## The Threat Landscape
WordPress powers over 43% of the web, making it the #1 target for automated attacks. Security cannot be an afterthought; it must be baked into your development lifecycle.
### Common Vulnerabilities (OWASP Top 10 Context)
| Vulnerability | WordPress Context | Prevention |
| :--- | :--- | :--- |
| **SQL Injection** | Improper use of `$wpdb` | Prepared Statements |
| **XSS (Cross-Site Scripting)** | Unescaped output | `esc_html()`, `esc_attr()` |
| **CSRF** | Missing nonce checks | `wp_verify_nonce()` |
| **Broken Access Control** | Missing capability checks | `current_user_can()` |
## 1. Input Sanitization & Output Escaping
This is the golden rule of WordPress security: **Trust no one.**
### Sanitization (Input)
Clean data *before* it enters your database.
```php
// Text Field
$title = sanitize_text_field( $_POST['title'] );
$email = sanitize_email( $_POST['email'] );
// HTML Content (allows safe tags)
$content = wp_kses_post( $_POST['content'] );
// Custom Keys
$key = sanitize_key( $_POST['key'] );
```
### Escaping (Output)
Clean data *before* it is rendered to the browser.
```php
// HTML Body
echo esc_html( $user_input );
// HTML Attributes (inside a double-quoted attribute value)
echo '<input type="text" value="' . esc_attr( $user_input ) . '">';
// URLs (rejects javascript: and other unsafe protocols)
echo '<a href="' . esc_url( $url ) . '">Link</a>';
// JavaScript Variables (string literal inside an inline script)
echo '<script>var data = "' . esc_js( $user_input ) . '";</script>';
```
## 2. Nonces and Permissions
Never perform an action without verifying intent and authority.
```php
function handle_form_submission() {
    // 1. Verify Nonce (Intent)
    if ( ! isset( $_POST['my_nonce'] ) || ! wp_verify_nonce( $_POST['my_nonce'], 'my_action' ) ) {
        wp_send_json_error( 'Invalid nonce' );
    }
    // 2. Verify Permissions (Authority)
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Unauthorized' );
    }
    // 3. Process Data
    // ...
}
```
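The two checks above only pay off when the rest of the handler follows the same discipline. The following admin-ajax handler, an added example that is not from the original post, chains nonce, capability, sanitization, a `$wpdb` prepared statement (the "Improper use of `$wpdb`" row of the table) and output escaping in one place. The `wp_ajax_save_note` action, the `save_note` nonce action and the `{$wpdb->prefix}notes` table with `id`, `author_id` and `title` columns are assumptions for the example.

```php
<?php
// Added example (not from the post). Assumed names: action `wp_ajax_save_note`,
// nonce action `save_note`, custom table `{$wpdb->prefix}notes` (id, author_id, title).
add_action( 'wp_ajax_save_note', 'save_note_handler' );

function save_note_handler() {
    global $wpdb;

    // 1. Intent: the nonce ties the request to a form WordPress rendered for this
    //    user, which defeats CSRF. Unslash request data before using it, as core does.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'save_note' ) ) {
        wp_send_json_error( 'Invalid nonce', 403 );
    }

    // 2. Authority: a valid nonce says nothing about permission; check it separately.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'Unauthorized', 403 );
    }

    // 3. Sanitize every field before it touches the database.
    $note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
    $title   = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $note_id || '' === $title ) {
        wp_send_json_error( 'note_id and title are required', 400 );
    }

    // 4. Prepared statement: request data never goes into the SQL string itself.
    //    The unsafe pattern the table warns about would be a direct interpolation of
    //    $title and $note_id into the query; %s/%d placeholders replace that.
    //    The author_id condition is the object-level check: users edit only their own rows.
    $table = $wpdb->prefix . 'notes'; // table names cannot be placeholders, so build it from the trusted prefix
    $rows  = $wpdb->query(
        $wpdb->prepare(
            "UPDATE {$table} SET title = %s WHERE id = %d AND author_id = %d",
            $title,
            $note_id,
            get_current_user_id()
        )
    );
    if ( false === $rows ) {
        wp_send_json_error( 'Database error', 500 );
    }

    // 5. Escape on output: the sanitized title is still data, not HTML, when the
    //    client inserts it into the page.
    wp_send_json_success( array( 'title' => esc_html( $title ), 'updated' => (int) $rows ) );
}
```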
## 3. Hardening Headers
Security headers instruct the browser on how to behave, preventing many classes of attacks.
### Recommended Headers
Add these to your web server configuration. The block below uses Nginx syntax; on Apache the equivalent is a `Header set` directive (mod_headers) in your virtual host or `.htaccess`.
```nginx
# Content Security Policy (CSP)
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://www.google-analytics.com; object-src 'none';";
# X-Frame-Options (Prevent Clickjacking)
add_header X-Frame-Options "SAMEORIGIN";
# X-Content-Type-Options
add_header X-Content-Type-Options "nosniff";
# Referrer Policy
add_header Referrer-Policy "strict-origin-when-cross-origin";
```
## 4. File System Security
### Disable File Editing
Prevent admins from editing PHP files via the dashboard.
```php
// wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
```
### Protect Sensitive Files
Block access to `wp-config.php` and `.htaccess`.
```apache
# Deny direct web access to wp-config.php and .htaccess (Apache 2.2 syntax;
# on Apache 2.4 replace the two directives with "Require all denied").
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    order allow,deny
    deny from all
</FilesMatch>
```
## Security Checklist for 2024
1. [ ] **Updates**: Enable auto-updates for minor versions.
2. [ ] **Auth**: Enforce 2FA for all administrator accounts.
3. [ ] **Salts**: Rotate authentication keys and salts regularly.
4. [ ] **XML-RPC**: Disable XML-RPC if not used.
5. [ ] **REST API**: Restrict REST API access to authenticated users where possible.
## Conclusion
Security is a continuous process. By implementing these layers of defense—sanitization, validation, nonces, headers, and server hardening—you drastically reduce your attack surface.
Topics covered: Security, WordPress, PHP, Best Practices, OWASP
Valandi Angelidis
Senior WordPress Developer with 8+ years of experience building enterprise themes, custom plugins, and React-powered Gutenberg blocks. Passionate about clean code and exceptional user experiences.
