How to check if a WordPress plugin is secure to use


And what we did for Setka Editor

Igor Kuzntezov

Setka CTO

When you are building a media company or a brand, it’s important to use secure and reliable products. We understand that concern: the situation online is far from calm and safe, and as systems grow larger and more complicated, security holes become easier to find.

When you are building something on WordPress, you are likely to add plugins (like Setka Editor). While we think a lot about the security of our products (more on that in a minute), some plugins are not so secure. Here are a few tips to protect your company from potential attacks and breaches when using plugins.

5 best practices to ensure your WordPress plugin security

1. Escape (and sanitize) values that come from user input and untrusted sources.

2. Use WordPress nonces on settings pages and in HTML forms.

3. Use WordPress capabilities to manage admin permissions.

4. Use popular open source libraries that many people already rely on (Symfony, WordPress CLI, PHPUnit and other framework components).

5. Follow official WordPress and community guidelines.
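The first three practices combined in one place, as an added example (this is not code from the original post or from the Setka Editor plugin): a minimal settings page whose save handler checks the current user's capability, verifies a nonce, sanitizes the submitted value before storing it, and escapes it again when rendering the form. The option, nonce, page slug and function names prefixed `esp_` are invented for the illustration.

```php
<?php
/**
 * Plugin Name: Example Secure Settings Page
 * Description: Capability check, nonce, input sanitization and output escaping on one settings form.
 */

defined('ABSPATH') || exit; // block direct requests to this file

// Hypothetical option, nonce and slug names; use your own plugin prefix.
const ESP_OPTION       = 'esp_cdn_base_url';
const ESP_NONCE_ACTION = 'esp_save_settings';
const ESP_NONCE_FIELD  = 'esp_nonce';
const ESP_PAGE_SLUG    = 'esp-settings';

add_action('admin_menu', function () {
    // The page is only listed for users holding the manage_options capability.
    add_options_page('Example Secure Settings', 'Example Secure', 'manage_options',
        ESP_PAGE_SLUG, 'esp_render_settings_page');
});

// admin-post.php dispatches POSTs with action=esp_save_settings to this handler.
add_action('admin_post_' . ESP_NONCE_ACTION, 'esp_handle_save');

function esp_handle_save() {
    // 1. Capability: re-check on every write; hiding the menu is not authorization.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to change these settings.', 'esp'), 403);
    }

    // 2. Nonce: rejects forged cross-site form submissions (CSRF) and stale forms.
    check_admin_referer(ESP_NONCE_ACTION, ESP_NONCE_FIELD);

    // 3. Sanitize input: coerce the value to the shape we expect before it reaches the database.
    $raw = isset($_POST[ESP_OPTION]) ? wp_unslash($_POST[ESP_OPTION]) : '';
    $url = esc_url_raw($raw, ['https']); // anything that is not an https:// URL becomes ''
    if ($url === '') {
        wp_die(esc_html__('Only https:// URLs are accepted.', 'esp'), 400);
    }
    update_option(ESP_OPTION, $url);

    $back = add_query_arg(['page' => ESP_PAGE_SLUG, 'settings-updated' => '1'],
        admin_url('options-general.php'));
    wp_safe_redirect($back); // safe redirect: only same-site or allowed hosts
    exit;
}

function esp_render_settings_page() {
    if (!current_user_can('manage_options')) {
        return;
    }
    $value = get_option(ESP_OPTION, '');
    ?>
    <div class="wrap">
      <h1><?php echo esc_html__('Example Secure Settings', 'esp'); ?></h1>
      <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr(ESP_NONCE_ACTION); ?>">
        <?php wp_nonce_field(ESP_NONCE_ACTION, ESP_NONCE_FIELD); ?>
        <label for="<?php echo esc_attr(ESP_OPTION); ?>">CDN base URL</label>
        <!-- 4. Escape on output: the stored value is never echoed raw into an attribute. -->
        <input type="url" class="regular-text"
               id="<?php echo esc_attr(ESP_OPTION); ?>"
               name="<?php echo esc_attr(ESP_OPTION); ?>"
               value="<?php echo esc_attr($value); ?>">
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```

Note the two separate steps for the same value: `esc_url_raw()` sanitizes what is written to the database, and `esc_attr()` escapes what is written into the HTML attribute. Sanitizing once on input does not remove the need to escape on output, because the same option may later be rendered in a different context (a JavaScript string, a URL, an attribute) that needs a different escaping function.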

We think a lot about plugin security, too. Here’s a little bit about our approach to keeping your site safe.

The Setka Editor WordPress plugin integrates a WYSIWYG editor alongside the default WordPress TinyMCE. It adds five links to the post edit page (editor.js, editor.css, theme.css, public.js, company.json) that request resources from the Setka CDN. The JavaScript editor uses one of these elements to render itself on a user’s page. It also adds two links to the post view page: theme.css and public.js. To obtain these links, the plugin has to communicate with Setka Style Manager. Setka Editor post style files (theme.css, icons, fonts) are stored automatically on your WordPress installation, so your post styles survive even after the Setka Editor plugin is deleted.

Once registration is complete, the system generates a license key that identifies the client’s WordPress instance during communication. The token’s entropy prevents unauthorized users from guessing valid license keys. All requests are sent over HTTPS.

We use Stripe, the world’s leading platform for accepting payments and storing card information, so customer payment data cannot be accessed by our team or by potential attackers at all.

All requests are handled through standard WordPress endpoints. We process only our own requests and leave others untouched.

Every parameter is sanitized and carefully checked to prevent SQL injection and other potentially dangerous situations. For the same reason, old PHP and WordPress versions with well-known security holes are unsupported.
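What “handled through standard WordPress endpoints, with every parameter sanitized” can look like in practice, as an added example that is not Setka’s code: a read-only REST route registered with `register_rest_route()`, whose `permission_callback` gates access by capability, whose argument schema whitelists and types the inputs before the callback runs, and whose database access goes through `$wpdb->prepare()` so the values are never concatenated into SQL. The namespace, route and `ehe_` function names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Hardened REST Endpoint
 * Description: A read-only route with capability gating, validated arguments and prepared SQL.
 */

defined('ABSPATH') || exit;

add_action('rest_api_init', function () {
    // Namespace, route and parameter names are invented for this illustration.
    register_rest_route('example-plugin/v1', '/posts', [
        'methods'  => WP_REST_Server::READABLE, // GET only
        'callback' => 'ehe_list_posts',
        // Capability check: anonymous callers are rejected before the callback runs.
        'permission_callback' => function () {
            return current_user_can('edit_posts');
        },
        // Argument schema: WordPress validates type/enum/range and applies sanitize_callback,
        // so the callback only ever sees values of the expected shape.
        'args' => [
            'status' => [
                'type'              => 'string',
                'enum'              => ['publish', 'draft'], // whitelist; anything else is a 400
                'default'           => 'publish',
                'sanitize_callback' => 'sanitize_key',
            ],
            'limit' => [
                'type'              => 'integer',
                'minimum'           => 1,
                'maximum'           => 50, // caps the cost a single request can impose
                'default'           => 10,
                'sanitize_callback' => 'absint',
            ],
        ],
    ]);
});

function ehe_list_posts(WP_REST_Request $request) {
    global $wpdb;

    $status = $request->get_param('status'); // already whitelisted by the schema
    $limit  = $request->get_param('limit');  // already an integer within [1, 50]

    // Defense in depth: even validated values are bound through placeholders,
    // never interpolated into the SQL string. %s is quoted, %d is cast to int.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
          WHERE post_status = %s AND post_type = 'post'
          ORDER BY post_date DESC LIMIT %d",
        $status,
        $limit
    );
    $rows = $wpdb->get_results($sql, ARRAY_A);

    $out = [];
    foreach ((array) $rows as $row) {
        $out[] = [
            'id'    => (int) $row['ID'],
            // JSON encoding handles escaping for this transport; a consumer that
            // renders the title into HTML must still escape it for that context.
            'title' => $row['post_title'],
        ];
    }
    return rest_ensure_response($out);
}
```

The important property is that validation happens in the route definition, not inside the callback: a request with `status=deleted` or `limit=10000` is answered with an error by the REST layer and `ehe_list_posts()` never executes. Leaving `permission_callback` out (or returning `true` from it) is the most common way such an endpoint ends up exposing data to unauthenticated users, so reviewing that field is a quick first check when auditing a plugin’s REST routes.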

To learn more about downloading the Setka Editor plugin, read our guide. If you are curious about plugin integration to a custom CMS, click here. If you encounter any problems during the setup process, please reach out to us via our support channels.