WordPress cannot be made secure without proper validation of the data obtained from users. The issue is of utmost importance, and every developer needs to take it seriously.
Data validation follows a few simple, objective rules:
- Do not trust users or the data they deliver;
- Your code needs to be safe as well as functional;
- Validate input data and output data;
- Make use of the native WordPress functions for data validation.
Do not trust users or the data they deliver
Even in an environment that requires its users to authenticate, you should not trust the people behind the screens who are using the interface. If a field requires a number and nothing else, ignore any other type of data received. Accept only the expected data and move on.
Users can have their accounts compromised, and attackers can misuse the system if data is not validated as it should be. Moreover, data comes from different sources, and each source requires handling specific to its context: for example, data entered by users, data fetched from third-party sites, and data read from the database.
Your code needs to be safe as well as functional
Delivering functional code in the themes and plugins developed for a WordPress project is the minimum obligation of any developer. Good developers go further and make the whole ecosystem safer through consistent data validation.
Validate input data and output data
Data validation must be considered at two ends: input and output. The type of validation for each scenario must match the context of the information.
Data enters WordPress in many scenarios, such as theme and plugin configuration interfaces, WordPress user and login configuration screens, shortcode parameters, post meta, pages, and several other sources.
Data output needs as much attention as input, since it is where XSS vulnerabilities and badly formed HTML tags arise, for example. Moreover, even information extracted from a database needs to be validated on output, because we cannot trust or guarantee that it was properly validated on input.
Make use of the native WordPress functions for data validation
WordPress and PHP provide specific functions for validating every kind of data in its various contexts. It is important to know all of them and how to use them to ensure the security of your plugin and theme code.
The types of data that need to be validated:
- HTML / XML markup;
- Text and tag values;
- Tag attributes;
- SQL statements;
- System files;
- HTTP headers;
- In general, all input and output information.
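The following shortcode handler is an added example (not code from the original article) showing the input and output rules above with native WordPress functions, one function per context; the shortcode name `secure_demo` and the function names are assumptions.

```php
<?php
// Added example (not from the original article): a shortcode that validates
// its input and escapes its output with native WordPress functions, one
// function per context. Assumes it runs inside a WordPress plugin.

function secure_demo_shortcode( $atts ) {
    // Input: only accept the expected types. Unknown attributes are dropped
    // by shortcode_atts(); each kept value is coerced to what we expect.
    $atts = shortcode_atts(
        array( 'count' => 5, 'label' => '', 'link' => '' ),
        $atts,
        'secure_demo'
    );
    $count = absint( $atts['count'] );               // a number, nothing else
    $label = sanitize_text_field( $atts['label'] );  // plain text, tags stripped
    $link  = esc_url_raw( $atts['link'] );           // a valid URL, or ''
    if ( 0 === $count || '' === $link ) {
        return '';                                   // reject, do not "fix up"
    }

    // SQL: values reach the query only through $wpdb->prepare() placeholders.
    global $wpdb;
    $titles = $wpdb->get_col(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_type = 'post'
             ORDER BY post_date DESC LIMIT %d",
            $count
        )
    );

    // Output: escape for the context each value lands in, including data
    // read back from the database, which may not have been validated on input.
    $out = '<a href="' . esc_url( $link ) . '" title="' . esc_attr( $label ) . '">'
         . esc_html( $label ) . '</a><ul>';
    foreach ( $titles as $title ) {
        $out .= '<li>' . esc_html( $title ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'secure_demo', 'secure_demo_shortcode' );

// HTTP header context: wp_safe_redirect() only allows hosts on the site's
// allowed-redirect list and falls back to the admin URL otherwise.
function secure_demo_redirect( $target ) {
    wp_safe_redirect( $target );
    exit;
}
```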