[theme-reviewers] Simple-Blue-Dashed 1.0

chip at chipbennett.net chip at chipbennett.net
Fri Jun 11 16:49:42 UTC 2010

> Security is a big item, themes mis-use any external data ($_GET,
> $_POST, $_REQUEST, $_COOKIE, $_SERVER) must be addressed, no two ways
> about it.  Direct DB queries must properly escape data in the query
> (and if there is a WP function to do the same thing the direct DB
> query should be replaced with the function call).  Those are the
> basic, *minimum* things that every theme needs to address security
> wise.

For those of us who are less-than-expert in the SQL aspects of theme
reviewing, can those who are more adept create a reasonably easy-to-follow
security checklist?

Or, maybe we should have some security-ninja theme reviewers, who can
focus on the security aspects of themes? If so, we could divy up the
review work, such that security concerns are handled separately - after
the theme is initially reviewed (and cleaned up, if necessary) based on
the "normal" criteria?

> Sometimes the theme author just isn't aware of specific functions or
> services in WordPress, so some hints and reference URLs for more info
> are helpful there.

Agreed. I tried to add in Codex references, where appropriate, in my first

Speaking of which: the Theme Development Checklist entry in the Codex is
sorely in need of cross-referencing to Codex entries for functions,
template tags, and hooks/filters.

More information about the theme-reviewers mailing list