5 Points towards developing a Secure WordPress Theme.

Has your website ever been hacked?

Has any of your clients been a victim of malicious attacks?

If you've answered in the negative, you're either lucky or you have chosen a good theme. If

you have said a quiet "yes", then this post will ensure it doesn't happen again.

When you work online, chances of your website being subject to hacker attacks are high.

Your site may get hacked when least expected and catch you completely unawares. By the

time you actually find out your site being breached, it's often too late to do anything about

it.

Why not take precautionary steps while you're creating the WordPress theme? In the

previous blog post, we spoke about securing your WordPress theme. With this post, you

take a deeper look at the topic and learn about basic aspects of secuing your WordPress

site.

1) Sanitize your inputs:

Sanitize refers to cleaning of user input. It's the process of removing all text, characters or

code from input that aren't allowed. You never know what user will input, hence to lower

the risk always sanitize the input.

For eg: sanitize_text_field() function helps you remove invalid UTF-8 characters, converts

HTML specific characters to entities, strips all tags, and removes line breaks, tabs and extra

whitespace.

Along with sanitizing, validating the input is equally important. WordPress provides you with

many validating functions such as is_email() function, which checks whether the value

entered is actually an email address or not. If the mail addresss isn't valid, it will be rejected.

WordPress provides many other sanitizing and validation functions that can be found here.

2) Escaping the outputs:

You've taken care of input data by sanitizing it, but what about output data that comes from

third party sites or your own database? You need to escape it and make sure that output

data is clean and valid. Escaping means securing output data. Along with sanitize functions,

WordPress provides many functions to escape outputs.

For eg: esc_url() which correctly encodes URLs and rejects invalid ones and wp_kses() which

strips off untrusted HTML.

Various other functions provided by WordPress are found here.

3) Using Nonce:

Nonce means Number used ONCE. Nonce comes in play when you need protection against

malicious actions. One such action is tricking users and making them click on a harmful link.

For eg: This is what happens you want to delete a post and click on trash. WordPress

automatically add a nonce value to the url. The value will be a hash made up of numbers

and alphabets -- something like _wpnonce=3a6dc727bv, and be valid for 24 hours. When the

user clicks on trash or delete, WordPress will do some backend checks to verify the validity

of “_wpnonce” parameter, and will process the request only when the said parameter is

valid.

You can get an depth view by referring to WordPress codex for nonce .

4) Secure database Queries:

Once your site is live, it's prone to SQL Injection attack. WordPress provides a way to query

your database securely with $wpdb. Any database interaction should be done by querying it

via $wpdb.

For eg: Inserting data into database can be safely done using the insert() function provided

by $wpdb.

To know more about securing your database queries, you can go through this.

5) Keep debugging ON:

WordPress provides new and improved features through frequent updates and new

versions. Several functions however get deprecated due to new versions, and require to be

changed. To avoid this scenario, the best practice is to develop your theme with the

debugging mode ON.

You can turn debugging mode ON by changing define(WP_DEBUG, false) to

define(WP_DEBUG, true) in wp-config file. When you turn it on, all the deprecated notices,

warnings, fatal errors that your theme has encountered becomes visible. You can then solve

them and protect your theme.

Wrapping Up:

Security is a crucial and important aspect of websites and has to be a priority for theme

developers. If you don’t use security precautions for your website, your site faces constant

risk of being hacked.

Were these points on website security helpful?

Are you following them?

Post your suggestions in the comment box.