| name | wp-security-audit |
| description | Review code for WordPress security vulnerabilities. |
# WP Security Audit

## Instructions

When reviewing or creating plugin code for security:

- Check input sanitization - all user input must be cleaned before use
- Check output escaping - all output must be escaped at the point it is printed
- Verify nonce usage - forms need CSRF protection
- Check capabilities - admin actions need permission checks
- Verify the `ABSPATH` check - all PHP files must have it
- Check database queries - use prepared statements
## Security Checklist

- All `$_GET`, `$_POST`, `$_COOKIE` values sanitized
- All output uses `esc_*` functions
- Forms use nonces (`wp_nonce_field`)
- Nonces verified before processing
- Capability checks on admin actions (`current_user_can`)
- `ABSPATH` check in all PHP files
- No direct SQL without `$wpdb->prepare()`
- No `eval()` or dynamic code execution
- No sensitive data in URLs or logs
## Common Security Functions

### Sanitization

```php
sanitize_text_field() // General text
sanitize_email()      // Email addresses
absint()              // Positive integers
esc_url_raw()         // URLs (for storage or redirects, not for output)
```

### Escaping

```php
esc_html()     // HTML content
esc_attr()     // HTML attributes
esc_url()      // URLs
esc_textarea() // Textarea content
```
### Nonces

```php
wp_nonce_field( 'action', 'nonce' ); // Generate (prints a hidden field named 'nonce')

// Verify: unslash and sanitize the raw POST value before checking it,
// and treat a missing field as a failed check.
$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
if ( ! wp_verify_nonce( $nonce, 'action' ) ) {
    wp_die( 'Invalid request.' );
}
```
## Example Audit Flow

```php
// BAD: No sanitization
$name = $_POST['name'];

// GOOD: Sanitized (wp_unslash first, because WordPress adds slashes to $_POST)
$name = sanitize_text_field( wp_unslash( $_POST['name'] ) );

// BAD: No escaping
echo $user_input;

// GOOD: Escaped
echo esc_html( $user_input );
```
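The fragments above show each check in isolation. As an added example (not code from the original page or from any particular plugin), here is one admin form handler that satisfies every item on the checklist in a single flow; the `wpsa_` function names, the `wpsa_save_name` nonce action, the `wpsa_names` table and the `manage_options` capability are assumptions chosen for illustration.

```php
<?php
// Added example: a complete "render + handle" pair for an admin form.
// All wpsa_* names and the custom table are assumptions, not WordPress APIs.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // ABSPATH check: block direct access to this file.
}

// Render the form: nonce field for CSRF protection, every value escaped on output.
function wpsa_render_form( $current_name ) {
    echo '<form method="post">';
    wp_nonce_field( 'wpsa_save_name', 'wpsa_nonce' );
    echo '<input type="text" name="wpsa_name" value="' . esc_attr( $current_name ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Handle the submission: verify nonce, check capability, sanitize input,
// then write to the database only through a prepared statement.
function wpsa_handle_submit() {
    if ( ! isset( $_POST['wpsa_nonce'] ) ) {
        return; // No submission on this request.
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['wpsa_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'wpsa_save_name' ) ) {
        wp_die( 'Invalid request.' ); // Nonce failed: possible CSRF, stop here.
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' ); // Capability check on an admin action.
    }
    $name = sanitize_text_field( wp_unslash( $_POST['wpsa_name'] ?? '' ) );

    global $wpdb;
    $table = $wpdb->prefix . 'wpsa_names'; // Assumed custom table; prefix is trusted.
    $wpdb->query(
        $wpdb->prepare(
            "INSERT INTO {$table} (display_name, created_by) VALUES (%s, %d)",
            $name,
            get_current_user_id()
        )
    );
    // Note: nothing user-supplied is written to a log or appended to a URL here.
}
add_action( 'admin_init', 'wpsa_handle_submit' );
```

When auditing a real handler, walk the checklist against it in this order: file guard, nonce, capability, sanitization, prepared query, escaping on every echo.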