Sixteen security tips for WordPress plugins & themes developers
One can never be too careful.
A big part of our job as developers is to make sure the sites and plugins, we are building are secure.
Businesses need faster solutions with increasingly complex functionality. While this is good progress, building complex projects also demands a proper security setup. WordPress security is one of the most important aspects of website development.
With the increasing complexity of features, many developers miss out on basic website and web application development security principles. This results in a flawed website that is open to cyber-attacks and other risks.
Hence, it is essential for you to implement some basic website and web application development security protocols while building your project.
Below are 16 security tips for web developers that will help keep your site safe and sound.
1. Figure out what data needs protection
One of the most crucial website development security principles is that you need only to store the data that is necessary.
When you are developing a project, you need to ask these three questions:
- What data does the company need to store?
- What sensitive data does the company need to encrypt?
- If, for some reason, the data is compromised, how much could it harm the company?
The more sensitive data you store, the bigger the risk of exposure. If you must store the sensitive data, you need to encrypt it so that it becomes difficult to access.
2. Implement role management & access control
While designing a website, plugin, or theme, it is important to give users the lowest privileges possible.
Privileges should be limited so that the user only gets what they need and cannot access other areas.
For example, contributors should be restricted to being able to create new posts and pages but not publishing them. Editors should be able to create new posts and publish them but not be able to change the design or plugins.
Similarly, while developing a specific functionality in your plugin or theme that you want to restrict, make sure you create new WordPress user roles during installation. Make the admins aware of them, so the right roles are assigned to the respective users who will be using the plugin or theme that you are developing.
Here’s a quick pictorial representation of how the structure looks like.
This approach minimizes problems because we can limit how much damage an intruder can do. You can also limit the damage caused by errors or mistakes by a curious user messing around in areas of a website they really shouldn’t be.
You also need to restrict access within the development team depending on their role.
3. Apply authentication
Website authentication is the security process that allows users to verify their identities to gain access to restricted areas of a website.
While developing a theme or plugin, you will have certain data that needs to be restricted while some data is visible to the users. Hence, it is important that you add checks in the code to verify if the user accessing restricted data is authenticated and has the correct user role.
Similarly, when building a website, you can implement effective account management practices such as strong password enforcement and multifactor authentication to protect user data.
Two-factor authentication is one of the most popular ways of implementing authentication.
Two-factor authentication(2FA) is a two-step process in which you need an additional code or one-time password(OTP) to log in to your site apart from your website password. This OTP is usually sent to another device through text message, phone call, or a recognized 2FA application such as Google Authenticator, Authy, Duo Security, and many more. Implementing 2FA keeps you safe from brute force attacks.
If you are building your website in WordPress, check out these incredible tools that let you secure your website.
- Limit Login Attempts: This tool keeps you safe from brute-force attacks by limiting the number of login attempts. It also includes anti-spam and automated inactive user logout.
- WP2 FA: The WP2FA plugin allows you to add two-factor authentication to your website in an instant. It also supports multiple 2FA apps such as Google Authenticator, Authy, FreeOTP, Duo Security, and several others.
- Shield Security: This plugin does not support 2FA apps such as Google Authenticator and SMS 2FA, however it is useful for those who are using YubiKey.
- Password Policy Manager for WordPress: This plugin helps you enforce strong passwords for your WordPress website, block users with too many failed login attempts and more. It integrates seamlessly with WooCommerce and other third-party plugins.
4. Check your theme or plugin before releasing it
Before a theme or plugin is released, you need to ensure that your code is as error-free as it can be. You can use certain composer dependencies to detect any vulnerability in your code.
Some of the recommended dependencies for WordPress websites are:
These coding standards have strict coding rules like always escaping the data before printing it, using nonce for all the requests, sanitizing request data before using it, providing proper user permissions, and more to help secure your code.
These tools are great if you are developing your own theme or plugin.
You should also check out WPScan Security Scanner. It is a great online website security scanner that checks your website out for any vulnerabilities.
5. Avoid Certain PHP Functions
Certain PHP functions like eval(), and unserialize(), can expose system data and can lead to exposing the server data which can cause shutting down the server or accessing all the server information from the hacker.
Here are some PHP functions that you should avoid where possible:
eval(): eval can execute arbitrary PHP code. It might expose your codes to injection attacks if not used properly.
serialize() or unserialize(): Do not use serialize() or unserialize() with user-supplied input. Attackers can exploit these functions. They can pass a string with a serialized arbitrary object to run arbitrary code.
md5(): The internet is full of reviews about md5() cryptographic weaknesses1 and is considered insecure. Use a better hashing function, such as SHA-2.
sha1(): sha1() is another hashing function that should not be used because of the fast nature of hashing algorithms. It is recommended to use the SHA-2 hashing algorithm in place of md5() in any modern framework.
6. Use linters to find issues in the code
A lint tool is a basic static code analyzer that checks your source code for programmatic and stylistic errors. Linter’s output tone of voice should be friendly to keep the project moving forward.
Lint codes are a great way to find potential vulnerabilities and reduce errors while developing a website or app. You can use certain security linters for PHP, JS, and HTML development.
Here are some notable tools for the static analysis of your PHP codes are:
Other noteworthy JS linters are:
7. Remove unused code and plugins
However, the increasing complexities of applications are a double-edged sword. While they help deliver the features users expect, they also expand the attack surface of the application. One measure to deal with such vulnerability is to remove the code that is not used.
Different users may not need all features from a website or a web application. By removing unnecessary features based on user requirements in each deployment, you can reduce attack surfaces and the associated risk.
If you love developing websites in WordPress, we recommend going with themes and plugins that fulfill your needs while being lightweight in terms of their code. They not only keep your website safe, but also help with search engine optimization. Here are some of the best lightweight and fastest WordPress themes available.
8. Use server-side and client-side validation
If you are someone who loves writing custom codes it is essential to use both client-side and server-side validation. Client-side validation helps protect against the user making common mistakes such as incorrectly entering data or forgetting fields. Such validation catches invalid data before it reaches the server, saving time and money.
Imagine, if client-side validation only occurs after a round trip to the server fails, you’ll face delays telling users what they did wrong without allowing them to fix their mistakes right away.
However, client-side validation alone is not enough as a security measure. You also need to use server-side validation. Server-side validation protects you from malicious input and other attack vectors.
9. Sanitize any user input and request data
User Input Sanitization is a cybersecurity measure of auditing, cleaning, and filtering data from users and APIs of any unauthorized or unwanted character and strings to prevent the injection of harmful code into the system.
Hackers can inject specific commands and execute actions that can compromise your website’s security. Input sanitization helps maintain data integrity and improves system security.
10. Apply permanent fixes
While performing a security check, you might notice some vulnerabilities that keep reappearing from time to time. You need to determine the root cause of the new vulnerabilities so that you can permanently eradicate them instead of adding a partial patch.
For example, very often you might come across SQL / XSS issues in the theme or plugin that you develop. In such a case, instead of building a sanitization check for each input, build a function/class and make it a policy that whenever there is user input, all the data should be passed through this class/function.
11. Avoid security misconfigurations and defaults
Security misconfigurations happen when security settings are not defined and implemented and default values are maintained. Failing to implement security controls or implementing them with errors can increase the probability of having vulnerabilities in the theme, plugin, or website that you build.
Misconfiguration often happens because a system, database administrator, or developer didn’t correctly configure an application’s framework leading to dangerous open pathways for hackers.
Make sure that the default setup is secure and do not automatically set passwords (if required). For example, if the plugin uses a directory where users can upload files, always ask users to set their passwords and directory path.
12. Keep yourself informed and updated
Cybersecurity is an ever-evolving field. You need to be aware of the latest security updates and emerging risks so you can keep up with developments and mitigate new and emerging threats into your code.
As a developer, it helps to keep yourself informed on the news and write more secure code, what are the best practices to secure coding, sanitize code better, and handle user input better.
To do this, follow experts online and keep updated with your favorite web development blog. You are already reading this one. So you are off to a good start.
Here are some of the best resources on WordPress Security.
13. Maintain the code
The code you write today might not be secure tomorrow. New vulnerability variants keep on coming up and it needs constant upgrades from a developer’s end as well.
As you add new functionalities to a plugin or theme, check that it does not affect the security of other modules or classes, or functions in the code. In case they do, you need to update the code to rectify the issues.
You can also use tools like GitHub to maintain the code of your theme or plugin. It will help you track the code and fix issues faster. Security always evolves. To keep up with the latest trends, it is essential to constantly renew your security tests so you can find vulnerabilities and improve them.
14. Update your software packages regularly
It is a no-brainer.
15. Collaborate with your team
Take note of security tickets that are raised to your support team. If your clients report any security issues, make it a priority to address them. Your end-user gives the best feedback on your work so use it well!
Discuss security issues with the development team and ensure that any patch you develop fixes the security issue and won’t break anything else before making it public. If you need to collaborate often with teammates or work with large clients who have entire departments involved with support, it’s a good idea to use webinar software to facilitate the process.
16. Prepare yourself for the worst-case scenario
You cannot be too careful. The web and anything published on the web can never be 100% secure. However, you can take steps that can help mitigate the risks.
The key is assessing potential vulnerabilities and developing an appropriate risk response with adequate security measures. New attack techniques frequently appear so best practices must also evolve as part of this process.
For example, if a WordPress website is hacked, the contingency plan should include what to do in case of a hack. That would need to contain backup methods, the cleanup process, and the steps required to rebuild the website and restore service.
Such a plan will allow all stakeholders to fix things quickly without being overwhelmed by information overload or overreacting with unnecessary actions.
What else can you do to improve the security of your theme or plugin? Well, a lot of things. You see, writing secure code is not a one-time thing. Technologies evolve and attack methods evolve with it.
The reality is that you cannot prevent all cyber-attacks or mitigate every conceivable risk. Your aim should be to do as much as you can with what you have and constantly revisit your code to improve it.
Build a well-defined security plan for your website and be prepared to face the worst. Make sure to take security-related tickets or reports as the highest priority.
Publish a blog post or announcement within your community that you have released a security fix so that all your users can update and avoid their websites being compromised.
Cyber security is not very different from a military strategy. The key is preparedness! Hopefully, this post has helped you with your preparedness. Let us know in the comments, what measures you take to improve your website security.
References used in this article
The post Sixteen security tips for WordPress plugins & themes developers appeared first on WP White Security.
*** This is a Security Bloggers Network syndicated blog from WP White Security authored by Sujay Pawar. Read the original post at: https://www.wpwhitesecurity.com/security-checklist-wordpress-plugins-themes-developers/