As a global leader in WordPress backups and security, our job involves receiving mails from distraught customers who have been hacked. Maintaining a completely secure WordPress site isn't practical, but there are ways to make things harder for hackers. Here are a few essential practices to follow to harden your WordPress site's security.
11. ◦ WP assigns every user a role
◦ Every role has specific set of capabilities
◦ Restrict plugin actions to specific capability
Checking user capabilities
13. ◦ Check that required fields have not been left
blank, and values match type, etc.
◦ Data validation should be performed as early as
possible
◦ Validate Javascript in the front end, and PHP in
the back end
◦ Built-in PHP functions + Core WordPress
functions.
Data Validation
14. ◦ Input data should be sanitized when you don't
know what to expect in inputs, or you don't
want to be strict with data validation
◦ Use built-in WP helper functions - sanitize_*()
series
Sanitize Input Data
15. ◦ Whenever you’re rendering data, make sure to
properly escape it.
◦ Escaping output prevents XSS (Cross-site
scripting) attacks.
◦ Use built-in WP helper functions - esc_*() series
Sanitize Output Data
16. ◦ Use nonces to check that the current user
actually intends to perform the action.
◦ Use wp_create_nonce() function to add nonce
Use nonces