 Hey there, and welcome to Learn WordPress. In this tutorial, you're going to learn how to secure your WordPress plugins. You will learn the benefits of ensuring your plugin's code is secure, what steps to follow to secure your plugins, and where to find more information around plugin security. Please note, this tutorial was created as an introduction to being security minded when developing plugins. The code examples used in this tutorial are very simplified examples. You should not use any of the code used in this tutorial in your plugins. Make sure to read the full documentation on security in the WordPress developer handbook at developer.wordpress.org slash apis slash security to ensure you follow the correct methods and procedures. Plugin security is the process of ensuring that your plugin code not only works, but also does not introduce any security vulnerabilities. If your plugin has vulnerabilities, it could make any WordPress site that has your plugin installed open to potential attacks and can lead to the site being compromised. When writing code, it's important to develop a security mindset and to think about how your code could be used maliciously. Don't trust any data, whether it's user input, third party API data, or even data in your database. Always be checking to make sure it's valid and safe to use. WordPress has a number of APIs that can help you with common tasks, such as sanitizing your input, validating data, and escaping output. Rely on using these APIs to help validate and sanitize your data instead of writing your own functions. And finally, keep up to date with common web vulnerabilities and make sure your code is up to date to prevent them. One of the first steps to take when developing a plugin is to ensure that any user input is sanitized. This means that any data that is being passed to your plugins from the user, such as a form submission or URL parameter, is checked to make sure it's safe to use. In this example code, the name and email fields are being posted from a form that the plugin generates and then saved to a custom database table called form submissions. As you can see, the data is being saved directly to the database without any sanitization. This means that if a user were to submit a name of John colon drop table form submissions, the SQL insert query would be run, followed by the drop query, and the table would be deleted from the database. WordPress has a sanitization API that can be used to sanitize incoming data. You can use the sanitize text field and sanitize email functions to sanitize the name and email fields before they're used in the query. Sanitize text field. Sanitize email. To read more about the available sanitization functions available to WordPress developers, check out the sanitizing page in the WordPress developer documentation. Next up is validating data. Validating data is the process of testing it against a predefined pattern or patterns with a definitive result, either valid or invalid. Untrusted data can come from many sources. Users, third-party API data, even your database data can be considered untrusted, especially if another plugin may have modified it. Even site admins can make a mistake and enter incorrect or insecure data, so it's important to always be checking. In this example, a deletion function requires that a numeric ID is posted to an admin Ajax callback. Here, the ID is being used directly in the SQL query without any validation. Again, this means if a user were to submit the ID of one semicolon drop table form submissions, the same SQL drop query would be run after the insert and the table would be dropped. To prevent this, you can use PHP's typecasting functionality to ensure that the value of ID is always an integer value. This can be done by adding int for the variable name, like so. Note that this will only work if the first character in the string passed via the post array can be cast as an integer. Otherwise, the value of ID will be zero. In that case, it's a good idea to update the code to handle this case. So we could say something like, if ID is equal to and the same type of zero, then we can return with a JSON response and pass in some kind of error message. This is only one way to validate integer data. To read more about the various ways to validate your data in your WordPress plugin, check out the section on validating data in the WordPress developer documentation. Another aspect of plugin security is to ensure that any information you output to the browser is safe, including any text, HTML, JavaScript code, or data from the database. Even if your plugin is not responsible for the source of the data being displayed, it is responsible for displaying it safely. In this example, this code fetches the form submissions from the database and then loops through the submission and outputs the submission data into an admin screen in the WordPress dashboard. Here, we have three pieces of data that need to be escaped. The submission name and submission email fields as well as the submission ID. For the name and email fields, we can use the built-in WordPress escaping function ESC underscore HTML. ESC HTML. And we can copy that with the email. The ID can be escaped by casting it to an integer, as you might have done for the data validation. Cast to an integer. Notice that this code follows a key principle of escaping data, in that you escape the data as late as possible. To read more about the various ways to escape data, check out the section on escaping outputs in the WordPress developer documentation. Whenever a request is made to functionality that your plugin provides, it's important to check that the request is valid. This means checking that the request is coming from a trusted source. For example, in your plugin code, you might have a shortcode that renders a form, where users can submit their information. The function to render the form might look something like this. When the user submits the form, the data is sent to the server. The data is then processed by the plugin, sanitized and stored in the database. Because the form might appear on any page where the shortcode is used, it's possible that a malicious user could attempt to send a post request to the form, either looking for a vulnerability in the plugin, or by sending multiple requests to the form. To prevent this, you can check that the request is coming from a trusted source. In other words, the website rendering the form. To do this, you can implement something called a NOTS or a number used once. First, in the form itself, you can add a NONS field by using the WPNONS field function and passing a NONS action and NONS name to the function. Just below the hidden field on the form, open up PHP tags and call the WPNONS field function and pass in an action name and then pass in a field name. When the form is rendered on the front end, a hidden field is added to the form using the NONS name as the ID and name attributes of the hidden field and the generated NONS as the field's value. This data is posted when the form is submitted. Then, in the function that processes the form data, you can verify that the NONS has been sent and is valid by using the WPVerifyNONS function and passing the posted NONS field and the NONS action to this function. If the result of this verification is false, you can exit early, preventing any further code execution. So before we sanitize the data, we can say if WPVerifyNONS passed in WPLearnFormNONS field posted in the form and the action name we set up, which was WPLearnFormNONS action and we specify not to say if the function returns a false value, in other words, the NONS is not verified, then we can redirect to some error page. Exit code execution. Any time your plugin code makes a web request, be it via redirection to a new URL, posting data to a form or making an Ajax request, you should check that that request is valid using NONSs. To read more about how to use NONSs in your plugins, check out the section on NONSs in the WordPress developer documentation. Depending on your plugin's functionality, it's a good idea to restrict certain features only to users with a specific permission level. For example, your plugin may have a function that deletes data from the database. While you might do your best to prevent anyone who doesn't have permission to run this function, it's still a good idea to include checks against the situation. WordPress includes a robust user roles and capability system, which allows you to either use the default user roles and capabilities or create custom ones. In this case, it could be as easy as only allowing users who have the capability to manage site options, which is a standard capability that is included with the administrator role. To do this, you can use the current user can function and check if they have the capability to manage options. Inside the form submission, nice and early, we can say, if not, current user can manage options. So in other words, if the user can't manage options, then we want to return early with some kind of response. WordPress Developer Documentation has a detailed section on user roles and capabilities, which includes a list of all the default capabilities and how to create custom ones. Finally, make sure to read the entry in the WordPress Developer Documentation on security, as it includes all of the examples in this tutorial, as well as additional information on security-based practices, common vulnerabilities, and much more example code. Happy coding!