WordPress.org

WordPress Developer Resources

Plugin Security


This content has been moved to the Security page in the Common APIs Handbook.

First published: September 16, 2014

Last updated: December 14, 2023