The security of your content and the WordPress.com platform are matters that we take very seriously. This page provides a few notes on security at WordPress.com VIP.
Secure Code
Your code works, but is it safe? When writing code for the WordPress.com VIP environment, you’ll need to be extra cautious about how you handle data coming into WordPress and how it’s presented to the end user. Here are some tips to get you started:
- Don’t trust user input or third-party APIs. Always make sure to validate and sanitize all data that can be populated from “outside.” Review our document on Validating, Sanitizing, and Escaping to learn how.
- Try to exploit your code with common XSS methods as a test. Visit http://ha.ckers.org/xss.html for a list of basic XSS attacks and make sure that pasting these snippets into input fields or URL parameters will not harm your site.
- Make sure to implement nonces to avoid duplicate submission of forms and fraudulent activity. See http://codex.wordpress.org/WordPress_Nonces
- When adding menus or registering your plugins, make sure that you use a unique handle or slug other than __FILE__ to ensure that you are not revealing system paths.
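The following is an added example, not code from the VIP documentation or from WordPress itself, that puts the four tips above into one small settings page: a unique menu slug instead of __FILE__, a nonce emitted with the form and verified on submission, sanitization of every incoming field, and context-appropriate escaping of everything sent back to the browser (which is what makes the XSS test snippets harmless). It assumes it runs inside a loaded WordPress install; every function it calls is a core WordPress API, while the myvip_ names and the option key are hypothetical.

```php
<?php
/*
 * Added example (not from the VIP docs): a minimal settings page that applies
 * the secure-code tips. Assumes it runs inside WordPress; the functions used
 * are core WordPress APIs. Names prefixed "myvip_" are hypothetical.
 */

// 1. Unique slug instead of __FILE__, so no filesystem path ends up in the
//    admin URL for this page.
define( 'MYVIP_MENU_SLUG', 'myvip-settings' );

add_action( 'admin_menu', 'myvip_register_menu' );
function myvip_register_menu() {
    add_options_page(
        'My VIP Settings',          // page title
        'My VIP Settings',          // menu label
        'manage_options',           // capability required to see the page
        MYVIP_MENU_SLUG,            // unique slug, not __FILE__
        'myvip_render_settings_page'
    );
}

// 2. Handle the submitted form: capability check, nonce check, then sanitize.
add_action( 'admin_init', 'myvip_handle_submission' );
function myvip_handle_submission() {
    if ( ! isset( $_POST['myvip_submit'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // check_admin_referer() verifies the nonce created by wp_nonce_field()
    // and stops the request on a mismatch, which blocks forged and stale
    // (resubmitted) form posts.
    check_admin_referer( 'myvip_save_settings', 'myvip_nonce' );

    // Never trust $_POST: sanitize each field for the type you expect.
    $title = isset( $_POST['myvip_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['myvip_title'] ) ) : '';
    $feed  = isset( $_POST['myvip_feed_url'] )
        ? esc_url_raw( wp_unslash( $_POST['myvip_feed_url'] ) ) : '';
    $limit = isset( $_POST['myvip_limit'] ) ? absint( $_POST['myvip_limit'] ) : 10;

    update_option( 'myvip_settings', array(
        'title'    => $title,
        'feed_url' => $feed,
        'limit'    => max( 1, min( $limit, 100 ) ), // clamp to a sane range
    ) );
}

// 3. Render the page: escape on output for the context (HTML text, attribute,
//    URL) and emit the nonce field inside the form.
function myvip_render_settings_page() {
    $settings = wp_parse_args( get_option( 'myvip_settings', array() ), array(
        'title'    => '',
        'feed_url' => '',
        'limit'    => 10,
    ) );
    $page_url = admin_url( 'options-general.php?page=' . MYVIP_MENU_SLUG );
    ?>
    <div class="wrap">
        <h1><?php echo esc_html( $settings['title'] !== '' ? $settings['title'] : 'My VIP Settings' ); ?></h1>
        <form method="post" action="<?php echo esc_url( $page_url ); ?>">
            <?php wp_nonce_field( 'myvip_save_settings', 'myvip_nonce' ); ?>
            <p>
                <label for="myvip_title">Title</label>
                <input type="text" id="myvip_title" name="myvip_title"
                       value="<?php echo esc_attr( $settings['title'] ); ?>">
            </p>
            <p>
                <label for="myvip_feed_url">Feed URL</label>
                <input type="url" id="myvip_feed_url" name="myvip_feed_url"
                       value="<?php echo esc_url( $settings['feed_url'] ); ?>">
            </p>
            <p>
                <label for="myvip_limit">Item limit</label>
                <input type="number" id="myvip_limit" name="myvip_limit" min="1" max="100"
                       value="<?php echo esc_attr( $settings['limit'] ); ?>">
            </p>
            <?php submit_button( 'Save', 'primary', 'myvip_submit' ); ?>
        </form>
    </div>
    <?php
}
```

The split between sanitizing on input (sanitize_text_field, esc_url_raw, absint) and escaping on output (esc_html, esc_attr, esc_url) is deliberate: stored data is kept clean, but the browser is only ever handed values escaped for the exact HTML context they land in, so a script tag pasted into the title field is rendered as text rather than executed.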
Security Scans
We recognize that VIP sites may wish to perform security scans on their sites, or have third parties do so on their behalf. While this is almost always okay, our systems team may block any traffic that is considered suspicious. This may affect your scan results.
If your team plans to run recurring or intense scans of your site, please open a support ticket in advance of the first scan to provide us with details such as:
- the anticipated IP or block from which the scan will originate
- the frequency and/or duration of the scan