I have built an own/custom WordPress theme. It is my second theme. My goal is not to release the theme for the public to use, so therefore I will not add it to the Theme Repository. However, I obviously want to make sure that my theme meets the standard (or higher) security level, so that the theme itself does not constitute a security issue for hackers to exploit.
I have read the following page: / , and I think it seems pretty straightforward:
Never trust user input.
Escape as late as possible.
Escape everything from untrusted sources (e.g., databases and users), third-parties (e.g., Twitter), etc.
Never assume anything.
Sanitation is okay, but validation/rejection is better.
I will within shortly read through the sections inside the Security chapter (Sanitizing Data, Validating Data, Escaping data, etc.).
Now, considering me not being an expert in these security techniques (escaping data, sanitization, validation/rejection), I am curious as to for what parts of the website this is already "taken care of by WordPress", if you will.
For example, by implementing WordPress's built in comment functionality into my site, does it require any extra data escaping/sanitation/validation/rejetion on the comment inputs or is the input security actions for these already "secure enough" given that it is default "WordPress code" and I have not changed other things than styling for the form and containing elements/inputs? Specifically, the comment fields/inputs in use on the site per now is the default ones: textarea (#comment), name input (#author), email input (#email), web address input (#url) and consent input (#wp-comment-cookies-consent).
Furthermore, I have one more form input on the site, which is delivered by the service Brevo and its WP plugin. It is an email subscription form. How can I check that this service is correctly performing escaping/sanitation/validation/rejetion on the user inputed data? I could ask the supplier directly, but I would in any case like to confirm this from a technical standpoint myself. I just do not know exactly where to look, although I suppose I will have to look in the plugin files handling the form/input requests for this.
Are there any tool with which I can expose the theme's possible security vulnerabilities by subjecting it to an artificial modern hacker attack, giving a report on passed/failed tests, or the like? I have noted that overall site security also depends on many other factors such as themes and plugins being updated, hiding login URL, etc.
Thank you for reading this long post, I hope my ambition with this came across as clear and that the question(s) is somewhat clear.
With regards,
Daniel
I have built an own/custom WordPress theme. It is my second theme. My goal is not to release the theme for the public to use, so therefore I will not add it to the Theme Repository. However, I obviously want to make sure that my theme meets the standard (or higher) security level, so that the theme itself does not constitute a security issue for hackers to exploit.
I have read the following page: https://developer.wordpress.org/apis/security/ , and I think it seems pretty straightforward:
Never trust user input.
Escape as late as possible.
Escape everything from untrusted sources (e.g., databases and users), third-parties (e.g., Twitter), etc.
Never assume anything.
Sanitation is okay, but validation/rejection is better.
I will within shortly read through the sections inside the Security chapter (Sanitizing Data, Validating Data, Escaping data, etc.).
Now, considering me not being an expert in these security techniques (escaping data, sanitization, validation/rejection), I am curious as to for what parts of the website this is already "taken care of by WordPress", if you will.
For example, by implementing WordPress's built in comment functionality into my site, does it require any extra data escaping/sanitation/validation/rejetion on the comment inputs or is the input security actions for these already "secure enough" given that it is default "WordPress code" and I have not changed other things than styling for the form and containing elements/inputs? Specifically, the comment fields/inputs in use on the site per now is the default ones: textarea (#comment), name input (#author), email input (#email), web address input (#url) and consent input (#wp-comment-cookies-consent).
Furthermore, I have one more form input on the site, which is delivered by the service Brevo and its WP plugin. It is an email subscription form. How can I check that this service is correctly performing escaping/sanitation/validation/rejetion on the user inputed data? I could ask the supplier directly, but I would in any case like to confirm this from a technical standpoint myself. I just do not know exactly where to look, although I suppose I will have to look in the plugin files handling the form/input requests for this.
Are there any tool with which I can expose the theme's possible security vulnerabilities by subjecting it to an artificial modern hacker attack, giving a report on passed/failed tests, or the like? I have noted that overall site security also depends on many other factors such as themes and plugins being updated, hiding login URL, etc.
Thank you for reading this long post, I hope my ambition with this came across as clear and that the question(s) is somewhat clear.
With regards,
Daniel
plugins
forms
security
sql
input
Share
Improve this question
edited Dec 30, 2024 at 13:39dfr
asked Dec 30, 2024 at 13:30
dfrdfr3588 bronze badges3
1Configure PHPCS with the WordPress coding standards & consider using a tool like sonarqube
– admcfajn
CommentedDec 31, 2024 at 1:16
Thank you for this. Would you say it is advisable to configure/test PHPCS on a live server or should it be performed locally? Or doesn't matter?
– dfr
CommentedDec 31, 2024 at 14:55
2It's just lint and static analysis I think, not a pen test, so it shouldn't matter where you run it.
– Rup
CommentedDec 31, 2024 at 15:04
Add a comment
|
1 Answer
1
Reset to default
3
Theme Check is a tool published by the WP.org Themes team to scan your theme against the wp.org security standards. There's also one for plugins.
Any default functionality like comment forms will already be escaped/sanitized.
