I think that the general consensus is that WordPress is a secure platform – and in many ways, it is – but the truth is that it’s still software and that there will inevitably be bugs.
On top of that, if you’re in the business of building products – sites, themes, plugins, etc – on top of WordPress for others, then ultimately you - not the platform – become responsible for anything that goes wrong with the application or any security that arises.
But how do we know we’ve taken taken the necessary steps to make our work as secure as possible?
Sure, there are the WordPress Coding Standards but that’s obviously for coding style than anything else. Then there is the WordPress Data Validation API which helps to make sure we’re both sanitizing and validating our data while reading and writing to the database.
Is there anything else that we, as developers, can do?
Code Poet is a solid resource for anyone working with WordPress and I highly recommend checking it out. They’ve recently released an eBook - Locking Down WordPress – which takes a deep dive into securing WordPress installations and projects.
You can grab a copy of the free book here. It’s available in the following formats:
This is a great resource to have for both beginner and advanced developers to have on tap in your day-to-day work in securing WordPress.