Security 101
                ~ Improving the security of your WordPress installation ~




@manifestphil                                                           manifestbozeman.com
Why would anyone hack me?
   It's not personal, but there are
   several motivating factors…

   ■    For attention

   ■    Profit scams

   ■    Own one, own them all…

   ■    To steal information
                                                 "All I wanted was to sell my cupcakes online!"




Most website hacks are performed by automated computer programs, and are
not directed at your website personally. However, the bigger you are, the more
worthwhile it becomes for a hacker to invest time, energy and resources.
Favorite WordPress Security Breaches
  There are certain types of hacks that target WordPress specifically:
  ■   Defacement / Hacktivism

  ■   SEO Hijacking

  ■   Affiliate/Malicious Redirects

  ■   Backdoors

  ■   Drive-by Downloads




                      Don't become a Canadian pharmacy!
What is security, exactly?

  ■   Security is about risk reduction. There is no silver bullet.
  ■   Security is never absolute.
  ■   To think you will never be infected is like saying you'll never be sick.
  ■   Detection is the key! You cannot clean up what you never notice.

Security is all about not being an easy target.

Sometimes security means simply having a plan for what we will do in a worst case scenario… Play "what if?"

Security means different things for different types of organizations.

Like tourists, it's best to avoid being "that guy".
So what's the problem?

     ■     The ecosystem/environment
     ■     Access control
     ■     Software vulnerabilities
     ■     Extensibility

Keeping your installation current is the easiest security improvement you can make.

[Figure: WordPress release history up to v3.5.1, broken down into Feature, Security and Major releases]

The WordPress core is in fact very secure. When an issue arises, the core team is quick to patch the vulnerability and push that to end users. That only helps you if you install the update.
Start by securing your own computer…

      ■       Good, up-to-date antivirus software
      ■       Keep your own software up to date
      ■       Know where you're surfing the web

And getting a good web host.

      ■       On a shared host there is not much you can control: the server configuration isn't yours, and other customers' compromised sites live on the same machine.
      ■       Consider a dedicated / VPS environment or go with a managed host.

Questions to ask a host:

      ●    What security does my host use?
      ●    What kind of reputation do they have?
      ●    What will they do if you get hacked?

A managed WordPress host doesn't mean you'll be any safer, but it does mean you'll have resources to lean on.
Change your passwords… like yesterday.

  ■   Hard to guess. Hard for a brute force attack to succeed.
  ■   Avoid any combination of your name, company name, username, etc.
  ■   Don't use dictionary words, in any language.
  ■   Stop using the same password for everything. Email, DB, Admin, FTP.

One way to build a long password you can remember is from a sentence:

   My daughter is Emery. 07152013 She likes dogs!

                  MdiE.07152013Sld!

Keep in mind that a date that means something to you (a birthday, an anniversary) is still guessable by anyone who knows you. Better still, let a password manager generate and remember a random password for every account:

   1Password                   KeePassX
You need a backup plan. Or two.

  ■   Clean backups mean you never need to start from scratch.
  ■   Back up your database, content, themes.
       ○     Specialized installations may need more, e.g. custom plugins, .htaccess, etc.
  ■   Back up to multiple locations.
       ○     Backups stored on your primary server cannot be trusted: whoever compromises the server can alter or delete them too.
       ○     Hard drives fail. Homes burn down. Offices are burglarized.
  ■   Backup frequency
       ○     Depends on how much work or information you stand to lose.
  ■   Manual vs. automatic
  ■   Test a restore. A backup you have never restored is a hope, not a plan.

  Backup Buddy - $75                       VaultPress - $15/mo.              WP to Dropbox - FREE
Control the access to your site.

  ■   Connect using SFTP, SSH or FTP over SSL (FTPS), never plain FTP: plain FTP sends your password in clear text.
  ■   Log in to wp-admin using SSL (https://mydomain.com/wp-admin).
  ■   Your FTP username/password should not be the same as your WordPress admin username/password.
  ■   Least privilege
       ○   Everyone doesn't need to be an admin.
       ○   Every user should have their own account.
       ○   You don't need to log in as admin for day-to-day writing; use an Editor account.
       ○   The focus is on the role, not their name.
       ○   Kill generic accounts.
  ■   Blacklist known bad bots and users.

Reading recommendation
Check out the eBook, Locking Down WordPress, by Michael Pick. It's available as a free download at CodePoet.com.

What's in a free theme?
When you search Google for free or cheap themes you're probably going to create a security vulnerability: themes from unknown sources frequently ship with encoded (base64) link spam or backdoors. Go with more reputable sources.
Setting up your WordPress installation

  ■   Turn off directory listings
  ■   Kill PHP execution in directories that should only hold data
  ■   Deny access to wp-config.php
  ■   Ensure file permissions are correct
       ○   Directories should be 755
       ○   Files should be 644
       ○   wp-config.php can usually be tightened to 640 or 600 when PHP runs as the file's owner; nothing should ever be 777 (world-writable).
  ■   Properly configure wp-config
       ○   Disable theme/plugin editing via admin
       ○   Force SSL for admin login and use
       ○   Add secret keys and salts
  ■   Remove the admin account
  ■   Change the database table prefix
  ■   Use trusted sources for themes and plugins

Maintainability Tips
If you have plugins installed that you do not use, delete them! A deactivated plugin is still code on disk, reachable by URL, and its vulnerabilities are still exploitable.
Did you purchase or download a theme? Use child themes to allow the main theme to be updated without breaking your layout.

Developer Tips
Following WordPress code standards when developing a theme will ensure that client updates don't break the site. Because you're a ninja-coder, you can confidently allow your customer access to keep WordPress updated.
Help your clients set up automatic backups, please!
Turn off Directory Listings

Where does it go?   /.htaccess (the .htaccess file in your WordPress root directory)
What does it do?    Prevents the Apache web server from displaying a list of all the files in a directory, so a visitor can't browse /wp-content/uploads/ or /wp-content/plugins/ to see what you have installed.
Kill PHP Execution

Where does it go?   /wp-content/uploads/.htaccess
                    /wp-includes/.htaccess
What does it do?    Prevents PHP code from being executed in these two directories. Many backdoor scripts disguise themselves in these locations; if the web server refuses to run PHP there, an uploaded shell is just a dead file.

If neither of these locations has an existing .htaccess file, you may need to create it.
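The two .htaccess files the slide refers to, written out as an added example (the deck's own snippet was an image not carried into this transcript). Both the Apache 2.2 (Order/Deny) and 2.4 (Require) forms are included; the wp-includes file exempts wp-tinymce.php, which the WordPress 3.x visual editor requests directly, because blocking it breaks the post editor.

```apache
# /wp-content/uploads/.htaccess
# Nothing under uploads should ever run server-side. Any file whose name
# contains a PHP extension is answered with 403 instead of being executed.
# The trailing (\.|$) also catches double extensions such as shell.php.jpg,
# which some hosts' AddHandler configuration would otherwise run as PHP.
<FilesMatch "\.(php|phtml|phar|php[3-7]|phps|pht)(\.|$)">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# /wp-includes/.htaccess
# wp-includes is library code: WordPress include()s these files itself, so
# no browser should ever request one of them by URL.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>
# Exception: the visual editor in WordPress 3.x loads
# wp-includes/js/tinymce/wp-tinymce.php directly. A later <Files> section
# overrides the earlier <FilesMatch>, so this re-allows just that file.
<Files wp-tinymce.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

To check it works, drop a harmless `test.php` containing `<?php echo 'executed';` into uploads, request it in a browser, and expect a 403 rather than the word "executed" (then delete the file). These rules need the host's `AllowOverride` to permit `Limit` (2.2) or `AuthConfig` (2.4); on nginx, .htaccess files are ignored entirely and the equivalent is a `location ~* ^/wp-content/uploads/.*\.php { deny all; }` block in the server configuration. The rule stops execution, not upload: still scan the directory for stray PHP files.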
Deny access to wp-config.php

Where does it go?   /.htaccess
What does it do?    Prevents any direct access by browsers to the wp-config.php file. PHP normally never shows its source, but a misconfigured PHP handler or a stray editor backup copy (wp-config.php~) would otherwise hand out your database password as plain text.

For the extra cautious
You can also use Apache's .htaccess file to "whitelist" only certain IP addresses that should be allowed to access your /wp-admin directory (see "Protecting /wp-admin using Apache" in the resources at the end).
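Added example, not the deck's own code: a root .htaccess that covers both the directory-listing and wp-config.php slides above, plus the optional IP allow-list for the dashboard. The addresses 203.0.113.0/24 and 198.51.100.7 are documentation ranges standing in for your office or VPN; the exemption for admin-ajax.php and the separate rule for wp-login.php are the two details that most often get missed.

```apache
# /.htaccess (WordPress root). Keep these lines ABOVE "# BEGIN WordPress";
# WordPress only rewrites the block between its BEGIN/END markers.

# 1. Directory listings off. If this single line produces a 500 error, the
#    host does not allow "Options" in .htaccess; the fallback is
#    "IndexIgnore *", which hides every entry instead of disabling the index.
Options -Indexes

# 2. wp-config.php is read by PHP on the server and never by a browser.
#    The pattern also catches editor/backup copies (wp-config.php~,
#    wp-config.php.bak), which would be served as plain text.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# 3. (Extra cautious) wp-login.php lives in the root, not in /wp-admin, so an
#    allow-list on /wp-admin alone does nothing against login brute force.
#    Restrict it here with the same addresses used for /wp-admin below.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.0/24 198.51.100.7
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.0/24 198.51.100.7
    </IfModule>
</Files>

# /wp-admin/.htaccess  (extra cautious: allow-list the whole dashboard)
<IfModule mod_authz_core.c>
    Require ip 203.0.113.0/24 198.51.100.7
</IfModule>
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.0/24 198.51.100.7
</IfModule>
# admin-ajax.php is called by ordinary, logged-out visitors (themes and
# plugins use it for front-end AJAX), so it must stay reachable. With the
# default AuthMerging Off, this <Files> section replaces the directory rule.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

Verify from an address outside the list: /wp-admin/ and /wp-login.php should return 403 while the public site and /wp-admin/admin-ajax.php still answer. An allow-list is only practical when the people who administer the site have fixed addresses; on a laptop that roams across coffee-shop Wi-Fi you will lock yourself out, and two-factor authentication (Duo, listed in the plugin recommendations) is the better fit.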
Disable editing via WP admin

Where does it go?   /wp-config.php
What does it do?    Removes the ability to edit theme or plugin files via the WordPress admin panel. Without it, anyone who gets into an administrator account can paste arbitrary PHP into a theme file and run it on your server.
Setup Unique Keys & Salts

Where does it go?   /wp-config.php
What does it do?    The keys and salts are the secret that WordPress mixes into the hash (HMAC) it uses to sign its login cookies and nonces. They don't encrypt anything stored in the browser; they make the cookies unforgeable. With the default placeholder values, anyone who has read wp-config-sample.php could fabricate a valid login cookie. Changing them logs every user out, which is also a cheap way to kick out an attacker who stole a session.

How do I get these keys?
Use the online generator at https://api.wordpress.org/secret-key/1.1/salt/ and copy-paste them into your file.
Force SSL use for wp-admin

Where does it go?   /wp-config.php
What does it do?    Forces all WP Admin connections, including the login form, to be routed through SSL, so your password and login cookie never cross the network in clear text. You need a valid certificate for your domain first, or you will lock yourself out behind a browser warning.
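The three wp-config.php slides above as one worked example, added here and not copied from the deck. The constants are real WordPress settings; the eight key/salt values are placeholders that must be replaced with generator output, the reverse-proxy check is the WordPress Codex's documented workaround for hosts that terminate TLS in front of PHP, and the prefix `x7k_` is an arbitrary illustration.

```php
<?php
// wp-config.php hardening. Everything here goes ABOVE the line
// /* That's all, stop editing! Happy blogging. */

// 1. Keys and salts: the secret behind the HMAC that signs login cookies and
//    nonces. Paste the output of https://api.wordpress.org/secret-key/1.1/salt/
//    over these placeholders. Rotating them invalidates every existing login.
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

// 2. Remove the theme/plugin editor from the dashboard: a stolen admin
//    session can no longer become arbitrary PHP with two clicks.
define('DISALLOW_FILE_EDIT', true);
// Stricter, optional: also block plugin/theme installs and updates from the
// dashboard, so code only reaches the server through SFTP / your deploy.
// define('DISALLOW_FILE_MODS', true);

// 3. Login page and the whole dashboard over HTTPS only (FORCE_SSL_ADMIN
//    covers both; the older FORCE_SSL_LOGIN is no longer needed).
//    Requires a valid certificate for the site's hostname.
define('FORCE_SSL_ADMIN', true);
// Behind a TLS-terminating proxy or load balancer, PHP only ever sees plain
// HTTP and FORCE_SSL_ADMIN would redirect forever. Trust the proxy's header
// ONLY if the proxy is the sole way to reach this server, because a direct
// client could set it too.
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

// 4. Non-default table prefix (replaces the existing $table_prefix line;
//    on a live site rename the tables first, see the prefix slide).
$table_prefix = 'x7k_';

// 5. WordPress 3.7 and later: take minor/security core updates automatically,
//    which is the single most effective item in this deck.
define('WP_AUTO_UPDATE_CORE', true);
```

After saving, confirm the editor entry has vanished from Appearance and Plugins, that http://yoursite/wp-login.php redirects to https://, and that you can still log in. If you see a redirect loop, the proxy check above is the usual culprit: either the proxy does not send X-Forwarded-Proto or it sends a different header name.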
Hide login error messages

Where does it go?   /wp-content/themes/your-theme/functions.php
What does it do?    Prevents hackers from seeing whether the username or the password is incorrect. The default messages differ for a bad username and a bad password, which lets an attacker confirm valid usernames before starting to brute-force them.
Remove the WP version number

Where does it go?   /wp-content/themes/your-theme/functions.php
What does it do?    Removes the WordPress version number from the HTML generated by your website. (And the RSS feed too!) Be aware that the `?ver=` query strings on enqueued scripts and stylesheets and the readme.html file give the version away as well, so this buys little against a careful attacker; keeping WordPress updated is the real fix.

While you're at it…
Delete the readme.html and wp-config-sample.php files in your WordPress root directory. You can safely delete the install.php file located in your wp-admin folder as well. Every core update puts these files back, so repeat this after updating.
Remove author username from comments

Where does it go?   /wp-content/themes/your-theme/functions.php
What does it do?    Prevents hackers from seeing the username of the post author. By default the comment markup carries a comment-author-<username> CSS class, which hands an attacker half of the login credentials for free.
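The three functions.php slides above (hide login errors, remove the version number, remove author usernames) as one added example; this is my code, not the deck's, which used only standard WordPress hooks. Item 4 goes a step further than the slides: the `?author=N` probe, which WordPress answers with a redirect to /author/<username>/, is the most common way usernames leak, so it is blocked as well.

```php
<?php
/**
 * Put this in a child theme's functions.php, or better in a small file under
 * wp-content/mu-plugins/ so it keeps working when the theme changes.
 */

// 1. One generic message for every failed login. WordPress otherwise says
//    "Invalid username." or "The password you entered for the username X is
//    incorrect.", confirming which usernames exist.
add_filter('login_errors', function ($error) {
    return 'Login failed. Please check your username and password.';
});

// 2. Drop the version number. wp_generator() prints
//    <meta name="generator" content="WordPress 3.5.1" /> in <head>;
//    the_generator() adds the same to the RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 3. Strip the classes that embed the author's user_nicename (by default the
//    login name): "comment-author-<nicename>" on comments and
//    "author-<nicename>" / "author-<id>" on author archive pages.
add_filter('comment_class', function ($classes) {
    return array_values(array_filter($classes, function ($class) {
        return strpos($class, 'comment-author-') !== 0;
    }));
});
add_filter('body_class', function ($classes) {
    return array_values(array_filter($classes, function ($class) {
        return strpos($class, 'author-') !== 0;
    }));
});

// 4. Block username enumeration via /?author=1, /?author=2, ...
//    redirect_canonical() runs on template_redirect at priority 10 and would
//    turn that into /author/<nicename>/; priority 1 gets there first.
add_action('template_redirect', function () {
    if (!is_admin()
        && isset($_GET['author'])
        && is_string($_GET['author'])
        && ctype_digit($_GET['author'])) {
        wp_redirect(home_url('/'), 301);
        exit;
    }
}, 1);
```

The pretty author archive (/author/<nicename>/) still shows the slug if your theme links to it, and nothing here rate-limits guesses, so pair this with the Limit Login Attempts plugin from the recommendations. The surest fix for the slug is to make it differ from the login name: WordPress checks `user_login` at the login form, while URLs and CSS classes use `user_nicename`, and the two can be set to different values in the wp_users table.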
Remove the admin account

Steps
 1. Create a new user with the Administrator role and a name nobody can guess. The e-mail address associated with each user must be unique, so give the new account a different address for now.
 2. Click delete on the admin account. WordPress will ask what to do with the content that account owns.
 3. Assign all of the posts to the new user that you created and confirm the deletion.
 4. If needed, change your email address back to your primary contact.

Not geeky enough?
Alternatively, create a new user and run the following SQL command.
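The deck's SQL was in an image and is not reproduced in this transcript; the statements below are my own added example of the same procedure. Assumptions: the default `wp_` prefix, the old account's login is literally `admin`, and the replacement administrator `siteowner` has already been created through the dashboard. Run it in phpMyAdmin or the mysql client against a backed-up database.

```sql
-- 1. Look before you leap: confirm which IDs you are about to touch.
SELECT ID, user_login, user_email FROM wp_users;

-- Resolve both accounts by name rather than trusting that "admin" is ID 1.
-- If either name does not exist the variable is NULL and nothing below matches.
SET @old_admin := (SELECT ID FROM wp_users WHERE user_login = 'admin');
SET @new_owner := (SELECT ID FROM wp_users WHERE user_login = 'siteowner');

-- 2. Hand everything the old account owns to the new one. Posts, pages,
--    attachments and revisions all live in wp_posts; comments and the
--    legacy links table record a user as well.
UPDATE wp_posts    SET post_author = @new_owner WHERE post_author = @old_admin;
UPDATE wp_comments SET user_id     = @new_owner WHERE user_id     = @old_admin;
UPDATE wp_links    SET link_owner  = @new_owner WHERE link_owner  = @old_admin;

-- 3. Remove the account and its metadata (wp_capabilities, wp_user_level,
--    session tokens and dashboard settings all live in wp_usermeta).
DELETE FROM wp_usermeta WHERE user_id = @old_admin;
DELETE FROM wp_users    WHERE ID     = @old_admin;

-- 4. Verify: nothing should still point at the deleted ID, and the new
--    account must hold administrator capabilities.
SELECT COUNT(*) AS orphaned_posts FROM wp_posts WHERE post_author = @old_admin;
SELECT meta_value FROM wp_usermeta
 WHERE user_id = @new_owner AND meta_key = 'wp_capabilities';
```

The dashboard delete does steps 2 and 3 for you; the SQL route matters when you can no longer log in as admin or are cleaning up several sites at once. Renaming rather than deleting (`UPDATE wp_users SET user_login = ...`) is not equivalent: the old `user_nicename` slug would still appear in author URLs.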
Change your database table prefix

Why you should care
Many automated SQL injection scripts hard-code the default wp_ prefix (wp_users, wp_options). A different prefix breaks those lazy scripts. It does not stop a real SQL injection, since the prefix can be read from a database error message or from the database itself once an attacker is in, so treat it as friction rather than a control. Still, don't make the hacker's job easy!

On a new installation
WordPress allows you to set the table prefix when installing a new site.

On existing sites
You'll either need to change things in the database and wp-config.php directly, or use a plugin to help you. Renaming the tables is only half the job: the prefix is also stored inside the data, in the roles option and in every user's capability meta keys.

For heaven's sake
Make a backup of your site database before trying to change table prefix names.
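An added example of the existing-site procedure, not from the deck: renaming the eleven core tables of a WordPress 3.5 database from `wp_` to an illustrative `x7k_` and then fixing the two places that store the prefix inside the data. The new prefix is an assumption; use letters, digits and underscores only, and take the site offline and back up the database first.

```sql
-- 0. Every table carrying the old prefix, including plugin tables, which
--    must be renamed too (add a line for each in the RENAME below).
SHOW TABLES LIKE 'wp\_%';

-- 1. Rename the core tables in one atomic statement.
RENAME TABLE
    wp_commentmeta        TO x7k_commentmeta,
    wp_comments           TO x7k_comments,
    wp_links              TO x7k_links,
    wp_options            TO x7k_options,
    wp_postmeta           TO x7k_postmeta,
    wp_posts              TO x7k_posts,
    wp_terms              TO x7k_terms,
    wp_term_relationships TO x7k_term_relationships,
    wp_term_taxonomy      TO x7k_term_taxonomy,
    wp_usermeta           TO x7k_usermeta,
    wp_users              TO x7k_users;

-- 2. The prefix also lives INSIDE the data: the roles option (wp_user_roles)
--    and per-user meta keys (wp_capabilities, wp_user_level, ...). Review
--    what will change, then rewrite only the leading 3-character "wp_" so
--    nothing else in the key is touched. Skip any plugin option in the
--    first list that merely happens to start with "wp_" by adding it to
--    the WHERE clause.
SELECT option_name FROM x7k_options  WHERE option_name LIKE 'wp\_%';
SELECT meta_key    FROM x7k_usermeta WHERE meta_key    LIKE 'wp\_%';

UPDATE x7k_options
   SET option_name = CONCAT('x7k_', SUBSTRING(option_name, 4))
 WHERE option_name LIKE 'wp\_%';

UPDATE x7k_usermeta
   SET meta_key = CONCAT('x7k_', SUBSTRING(meta_key, 4))
 WHERE meta_key LIKE 'wp\_%';

-- 3. Check: no wp_ tables left, and the roles option carries the new name.
SHOW TABLES LIKE 'wp\_%';
SELECT option_name FROM x7k_options WHERE option_name = 'x7k_user_roles';
```

Finish by setting `$table_prefix = 'x7k_';` in wp-config.php and logging in. If every account lands on a "You do not have sufficient permissions" page, step 2 was skipped: WordPress looks up roles under the new prefix and finds nothing. Plugins that build table names from a literal `wp_` instead of `$wpdb->prefix` will also break, which is one more reason to prefer the install-time setting.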
WordPress powers 22% of new active websites in the U.S. It powers 17% of the top million websites in the world.

Use the power of this vast community and keep WordPress updated!



Site Security Tools
  ■   Sucuri SiteCheck scanner
  ■   Google Safe Browsing
  ■   Bots vs. Browsers
  ■   iSecLab.org - Wepawet
  ■   Unmask Parasites

Documentation, etc.
  ■   WP Codex
  ■   Perishable Press 5G Blacklist
  ■   How anyone can hack your WP site in less than 5 minutes (and what you can do…)
  ■   Protecting /wp-admin using Apache
  ■   Smashing Magazine
  ■   What to do if you're hacked

Plugin Recommendations
  ■   Limit Login Attempts
  ■   WP Security Scan
  ■   Duo Two-Factor Authentication
  ■   WP File Monitor Plus
  ■   Theme Check
  ■   Akismet
Resources for theme and plugin developers
  ■   Data validation and sanitization in WordPress
  ■   Andrew Nacin: Y U No Code Well
  ■   Understanding WordPress Capabilities and Nonces
  ■   WordPress Plugin Development Best Practices
  ■   StackExchange: WordPress Answers
  ■   WP Hackers Mailing List
