WordPress Plugin Security

Security is the first concern in any web project, and a plugin is no exception: the most important step is making sure it is secure from exploits and hacks. If a plugin contains a security hole, an attacker can use it to compromise the entire WordPress website, which is very harmful for you. WordPress ships with built-in security tools that you should always use so that your plugins are as secure as they can be.
Always validate your data before displaying it in the browser or inserting it into the database; this helps keep your plugins secure from exploits and hacks.

Nonces

A nonce stands for "number used once." Nonces are used in requests such as saving options, posting forms, Ajax requests and actions to stop unauthorized access by generating a secret key. The secret key is generated before the request is made, for example when the form is built, and is then passed along with the request to your script, where it is verified to be the same key before anything else is processed. Now let's look at how you can manually create and check nonces. The following example uses a nonce in a form:

(Figure: Function wp_nonce_field() must be called when creating a Plugin.)

The wp_nonce_field() function must be called when creating a form nonce, and it is called inside your <form> tags. No parameters are required for this function to work, but for security you should set two parameters. The first is $action, a unique string that describes the action being performed. The second is $name, a unique name for the field. By default the field name is _wpnonce, but you can define a custom unique name in this parameter.

When the wp_nonce_field() function is called, it generates a unique secret key that is added as a hidden form field and passed with your form data. After your form is posted, the first thing you need to do is check your nonce secret key using the check_admin_referer() function, like so:

(Figure: Function check for nonce security.)

Verifying that the nonce is valid is as simple as calling the check_admin_referer() function and passing it your unique nonce action and the name you defined earlier. If the nonce secret key does not match the secret key created on your form, WordPress issues an error message and stops processing the page. This primarily protects against cross-site request forgery (CSRF).

Nonces can also be used on links that perform actions. Use the wp_nonce_url() function to create a URL nonce. It can be used with a URL that has multiple query strings, like so:

<?php
// Build the plain URL first; wp_nonce_url() appends the _wpnonce query string to it.
$link = 'my-url.php?action=delete&ID=15';
?>

<a href="<?php echo wp_nonce_url( $link, 'prowp_nonce_url_check' ); ?>">Delete</a>

The wp_nonce_url() function accepts two parameters: the URL to add the nonce to and the unique nonce name you are creating. The preceding code generates a link that looks like this: http://www.webdirectors.co.uk/wp-admin/my-url.php?action=delete&ID=17&_wpnonce=e9d6673017

Notice how the _wpnonce query string is appended to the link. This is the secret key value that was generated for your URL nonce. If your URL has no query strings, the wp_nonce_url() function adds the nonce value as the only query string; if your URL already contains query strings, the nonce value is appended to the end of the URL. You can verify that the nonce is correct by using the check_admin_referer() function, just as you did with your form:

(Figure: Function check for nonce security.)

This function first verifies that your action query string is set, and only then checks your nonce value. Once the nonce has been validated, the script continues; if the nonce is not validated, page execution stops.
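The form nonce and the URL nonce described above, combined in one small admin page as an added example that is not the article's own code; the prowp_* names, the option key and the menu slug are assumed for illustration, and a capability check is included because a valid nonce proves intent, not permission:

```php
<?php
// Added example: one options page that protects a settings form with
// wp_nonce_field()/check_admin_referer() and a delete link with wp_nonce_url().
// The prowp_* names, the option key and the menu slug are assumed.

add_action( 'admin_menu', function () {
    add_options_page( 'ProWP Demo', 'ProWP Demo', 'manage_options', 'prowp-demo', 'prowp_render_page' );
} );

function prowp_render_page() {
    // Capability check first: the nonce only proves the request came from our form/link.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Form submission: verify the form nonce (custom field name) before writing to the database.
    if ( isset( $_POST['prowp_submit'] ) ) {
        check_admin_referer( 'prowp_save_settings', 'prowp_settings_nonce' );
        $value = sanitize_text_field( wp_unslash( $_POST['prowp_value'] ?? '' ) );
        update_option( 'prowp_value', $value );
    }

    // Link action: check the action query string, then verify the URL nonce (default name _wpnonce).
    if ( isset( $_GET['action'] ) && 'delete' === $_GET['action'] ) {
        check_admin_referer( 'prowp_nonce_url_check' );
        delete_option( 'prowp_value' );
    }

    $current = get_option( 'prowp_value', '' );
    $delete  = wp_nonce_url(
        admin_url( 'options-general.php?page=prowp-demo&action=delete' ),
        'prowp_nonce_url_check'
    );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'prowp_save_settings', 'prowp_settings_nonce' ); ?>
        <input type="text" name="prowp_value" value="<?php echo esc_attr( $current ); ?>">
        <input type="submit" name="prowp_submit" value="Save">
    </form>
    <a href="<?php echo esc_url( $delete ); ?>">Delete</a>
    <?php
}
```

Submitting the form or following the link without the matching _wpnonce value makes check_admin_referer() stop the page with the "Are you sure you want to do this?" error instead of touching the option.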