WordPress Plugin Authors: 9 Ways to Destroy Yourself & Your Customers

As a WordPress plugin developer, it is important to remain aware of secure coding best practices when producing a plugin that will be available for individuals to download and install on their WordPress sites. Many WordPress site owners don’t have the time or experience to thoroughly investigate a plugin’s security before installing it, so they rely on the developer having done their due diligence to put out a secure product. In today’s episode, we cover some of the most common security-related coding flaws our team frequently finds, flaws that can introduce significant risk for your customers and your brand’s reputation, and provide guidance on how to avoid these mistakes.
Check out Fast or Slow, the only free website speed profiler that tests your site from 18 locations worldwide.
Just getting started with Wordfence? Join us for Wordfence Office Hours. We’ll get you started securing your WordPress site – free. Upcoming sessions on Thursdays @ noon eastern time, 9 am pacific. Register here:
Wordfence is offering free site security audits and site cleanings for K-12 schools worldwide.
Have you tried Wordfence Central yet?
Check out Wordfence Central Teams! You can use Wordfence Central with your Premium AND Wordfence free sites, all for free.

Sign up for the Wordfence WordPress Security mailing list. Be the first to know when there is a vulnerability in a plugin or theme you might be using.

The Wordfence Learning Center has all you need to brush up on WordPress security and more:
Wordfence is the most popular choice of WordPress professionals for WordPress security. We have a number of security tutorials on our YouTube channel, including Wordfence tutorials. Wordfence security plugin is the number one choice in WordPress security plugins.
Follow us on Twitter:


0:00 Introduction
3:19 Swag Question
4:39 #1 Not Adding Capability Checks on Functions
11:58 #2 Not Adding Cross-Site Request Forgery Protection
15:30 #3 Not Properly Validating File Uploads
21:45 #4 Allowing Deserialization of User-Supplied Input
25:19 #5 Not Sanitizing or Escaping User-Supplied Inputs
31:31 #6 Using Unprepared SQL Queries with User-Supplied Inputs
34:52 #7 Usage of PHP Functions with User-Supplied Inputs
38:28 #8 Allowing Sensitive Information to Be Disclosed
41:45 #9 Allowing Insecure Access to or Manipulation of Files
46:54 #10 Honorable Mentions
51:19 Swag Winners
52:51 Wordfence Premium – https://www.wordfence.com/help/premium/
53:20 Wordfence Central – https://www.wordfence.com/try-central/
53:57 Wordfence Mailing List – https://www.wordfence.com/subscribe-to-the-wordfence-email-list/
54:34 We are hiring! https://www.defiant.com/employment
54:57 Free Site Cleaning & Site Security Audits for K-12 Public Schools Worldwide: https://www.wordfence.com/blog/2021/01/announcing-free-site-cleaning-site-security-audits-for-k-12-public-schools/
55:09 Wordfence Site Cleaning – https://www.wordfence.com/wordfence-site-cleanings/
55:20 “Think Like a Hacker” podcast – https://www.wordfence.com/podcast/