Three links for WordPress developers

I’ve come across a great post called Three links for WordPress developers, which is such a gem I thought it should be reproduced here. Here’s what the post recommends:

  • WordPress Coding Standards. I used to be a big fan of the “curly bracket on its own line” but many years ago that was beaten out of me. Coding standards can be a subjective preference, but they’re very useful when reading code created by others.
  • Data Validation. Data your web application accepts from a user must be validated before it is used, and in particular must never be concatenated straight into a SQL query. The new $wpdb->prepare() function is something every WordPress plugin author should be using if they have to query the database directly: it fills placeholders such as %d and %s with properly escaped values, so user input can only ever be a value in the query, never part of its structure.
  • WordPress Nonces. A nonce makes sure that a request you’re sending your blog was one you meant to send. Without a nonce, another site could embed an image on its page whose source points at your blog’s admin page with parameters that perform an administrative task; your browser would fetch that image, send your login cookie along with it, and the blog would carry out the action as you. You don’t want another site fooling your browser into doing something malicious, do you? See Cross-site request forgery on Wikipedia for more.
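To make the second and third tips concrete, here is an added example (it is not from the original post and not WordPress core code) showing a small admin-side “delete note” action first in its vulnerable form and then hardened with $wpdb->prepare(), a nonce, and a capability check. The plugin table {$wpdb->prefix}notes, the action name delete_note, and the notes admin page are assumptions made up for this example; the WordPress functions used are real ones. It goes slightly beyond the post by adding a current_user_can() check, because a nonce proves the request was intended, not that the user is allowed to make it.

```php
<?php
/*
 * Added example, not from the original post or WordPress core.
 * Assumptions: a plugin-created table {$wpdb->prefix}notes with an
 * integer `id` column; the action name `delete_note` is hypothetical.
 */

// --- Vulnerable form: raw $_GET value in SQL, no CSRF check ---
function insecure_delete_note() {
    global $wpdb;
    // SQL injection: ?id=1+OR+1=1 deletes every row. And because there
    // is no nonce, any page you visit can make your logged-in browser
    // send this request for you.
    $wpdb->query( "DELETE FROM {$wpdb->prefix}notes WHERE id = " . $_GET['id'] );
}

// --- Hardened form: prepared statement + nonce + capability check ---

// 1. Build the link shown on the admin page. wp_nonce_url() appends a
//    _wpnonce parameter tied to the current user and to the action
//    string, so a nonce issued for "delete_note_7" cannot be replayed
//    to delete note 8.
function secure_delete_note_link( $note_id ) {
    $note_id = absint( $note_id );
    $url     = admin_url( 'admin-post.php?action=delete_note&id=' . $note_id );
    return wp_nonce_url( $url, 'delete_note_' . $note_id );
}

// 2. Handle the request. The admin_post_{action} hook only fires for
//    logged-in users; anonymous requests go to admin_post_nopriv_{action}.
add_action( 'admin_post_delete_note', 'secure_delete_note_handler' );

function secure_delete_note_handler() {
    global $wpdb;

    // Validate the input type before using it anywhere. absint()
    // returns 0 for anything that is not a positive integer.
    $note_id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    if ( 0 === $note_id ) {
        wp_die( 'Invalid note id.' );
    }

    // Nonce check: dies with a "link expired" page if _wpnonce is
    // missing, forged, or was issued for another action or user.
    // This is what stops the image-tag CSRF described above.
    check_admin_referer( 'delete_note_' . $note_id );

    // A nonce proves intent, not permission: still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to delete notes.' );
    }

    // Prepared statement: %d forces an integer. For strings use %s,
    // which $wpdb->prepare() quotes and escapes for you.
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}notes WHERE id = %d",
        $note_id
    );
    $wpdb->query( $sql );

    wp_safe_redirect( admin_url( 'admin.php?page=notes&deleted=1' ) );
    exit;
}
```

Note the order of the checks in the handler: the id is validated first so that the nonce action string is built from a clean value, the nonce is verified before any work is done, and the capability check sits alongside it rather than being skipped because “only admins see the link”.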

If you’re a WordPress developer these tips should be basic information for you, but they consist of advice that some people neglect, to their peril. Unfortunately, the people who suffer end up being the ones running the plugins. One of the last few hacked blogs I cleaned up belonged to someone who was on holiday in one of these fancy hotels; basically his blog had been hacked through a plugin that didn’t validate input data correctly. It was a known exploit and there had been an update to the plugin, but he wasn’t aware of it and suffered the consequences. So keep these tips in mind and test, test, test.
