Master plugin security best practices. Learn to prevent XSS through output escaping and apply strict file permissions to keep your WordPress site secure.
Previously in this course, we explored caching strategies to optimize our Knowledge Base plugin. Now, we shift our focus from performance to protection. Even the most efficient code is a liability if it’s vulnerable to exploitation.
In the WordPress ecosystem, security is not a "set it and forget it" feature; it is a discipline. While we have already covered sanitizing user input and verifying nonces, those are only half the battle. Today, we address the other half: ensuring that data is safe when it reaches the browser and that your plugin files remain inaccessible to unauthorized entities.
The golden rule of web development is simple: all data is guilty until proven innocent. We already know to sanitize input (cleaning data before it hits the database), but we must also practice output escaping (cleaning data before it hits the browser).
Failing to escape output is the primary cause of Cross-Site Scripting (XSS). If a malicious user injects a <script> tag into your Knowledge Base article, and you print that variable directly to the screen, that script executes in the browser of every visitor—including administrators.
WordPress provides a suite of functions specifically designed for escaping. You should choose the function based on the context of the HTML where the data will be rendered:
esc_html(): Use this for content between HTML tags (e.g., <div>...</div>). It converts characters like < and > into HTML entities.esc_attr(): Use this for content inside HTML attributes (e.g., <input value="...">).esc_url(): Use this for URLs in href or src attributes. It strips invalid characters and ensures the protocol is safe.esc_js(): Use this for inline JavaScript strings.Worked Example: Escaping in our Plugin View In our Knowledge Base plugin, imagine we are rendering an article title and a link to the author's profile.
PHP#6A9955">// Bad: Vulnerable to XSS echo '<h1>' . $article_title . '</h1>'; echo '<a href="' . $author_url . '">View Profile</a>'; #6A9955">// Good: Secured with escaping echo '<h1>' . esc_html( $article_title ) . '</h1>'; echo '<a href="' . esc_url( $author_url ) . '">View Profile</a>';
Security isn't just about code; it's about the environment. If your plugin files are world-readable or writable by the web server user, an attacker who gains a foothold on your server can modify your code to inject backdoors.
644 (owner read/write, group/others read-only) and directories 755. Never use 777..git folder, composer.json, and README.md are not publicly accessible via the web browser.Worked Example: Preventing Direct Access Add this snippet to the top of every PHP file in your plugin, including templates and classes:
PHPdefined( 'ABSPATH' ) || exit; #6A9955">// Exit if accessed directly
AdminController or your frontend template files.esc_html, esc_attr, or esc_url).defined( 'ABSPATH' ) || exit; guard clause to your main plugin file and any secondary include files.esc_html() on a variable that you intend to render as raw HTML. If you have a legitimate need to output HTML (like a WYSIWYG editor field), use wp_kses_post() instead, which strips dangerous tags while allowing safe ones.777 during development to fix "Permission Denied" errors. Always revert these to 755 before deploying to a production server.Security is a layered approach. By combining capability checks for authorization, input sanitization for data integrity, and output escaping for XSS prevention, you create a robust, professional plugin. Remember: protect your entry points, sanitize your data, and escape your output.
Up next: We will discuss how to manage third-party library dependencies using Composer to keep our plugin modern and maintainable.
Stop manually including PHP libraries. Learn how to use Composer for dependencies to streamline your WordPress plugin development and automate autoloading.
Plugin Security Best Practices
Handling Large Datasets
Error Handling and Logging