Skip to main content
WP HealthKit

WordPress Security Glossary

Key security and development concepts explained for WordPress plugin developers. Each term includes code examples and WordPress-specific context.

CSRF

Cross-Site Request Forgery (CSRF) is an attack that tricks a user's browser into making an unwanted request to a web application where they're authenticated.

Learn more

XSS

Cross-Site Scripting (XSS) is an attack where malicious scripts are injected into trusted websites, executing in victims' browsers to steal data or hijack sessions.

Learn more

SQL Injection

SQL Injection is an attack where malicious SQL code is inserted into application queries, allowing attackers to read, modify, or delete database data.

Learn more

Nonce

A WordPress nonce is a one-time token used to verify that a request originated from the expected source, protecting against Cross-Site Request Forgery attacks.

Learn more

PHPCS

PHP_CodeSniffer (PHPCS) is a tool that detects violations of coding standards in PHP code, with WordPress-specific rulesets that enforce security and style conventions.

Learn more

PHPStan

PHPStan is a static analysis tool for PHP that finds bugs and type errors without running the code, with WordPress-specific extensions that understand the WordPress API.

Learn more

GDPR

The General Data Protection Regulation (GDPR) is an EU law that governs how personal data is collected, processed, and stored, with significant implications for WordPress plugins.

Learn more

EAA

The European Accessibility Act (EAA) is EU legislation requiring digital products and services to meet WCAG 2.1 Level AA accessibility standards, effective June 28, 2025.

Learn more

CRA

The Cyber Resilience Act (CRA) is EU legislation requiring all software products to meet cybersecurity requirements, including vulnerability handling and security documentation.

Learn more

Capability Check

A capability check verifies that the current user has permission to perform a specific action, using WordPress's role-based access control system via current_user_can().

Learn more

Prepared Statement

A prepared statement separates SQL query structure from data values, preventing SQL injection by ensuring user input cannot alter the query's logic.

Learn more

Data Sanitization

Data sanitization is the process of cleaning user input to ensure it's safe for storage and processing, removing potentially dangerous content.

Learn more

Escaping

Escaping converts special characters in output to their safe HTML entity equivalents, preventing browsers from interpreting data as executable code.

Learn more

REST API Permissions

The permission_callback is a required parameter in WordPress REST API route registration that determines whether a request should be processed based on the user's identity and capabilities.

Learn more

Autoload

WordPress autoloading is a mechanism that loads all options marked as 'autoload' into memory on every page request, which can cause performance issues if overused.

Learn more

Stored XSS

A persistent cross-site scripting attack where malicious script is saved to the server and served to other users.

Learn more

Reflected XSS

A non-persistent XSS attack where malicious script is reflected off a web server via URL parameters or form submissions.

Learn more

SSRF

Server-Side Request Forgery where the server is tricked into making requests to unintended internal or external resources.

Learn more

Remote Code Execution

A critical vulnerability allowing an attacker to run arbitrary code on the server.

Learn more

Local File Inclusion

A vulnerability where an attacker can read arbitrary files from the server by manipulating file path parameters.

Learn more

Insecure Direct Object Reference

Accessing resources by manipulating identifiers without proper authorization checks.

Learn more

Privilege Escalation

An attack where a user gains higher access privileges than intended, such as a subscriber becoming an administrator.

Learn more

Authentication Bypass

A vulnerability that allows accessing protected resources without valid credentials.

Learn more

Directory Traversal

An attack using ../ sequences to access files outside the intended directory.

Learn more

Clickjacking

Tricking users into clicking hidden elements by overlaying a transparent iframe on a legitimate page.

Learn more

Open Redirect

A vulnerability where a web application redirects users to an attacker-controlled URL without validation.

Learn more

Supply Chain Attack

Compromising software by targeting its dependencies, build tools, or distribution channels.

Learn more

Zero-Day Vulnerability

A vulnerability exploited before the vendor is aware of it or has released a patch.

Learn more

CVE

Common Vulnerabilities and Exposures, a standardized identifier for publicly known security vulnerabilities.

Learn more

CVSS Score

Common Vulnerability Scoring System, a standardized framework for rating vulnerability severity on a 0-10 scale.

Learn more

OWASP Top 10

A regularly updated list of the ten most critical web application security risks.

Learn more

Web Application Firewall

A security layer that filters and monitors HTTP traffic to protect web applications from attacks.

Learn more

Content Security Policy

An HTTP header that controls which resources a browser is allowed to load, preventing XSS and data injection.

Learn more

HTTP Strict Transport Security

A header that forces browsers to only connect via HTTPS, preventing downgrade attacks.

Learn more

Cross-Origin Resource Sharing

A mechanism that controls which domains can make requests to your API.

Learn more

HMAC

Hash-based Message Authentication Code for verifying both data integrity and authentication using a cryptographic hash.

Learn more

Brute Force Attack

An attack that systematically tries all possible passwords until the correct one is found.

Learn more

Malware

Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems.

Learn more

Backdoor

Hidden code that provides unauthorized remote access to a system, often surviving normal security measures.

Learn more

Code Obfuscation

Deliberately making code difficult to understand, often used to hide malicious intent.

Learn more

WordPress Hooks

The event system that allows plugins to modify WordPress behavior through actions and filters.

Learn more

wp_ajax Hooks

WordPress AJAX hook system for handling asynchronous requests from the browser.

Learn more

WP-Cron

WordPress pseudo-cron system that executes scheduled tasks on page load rather than using system-level cron.

Learn more

esc_html()

WordPress function that escapes HTML entities in a string, preventing XSS when outputting text content.

Learn more

esc_attr()

WordPress function that escapes a string for safe use inside HTML attributes.

Learn more

esc_url()

WordPress function that validates and sanitizes URLs, removing dangerous protocols and characters.

Learn more

wp_kses_post()

WordPress function that filters HTML content allowing only a safe subset of HTML tags and attributes.

Learn more

sanitize_text_field()

WordPress function that sanitizes a string by removing HTML tags, encoding special characters, and stripping unwanted data.

Learn more

wp_unslash()

WordPress function that removes backslashes added by PHP magic quotes from superglobal data.

Learn more

absint()

WordPress function that converts a value to a non-negative integer, combining abs() and intval().

Learn more

$wpdb->prepare()

WordPress database query preparation method that safely parameterizes SQL queries.

Learn more

ABSPATH Guard

WordPress constant defining the absolute path to the installation directory, used to prevent direct file access.

Learn more

HPOS

High-Performance Order Storage in WooCommerce, using custom database tables for orders instead of post meta.

Learn more

Full Site Editing

WordPress block-based approach to building entire websites including headers, footers, and templates.

Learn more

WordPress REST API

WordPress built-in JSON-based API for creating, reading, updating, and deleting content programmatically.

Learn more

Transients API

WordPress temporary data caching system that stores data with an expiration time.

Learn more

Must-Use Plugins

WordPress plugins that are automatically activated and cannot be deactivated through the admin interface.

Learn more

WP-CLI

The official command-line interface for WordPress, allowing site management and plugin operations from the terminal.

Learn more

XML-RPC

WordPress legacy remote procedure call interface, largely replaced by the REST API.

Learn more

Gutenberg

The block-based content editor introduced in WordPress 5.0, replacing the classic TinyMCE editor.

Learn more

theme.json

Configuration file for block themes that defines global styles, settings, and design tokens.

Learn more

Psalm

A PHP static analysis tool with taint analysis for tracking data flow from user input to dangerous sinks.

Learn more

Semgrep

An open-source static analysis tool that matches code patterns using customizable rules.

Learn more

SAST

Static Application Security Testing analyzing source code for vulnerabilities without executing the program.

Learn more

CI/CD

Continuous Integration and Continuous Deployment pipelines that automate building, testing, and deploying code.

Learn more

Composer

PHP dependency manager used to install and manage third-party libraries and their versions.

Learn more

Semantic Versioning

A versioning scheme (MAJOR.MINOR.PATCH) where version numbers convey meaning about changes.

Learn more

Model Context Protocol

A standard for connecting AI assistants to external tools and data sources.

Learn more

PHP Namespaces

A PHP feature for organizing code into logical groups preventing naming conflicts between packages.

Learn more

Type Safety

Using PHP type declarations to catch type-related bugs at analysis time rather than runtime.

Learn more

CCPA

California Consumer Privacy Act giving consumers rights over their personal data collected by businesses.

Learn more

PCI DSS

Payment Card Industry Data Security Standard for organizations handling credit card data.

Learn more

SBOM

Software Bill of Materials listing all components, libraries, and dependencies in a software product.

Learn more

Responsible Disclosure

A security practice where vulnerabilities are reported privately and given time to patch before public disclosure.

Learn more

Data Minimization

A privacy principle requiring only the minimum necessary personal data be collected and retained.

Learn more

Cookie Consent

The requirement to obtain user permission before storing non-essential cookies.

Learn more

GPL License

GNU General Public License used by WordPress, requiring derivative works to also be GPL-licensed.

Learn more

Session Fixation

An attack where the attacker sets a user's session ID to a known value, then waits for the user to authenticate.

Learn more

XML External Entity (XXE)

An attack that exploits XML parsers to read local files, perform SSRF, or cause denial of service.

Learn more

Insecure Deserialization

A vulnerability where untrusted data is used to instantiate objects, potentially leading to remote code execution.

Learn more

Timing Attack

A side-channel attack that exploits time differences in cryptographic comparisons to guess secret values.

Learn more

Credential Stuffing

An automated attack using stolen username/password pairs from data breaches to access accounts.

Learn more

Rainbow Table

A precomputed table for reversing cryptographic hash functions, used to crack password hashes.

Learn more

Certificate Pinning

A security mechanism that associates a host with its expected SSL certificate to prevent man-in-the-middle attacks.

Learn more

Subresource Integrity (SRI)

A browser feature that verifies fetched resources match expected hashes, preventing CDN tampering.

Learn more

Rate Limiting

Restricting the number of requests a client can make in a given time period to prevent abuse.

Learn more

Input Validation

Verifying that user input meets expected format, type, and range before processing it.

Learn more

Output Encoding

Converting special characters to safe equivalents before inserting data into HTML, URLs, or other contexts.

Learn more

Principle of Least Privilege

Granting users and processes only the minimum permissions needed to perform their tasks.

Learn more

Defense in Depth

A security strategy using multiple layers of protection so that if one layer fails, others still protect the system.

Learn more

Shortcodes

WordPress macro codes enclosed in square brackets that plugins can register to output dynamic content.

Learn more

WordPress Widgets

Modular content blocks that can be placed in widget areas defined by themes.

Learn more

Custom Post Types

Developer-defined content types beyond the default posts and pages, extending WordPress as a CMS.

Learn more

Taxonomies

Classification systems for grouping WordPress content, like categories and tags, with support for custom taxonomies.

Learn more

Meta Boxes

Admin interface panels for adding custom fields to post editing screens.

Learn more

Options API

WordPress database API for storing and retrieving site-wide settings using key-value pairs.

Learn more

User Meta

Custom data fields stored per WordPress user, accessible via get_user_meta() and update_user_meta().

Learn more

Rewrite Rules

URL routing rules that map pretty permalinks to WordPress query variables.

Learn more

Object Cache

WordPress caching layer that stores database query results in memory for faster subsequent access.

Learn more

WordPress Multisite

A WordPress feature allowing multiple sites to be managed from a single installation.

Learn more

wp-config.php

The main WordPress configuration file containing database credentials, secret keys, and site settings.

Learn more

WP_DEBUG

WordPress constant that enables debug mode, showing PHP errors and notices.

Learn more

DISALLOW_FILE_EDIT

WordPress constant that disables the built-in theme and plugin file editors in the admin dashboard.

Learn more

PHPCBF

PHP Code Beautifier and Fixer, the automatic code fixer companion to PHP_CodeSniffer.

Learn more

Rector

A PHP refactoring tool that performs automated code transformations using AST manipulation.

Learn more

PHP CS Fixer

A tool to automatically fix PHP coding standards issues, supporting PSR and custom rule sets.

Learn more

Git Hooks

Scripts that run automatically at specific points in the Git workflow, like pre-commit or pre-push.

Learn more

Code Review

The systematic examination of source code by peers to find bugs, security issues, and improve quality.

Learn more

Penetration Testing

Authorized simulated attacks on a system to evaluate its security by finding exploitable vulnerabilities.

Learn more

Dependency Scanning

Analyzing third-party libraries and packages for known vulnerabilities.

Learn more

PSR-4 Autoloading

A PHP standard for automatically loading class files based on namespace and class name without manual require statements.

Learn more

OPcache

PHP bytecode cache that stores precompiled script bytecode in memory, eliminating the need to parse PHP files on each request.

Learn more

PHP 8.x Features

Modern PHP features including named arguments, match expressions, enums, fibers, readonly properties, and intersection types.

Learn more

Error Handling

Strategies for gracefully managing and recovering from errors, exceptions, and unexpected conditions in code.

Learn more

Logging

Recording application events, errors, and debug information for monitoring and troubleshooting.

Learn more

PECR

Privacy and Electronic Communications Regulations, UK law governing electronic marketing and cookies.

Learn more

ePrivacy Directive

EU directive governing privacy in electronic communications, including the cookie consent requirement.

Learn more

ISO 27001

International standard for information security management systems, defining requirements for managing security risks.

Learn more

SOC 2

Service Organization Control 2, a framework for managing customer data based on five trust service criteria.

Learn more

Data Processing Agreement

A legally binding contract between data controllers and processors, required under GDPR.

Learn more

Right to Erasure

GDPR right allowing individuals to request deletion of their personal data.

Learn more

Data Portability

GDPR right allowing individuals to receive their personal data in a machine-readable format.

Learn more

Privacy by Design

An approach to system design that embeds privacy protections from the start rather than adding them later.

Learn more

Vulnerability Disclosure Policy

A published policy describing how an organization receives and handles security vulnerability reports.

Learn more

License Compliance

Ensuring that all software components are used in accordance with their license terms.

Learn more

wp_nonce_field()

WordPress function that outputs a hidden form field containing a nonce for CSRF protection.

Learn more

check_admin_referer()

WordPress function that verifies a nonce was included in the request, dying with an error if invalid.

Learn more

wp_die()

WordPress function that terminates execution and displays an error message, used for access control.

Learn more

wp_safe_redirect()

WordPress function that redirects to a URL only if it is on an allowed host, preventing open redirect attacks.

Learn more

$wpdb Class

WordPress database abstraction class providing methods for safe database interaction.

Learn more

Walker Class

WordPress abstract class for rendering hierarchical data structures like menus and comment trees.

Learn more

WP_Filesystem

WordPress filesystem abstraction API that provides safe methods for reading and writing files.

Learn more

WP HTTP API

WordPress HTTP request API (wp_remote_get, wp_remote_post) for making external HTTP calls safely.

Learn more

Plugin Activation Hook

WordPress hook that fires when a plugin is activated, used for setup tasks like creating database tables.

Learn more

Plugin Deactivation Hook

WordPress hook that fires when a plugin is deactivated, used for cleanup tasks.

Learn more

Script & Style Enqueueing

WordPress system for properly loading JavaScript and CSS files with dependency management.

Learn more

wp_localize_script()

WordPress function that passes PHP data to JavaScript by creating a global variable.

Learn more

Heartbeat API

WordPress API for periodic AJAX communication between the browser and server.

Learn more

Cron Schedules

WordPress system for registering custom intervals for WP-Cron recurring tasks.

Learn more

Admin Notices

WordPress system for displaying messages in the admin dashboard header area.

Learn more

Settings API

WordPress API for creating admin settings pages with automatic nonce verification and sanitization.

Learn more

Block Patterns

Predefined block layouts that users can insert into the block editor with a single click.

Learn more

Template Hierarchy

WordPress system that determines which template file is used to render a specific page based on a priority order.

Learn more

WP_Query

WordPress class for querying posts with custom parameters, supporting complex filtering and pagination.

Learn more

Post Meta

Custom data fields associated with WordPress posts, stored as key-value pairs in the postmeta table.

Learn more

REST API Schema

JSON Schema definitions for WordPress REST API endpoints, enabling validation and documentation.

Learn more