WordPress Security Glossary
Key security and development concepts explained for WordPress plugin developers. Each term includes code examples and WordPress-specific context.
CSRF
Cross-Site Request Forgery (CSRF) is an attack that tricks a user's browser into making an unwanted request to a web application where they're authenticated.
Learn moreXSS
Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into trusted websites, executing in victims' browsers to steal data or hijack sessions.
Learn moreSQL Injection
SQL Injection is an attack where malicious SQL code is inserted into application queries, allowing attackers to read, modify, or delete database data.
Learn moreNonce
A WordPress nonce is a one-time token used to verify that a request originated from the expected source, protecting against Cross-Site Request Forgery attacks.
Learn morePHPCS
PHP_CodeSniffer (PHPCS) is a tool that detects violations of coding standards in PHP code, with WordPress-specific rulesets that enforce security and style conventions.
Learn morePHPStan
PHPStan is a static analysis tool for PHP that finds bugs and type errors without running the code, with WordPress-specific extensions that understand the WordPress API.
Learn moreGDPR
The General Data Protection Regulation (GDPR) is an EU law that governs how personal data is collected, processed, and stored, with significant implications for WordPress plugins.
Learn moreEAA
The European Accessibility Act (EAA) is EU legislation requiring digital products and services to meet WCAG 2.1 Level AA accessibility standards, effective June 28, 2025.
Learn moreCRA
The Cyber Resilience Act (CRA) is EU legislation requiring all software products to meet cybersecurity requirements, including vulnerability handling and security documentation.
Learn moreCapability Check
A capability check verifies that the current user has permission to perform a specific action, using WordPress's role-based access control system via current_user_can().
Learn morePrepared Statement
A prepared statement separates SQL query structure from data values, preventing SQL injection by ensuring user input cannot alter the query's logic.
Learn moreData Sanitization
Data sanitization is the process of cleaning user input to ensure it's safe for storage and processing, removing potentially dangerous content.
Learn moreEscaping
Escaping converts special characters in output to their safe HTML entity equivalents, preventing browsers from interpreting data as executable code.
Learn moreREST API Permissions
The permission_callback is a required parameter in WordPress REST API route registration that determines whether a request should be processed based on the user's identity and capabilities.
Learn moreAutoload
WordPress autoloading is a mechanism that loads all options marked as 'autoload' into memory on every page request, which can cause performance issues if overused.
Learn moreStored XSS
A persistent cross-site scripting attack where malicious script is saved to the server and served to other users.
Learn moreReflected XSS
A non-persistent XSS attack where malicious script is reflected off a web server via URL parameters or form submissions.
Learn moreSSRF
Server-Side Request Forgery where the server is tricked into making requests to unintended internal or external resources.
Learn moreRemote Code Execution
A critical vulnerability allowing an attacker to run arbitrary code on the server.
Learn moreLocal File Inclusion
A vulnerability where an attacker can read arbitrary files from the server by manipulating file path parameters.
Learn moreInsecure Direct Object Reference
Accessing resources by manipulating identifiers without proper authorization checks.
Learn morePrivilege Escalation
An attack where a user gains higher access privileges than intended, such as a subscriber becoming an administrator.
Learn moreAuthentication Bypass
A vulnerability that allows accessing protected resources without valid credentials.
Learn moreDirectory Traversal
An attack using ../ sequences to access files outside the intended directory.
Learn moreClickjacking
Tricking users into clicking hidden elements by overlaying a transparent iframe on a legitimate page.
Learn moreOpen Redirect
A vulnerability where a web application redirects users to an attacker-controlled URL without validation.
Learn moreSupply Chain Attack
Compromising software by targeting its dependencies, build tools, or distribution channels.
Learn moreZero-Day Vulnerability
A vulnerability exploited before the vendor is aware of it or has released a patch.
Learn moreCVE
Common Vulnerabilities and Exposures, a standardized identifier for publicly known security vulnerabilities.
Learn moreCVSS Score
Common Vulnerability Scoring System, a standardized framework for rating vulnerability severity on a 0-10 scale.
Learn moreOWASP Top 10
A regularly updated list of the ten most critical web application security risks.
Learn moreWeb Application Firewall
A security layer that filters and monitors HTTP traffic to protect web applications from attacks.
Learn moreContent Security Policy
An HTTP header that controls which resources a browser is allowed to load, preventing XSS and data injection.
Learn moreHTTP Strict Transport Security
A header that forces browsers to only connect via HTTPS, preventing downgrade attacks.
Learn moreCross-Origin Resource Sharing
A mechanism that controls which domains can make requests to your API.
Learn moreHMAC
Hash-based Message Authentication Code for verifying both data integrity and authentication using a cryptographic hash.
Learn moreBrute Force Attack
An attack that systematically tries all possible passwords until the correct one is found.
Learn moreMalware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems.
Learn moreBackdoor
Hidden code that provides unauthorized remote access to a system, often surviving normal security measures.
Learn moreCode Obfuscation
Deliberately making code difficult to understand, often used to hide malicious intent.
Learn moreWordPress Hooks
The event system that allows plugins to modify WordPress behavior through actions and filters.
Learn morewp_ajax Hooks
WordPress AJAX hook system for handling asynchronous requests from the browser.
Learn moreWP-Cron
WordPress pseudo-cron system that executes scheduled tasks on page load rather than using system-level cron.
Learn moreesc_html()
WordPress function that escapes HTML entities in a string, preventing XSS when outputting text content.
Learn moreesc_attr()
WordPress function that escapes a string for safe use inside HTML attributes.
Learn moreesc_url()
WordPress function that validates and sanitizes URLs, removing dangerous protocols and characters.
Learn morewp_kses_post()
WordPress function that filters HTML content allowing only a safe subset of HTML tags and attributes.
Learn moresanitize_text_field()
WordPress function that sanitizes a string by removing HTML tags, encoding special characters, and stripping unwanted data.
Learn morewp_unslash()
WordPress function that removes backslashes added by PHP magic quotes from superglobal data.
Learn moreabsint()
WordPress function that converts a value to a non-negative integer, combining abs() and intval().
Learn more$wpdb->prepare()
WordPress database query preparation method that safely parameterizes SQL queries.
Learn moreABSPATH Guard
WordPress constant defining the absolute path to the installation directory, used to prevent direct file access.
Learn moreHPOS
High-Performance Order Storage in WooCommerce, using custom database tables for orders instead of post meta.
Learn moreFull Site Editing
WordPress block-based approach to building entire websites including headers, footers, and templates.
Learn moreWordPress REST API
WordPress built-in JSON-based API for creating, reading, updating, and deleting content programmatically.
Learn moreTransients API
WordPress temporary data caching system that stores data with an expiration time.
Learn moreMust-Use Plugins
WordPress plugins that are automatically activated and cannot be deactivated through the admin interface.
Learn moreWP-CLI
The official command-line interface for WordPress, allowing site management and plugin operations from the terminal.
Learn moreXML-RPC
WordPress legacy remote procedure call interface, largely replaced by the REST API.
Learn moreGutenberg
The block-based content editor introduced in WordPress 5.0, replacing the classic TinyMCE editor.
Learn moretheme.json
Configuration file for block themes that defines global styles, settings, and design tokens.
Learn morePsalm
A PHP static analysis tool with taint analysis for tracking data flow from user input to dangerous sinks.
Learn moreSemgrep
An open-source static analysis tool that matches code patterns using customizable rules.
Learn moreSAST
Static Application Security Testing analyzing source code for vulnerabilities without executing the program.
Learn moreCI/CD
Continuous Integration and Continuous Deployment pipelines that automate building, testing, and deploying code.
Learn moreComposer
PHP dependency manager used to install and manage third-party libraries and their versions.
Learn moreSemantic Versioning
A versioning scheme (MAJOR.MINOR.PATCH) where version numbers convey meaning about changes.
Learn moreModel Context Protocol
A standard for connecting AI assistants to external tools and data sources.
Learn morePHP Namespaces
A PHP feature for organizing code into logical groups preventing naming conflicts between packages.
Learn moreType Safety
Using PHP type declarations to catch type-related bugs at analysis time rather than runtime.
Learn moreCCPA
California Consumer Privacy Act giving consumers rights over their personal data collected by businesses.
Learn morePCI DSS
Payment Card Industry Data Security Standard for organizations handling credit card data.
Learn moreSBOM
Software Bill of Materials listing all components, libraries, and dependencies in a software product.
Learn moreResponsible Disclosure
A security practice where vulnerabilities are reported privately and given time to patch before public disclosure.
Learn moreData Minimization
A privacy principle requiring only the minimum necessary personal data be collected and retained.
Learn moreCookie Consent
The requirement to obtain user permission before storing non-essential cookies.
Learn moreGPL License
GNU General Public License used by WordPress, requiring derivative works to also be GPL-licensed.
Learn moreSession Fixation
An attack where the attacker sets a user's session ID to a known value, then waits for the user to authenticate.
Learn moreXML External Entity (XXE)
An attack that exploits XML parsers to read local files, perform SSRF, or cause denial of service.
Learn moreInsecure Deserialization
A vulnerability where untrusted data is used to instantiate objects, potentially leading to remote code execution.
Learn moreTiming Attack
A side-channel attack that exploits time differences in cryptographic comparisons to guess secret values.
Learn moreCredential Stuffing
An automated attack using stolen username/password pairs from data breaches to access accounts.
Learn moreRainbow Table
A precomputed table for reversing cryptographic hash functions, used to crack password hashes.
Learn moreCertificate Pinning
A security mechanism that associates a host with its expected SSL certificate to prevent man-in-the-middle attacks.
Learn moreSubresource Integrity (SRI)
A browser feature that verifies fetched resources match expected hashes, preventing CDN tampering.
Learn moreRate Limiting
Restricting the number of requests a client can make in a given time period to prevent abuse.
Learn moreInput Validation
Verifying that user input meets expected format, type, and range before processing it.
Learn moreOutput Encoding
Converting special characters to safe equivalents before inserting data into HTML, URLs, or other contexts.
Learn morePrinciple of Least Privilege
Granting users and processes only the minimum permissions needed to perform their tasks.
Learn moreDefense in Depth
A security strategy using multiple layers of protection so that if one layer fails, others still protect the system.
Learn moreShortcodes
WordPress macro codes enclosed in square brackets that plugins can register to output dynamic content.
Learn moreWordPress Widgets
Modular content blocks that can be placed in widget areas defined by themes.
Learn moreCustom Post Types
Developer-defined content types beyond the default posts and pages, extending WordPress as a CMS.
Learn moreTaxonomies
Classification systems for grouping WordPress content, like categories and tags, with support for custom taxonomies.
Learn moreMeta Boxes
Admin interface panels for adding custom fields to post editing screens.
Learn moreOptions API
WordPress database API for storing and retrieving site-wide settings using key-value pairs.
Learn moreUser Meta
Custom data fields stored per WordPress user, accessible via get_user_meta() and update_user_meta().
Learn moreRewrite Rules
URL routing rules that map pretty permalinks to WordPress query variables.
Learn moreObject Cache
WordPress caching layer that stores database query results in memory for faster subsequent access.
Learn moreWordPress Multisite
A WordPress feature allowing multiple sites to be managed from a single installation.
Learn morewp-config.php
The main WordPress configuration file containing database credentials, secret keys, and site settings.
Learn moreWP_DEBUG
WordPress constant that enables debug mode, showing PHP errors and notices.
Learn moreDISALLOW_FILE_EDIT
WordPress constant that disables the built-in theme and plugin file editors in the admin dashboard.
Learn morePHPCBF
PHP Code Beautifier and Fixer, the automatic code fixer companion to PHP_CodeSniffer.
Learn moreRector
A PHP refactoring tool that performs automated code transformations using AST manipulation.
Learn morePHP CS Fixer
A tool to automatically fix PHP coding standards issues, supporting PSR and custom rule sets.
Learn moreGit Hooks
Scripts that run automatically at specific points in the Git workflow, like pre-commit or pre-push.
Learn moreCode Review
The systematic examination of source code by peers to find bugs, security issues, and improve quality.
Learn morePenetration Testing
Authorized simulated attacks on a system to evaluate its security by finding exploitable vulnerabilities.
Learn moreDependency Scanning
Analyzing third-party libraries and packages for known vulnerabilities.
Learn morePSR-4 Autoloading
A PHP standard for automatically loading class files based on namespace and class name without manual require statements.
Learn moreOPcache
PHP bytecode cache that stores precompiled script bytecode in memory, eliminating the need to parse PHP files on each request.
Learn morePHP 8.x Features
Modern PHP features including named arguments, match expressions, enums, fibers, readonly properties, and intersection types.
Learn moreError Handling
Strategies for gracefully managing and recovering from errors, exceptions, and unexpected conditions in code.
Learn moreLogging
Recording application events, errors, and debug information for monitoring and troubleshooting.
Learn morePECR
Privacy and Electronic Communications Regulations, UK law governing electronic marketing and cookies.
Learn moreePrivacy Directive
EU directive governing privacy in electronic communications, including the cookie consent requirement.
Learn moreISO 27001
International standard for information security management systems, defining requirements for managing security risks.
Learn moreSOC 2
Service Organization Control 2, a framework for managing customer data based on five trust service criteria.
Learn moreData Processing Agreement
A legally binding contract between data controllers and processors, required under GDPR.
Learn moreRight to Erasure
GDPR right allowing individuals to request deletion of their personal data.
Learn moreData Portability
GDPR right allowing individuals to receive their personal data in a machine-readable format.
Learn morePrivacy by Design
An approach to system design that embeds privacy protections from the start rather than adding them later.
Learn moreVulnerability Disclosure Policy
A published policy describing how an organization receives and handles security vulnerability reports.
Learn moreLicense Compliance
Ensuring that all software components are used in accordance with their license terms.
Learn morewp_nonce_field()
WordPress function that outputs a hidden form field containing a nonce for CSRF protection.
Learn morecheck_admin_referer()
WordPress function that verifies a nonce was included in the request, dying with an error if invalid.
Learn morewp_die()
WordPress function that terminates execution and displays an error message, used for access control.
Learn morewp_safe_redirect()
WordPress function that redirects to a URL only if it is on an allowed host, preventing open redirect attacks.
Learn more$wpdb Class
WordPress database abstraction class providing methods for safe database interaction.
Learn moreWalker Class
WordPress abstract class for rendering hierarchical data structures like menus and comment trees.
Learn moreWP_Filesystem
WordPress filesystem abstraction API that provides safe methods for reading and writing files.
Learn moreWP HTTP API
WordPress HTTP request API (wp_remote_get, wp_remote_post) for making external HTTP calls safely.
Learn morePlugin Activation Hook
WordPress hook that fires when a plugin is activated, used for setup tasks like creating database tables.
Learn morePlugin Deactivation Hook
WordPress hook that fires when a plugin is deactivated, used for cleanup tasks.
Learn moreScript & Style Enqueueing
WordPress system for properly loading JavaScript and CSS files with dependency management.
Learn morewp_localize_script()
WordPress function that passes PHP data to JavaScript by creating a global variable.
Learn moreHeartbeat API
WordPress API for periodic AJAX communication between the browser and server.
Learn moreCron Schedules
WordPress system for registering custom intervals for WP-Cron recurring tasks.
Learn moreAdmin Notices
WordPress system for displaying messages in the admin dashboard header area.
Learn moreSettings API
WordPress API for creating admin settings pages with automatic nonce verification and sanitization.
Learn moreBlock Patterns
Predefined block layouts that users can insert into the block editor with a single click.
Learn moreTemplate Hierarchy
WordPress system that determines which template file is used to render a specific page based on a priority order.
Learn moreWP_Query
WordPress class for querying posts with custom parameters, supporting complex filtering and pagination.
Learn morePost Meta
Custom data fields associated with WordPress posts, stored as key-value pairs in the postmeta table.
Learn moreREST API Schema
JSON Schema definitions for WordPress REST API endpoints, enabling validation and documentation.
Learn more