[theme-reviewers] Guidance on theme security
Gene Robinson
emhr at submersible.me
Wed Oct 20 16:39:15 UTC 2010
There is a definite need for more quality tutorials on security with respect to theme development. I am seeing a staggering number of tutorials for options pages many of which appear to not account security.
Look at these results. A plethora of top tens and relevant tutorials vs. 51 results from a rare combinations of terms.
http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can
http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can
Even Automattic recently promoted the shared release of an insecure options page:
http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/
As a community, we appear not to have caught up with the enhancements to security in the core. There is much room for improvement in this area.
-Gene
More information about the theme-reviewers
mailing list