Chapter 8: WordPress Security
Chapter 8 of 15
8.1 Security Best Practices
Protect WordPress sites from common vulnerabilities.
- Keep Updated: WordPress, themes, plugins
- Strong Passwords: Use complex passwords
- Limit Login Attempts: Prevent brute force attacks
- Use HTTPS: Encrypt data transmission
- Security Plugins: Wordfence, Sucuri, iThemes Security
8.2 Input Sanitization
Sanitize all user input before it is stored or used; together with output escaping (8.3) this prevents XSS and data-corruption attacks. WordPress adds slashes to $_POST, so unslash first and check that the field exists.
// Sanitize text input
$sanitized = isset($_POST['input']) ? sanitize_text_field(wp_unslash($_POST['input'])) : '';
// Sanitize email
$email = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email'])) : '';
// Sanitize URL (esc_url_raw is for storage; esc_url is for output)
$url = isset($_POST['url']) ? esc_url_raw(wp_unslash($_POST['url'])) : '';
// Sanitize textarea (keeps line breaks, strips tags and invalid UTF-8)
$textarea = isset($_POST['textarea']) ? sanitize_textarea_field(wp_unslash($_POST['textarea'])) : '';
8.3 Output Escaping
Escape all output to prevent XSS attacks.
// Escape HTML
echo esc_html($variable);
// Escape attributes
echo '<div class="' . esc_attr($class) . '">';
// Escape URLs
echo '<a href="' . esc_url($url) . '">';
// Pass data to inline JavaScript as JSON rather than by string concatenation
echo '<script>var data = ' . wp_json_encode($data) . ';</script>';
8.4 Nonces for Security
Use nonces to verify that a form submission originated from your own site (protection against CSRF). A nonce proves intent, not authorization, so pair it with a capability check such as current_user_can().
// Create nonce field
wp_nonce_field('my_action', 'my_nonce');
// Verify nonce (unslash and sanitize the raw POST value before checking it)
if (isset($_POST['my_nonce']) && wp_verify_nonce(sanitize_text_field(wp_unslash($_POST['my_nonce'])), 'my_action')) {
    // Process form
}
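An end-to-end handler that combines sections 8.2, 8.3 and 8.4: a shortcode renders an escaped form with a nonce, and an admin_post handler verifies the nonce, checks capability, unslashes and sanitizes the input, then saves it. This is an added example, not code from the original chapter; the option name wpsec_profile, the action and field names and the edit_posts capability are assumptions chosen for illustration.

```php
<?php
// Added example: option name, hook/action names and field names are assumptions.

// Render the form via the shortcode [wpsec_profile_form].
add_shortcode( 'wpsec_profile_form', 'wpsec_render_profile_form' );
function wpsec_render_profile_form() {
    $saved = get_option( 'wpsec_profile', array( 'name' => '', 'site' => '', 'bio' => '' ) );
    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpsec_save_profile', 'wpsec_nonce' ); ?>
        <input type="hidden" name="action" value="wpsec_save_profile">
        <!-- Each stored value is escaped for the context it is printed into. -->
        <input type="text" name="name" value="<?php echo esc_attr( $saved['name'] ); ?>">
        <input type="url"  name="site" value="<?php echo esc_attr( $saved['site'] ); ?>">
        <textarea name="bio"><?php echo esc_textarea( $saved['bio'] ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
    return ob_get_clean();
}

// Handle the POST for logged-in users only: admin_post_nopriv_* is deliberately not hooked.
add_action( 'admin_post_wpsec_save_profile', 'wpsec_handle_profile_save' );
function wpsec_handle_profile_save() {
    // The nonce proves the request came from our form (CSRF defence)...
    if ( ! isset( $_POST['wpsec_nonce'] )
        || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['wpsec_nonce'] ) ), 'wpsec_save_profile' ) ) {
        wp_die( 'Security check failed', 'Forbidden', array( 'response' => 403 ) );
    }
    // ...but not that the user may perform the action, so check capability separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // WordPress slashes $_POST; strip the slashes, then sanitize per field type.
    $profile = array(
        'name' => isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '',
        'site' => isset( $_POST['site'] ) ? esc_url_raw( wp_unslash( $_POST['site'] ) ) : '',
        'bio'  => isset( $_POST['bio'] )  ? sanitize_textarea_field( wp_unslash( $_POST['bio'] ) ) : '',
    );
    update_option( 'wpsec_profile', $profile );
    // Redirect only to local URLs after saving.
    wp_safe_redirect( add_query_arg( 'saved', '1', wp_get_referer() ) );
    exit;
}
```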
8.5 File Upload Security
Secure file uploads in WordPress. Checking only the client-supplied extension is not enough: validate the file's content as well, restrict the accepted MIME types, and check the result of the upload.
// Validate the file type by extension AND content, not by the uploaded name alone
$allowed_mimes = array('jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif');
$check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed_mimes);
if (!$check['ext'] || !$check['type']) {
    wp_die('Invalid file type');
}
// Use wp_handle_upload (file.php must be loaded when running outside wp-admin)
require_once ABSPATH . 'wp-admin/includes/file.php';
$upload = wp_handle_upload($_FILES['file'], array('test_form' => false, 'mimes' => $allowed_mimes));
if (isset($upload['error'])) {
    wp_die(esc_html($upload['error']));
}