This is the second part of our plugin development tutorial ‘WordPress plugin development for beginners’.

According to experts around 70% WordPress site is vulnerable and easy target for attackers. People will use your plugin at their site, so as a plugin developer your most important concern is plugin security. Don’t let any back door for hackers. I will mention some basic steps to secure our hello world plugin here. Don’t forget to check our complete tutorial on securing your WordPress site.

First step for your plugin security is stop direct access to those files from where you take user input or have some form field. Because attackers may try to post data directly to those files.

Now, consider our plugin files. if I don’t stop then anyone can access ‘wpc-hw-admin.php’ by go to domain/wp-content/plugins/wpc-hello-world/wpc-hw-admin.php. So, I need to stop accessing this file directly for that add the following code at the beginning of the file.

<?php if ( ! defined( 'ABSPATH' ) ) exit;?>

‘ABSPATH’ is absolute path to the WordPress installation directory which is WordPress defined constant. For that if someone try to access the script directly then the constant will not be defined and the script execution will be stopped at the very beginning.

Make it more secure by adding the following condition also

<?php if ( !is_user_logged_in() ) exit; ?>

It will check a user is logged in or not. If a user not logged in then script execution will be stopped. Now, combine both conditions.

<?php if ( ! defined( 'ABSPATH' ) || !is_user_logged_in() ) exit;?>

If you want to restrict your plugin only for an administrator user then use the condition like following

<?php if ( ! defined( 'ABSPATH' ) || ! current_user_can( 'manage_options' ) ) exit;?>

Using wp nonce field will increase your plugin security for form submission more. Add the following code inside your form, preferably before your closing form tag

<?php wp_nonce_field('wpcathreq15','wpc-nonce'); ?>

Don’t forget to change wp_nonce_field function’s parameter value. To know more about the function check http://codex.wordpress.org/Function_Reference/wp_nonce_field

Here is the sample code to check the nonce filed on form submission.

<?php
	if ( ! isset( $_POST['wpc-nonce'] ) || ! wp_verify_nonce( $_POST['wpc-nonce'], 'wpcathreq15' ) ) {
			print 'Sorry, your nonce did not verify.';
			exit;
	}
?>

Now we need one more security checking for our ‘Hello World Plugin’, validating form fields data. Here for our plugin we have just one text field and we expect only text data. So we will sanitize the data with WordPress function ‘sanitize_text_field’. That will ensure only text data from user. Check more about the function here http://codex.wordpress.org/Function_Reference/sanitize_text_field

Here is the full updated content for admin file ‘wpc-hw-admin.php’.

<?php
    global $chk;
    if(isset($_POST['wpc-hw-submit'])){
		if ( ! isset( $_POST['wpc-nonce'] ) || ! wp_verify_nonce( $_POST['wpc-nonce'], 'wpcathreq15' ) ) {
				print 'Sorry, your nonce did not verify.';
				exit;
		}
        global $chk;
		$txt = sanitize_text_field( trim($_POST['hellow-world']) );
        if( get_option('hellow-world') != $txt ){
            $chk = update_option( 'hellow-world', $txt );
        }
    }
?>
<div class="wrap">
  <h2>WPC Hello World</h2>
  <?php if(isset($_POST['wpc-hw-submit']) && $chk):?>
  <div id="message" class="updated below-h2">
    <p>Content updated successfully</p>
  </div>
  <?php endif;?>
  <div class="metabox-holder">
    <div class="postbox">
      <h3><strong>Hello World Option</strong></h3>
      <form method="post" action="">
        <table class="form-table">
          <tr>
            <td><input type="text" name="hellow-world" value="<?php if(get_option('hellow-world')){echo get_option('hellow-world');}?>" style="width:350px;" placeholder="Enter some text here" /></td>
          </tr>
          <tr>
            <td style="padding-top:10px;  padding-bottom:10px;"><input type="submit" name="wpc-hw-submit" value="Save changes" class="button-primary" /></td>
          </tr>
        </table>
        <?php wp_nonce_field('wpcathreq15','wpc-nonce'); ?>
      </form>
    </div>
  </div>
</div>

Leave a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>