How does this skill prevent XSS in WordPress?

It provides a comprehensive guide for context-specific escaping functions like esc_html(), esc_attr(), and wp_kses(), ensuring data is safely rendered based on where it appears in the DOM.

Does it support WordPress capability checks?

Absolutely. It promotes using current_user_can() with specific capabilities rather than roles to ensure precise and secure access control.

How are nonces handled by this skill?

The skill provides patterns for creating nonces in forms and URLs, and verifying them in processing scripts to protect against Cross-Site Request Forgery (CSRF).

Does it cover WordPress AJAX and REST API security?

Yes, it includes specific patterns for check_ajax_referer and REST API permission_callback requirements to secure all entry points.

Does this skill help with database security?

Yes, it enforces the use of $wpdb->prepare() for all queries and provides patterns for using proper placeholders to prevent SQL injection attacks.

WordPress Security Standards

Name: WordPress Security Standards
Author: peixotorms

bypeixotorms

0•

Content Management

Enforces secure WordPress development practices through context-aware escaping, sanitization, and robust database protection patterns.

This skill provides Claude with comprehensive knowledge of WordPress security protocols to ensure all generated or refactored code is production-ready and secure. It focuses on the core 'sanitize on input, escape on output' philosophy, covering essential protections against Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL injection. By implementing specific WordPress patterns like nonces, $wpdb->prepare, and capability-based authorization, this skill helps developers avoid common vulnerabilities and align with official WordPress Coding Standards (WPCS).

Key Features

01Granular capability-based authorization checks using current_user_can()

02Context-aware output escaping for HTML, attributes, JS, and URLs

03SQL injection prevention using $wpdb->prepare and identifier placeholders

04Comprehensive nonce implementation for CSRF protection in forms and AJAX

05Strict input validation and sanitization workflows for superglobals

060 GitHub stars

Use Cases

01Securing custom WordPress forms and AJAX endpoints against common web attacks

02Implementing secure REST API endpoints with proper permission callbacks

03Hardening legacy WordPress plugins by refactoring unescaped outputs and raw SQL

What are Skills?·How to Install

Install with 🐟 Skill.Fish

npx skillfish add peixotorms/odinlayer-skills wp-security

For use in Claude.ai and ChatGPT

Download Skill