Files
hub-insurance/.agents/skills/wp-plugin-development/references/security.md
T
2026-07-02 15:54:39 -06:00

30 lines
787 B
Markdown

# Security guardrails (plugin work)
Use this file when making security fixes or when handling any input/output.
## Nonces + permissions
- Nonces help prevent CSRF, not authorization.
- Always pair nonces with capability checks (`current_user_can()` or a more specific capability).
Upstream reference:
- https://developer.wordpress.org/apis/security/nonces/
## Sanitization and escaping
Golden rule:
- sanitize/validate on input, escape on output.
Practical rules:
- never process the entire `$_POST` / `$_GET` array; read explicit keys
- use `wp_unslash()` before sanitizing when needed
- use prepared statements for SQL; avoid interpolating user input into queries
Common review guidance:
- https://developer.wordpress.org/plugins/wordpress-org/detailed-plugin-guidelines/