Security: nftushar/DevXpert

SECURITY.md

DevXpert Plugin Security Documentation

Overview

This document outlines the security measures implemented in the DevXpert WordPress plugin to ensure safe operation and protect against common vulnerabilities.

Security Measures Implemented

1. Access Control & Capability Checks

User Capability Verification

  • Primary Check: All admin functionality requires manage_options capability
  • Implementation: current_user_can('manage_options') checks throughout the plugin
  • Files: All AJAX handlers and admin pages verify user permissions

Plugin Loading Restrictions

  • Plugin only loads for administrators or when WP_DEBUG is enabled
  • Frontend assets only load for users with manage_options capability

2. Nonce Verification

AJAX Security

  • All AJAX requests require valid nonces via check_ajax_referer('devxpert_nonce', 'nonce')
  • Nonces are created with wp_create_nonce('devxpert_nonce')
  • Nonces are localized to JavaScript for frontend requests

Nonce Implementation

// Creating nonces (inside the array handed to wp_localize_script, see above)
'nonce' => \wp_create_nonce('devxpert_nonce'),

// Verifying nonces: terminates the request with -1 if the nonce is missing or invalid
\check_ajax_referer('devxpert_nonce', 'nonce');

3. Input Sanitization

Text Input Sanitization

  • Text Fields: sanitize_text_field() for single-line text
  • Textarea: sanitize_textarea_field() for multi-line text
  • Numbers: intval() for numeric inputs

Implementation Examples

// WordPress adds slashes to $_POST, so unslash before sanitizing; isset()
// avoids undefined-index notices and yields a safe empty default.
$setting       = isset($_POST['setting'])       ? \sanitize_text_field(\wp_unslash($_POST['setting']))       : '';
$value         = isset($_POST['value'])         ? \sanitize_text_field(\wp_unslash($_POST['value']))         : '';
$template_name = isset($_POST['template_name']) ? \sanitize_text_field(\wp_unslash($_POST['template_name'])) : '';
$hook_name     = isset($_POST['hook_name'])     ? \sanitize_text_field(\wp_unslash($_POST['hook_name']))     : '';

4. Output Escaping

HTML Output Escaping

  • General HTML: esc_html() for safe HTML output
  • Attributes: esc_attr() for HTML attributes
  • URLs: esc_url() for URL outputs

Implementation Examples

echo \esc_html($theme->get('Name'));
echo \esc_attr($plugin_file);
echo \esc_html($hook_name);

5. AJAX Security

Request Validation

  • All AJAX endpoints verify nonces
  • All AJAX endpoints check user capabilities
  • No nopriv AJAX actions (admin-only access)

Error Handling

  • Proper error responses with sanitized messages
  • No sensitive information in error responses
  • Consistent error format across all endpoints

6. File System Security

Path Validation

  • All file operations use WordPress path functions
  • Directory traversal protection via ABSPATH checks
  • File existence checks before operations

Safe File Operations

// PSR-4 style autoloader: $relative_class is the class name with the DevXpert\
// prefix removed; namespace separators are mapped to directory separators.
$file = $base_dir . str_replace('\\', '/', $relative_class) . '.php';
if (file_exists($file)) {
    require $file;
}
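
The two protections this section names, a direct-access guard and a containment check for a user-supplied file name, written out as an added example (not DevXpert's own code). The DEVXPERT_PATH constant (plugin directory with trailing slash), the templates/ sub-directory and the resolve_template() helper are assumptions.

```php
<?php
// Added example, not DevXpert's own code. Assumes DEVXPERT_PATH is the plugin
// directory with a trailing slash and that a templates/ sub-directory exists.
namespace DevXpert\Examples;

// Direct-access guard: WordPress defines ABSPATH during bootstrap, so a request
// aimed straight at this .php file (where it is undefined) exits immediately.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Resolve a user-supplied template name to a file under templates/, or return
 * null if the name escapes that directory or the file does not exist.
 */
function resolve_template( string $template_name ): ?string {
    $base_real = \realpath( DEVXPERT_PATH . 'templates' );
    if ( $base_real === false ) {
        return null; // templates/ missing: fail closed rather than compare against ''
    }
    $base = \wp_normalize_path( $base_real ) . '/';

    // Sanitize first, but do not rely on it: '..' and '/' survive sanitize_text_field().
    $name = \sanitize_text_field( $template_name );
    if ( $name === '' || $name !== basename( $name ) ) {
        return null; // any path separator in the name is rejected outright
    }

    // realpath() collapses '..' and resolves symlinks, so compare the resolved
    // path against the allowed prefix instead of trusting the string we built.
    $real = \realpath( $base . $name . '.php' );
    if ( $real === false ) {
        return null; // file does not exist (the file_exists() check from above)
    }
    $real = \wp_normalize_path( $real );
    if ( strncmp( $real, $base, strlen( $base ) ) !== 0 ) {
        return null; // resolved outside templates/ (e.g. via a symlink)
    }
    return $real;
}
```

Because realpath() follows symlinks, a link inside templates/ that points elsewhere is also rejected, which is the behaviour you want for a directory that only ever holds plugin-shipped files.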

7. Database Security

Option Management

  • Use WordPress options API (get_option, update_option)
  • Proper sanitization before database operations
  • No direct SQL queries (uses WordPress APIs)

Settings Security

$settings = \get_option('devxpert_settings', []);
$settings[$setting] = $value === 'true' || $value === '1';
\update_option('devxpert_settings', $settings);
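
Sections 1, 2, 3, 5 and 7 describe the checks an admin AJAX endpoint performs; the added example below (not DevXpert's own code) shows them applied in order in one handler. The action name devxpert_save_setting and the whitelist of setting names are assumptions.

```php
<?php
// Added example, not DevXpert's own code. Action name and setting names are assumed.
namespace DevXpert\Examples;

// Registered on wp_ajax_ only; deliberately no wp_ajax_nopriv_ hook, so
// unauthenticated visitors never reach the handler (section 5).
\add_action( 'wp_ajax_devxpert_save_setting', __NAMESPACE__ . '\\save_setting' );

function save_setting(): void {
    // 1. Nonce: rejects stale or forged requests. Passing false as the third
    //    argument lets us answer with the same JSON error shape as everything else.
    if ( ! \check_ajax_referer( 'devxpert_nonce', 'nonce', false ) ) {
        \wp_send_json_error( [ 'message' => \__( 'Invalid request.', 'devxpert' ) ], 403 );
    }

    // 2. Capability: a valid nonce proves intent, not authorization.
    if ( ! \current_user_can( 'manage_options' ) ) {
        \wp_send_json_error( [ 'message' => \__( 'Insufficient permissions.', 'devxpert' ) ], 403 );
    }

    // 3. Unslash and sanitize, then validate the key against a fixed whitelist so
    //    a request cannot write arbitrary keys into the option array.
    $setting = isset( $_POST['setting'] ) ? \sanitize_key( \wp_unslash( $_POST['setting'] ) ) : '';
    $value   = isset( $_POST['value'] ) ? \sanitize_text_field( \wp_unslash( $_POST['value'] ) ) : '';

    $allowed = [ 'show_hooks', 'show_templates' ]; // assumed setting names
    if ( ! in_array( $setting, $allowed, true ) ) {
        \wp_send_json_error( [ 'message' => \__( 'Unknown setting.', 'devxpert' ) ], 400 );
    }

    // 4. Persist through the options API, coercing to bool exactly as the
    //    snippet above does, so no raw user string is ever stored.
    $settings             = (array) \get_option( 'devxpert_settings', [] );
    $settings[ $setting ] = ( $value === 'true' || $value === '1' );
    \update_option( 'devxpert_settings', $settings );

    // 5. Generic success message; nothing about internals is echoed back.
    \wp_send_json_success( [ 'message' => \__( 'Setting saved successfully!', 'devxpert' ) ] );
}
```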

8. Internationalization Security

Text Domain Usage

  • Consistent use of devxpert text domain
  • Proper escaping with translation functions
  • Localized strings for user-facing messages

Translation Functions

\esc_html__('Setting saved successfully!', 'devxpert')
\esc_attr__('Hook name copied to clipboard!', 'devxpert')
\__('Insufficient permissions.', 'devxpert')

9. JavaScript Security

Localized Data

  • All user-facing strings localized via wp_localize_script
  • No hardcoded strings in JavaScript
  • Proper escaping of localized data

AJAX Security

  • Nonces included in all AJAX requests
  • Error handling for failed requests
  • Input validation on client side
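
The PHP side of what sections 2 and 9 describe, handing the nonce, the AJAX URL and all user-facing strings to the script through wp_localize_script, as an added example (not DevXpert's own code). The script handle, the asset path, the DEVXPERT_FILE and DEVXPERT_VERSION constants and the third message string are assumptions.

```php
<?php
// Added example, not DevXpert's own code. Handle, asset path and the
// DEVXPERT_FILE / DEVXPERT_VERSION constants are assumed.
namespace DevXpert\Examples;

\add_action( 'admin_enqueue_scripts', __NAMESPACE__ . '\\enqueue_admin_assets' );

function enqueue_admin_assets(): void {
    // Gate assets on the same capability as the AJAX handlers (section 1);
    // otherwise the nonce below is handed to every logged-in user.
    if ( ! \current_user_can( 'manage_options' ) ) {
        return;
    }

    // External file rather than inline JS, versioned for cache busting.
    \wp_enqueue_script(
        'devxpert-admin',
        \plugins_url( 'assets/js/admin.js', DEVXPERT_FILE ),
        [ 'jquery' ],
        DEVXPERT_VERSION,
        true
    );

    // Everything the script needs from PHP travels in this one array;
    // wp_localize_script JSON-encodes it, so no value is spliced into JS source.
    \wp_localize_script( 'devxpert-admin', 'devxpertData', [
        'ajaxUrl' => \admin_url( 'admin-ajax.php' ),
        'nonce'   => \wp_create_nonce( 'devxpert_nonce' ),
        'i18n'    => [
            'saved'  => \__( 'Setting saved successfully!', 'devxpert' ),
            'copied' => \__( 'Hook name copied to clipboard!', 'devxpert' ),
            'error'  => \__( 'Request failed. Please try again.', 'devxpert' ), // assumed string
        ],
    ] );
}
```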

10. Plugin Structure Security

Namespace Protection

  • All classes use DevXpert\ namespace
  • Proper autoloading prevents direct file access
  • Namespace isolation from other plugins

File Access Prevention

  • index.php files in all directories prevent directory listing
  • Direct file access prevention via ABSPATH checks
  • Plugin constants for secure path references

Security Best Practices Followed

1. WordPress Coding Standards

  • Follows WordPress coding standards
  • Uses WordPress core functions and APIs
  • Proper hook usage and action/filter implementation

2. Input Validation

  • Validate all user inputs
  • Sanitize data before processing
  • Escape output before display

3. Error Handling

  • Graceful error handling
  • No sensitive information in error messages
  • Proper logging without exposing internals

4. Performance Security

  • No inline CSS or JavaScript
  • External file loading for all assets
  • Proper asset versioning and caching

Security Checklist

  • User capability checks implemented
  • Nonce verification for all AJAX requests
  • Input sanitization for all user inputs
  • Output escaping for all displayed data
  • No nopriv AJAX actions
  • Proper file system security
  • Database security via WordPress APIs
  • Internationalization with proper escaping
  • JavaScript security with localized strings
  • Plugin structure security
  • Error handling without information disclosure
  • No inline CSS/JS (external files only)

Recommendations for Deployment

  1. Environment: Test in development environment first
  2. Permissions: Ensure proper file permissions (755 for directories, 644 for files)
  3. Updates: Keep WordPress and plugins updated
  4. Monitoring: Monitor error logs for any security issues
  5. Backup: Regular backups before plugin updates

Reporting Security Issues

If you discover a security vulnerability in the DevXpert plugin, please report it responsibly:

  1. Email: [Security contact information]
  2. GitHub: Create a private security issue
  3. Response: We will respond within 48 hours
  4. Disclosure: Coordinated disclosure timeline

Last Updated: July 26, 2025
Version: 1.0.0
WordPress Version: 5.0+
PHP Version: 7.4+
