[theme-reviewers] Guidance on theme security

Gene Robinson emhr at submersible.me
Wed Oct 20 16:39:15 UTC 2010


There is a definite need for more quality tutorials on security with respect to theme development. I am seeing a staggering number of tutorials for options pages, many of which appear not to account for security.

Look at these results. A plethora of top tens and relevant tutorials vs. 51 results from a rare combination of terms.

http://www.google.com/search?q=wordpress+theme+options+tutorial+-nonce+-check_admin_referer+-current_user_can

http://www.google.com/search?q=wordpress+theme+options+tutorial+nonce+check_admin_referer+current_user_can

Even Automattic recently promoted the shared release of an insecure options page:
http://publisherblog.automattic.com/2010/10/01/cheezcap-custom-wp-admin-panels/

As a community, we appear not to have caught up with the enhancements to security in the core. There is much room for improvement in this area.

-Gene
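The three omissions the post searches for (nonce field, check_admin_referer, current_user_can) shown side by side in a minimal theme options handler. This is an added example, not code from the post or from any tutorial it links; the function, option and nonce names are hypothetical.

```php
<?php
// Added example: a theme options save handler in the shape the post
// criticises, followed by the hardened form. Names are hypothetical.

// Pattern seen in many tutorials: stores whatever was POSTed. No
// capability check, no nonce check, no sanitisation, so any logged-in
// user (or a forged cross-site request) can overwrite the option.
function mytheme_save_options_insecure() {
    if ( isset( $_POST['mytheme_color'] ) ) {
        update_option( 'mytheme_color', $_POST['mytheme_color'] );
    }
}

// Hardened form of the same handler.
function mytheme_save_options() {
    if ( ! isset( $_POST['mytheme_submit'] ) ) {
        return;
    }
    // 1. Capability check: only users permitted to edit theme options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'You are not allowed to change theme options.' );
    }
    // 2. Nonce check: the request must come from our own form, which
    //    defeats cross-site request forgery. Dies if the nonce is bad.
    check_admin_referer( 'mytheme_save_options', 'mytheme_nonce' );

    // 3. Validate and sanitise before storing; reject anything that is
    //    not a #rrggbb colour so arbitrary markup never reaches the DB.
    $color = sanitize_text_field( $_POST['mytheme_color'] );
    if ( preg_match( '/^#[0-9a-f]{6}$/i', $color ) ) {
        update_option( 'mytheme_color', $color );
    }
}

function mytheme_options_page() {
    mytheme_save_options();
    ?>
    <div class="wrap">
      <form method="post">
        <?php wp_nonce_field( 'mytheme_save_options', 'mytheme_nonce' ); ?>
        <input type="text" name="mytheme_color"
               value="<?php echo esc_attr( get_option( 'mytheme_color', '#ffffff' ) ); ?>" />
        <input type="submit" name="mytheme_submit" value="Save" />
      </form>
    </div>
    <?php
}

function mytheme_register_menu() {
    // The capability argument also gates who can load the page.
    add_theme_page( 'My Theme', 'My Theme', 'edit_theme_options',
                    'mytheme-options', 'mytheme_options_page' );
}
add_action( 'admin_menu', 'mytheme_register_menu' );
```

The menu capability alone is not enough: the POST handler must repeat the capability and nonce checks, since a forged request never goes through the menu.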

