Azwar's Blog
Web Security Best Practices: Protecting WordPress and Laravel Applications
Hi everyone! I'm Azwar, a WordPress and Laravel developer with a strong focus on security. In this comprehensive guide, I'll share essential web security practices for protecting your applications against common vulnerabilities. Security should be a top priority in every web development project.
![Web Security Best Practices: Protecting Applications](/images/banner/posts/web-security.jpg
Web security is crucial for protecting user data, maintaining trust, and preventing costly breaches. Whether you're developing WordPress sites or Laravel applications, implementing proper security measures is essential.
Common Web Security Vulnerabilities
1. SQL Injection
SQL injection occurs when malicious SQL code is inserted into queries.
Vulnerable Code:
// WordPress - Vulnerable $user_id = $_GET['user_id']; $user = $wpdb->get_row("SELECT * FROM users WHERE id = $user_id"); // Laravel - Vulnerable $user = DB::select("SELECT * FROM users WHERE id = " . $request->user_id);
Secure Code:
// WordPress - Secure $user_id = intval($_GET['user_id']); $user = $wpdb->get_row($wpdb->prepare("SELECT * FROM users WHERE id = %d", $user_id)); // Laravel - Secure $user = User::findOrFail($request->user_id); // or $user = DB::table('users')->where('id', $request->user_id)->first();
2. Cross-Site Scripting (XSS)
XSS attacks inject malicious scripts into web pages.
Vulnerable Code:
// WordPress - Vulnerable echo "<h1>Welcome " . $_GET['name'] . "</h1>"; // Laravel - Vulnerable echo "<h1>Welcome " . $request->name . "</h1>";
Secure Code:
// WordPress - Secure echo "<h1>Welcome " . esc_html($_GET['name']) . "</h1>"; // Laravel - Secure echo "<h1>Welcome " . e($request->name) . "</h1>"; // or in Blade templates <h1>Welcome {{ $request->name }}</h1>
3. Cross-Site Request Forgery (CSRF)
CSRF attacks trick users into performing unwanted actions.
WordPress CSRF Protection:
// Add nonce to forms <form method="post" action=""> <?php wp_nonce_field('my_action', 'my_nonce'); ?> <input type="text" name="data" /> <input type="submit" value="Submit" /> </form> // Verify nonce if (!wp_verify_nonce($_POST['my_nonce'], 'my_action')) { wp_die('Security check failed'); }
Laravel CSRF Protection:
// Automatically included in forms <form method="POST" action="/submit"> @csrf <input type="text" name="data" /> <button type="submit">Submit</button> </form> // Verify CSRF token public function submit(Request $request) { // CSRF protection is automatic in Laravel $validated = $request->validate([ 'data' => 'required|string|max:255' ]); }
WordPress Security Implementation
1. Secure WordPress Configuration
// wp-config.php security settings // Disable file editing in admin define('DISALLOW_FILE_EDIT', true); // Limit post revisions define('WP_POST_REVISIONS', 5); // Set secure authentication keys define('AUTH_KEY', 'your-unique-phrase-here'); define('SECURE_AUTH_KEY', 'your-unique-phrase-here'); define('LOGGED_IN_KEY', 'your-unique-phrase-here'); define('NONCE_KEY', 'your-unique-phrase-here'); // Force SSL for admin define('FORCE_SSL_ADMIN', true); // Disable XML-RPC define('XMLRPC_ENABLED', false);
2. Secure WordPress Plugin Development
<?php /** * Plugin Name: Secure Custom Plugin * Description: A secure WordPress plugin example * Version: 1.0.0 * Author: Azwar */ // Prevent direct access if (!defined('ABSPATH')) { exit; } class Secure_Plugin { public function __construct() { add_action('init', [$this, 'init']); add_action('wp_ajax_secure_action', [$this, 'handle_ajax']); add_action('wp_ajax_nopriv_secure_action', [$this, 'handle_ajax']); } public function init() { // Add security headers add_action('send_headers', [$this, 'add_security_headers']); } public function add_security_headers() { header('X-Content-Type-Options: nosniff'); header('X-Frame-Options: SAMEORIGIN'); header('X-XSS-Protection: 1; mode=block'); header('Referrer-Policy: strict-origin-when-cross-origin'); } public function handle_ajax() { // Verify nonce if (!wp_verify_nonce($_POST['nonce'], 'secure_action')) { wp_send_json_error('Security check failed'); } // Check user capabilities if (!current_user_can('manage_options')) { wp_send_json_error('Insufficient permissions'); } // Sanitize and validate input $data = sanitize_text_field($_POST['data']); if (empty($data)) { wp_send_json_error('Data is required'); } // Process data securely $result = $this->process_data($data); wp_send_json_success($result); } private function process_data($data) { // Secure data processing return esc_html($data); } } new Secure_Plugin();
3. WordPress User Authentication Security
<?php // Custom login security class Login_Security { public function __construct() { add_filter('authenticate', [$this, 'check_attempted_login'], 30, 3); add_action('wp_login_failed', [$this, 'login_failed']); add_action('wp_login', [$this, 'login_success']); } public function check_attempted_login($user, $username, $password) { if (!empty($username)) { $attempted_login = get_transient('attempted_login'); if ($attempted_login === false) { $attempted_login = []; } $ip = $_SERVER['REMOTE_ADDR']; $attempted_login[$ip] = ($attempted_login[$ip] ?? 0) + 1; set_transient('attempted_login', $attempted_login, 300); if ($attempted_login[$ip] > 5) { return new WP_Error('too_many_attempts', 'Too many login attempts'); } } return $user; } public function login_failed($username) { $attempted_login = get_transient('attempted_login'); if ($attempted_login === false) { $attempted_login = []; } $ip = $_SERVER['REMOTE_ADDR']; $attempted_login[$ip] = ($attempted_login[$ip] ?? 0) + 1; set_transient('attempted_login', $attempted_login, 300); } public function login_success($username) { delete_transient('attempted_login'); } } new Login_Security();
Laravel Security Implementation
1. Laravel Security Configuration
<?php // config/session.php return [ 'driver' => env('SESSION_DRIVER', 'file'), 'lifetime' => env('SESSION_LIFETIME', 120), 'expire_on_close' => false, 'encrypt' => false, 'files' => storage_path('framework/sessions'), 'connection' => env('SESSION_CONNECTION'), 'table' => 'sessions', 'store' => env('SESSION_STORE'), 'lottery' => [2, 100], 'cookie' => env( 'SESSION_COOKIE', Str::slug(env('APP_NAME', 'laravel'), '_').'_session' ), 'path' => '/', 'domain' => env('SESSION_DOMAIN'), 'secure' => env('SESSION_SECURE_COOKIE'), 'http_only' => true, 'same_site' => 'lax', ];
2. Laravel Authentication Security
<?php // app/Http/Controllers/Auth/LoginController.php class LoginController extends Controller { protected $maxAttempts = 5; protected $decayMinutes = 15; public function login(Request $request) { $request->validate([ 'email' => 'required|email', 'password' => 'required|string', 'g-recaptcha-response' => 'required|recaptcha' ]); $credentials = $request->only('email', 'password'); $remember = $request->filled('remember'); if (Auth::attempt($credentials, $remember)) { $request->session()->regenerate(); // Log successful login Log::info('User logged in', [ 'user_id' => Auth::id(), 'ip' => $request->ip(), 'user_agent' => $request->userAgent() ]); return redirect()->intended('/dashboard'); } // Log failed login attempt Log::warning('Failed login attempt', [ 'email' => $request->email, 'ip' => $request->ip(), 'user_agent' => $request->userAgent() ]); return back()->withErrors([ 'email' => 'The provided credentials do not match our records.', ]); } public function logout(Request $request) { Auth::logout(); $request->session()->invalidate(); $request->session()->regenerateToken(); return redirect('/'); } }
3. Laravel Input Validation and Sanitization
<?php // app/Http/Requests/UserRequest.php class UserRequest extends FormRequest { public function authorize() { return true; } public function rules() { return [ 'name' => 'required|string|max:255|regex:/^[a-zA-Z\s]+$/', 'email' => 'required|email|unique:users,email,' . $this->user?->id, 'password' => 'required|string|min:8|confirmed|regex:/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/', 'phone' => 'nullable|string|regex:/^\+?[1-9]\d{1,14}$/', 'avatar' => 'nullable|image|mimes:jpeg,png,jpg|max:2048', 'bio' => 'nullable|string|max:1000', 'website' => 'nullable|url|max:255', ]; } public function messages() { return [ 'name.regex' => 'Name can only contain letters and spaces.', 'password.regex' => 'Password must contain at least one uppercase letter, one lowercase letter, one number, and one special character.', 'phone.regex' => 'Please enter a valid phone number.', ]; } protected function prepareForValidation() { $this->merge([ 'name' => strip_tags($this->name), 'email' => strtolower(trim($this->email)), 'website' => $this->website ? rtrim($this->website, '/') : null, ]); } }
4. Laravel Middleware for Security
<?php // app/Http/Middleware/SecurityHeaders.php class SecurityHeaders { public function handle($request, Closure $next) { $response = $next($request); $response->headers->set('X-Content-Type-Options', 'nosniff'); $response->headers->set('X-Frame-Options', 'SAMEORIGIN'); $response->headers->set('X-XSS-Protection', '1; mode=block'); $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin'); $response->headers->set('Permissions-Policy', 'geolocation=(), microphone=(), camera=()'); // Content Security Policy $csp = "default-src 'self'; " . "script-src 'self' 'unsafe-inline' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; " . "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; " . "font-src 'self' https://fonts.gstatic.com; " . "img-src 'self' data: https:; " . "connect-src 'self'; " . "frame-src https://www.google.com/recaptcha/;"; $response->headers->set('Content-Security-Policy', $csp); return $response; } } // app/Http/Middleware/TwoFactorAuth.php class TwoFactorAuth { public function handle($request, Closure $next) { if (Auth::check() && Auth::user()->two_factor_enabled) { if (!$request->session()->has('2fa_verified')) { return redirect()->route('2fa.verify'); } } return $next($request); } }
Data Encryption and Protection
1. WordPress Data Encryption
<?php // Encrypt sensitive data function encrypt_data($data, $key = null) { if (!$key) { $key = wp_salt('auth'); } $method = 'AES-256-CBC'; $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($method)); $encrypted = openssl_encrypt($data, $method, $key, 0, $iv); return base64_encode($iv . $encrypted); } // Decrypt data function decrypt_data($encrypted_data, $key = null) { if (!$key) { $key = wp_salt('auth'); } $method = 'AES-256-CBC'; $data = base64_decode($encrypted_data); $iv_length = openssl_cipher_iv_length($method); $iv = substr($data, 0, $iv_length); $encrypted = substr($data, $iv_length); return openssl_decrypt($encrypted, $method, $key, 0, $iv); } // Usage $sensitive_data = 'credit_card_number'; $encrypted = encrypt_data($sensitive_data); $decrypted = decrypt_data($encrypted);
2. Laravel Data Encryption
<?php // Model with encrypted attributes class User extends Authenticatable { protected $fillable = [ 'name', 'email', 'password', 'ssn', 'credit_card' ]; protected $hidden = [ 'password', 'remember_token', 'ssn', 'credit_card' ]; protected $casts = [ 'email_verified_at' => 'datetime', 'ssn' => 'encrypted', 'credit_card' => 'encrypted', ]; // Custom encryption for specific fields public function setSsnAttribute($value) { $this->attributes['ssn'] = encrypt($value); } public function getSsnAttribute($value) { return decrypt($value); } }
Security Monitoring and Logging
1. WordPress Security Logging
<?php // Security event logging class Security_Logger { public function log_security_event($event_type, $details = []) { $log_entry = [ 'timestamp' => current_time('mysql'), 'event_type' => $event_type, 'user_id' => get_current_user_id(), 'ip_address' => $_SERVER['REMOTE_ADDR'], 'user_agent' => $_SERVER['HTTP_USER_AGENT'], 'details' => json_encode($details) ]; global $wpdb; $wpdb->insert( $wpdb->prefix . 'security_logs', $log_entry, ['%s', '%s', '%d', '%s', '%s', '%s'] ); } public function check_suspicious_activity() { global $wpdb; // Check for multiple failed logins $failed_logins = $wpdb->get_var($wpdb->prepare(" SELECT COUNT(*) FROM {$wpdb->prefix}security_logs WHERE event_type = 'failed_login' AND ip_address = %s AND timestamp > DATE_SUB(NOW(), INTERVAL 1 HOUR) ", $_SERVER['REMOTE_ADDR'])); if ($failed_logins > 10) { $this->log_security_event('suspicious_activity', [ 'type' => 'multiple_failed_logins', 'count' => $failed_logins ]); } } }
2. Laravel Security Monitoring
<?php // Security event logging class SecurityEvent { public static function log($event, $details = []) { Log::channel('security')->info($event, [ 'user_id' => Auth::id(), 'ip' => request()->ip(), 'user_agent' => request()->userAgent(), 'url' => request()->fullUrl(), 'method' => request()->method(), 'details' => $details ]); } } // config/logging.php 'channels' => [ 'security' => [ 'driver' => 'daily', 'path' => storage_path('logs/security.log'), 'level' => 'info', 'days' => 30, ], ], // Usage SecurityEvent::log('failed_login', ['email' => $request->email]); SecurityEvent::log('suspicious_activity', ['type' => 'multiple_requests']);
Best Practices for Web Security
- Always Validate and Sanitize Input: Never trust user input
- Use HTTPS: Encrypt all data in transit
- Implement Strong Authentication: Use multi-factor authentication
- Keep Software Updated: Regularly update WordPress, Laravel, and plugins
- Use Security Headers: Implement proper HTTP security headers
- Monitor and Log: Track security events and suspicious activity
- Backup Regularly: Maintain secure backups of your data
- Use Security Plugins: Implement security monitoring tools
- Educate Users: Train users on security best practices
- Regular Security Audits: Conduct periodic security assessments
Conclusion
Web security is an ongoing process that requires constant vigilance and regular updates. By implementing these security practices in your WordPress and Laravel applications, you can significantly reduce the risk of security breaches and protect your users' data.
Remember that security is not a one-time implementation but a continuous effort to stay ahead of evolving threats.