WPScan Plugin Security Commandments

Today we are releasing three different posters related to WPScan and WordPress security. Hopefully you find them useful enough and beautiful enough to hang on your wall.

The three posters are:

  1. WPScan CLI Cheat Sheet Poster

A cheat sheet for WPScan CLI commands.

  2. WPScan Plugin Security Commandments

A list of 10 plugin security commandments for WordPress plugin developers.

  3. WPScan WordPress Security Commandments

A list of 10 WordPress security commandments for WordPress administrators.

The posters are available in PNG, JPG and PDF formats. If you’re going to print the posters, PDF would be the best format to use. Also, before printing, please choose a printing service that uses recycled and/or recyclable paper, and supports other eco-friendly initiatives, such as being FSC Certified.

WPScan Plugin Security Commandments List

  1. Validate and sanitize user input with sanitize_*() functions.

  2. Escape data before being output with esc_*() functions.

  3. Always use $wpdb->prepare() for SQL queries.

  4. Validate data before unserializing it.

  5. Check user capabilities with current_user_can().

  6. Add CSRF nonces to forms and validate them server-side.

  7. Use HTTPS links when hard coding URLs.

  8. Validate data before passing it to update_option() or do_action().

  9. Regularly test your plugin for security issues.

  10. Ensure that security researchers are able to contact you.
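To show how commandments 1, 2, 3, 5, 6 and 8 fit together in one handler, here is an added example (not taken from the poster or from any WPScan code): a settings-save action for a hypothetical plugin, first as it is commonly written and then hardened. The plugin prefix `myplugin_`, the option name, the log table and the nonce action are assumptions made for this illustration.

```php
<?php
// Added example, not part of the WPScan poster. Names prefixed myplugin_,
// the option 'myplugin_banner' and the table {prefix}myplugin_log are assumed.

// --- As commonly written: no capability check, no nonce, raw input, unescaped output ---
function myplugin_save_settings_vulnerable() {
    global $wpdb;
    update_option( 'myplugin_banner', $_POST['banner'] );                 // unvalidated input stored (1, 8)
    $wpdb->query( "DELETE FROM {$wpdb->prefix}myplugin_log WHERE id = " . $_POST['log_id'] ); // string-built SQL (3)
    echo '<p>Saved banner: ' . $_POST['banner'] . '</p>';                  // unescaped output (2)
}

// --- Hardened version of the same handler ---
function myplugin_save_settings() {
    global $wpdb;

    // Commandment 5: only users who may manage options reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }

    // Commandment 6: the form must include wp_nonce_field( 'myplugin_save', 'myplugin_nonce' );
    // check_admin_referer() dies with a 403 if the nonce is missing or invalid.
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // Commandments 1 and 8: sanitize, then validate, before the value reaches update_option().
    $banner = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    if ( strlen( $banner ) > 200 ) {
        wp_die( esc_html__( 'Banner text is too long.', 'myplugin' ), 400 );
    }
    update_option( 'myplugin_banner', $banner );

    // Commandment 3: the id is coerced to a non-negative int and bound through $wpdb->prepare().
    $log_id = isset( $_POST['log_id'] ) ? absint( $_POST['log_id'] ) : 0;
    if ( $log_id > 0 ) {
        $wpdb->query(
            $wpdb->prepare( "DELETE FROM {$wpdb->prefix}myplugin_log WHERE id = %d", $log_id )
        );
    }

    // Commandment 2: escape at output time, for the HTML context the value lands in.
    echo '<p>' . esc_html__( 'Saved banner: ', 'myplugin' ) . esc_html( $banner ) . '</p>';
}

// The form posts to admin-post.php with a hidden 'action' field of 'myplugin_save'.
add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );
```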

Download the WPScan Plugin Security Commandments Poster

WPScan CLI Cheat Sheet Poster

  • PDF (best for printing)
  • PNG (higher quality for web)
  • JPG (less quality for web)