With 27% of the web using WordPress, security is the #1 concern for anyone running their website on this mega popular open source platform. Although the security of WordPress core is looked after by a dedicated team of developers, the same cannot be said of all the thousands of third-party plugins and themes that extend WordPress to make it do pretty much anything you want. Just one vulnerable plugin or theme can represent a high risk for millions of sites.

In this article, I'm going to introduce a few guidelines and WordPress functions you can apply in your WordPress theme development to ensure your products are coded with users' security at their very core.

For dedicated WordPress plugin and theme developers, security is at the top of their mind in every line of code they write.

A serious overall approach to coding safe WordPress themes includes paying attention to the following general principles:

The most common threats you need to watch out for are:

Web security is always evolving, therefore it's important to stay current on the latest threats. Where WordPress is concerned, the Sucuri blog is a great place to learn about vulnerabilities and attacks.

Before accepting any input data from any source, e.g., users, web services, APIs, etc., you must check that it is what you expect it to be and that it's valid. This task is called validation.

For instance, if you collect users' emails via a form on your website, your code needs to check if users have entered some text input (not some number or nothing at all, for example) and that the input corresponds to a valid email address before entering that data into the database.

You might think this kind of check would hardly be required in a theme. In fact, forms are better included using a plugin rather than a theme. However, this is not entirely the case. If you plan on adding theme options via the Customizer, for example, you might need to perform some data validation on users' input.

Sanitizing consists in filtering or cleaning data coming from users, web services, etc., that it's about to be stored in the database. During this process, you can remove anything that could be harmful or undesired from the data, e.g., JavaScript statements, special characters, etc.

Escaping consists in making sure the data is safe to display, e.g., removing special characters, encoding HTML characters, etc. The recommended practice here is to escape as late as possible, just before displaying the data on the screen.

You'll need to do a lot of sanitization and escaping in WordPress themes. In fact, to be on the safe side, the best bet is to sanitize/escape all dynamic data, i.e., any data that is not hard-coded in the HTML source.

You can perform basic validation using a number of handy PHP functions.

For instance, to check if a variable doesn't exist or has a value set to false, you can use empty().

However, to make validation a breeze, WordPress offers these useful functions.