Dev Tip #3: Plugin Security Basics I Never Skip

Security isn’t the flashiest part of plugin development — but it’s the part that breaks trust the fastest when ignored.

These are the basics I always keep in mind while building plugins. They’re simple, but missing even one of them can open up real problems.

1. Escape Output, Always

Whenever I print something to the screen, especially user-generated content or dynamic settings, I escape it properly:

echo esc_html( $setting_value );

Use the right escaping function for the context:

  • esc_html() for regular text
  • esc_attr() for HTML attribute values (for example an input's value="" attribute)
  • esc_url() for links
  • wp_kses_post() if allowing some HTML

If you forget this, it opens doors to XSS attacks.


2. Sanitize Input Before Saving

Before saving anything to the database — whether it’s from a form or a setting screen — I sanitize it.

// WordPress adds slashes to $_POST, so unslash first, then sanitize; guard the key so a missing field does not raise a notice.
$sanitized = isset( $_POST['your_field'] ) ? sanitize_text_field( wp_unslash( $_POST['your_field'] ) ) : '';

Other useful sanitizers:

  • sanitize_email()
  • sanitize_textarea_field()
  • absint()
  • esc_url_raw()

Even if it “looks safe,” I sanitize it anyway.


3. Always Use Nonces for Forms & AJAX

A nonce protects your forms and AJAX requests from being abused by external scripts or bad actors.

For forms:

wp_nonce_field( 'my_plugin_action', 'my_plugin_nonce' );

On submit:

if ( ! isset( $_POST['my_plugin_nonce'] ) ||
     ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['my_plugin_nonce'] ) ), 'my_plugin_action' ) ) {
    return; // Invalid or missing nonce: do not process the request
}

For AJAX, the same logic applies: pass the nonce along with the request and verify it in the handler (check_ajax_referer() does the lookup and verification in one call).

4. Capability Checks Matter

Before saving data or doing anything admin-related, I make sure the current user has permission to do so.

if ( ! current_user_can( 'manage_options' ) ) {
    return;
}

I don’t rely only on menu access. I protect everything behind capability checks too.


5. Never Trust $_POST or $_GET Blindly

I treat all global inputs ($_POST, $_GET, $_REQUEST, etc.) as untrusted by default.
Even if it’s a simple text field, I treat it with caution.

Trust your logic, not the input.
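The habits from sections 3, 4 and 5 are easiest to see together in one admin-ajax handler. This is an added example, not code from the original post; the action name 'my_plugin_save_note', the option 'my_plugin_note', the nonce action 'my_plugin_action' and the admin.js file are hypothetical names chosen for the illustration.

```php
<?php
// Added example (not from the original post). Hypothetical names:
// 'my_plugin_save_note' (AJAX action), 'my_plugin_note' (option),
// 'my_plugin_action' (nonce action) and admin.js (enqueued script).

// Register for logged-in users only: there is deliberately no
// 'wp_ajax_nopriv_' twin, because this action changes a setting.
add_action( 'wp_ajax_my_plugin_save_note', 'my_plugin_save_note' );

function my_plugin_save_note() {
    // Nonce: check_ajax_referer() reads $_REQUEST['nonce'] and dies with
    // HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'my_plugin_action', 'nonce' );

    // Capability: a valid nonce only proves the request came from our own
    // page, not that this user is allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input: $_POST is untrusted. Unslash (WordPress adds slashes) and
    // sanitize before the value reaches the database.
    $note = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';

    if ( '' === $note ) {
        wp_send_json_error( array( 'message' => 'Note may not be empty.' ), 400 );
    }

    update_option( 'my_plugin_note', $note );

    // Output: escape for the context the browser will render it in (HTML text).
    wp_send_json_success( array( 'note' => esc_html( $note ) ) );
}

// The nonce is handed to the browser when the admin script is enqueued;
// the script sends it back as the 'nonce' field of the AJAX request.
add_action( 'admin_enqueue_scripts', 'my_plugin_enqueue' );

function my_plugin_enqueue() {
    wp_enqueue_script( 'my-plugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'my-plugin-admin', 'myPlugin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'my_plugin_action' ),
    ) );
}
```

Note that the nonce and capability checks run before any input is read, so a request that fails either one never touches the database.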


Final Thought

You don’t need to be a security expert to write secure plugins.
Just follow these simple habits every time, and you’ll avoid 90% of common issues.

It’s not about fear — it’s about respect.
For your users, their data, and the trust they place in your work.

