SonarCloud helps to make sure WordPress plugins are safe

Hello PHP developers and more precisely WordPress plugins developers,

It’s not always easy to follow the various documentation pages and blog posts scattered here and there to learn how to deliver WordPress plugins that follow security best practices before publishing them on the WordPress marketplace.
We developed new rules so you can automatically check whether your plugins follow these security best practices:

Vulnerability Detection:

  • S6339: Secret keys and salt values should be robust

Security Hotspot Detection:

  • S6341: WordPress theme and plugin editors are security-sensitive
  • S6343: Disabling automatic updates is security-sensitive
  • S6345: Allowing all external requests from a WordPress server is security-sensitive
  • S6346: Allowing unauthenticated database repair in WordPress is security-sensitive
  • S6348: Allowing unfiltered HTML content in WordPress is security-sensitive

Code Smell Detection:

  • S6344: Constants should not be redefined
  • S6347: WordPress options should not be defined at the end of “wp-config.php”
  • S6349: WordPress option names should not be misspelled
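
As an added illustration (not SonarSource’s rule implementation and not WordPress code), here is a small PHP script that scans a constructed wp-config.php for the kind of settings these rules cover. The constant names and their risky values are taken from WordPress documentation; the matching is a simple heuristic, not the logic of the real analyzers.

```php
<?php
// Added example, not SonarSource's rule implementation or WordPress code: a simple
// regex scan of a wp-config.php for the settings the rules above cover.
// Constructed sample: every define() below is something a reviewer would flag.
const SAMPLE_CONFIG = <<<'CFG'
define('AUTH_KEY', 'put your unique phrase here');
define('DISALLOW_FILE_EDIT', false);
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_HTTP_BLOCK_EXTERNAL', false);
define('WP_ALLOW_REPAIR', true);
define('DISALLOW_UNFILTERED_HTML', false);
define('WP_DEBUG', true);
define('WP_DEBUG', false);
require_once ABSPATH . 'wp-settings.php';
define('WP_MEMORY_LIMIT', '256M');
CFG;
// Constant => [risky value, rule id]. Only explicit risky values are reported;
// a constant that is simply never defined is not covered by this toy check.
const HOTSPOTS = [
    'DISALLOW_FILE_EDIT'         => ['false', 'S6341'],
    'AUTOMATIC_UPDATER_DISABLED' => ['true',  'S6343'],
    'WP_HTTP_BLOCK_EXTERNAL'     => ['false', 'S6345'],
    'WP_ALLOW_REPAIR'            => ['true',  'S6346'],
    'DISALLOW_UNFILTERED_HTML'   => ['false', 'S6348'],
];

function scanWpConfig(string $src): array
{
    $findings = []; $seen = []; $afterSettings = false;
    foreach (explode("\n", $src) as $i => $line) {
        $ln = $i + 1;
        // Once wp-settings.php is loaded, later define() calls come too late.
        if (strpos($line, 'wp-settings.php') !== false) { $afterSettings = true; continue; }
        if (!preg_match('/define\s*\(\s*[\'"](\w+)[\'"]\s*,\s*(.+?)\s*\)\s*;/', $line, $m)) continue;
        [, $name, $value] = $m;
        if (isset($seen[$name])) $findings[] = "$ln: S6344 $name is redefined";
        $seen[$name] = true;
        if ($afterSettings) $findings[] = "$ln: S6347 $name defined after wp-settings.php";
        // Keys and salts: the stock placeholder or a short literal is not robust.
        if (preg_match('/_(KEY|SALT)$/', $name) && (stripos($value, 'unique phrase') !== false
            || strlen(trim($value, "'\"")) < 32)) {
            $findings[] = "$ln: S6339 $name is a placeholder or too short";
        }
        if (isset(HOTSPOTS[$name]) && strcasecmp($value, HOTSPOTS[$name][0]) === 0) {
            $findings[] = "$ln: " . HOTSPOTS[$name][1] . " $name = $value is security-sensitive";
        }
    }
    return $findings;
}
foreach (scanWpConfig(SAMPLE_CONFIG) as $f) echo $f, PHP_EOL;
```

Running it prints one finding per flagged line of the sample, with the rule id from the lists above; on a real wp-config.php the S6341 and S6348 constants are the ones most often left at their default risky values.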

These rules are available now on SonarCloud and will be included in SonarQube 9.1.