In this article, I’ll explain the minimum code-level security measures that sole proprietors who use custom WordPress themes (or themes custom-built by a development company) should implement.

Things to Keep in Mind When Creating Your Own Theme or Adding Features to functions.php

When adding original code to WordPress, it’s easy to overlook security considerations.
However, implementing basic security measures in your code is crucial for preventing website hacking and reducing the risk of damage from such attacks.
In this article, we’ll introduce five common code-based security measures used in WordPress.

1. Add !defined('ABSPATH') at the beginning of your code

Add the following line immediately after the opening <?php tag of your custom script.

if (!defined('ABSPATH')) {exit;}

This is a basic guard: the constant ABSPATH is defined by WordPress when it loads, so the code below the check only executes when the file is included through WordPress. If someone requests the PHP file directly by its URL, the script exits before any of your code runs.

2. Escaping during output

In WordPress, values are escaped at output time, with a function chosen for the context they are rendered into (HTML text, an attribute, a URL, or JavaScript), so that only the markup you intended is displayed.

This makes it difficult for hackers to inject malicious code onto pages viewed by users or into arbitrary programs.

echo esc_html($title); // Limit output to HTML text

echo '<input value="' . esc_attr($value) . '">'; // Limit output to HTML attribute values

echo '<a href="' . esc_url($url) . '">Link</a>'; // Limit output to a URL

echo '<script>var name = "' . esc_js($name) . '";</script>'; // Limit output to JavaScript variables (JS code cannot be output)
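The following is an added example, not code from the original article: one template helper that outputs the same untrusted values in each of the four contexts above, with the matching escaping function. The $product array, its keys and the shortcode name are assumptions for the example.

```php
<?php
// Added example: output escaping chosen per context. The $product array,
// its keys and the [product_card] shortcode are hypothetical.
if (!defined('ABSPATH')) { exit; }

function my_theme_render_product_card(array $product): string {
    // UNSAFE (for comparison): a title such as <script>alert(1)</script>
    // would be inserted into the page as-is.
    // $html = '<h2>' . $product['title'] . '</h2>';

    // HTML attribute: esc_attr() encodes quotes and angle brackets.
    $html  = '<div class="product" data-sku="' . esc_attr($product['sku']) . '">';
    // HTML text node: esc_html() converts <, >, &, " and ' to entities.
    $html .= '<h2>' . esc_html($product['title']) . '</h2>';
    // URL: esc_url() encodes the value and returns '' for schemes such as
    // javascript:, so the attribute can never become executable.
    $html .= '<img src="' . esc_url($product['image']) . '" alt="' . esc_attr($product['title']) . '">';
    $html .= '<a href="' . esc_url($product['link']) . '">Details</a>';
    // Inline JavaScript string: esc_js() escapes quotes, backslashes and
    // line breaks so the value cannot close the string literal.
    $html .= '<script>var productName = "' . esc_js($product['title']) . '";</script>';
    // Rich text written by an editor: keep only the post-safe tag set.
    $html .= '<div class="desc">' . wp_kses_post($product['description']) . '</div>';
    $html .= '</div>';
    return $html;
}

// Usage: [product_card] renders the current post as a product card.
add_shortcode('product_card', function ($atts) {
    $post_id = get_the_ID();
    $product = array(
        'sku'         => get_post_meta($post_id, 'sku', true),
        'title'       => get_the_title($post_id),
        'image'       => get_post_meta($post_id, 'image_url', true),
        'link'        => get_permalink($post_id),
        'description' => get_post_meta($post_id, 'description', true),
    );
    return my_theme_render_product_card($product);
});
```

Note that the same value (the title) is escaped three different ways depending on where it lands; escaping once at input time and reusing the result everywhere is what leads to gaps.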

3. Use $wpdb->prepare()

When reading data from the database, passing SQL statements through the WordPress function $wpdb->prepare() helps prevent unauthorized database operations known as SQL injection attacks.
Use $wpdb functions as much as possible when accessing the database.

global $wpdb;
// Read the parameter with a default so a missing key does not raise a warning.
$user_id = isset($_GET['user_id']) ? absint($_GET['user_id']) : 0;
// %d accepts only an integer and %s only a string; string values are also escaped and quoted.
$results = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}my_table WHERE user_id = %d AND status = %s",
        $user_id,
        'active'
    )
);
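Below is an added example, not code from the original article, that goes a little beyond the snippet above: it shows the unsafe concatenated query next to the prepared one, handles a LIKE search (where the wildcard characters % and _ need $wpdb->esc_like() because prepare() quotes but does not neutralise them), and writes a row with $wpdb->insert() using the same %d/%s format specifiers. The table {$wpdb->prefix}my_table and its columns are assumed.

```php
<?php
// Added example: parameterised reads and writes through $wpdb.
// Assumes a custom table {prefix}my_table with columns id, user_id, status, note.
if (!defined('ABSPATH')) { exit; }

function my_theme_search_notes(int $user_id, string $keyword): array {
    global $wpdb;
    $table = $wpdb->prefix . 'my_table';

    // UNSAFE (for comparison): the keyword is pasted straight into the SQL,
    // so a quote character in it changes the structure of the query.
    // $sql = "SELECT * FROM $table WHERE user_id = $user_id AND note LIKE '%$keyword%'";

    // prepare() binds the value as a quoted string, but % and _ are still
    // wildcards inside LIKE, so escape them first with esc_like().
    $like = '%' . $wpdb->esc_like($keyword) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, user_id, status, note FROM {$table} WHERE user_id = %d AND note LIKE %s",
        $user_id,
        $like
    );
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

function my_theme_add_note(int $user_id, string $note): int {
    global $wpdb;
    // insert() escapes and quotes every value; the format array declares the
    // type of each column in order (%d integer, %s string).
    $ok = $wpdb->insert(
        $wpdb->prefix . 'my_table',
        array(
            'user_id' => $user_id,
            'status'  => 'active',
            'note'    => sanitize_textarea_field($note),
        ),
        array('%d', '%s', '%s')
    );
    // Returns the new row id, or 0 when the insert failed.
    return $ok ? (int) $wpdb->insert_id : 0;
}

// Usage:
// $rows = my_theme_search_notes(get_current_user_id(), '50% off');
// $id   = my_theme_add_note(get_current_user_id(), "first line\nsecond line");
```

A quick check for a theme is to search it for `$wpdb->query(` and `$wpdb->get_results(` calls whose SQL string contains a PHP variable but no surrounding `prepare(`; each such call is a candidate for the unsafe pattern shown in the comment.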

4. Sanitize GET and POST values as much as possible

$_GET and $_POST hold the data submitted with a request, and their values may contain dangerous input used in XSS or SQL injection attacks.
Pass GET and POST values through sanitization or escaping functions whenever possible.

sanitize_textarea_field(): For multi-line text (input containing line breaks)

sanitize_text_field(): Like the above, but line breaks are also removed (single-line text)

sanitize_key(): Restricts input to lowercase letters, numbers, underscores, and hyphens only

sanitize_file_name(): Removes dangerous characters (spaces, special symbols, etc.) from filenames

wp_kses_post(): Allows only basic HTML tags; removes dangerous tags such as <script>

wp_strip_all_tags(): Removes all tags

intval(): Allows only integers

sanitize_email(): Allows only email addresses
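The following is an added example, not code from the original article, that puts the ABSPATH guard from section 1, the escaping from section 2 and the sanitizers listed above together in one functions.php form handler. It also adds the nonce check that WordPress expects on a form submission, since sanitizing alone does not tell you whether the request came from your own form. The form field names, the nonce action and the admin-post action name are assumptions.

```php
<?php
// Added example: a contact form rendered by a shortcode and handled through
// admin-post.php. Field names, nonce action and hook names are hypothetical.
if (!defined('ABSPATH')) { exit; }

function my_theme_sanitize_contact_submission(array $post): array {
    // Read every field with a default so a missing key never raises a warning,
    // then apply the sanitizer that matches the type the field is supposed to hold.
    return array(
        'name'     => sanitize_text_field($post['name'] ?? ''),         // single line
        'email'    => sanitize_email($post['email'] ?? ''),             // '' if not an address
        'message'  => sanitize_textarea_field($post['message'] ?? ''),  // keeps line breaks
        'topic'    => sanitize_key($post['topic'] ?? ''),               // slug-like value only
        'quantity' => absint($post['quantity'] ?? 0),                   // non-negative integer
        'bio_html' => wp_kses_post($post['bio_html'] ?? ''),            // limited HTML, no <script>
    );
}

function my_theme_handle_contact_form() {
    // WordPress adds slashes to request data; remove them before sanitizing.
    $post = wp_unslash($_POST);

    // Reject submissions that do not carry the nonce issued with the form.
    $nonce = isset($post['my_contact_nonce']) ? sanitize_text_field($post['my_contact_nonce']) : '';
    if (!wp_verify_nonce($nonce, 'my_contact_form')) {
        wp_die('Invalid request.', '', array('response' => 403));
    }

    $data = my_theme_sanitize_contact_submission($post);

    // Validation is a separate step: a sanitized value can still be invalid.
    if ($data['email'] === '' || !is_email($data['email'])) {
        wp_die('Please enter a valid email address.', '', array('response' => 400));
    }

    wp_mail(get_option('admin_email'), 'Contact: ' . $data['topic'], $data['message']);
    $back = wp_get_referer() ? wp_get_referer() : home_url('/');
    wp_safe_redirect(add_query_arg('sent', '1', $back));
    exit;
}
// Both logged-in and anonymous visitors may submit the form.
add_action('admin_post_my_contact_form', 'my_theme_handle_contact_form');
add_action('admin_post_nopriv_my_contact_form', 'my_theme_handle_contact_form');

// [contact_form] renders the form; note the output escaping on the action URL.
add_shortcode('contact_form', function () {
    ob_start(); ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="my_contact_form">
        <?php wp_nonce_field('my_contact_form', 'my_contact_nonce'); ?>
        <input type="text" name="name" placeholder="Name">
        <input type="email" name="email" placeholder="Email">
        <textarea name="message"></textarea>
        <button type="submit">Send</button>
    </form>
    <?php return ob_get_clean();
});
```

The split between sanitizing (make the value safe to store) and validating (decide whether the value is acceptable at all) matters: sanitize_email() silently turns an invalid address into an empty string, so the handler still has to check the result before using it.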

5. Do not use eval()

eval() is a function that "executes" the passed string as PHP code. It is very commonly used by malware.
For this reason, its presence in your code may also trigger false positives during malware scans.
Additionally, code like the example below is extremely dangerous, as it allows an attacker to execute arbitrary code on the server. (In other words, it is typical backdoor code.)
Since using eval() makes it easy to create code with a vulnerable structure without noticing, you should avoid it altogether.

eval($_GET['code']);
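The following is an added example, not code from the original article, showing the usual reason eval() creeps into a theme (a "formula" or "callback" stored as text in an option) and how to replace it with a closed set of named rules, so that the configurable part can only select behaviour, never supply code. The option name, rule names and the price calculation are assumptions.

```php
<?php
// Added example: an allowlist of named rules instead of eval() on an option value.
// The option 'my_price_rule' and the rule set are hypothetical.
if (!defined('ABSPATH')) { exit; }

// DANGEROUS pattern (for comparison): a value that an editor can change in the
// admin screen is executed as PHP, so anyone who can edit the option owns the site.
// $price = eval('return ' . get_option('my_price_formula') . ';');

// Safer: the configurable value only picks one entry from a fixed list.
function my_theme_price_rules(): array {
    return array(
        'none'       => function (float $base): float { return $base; },
        'tax_10'     => function (float $base): float { return round($base * 1.10, 2); },
        'discount_5' => function (float $base): float { return round($base * 0.95, 2); },
    );
}

function my_theme_apply_price_rule(float $base, string $rule_name): float {
    $rules = my_theme_price_rules();
    // sanitize_key() reduces the stored value to a slug; unknown names fall back
    // to the identity rule rather than being interpreted in any way.
    $key  = sanitize_key($rule_name);
    $rule = isset($rules[$key]) ? $rules[$key] : $rules['none'];
    return $rule($base);
}

// Usage: the option holds a rule name such as 'tax_10', never code.
// $price = my_theme_apply_price_rule(1000.0, (string) get_option('my_price_rule', 'none'));
```

As a check on an existing theme, searching the theme directory for `eval(`, `create_function(` and `preg_replace(` with the `/e` modifier finds the constructs that execute strings as code; in a custom theme there is normally no legitimate reason for any of them to be present.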

You can perform WordPress security checks and implement countermeasures, including malware scans, using plugins. Please use them if you have security concerns.
