esdecode
WordPress· 6 min read

WordPress Plugin Security Checklist

By The esdecode editorial team·Published

Every plugin you install runs with your site's privileges, so a single insecure plugin can compromise the whole site. Before you activate a premium WordPress plugin, run through this security checklist. It pairs with our guide on how to choose a WooCommerce plugin and the best WooCommerce plugins pillar.

1. Capability checks on every action

Privileged actions must verify the user is allowed to perform them with current_user_can() — for example manage_options for settings or manage_woocommerce for store actions. Hiding a button in the UI is not security; the server must enforce it.

2. Nonces on state-changing requests

Forms and AJAX endpoints that change data should use nonces (wp_nonce_field() / check_admin_referer() / check_ajax_referer()) to prevent CSRF. A plugin that updates options or deletes records without a nonce is a red flag.

3. Input sanitisation and output escaping

Input should be sanitised (sanitize_text_field(), absint(), sanitize_email()) and output escaped at the point of rendering (esc_html(), esc_attr(), esc_url()). This is how WordPress plugins avoid stored XSS. Ask the author, or check the demo source if available.

4. Safe database access

Any custom queries must use $wpdb->prepare() with placeholders — never string-concatenated SQL. Most plugins should lean on the WordPress data APIs (WP_Query, options, meta) rather than raw SQL at all.

5. Direct-access guard and safe uninstall

PHP files should bail early with if ( ! defined( 'ABSPATH' ) ) exit;. Check the uninstall behaviour too: an uninstall.php should remove only the plugin's own data, and must never delete shared content like Media Library attachments used elsewhere. Treat any bulk-delete feature with extra care — it should offer a confirmation and ideally a dry run.

Quick checklist

  • Capability checks on privileged actions
  • Nonces on every state-changing request
  • Input sanitised, output escaped
  • $wpdb->prepare() for any custom SQL
  • ABSPATH guard; safe, scoped uninstall
  • Recent changelog and a stated tested-up-to version

A plugin that ticks these boxes is far less likely to become a liability. Understand what you're licensed to do with it in WordPress plugin licensing explained, then browse vetted options in WordPress and eCommerce plugins.