post and click on trash. WordPress automatically adds a nonce value to the URL. The value is a hash made up of numbers and letters, something like _wpnonce=3a6dc727bv, and is valid for 24 hours. When the user clicks on trash or delete, WordPress runs some backend checks to verify the “_wpnonce” parameter and processes the request only when that parameter is valid.

You can get an in-depth view by referring to the WordPress Codex page on nonces.

4) Secure database Queries:

Once your site is live, it’s prone to SQL injection attacks. WordPress provides a way to query your database securely with $wpdb. Any database interaction should go through $wpdb.

For example, data can be inserted into the database safely using the insert() method provided by $wpdb.

To know more about securing your database queries, you can go through this.
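
Points 1 to 4 combined in one place, as an added example that is not code from the original post: a front-end form handler for a theme's functions.php that checks a nonce, sanitizes and validates input, writes through $wpdb->insert(), and escapes what it prints. The mytheme_ names and the mytheme_signups table are hypothetical, and the code runs only inside WordPress.

```php
<?php
// Added example for a theme's functions.php; it runs only inside WordPress.
// Hypothetical names: mytheme_signup action/nonce, {prefix}mytheme_signups table.

// Render the form: escape every dynamic value on output (point 2).
function mytheme_signup_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="mytheme_signup">
        <?php wp_nonce_field( 'mytheme_signup', 'mytheme_nonce' ); // point 3 ?>
        <input type="text" name="name">
        <input type="email" name="email">
        <button type="submit"><?php echo esc_html__( 'Sign up', 'mytheme' ); ?></button>
    </form>
    <?php
}

// Handle the submission for logged-in and anonymous visitors.
add_action( 'admin_post_mytheme_signup', 'mytheme_handle_signup' );
add_action( 'admin_post_nopriv_mytheme_signup', 'mytheme_handle_signup' );

function mytheme_handle_signup() {
    global $wpdb;
    // Point 3: reject requests that do not carry a valid nonce.
    $nonce = isset( $_POST['mytheme_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['mytheme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'mytheme_signup' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'mytheme' ), '', array( 'response' => 403 ) );
    }

    // Point 1: sanitize first, then validate what is left.
    $name  = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( '' === $name || ! is_email( $email ) ) {
        wp_die( esc_html__( 'Please enter a name and a valid email address.', 'mytheme' ), '', array( 'response' => 400 ) );
    }

    // Point 4: $wpdb->insert() escapes the values; the formats treat both as strings.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'mytheme_signups',
        array( 'name' => $name, 'email' => $email ),
        array( '%s', '%s' )
    );
    if ( false === $ok ) {
        wp_die( esc_html__( 'Could not save your details.', 'mytheme' ), '', array( 'response' => 500 ) );
    }
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
```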

5) Keep debugging ON:

WordPress provides new and improved features through frequent updates and new versions. However, several functions get deprecated in new versions and need to be changed. To avoid this scenario, the best practice is to develop your theme with debugging mode ON.

You can turn debugging mode ON by changing define( 'WP_DEBUG', false ); to define( 'WP_DEBUG', true ); in the wp-config.php file. When you turn it on, all the deprecation notices, warnings and fatal errors that your theme has encountered become visible. You can then solve them and protect your theme.

Wrapping Up:

Security is a crucial aspect of any website and has to be a priority for theme developers. If you don’t take security precautions, your site faces a constant risk of being hacked.

Were these points on website security helpful?

Are you following them?

Post your suggestions in the comment box.