Please note: this post is incomplete & pending review.
More Vulnerabilities & Considerations
The top 10 list is only the tip of the security iceberg; here are a few more issues that apply directly to WordPress. Don't let the brevity of these entries fool you: each of them is just as important.
Cross-Site Request Forgery (CSRF)
CSRF attacks happen when the source of a submission or request is not verified. This means an attacker can send data to the destination without coming from the correct origin: for example, submitting a form without ever filling it out, just sending bad data straight to the endpoint for collection or processing. To counter this, WordPress uses nonces to ensure nothing malicious is occurring. Think of a nonce as an authorization token passed from source to destination:
wp_nonce_field() adds the token to a form
wp_nonce_url() adds the token to a URL
wp_verify_nonce() checks the token's validity server side
check_admin_referer() checks the token's validity server side and that the request came from an admin screen – however, this code does not exit if the check fails, it only returns false. Use carefully.
Ensure that every API you interact with, every cURL request you make, and your own site or the sites you work on are served over https://. With Let's Encrypt and hosts like Netlify making SSL a breeze, there is no reason any service should not be SSL protected.
wp_safe_redirect() should always be used in place of wp_redirect(): if the redirect target is not sanitized or validated, wp_redirect() could lead to vulnerabilities.
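As an added example that is not part of the original post, here is a plugin-style form and its handler that put the nonce functions above and wp_safe_redirect() to work together. The csrfdemo_* function, field and option names are made up for this illustration; the WordPress calls themselves are the real API.

```php
<?php
// Added example, not from the original post. The csrfdemo_* names are made up.

// Render the form, embedding a nonce bound to the action "csrfdemo_save".
function csrfdemo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'csrfdemo_save', 'csrfdemo_nonce' ); ?>
        <input type="hidden" name="action" value="csrfdemo_save">
        <input type="text" name="csrfdemo_title"
               value="<?php echo esc_attr( get_option( 'csrfdemo_title', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the submission: verify the nonce, then the capability, then sanitize input.
function csrfdemo_handle_save() {
    // A request forged from another site cannot carry a valid nonce for this action.
    $nonce = isset( $_POST['csrfdemo_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['csrfdemo_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'csrfdemo_save' ) ) {
        wp_die( 'Security check failed.', 'Forbidden', array( 'response' => 403 ) );
    }

    // A nonce proves intent, not authorization: the capability check still applies.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $title = isset( $_POST['csrfdemo_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['csrfdemo_title'] ) )
        : '';
    update_option( 'csrfdemo_title', $title );

    // wp_safe_redirect() only follows targets on this site's host (or hosts added via
    // the allowed_redirect_hosts filter), so a tampered referer cannot send the user off-site.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_csrfdemo_save', 'csrfdemo_handle_save' );
```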
When writing or auditing a plugin, the following functions are "red flags". By default they will not break anything or open a door, but you have to be very careful and aware of what they are doing and why: they can run and execute code on the server, which, if exploited, could give the attacker server access.
preg_replace() (the /e regex modifier causes PHP to execute the replacement value as code)