It is impossible to write a code which is unhackable But there are some points that you can close the attacks. By the wordpress Theme review team ,there are six most common mistakes by developer.
Missed Data Escapes
To stop SQL injection Escaping is a way .For Escaping data we ensure that any user-provided text as string and remove any kind of Database Command and Script code. SQL injection is a most common way to hack a site. Anywhere in a site where user can input can be hack into the database.Before saving data in database we examine data and escape the data before saving. Any kind of database command and script code is removed.
Write your own function Incorrectly
Sometime wordpress theme developer write there own function to perform a function But in many cases wordpress already offers a secure version that you can use .If developers write own functions it means that they are bypassing all the wordpress security measure. Its better to use a function that has been written by experienced developers.
For security ,Developer use wordpress database prefix and this prefix is defined in config.php .But if Developer not use this prefix with function That means we are bypassing the wordpress security measure.
Sometime a script gives hackers a way to access data. That why we need to ensure that your script load only when it is needed.To do this we need to use wordpress en-queue function. This function will also ensure the compatibility with other plugins and shrink external scripts.
Ignore php errors and warnings
Sometime Developer never remove all the php issues or warning .Because a developer never insure everything in all way . This means theme have security issues you aren’t even aware. To stop this Developer needs to turned on the PHP error reporting. Then we test theme on local if error or warnings shown don’t ignore.For more you have to ensure your theme with recent versions of php.
Unused code and files
Sometime Developer write some extra code which is unnecessary.In short any code in your theme that isn’t being used and compromise the theme security.To minimize the security thread Developer needs to follow the php coding standards for wordpress, They needs to removed extra code that isn’t being used and write the code that is easy to understand.
Writing a secure code enable a developer to put safe products in WordPress theme directory.And we have six common mistakes that make theme hack-able.
- If developer miss the input data escapes
- Insecure functions are used
- Miss the data prefixes
- Do not en-queue scripts
- Ignoring PHP errors and warnings
- Include Extra Code and files