WordPress Security (For Programmers)

By: Ryan Kienstra on: October 13, 2014  in: Plugins, Programming, Security

WordPress recommends adding this line to the top of every theme (and plugin) PHP file to block direct access. ABSPATH is only defined when the file is loaded through WordPress, so a request for the file by URL dies instead of executing it outside WordPress's own checks (and instead of leaking server paths through PHP error output).

<?php defined( 'ABSPATH' ) or die( 'No direct access!' ) ; ?>

Adam Onishi’s book Pro WordPress Theme Development recommends adding this to the functions.php file:

remove_action( 'wp_head', 'wp_generator' ) ;
remove_action( 'wp_head', 'rsd_link' ) ;
remove_action( 'wp_head', 'wlwmanifest_link' ) ;

The wp_generator hook prints a <meta name="generator"> tag carrying the WordPress version. Bots fingerprint sites by it, and an old version is an invitation for attack, so remove the tag, but keep updating too: the version also appears in readme.html at the site root and in the ?ver= query strings appended to core scripts and styles.
The rsd_link hook prints a <link rel="EditURI"> pointing at xmlrpc.php?rsd, which lets remote publishing clients discover the XML-RPC API. You already know where your own site is, so it shouldn't be advertised in the header of every page. Removing the link only hides the advertisement; xmlrpc.php stays reachable at its usual path.
The wlwmanifest_link hook prints a <link rel="wlwmanifest"> for Windows Live Writer. WordPress 6.3 dropped it from core, so on current sites this line is harmless but does nothing.
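The generator tag is only one place the version shows up. As an added example (not code from the original post or from Onishi's book), the filter below strips the ?ver= argument from enqueued scripts and styles when, and only when, it equals the core version, so cache-busting versions set by plugins and themes survive, and it blanks the generator line that WordPress also writes into the RSS and Atom feeds. It assumes it lives in the theme's functions.php and is loaded by WordPress; ac_strip_core_version is a hypothetical name. Hiding the version is fingerprint hygiene, not a fix: staying updated is.

```php
<?php
/*
 * Added example, not from the original post. Assumes it is loaded by
 * WordPress from the theme's functions.php.
 *
 * Scripts and styles registered without an explicit version get
 * "?ver=<core version>" appended by WordPress. Remove that argument only
 * when it matches the core version, so plugin and theme cache-busting
 * versions are left alone.
 */
add_filter( 'script_loader_src', 'ac_strip_core_version', 10, 1 );
add_filter( 'style_loader_src',  'ac_strip_core_version', 10, 1 );
function ac_strip_core_version( $src ) {
    $query = parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src; // no query string, nothing to strip
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && get_bloginfo( 'version' ) === $args['ver'] ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}

/*
 * wp_generator() and the feed templates both build their generator line
 * through the 'the_generator' filter, so returning an empty string here
 * silences the version in the HTML head and in every feed at once.
 */
add_filter( 'the_generator', '__return_empty_string' );
```

With both in place, the remove_action( 'wp_head', 'wp_generator' ) line above becomes redundant but is harmless to keep. Note that readme.html is a static file in the web root and needs to be deleted or blocked at the web server, not in PHP.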

It’s good to set up the client as an editor rather than an administrator. I like to remove the editor role’s unfiltered_html capability as well: with it, anything they paste into a post, including <script> tags, is saved verbatim; without it, their content passes through wp_kses_post() on save, which strips disallowed tags and attributes.

add_action( 'init' , 'ac_editor_capability' ) ;
function ac_editor_capability() {
  $editor = get_role( 'editor' ) ;
  if ( $editor ) { // get_role() returns null if another plugin removed the role
    $editor->remove_cap( 'unfiltered_html' ) ;
  }
}

The free plugin White Label CMS lets you trim the dashboard your client sees.
You can show them only the “Menus” item under “Appearance”, so they aren’t tempted to poke at the theme. Hiding menu items is cosmetic, though: what the user can actually do is still decided by the role’s capabilities, so set those first.
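Role changes made with remove_cap() are written to the wp_user_roles option and persist, so they don't need repeating on every request. As an added example (not the post's own code), this version makes the change once when the theme is activated, restores the default if the theme is switched away, and shows what the capability removal buys: the string wp_kses_post() is fed below is constructed for the example, and ac_lock_down_editor_role, ac_restore_editor_role and ac_kses_demo are hypothetical names. It assumes it lives in the theme's functions.php and is loaded by WordPress.

```php
<?php
/*
 * Added example, not from the original post. Assumes it is loaded by
 * WordPress from the theme's functions.php.
 *
 * after_switch_theme fires on the first page load after this theme is
 * activated, which is the right moment for a one-time role change.
 */
add_action( 'after_switch_theme', 'ac_lock_down_editor_role' );
function ac_lock_down_editor_role() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return; // role removed by another plugin; nothing to lock down
    }
    $editor->remove_cap( 'unfiltered_html' );
}

/*
 * switch_theme fires when this theme is deactivated. Put the default back so
 * the change doesn't silently outlive the theme that made it.
 */
add_action( 'switch_theme', 'ac_restore_editor_role' );
function ac_restore_editor_role() {
    $editor = get_role( 'editor' );
    if ( $editor ) {
        $editor->add_cap( 'unfiltered_html' ); // single-site default for editors
    }
}

/*
 * What the change buys you: content saved by a user without unfiltered_html
 * goes through wp_kses_post(). The sample post body is constructed for this
 * example; the <script> element is removed (its text is kept) and the
 * javascript: scheme is stripped from the href, leaving only allowed markup.
 */
function ac_kses_demo() {
    $posted = '<p>Hello</p><script>alert(document.cookie)</script>'
            . '<a href="javascript:alert(1)">click</a>';
    return wp_kses_post( $posted );
}
```

If you would rather nobody, administrators included, can post raw HTML, define DISALLOW_UNFILTERED_HTML as true in wp-config.php; WordPress then denies the capability to every user regardless of role.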

Sanitization and Escaping

Sanitize dynamic content on input and escape it on output, choosing the escaping function for the context: esc_html() for text between tags, esc_attr() for attribute values, esc_url() for href and src, and wp_json_encode() for values dropped into inline JavaScript. Template tags that echo do some of this for you: the_content() prints post HTML that was already filtered by wp_kses_post() on save for users without unfiltered_html (and is trusted by design for users who have it), and the_ID() prints an integer, so neither needs extra escaping. Anything you echo yourself, whether it comes from the get_* variants, post meta, options or request parameters, is your job to escape.
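The template fragment below, added here as an example and not taken from the post, shows each escaping function in the context it is meant for, next to the raw echo it replaces. It assumes it runs inside a theme template within the loop, so get_the_title(), get_permalink() and the other WordPress functions are available; the "q" query parameter is a hypothetical search term used to show the input side, and wp_json_encode() needs WordPress 4.1 or later.

```php
<?php
/*
 * Added example, not from the original post. Assumes it runs inside a theme
 * template, within the loop, under WordPress.
 *
 * Input side: wp_unslash() undoes the slashes WordPress adds to $_GET, and
 * sanitize_text_field() strips tags, invalid octets and extra whitespace.
 * "q" is a hypothetical parameter for this example.
 */
$term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

// Output side: escape per context, even though $term was sanitized on input.
?>
<article id="post-<?php echo esc_attr( get_the_ID() ); ?>">
  <h2>
    <a href="<?php echo esc_url( get_permalink() ); ?>"
       title="<?php echo esc_attr( get_the_title() ); ?>">
      <?php echo esc_html( get_the_title() ); ?>
    </a>
  </h2>

  <?php if ( '' !== $term ) : ?>
    <p>Results for <strong><?php echo esc_html( $term ); ?></strong></p>
  <?php endif; ?>

  <?php
  // Wrong: the raw parameter lands in the page unescaped (reflected XSS).
  // echo '<p>Results for ' . $_GET['q'] . '</p>';
  ?>

  <script>
    // Inline JavaScript: JSON-encode the value instead of string-escaping it,
    // so quotes, angle brackets and line terminators can't break out.
    var acTerm = <?php echo wp_json_encode( $term ); ?>;
  </script>

  <div class="entry">
    <?php
    // Post body: already filtered on save for users without unfiltered_html,
    // and the_content() applies the usual content filters itself.
    the_content();
    ?>
  </div>
</article>
```

The rule of thumb that keeps this honest: escape at the last moment, at the echo, and pick the function by where the value lands in the markup, not by where it came from.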
