Security

We understand that security is just as important as performance and usability. That’s why we’ve built the plugin to follow WordPress best practices at every level – from how user data is handled to how cookies and AJAX requests are managed.

Below is an overview of the measures we’ve implemented to keep your site and your data safe.

Input Sanitization

Every piece of input that enters the plugin is cleaned before it’s processed:

  • WordPress-native sanitization functions are used (sanitize_text_field(), sanitize_email(), esc_url_raw()).
  • All POST and GET data is sanitized before saving.
  • wp_unslash() is applied to account for WordPress’s automatic slashing.

This ensures that malicious input never makes it into your database or output.

Capability Checks

Only the right users can perform the right actions. AB Split Test respects WordPress’s role-based permissions:

  • manage_options for admin settings.
  • edit_posts for experiment creation.
  • delete_posts for variation deletion.
  • update_core for managing admin notices.

This keeps sensitive actions in the hands of the appropriate users.

Nonce Verification

To prevent cross-site request forgery (CSRF), the plugin uses nonce verification across all key operations:

  • wp_verify_nonce() checks on form submissions.
  • Nonces for license activation and AJAX requests.
  • Proper nonce generation and validation across the board.
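The following is an added illustration of how the three layers above (sanitization, capability check, nonce) fit together in a single admin-ajax handler. It is example code written for this page, not the plugin’s own; the hook name, nonce action, script handle and post type are assumptions.

```php
<?php
// Added example, not plugin code. Names below are assumed for illustration.

// Nonce generation: the token is handed to the (assumed) admin script so the
// AJAX request can send it back in the 'nonce' field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'absplit-admin', 'absplitAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'absplit_save_experiment' ),
    ) );
} );

add_action( 'wp_ajax_absplit_save_experiment', 'absplit_save_experiment' );

function absplit_save_experiment() {
    // 1. Nonce verification: stops with HTTP 403 when the token is missing or stale.
    check_ajax_referer( 'absplit_save_experiment', 'nonce' );

    // 2. Capability check: experiment creation requires edit_posts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitization: unslash first (WordPress slashes $_POST), then clean each
    //    field with the function that matches its expected type.
    $name   = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $email  = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $target = isset( $_POST['url'] )   ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    if ( '' === $name || '' === $target ) {
        wp_send_json_error( array( 'message' => 'Name and target URL are required.' ), 400 );
    }

    // New experiments start as drafts, so they are never served to visitors.
    $id = wp_insert_post( array(
        'post_type'   => 'absplit_experiment', // assumed post type
        'post_title'  => $name,
        'post_status' => 'draft',
        'meta_input'  => array( 'absplit_target_url' => $target, 'absplit_contact' => $email ),
    ), true );

    if ( is_wp_error( $id ) ) {
        wp_send_json_error( array( 'message' => $id->get_error_message() ), 500 );
    }

    // Output escaping: the name is escaped before being echoed back into admin markup.
    wp_send_json_success( array(
        'id'      => (int) $id,
        'message' => sprintf( 'Experiment "%s" saved.', esc_html( $name ) ),
    ) );
}
```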

Cookie Security

Cookies are handled carefully with fallbacks for reliability:

  • Supports multi-part TLDs (like .co.uk, .com.au).
  • Protocol-aware SameSite attributes (None for HTTPS, Lax for HTTP).
  • LocalStorage backup when cookies fail.
  • Fallback strategies ensure functionality across browsers.

CORS Handling

AJAX requests are protected from interference:

  • CORS headers are only sent when experiment data is present.
  • Other AJAX calls remain unaffected.

Output Escaping

To prevent cross-site scripting (XSS), all output is escaped properly:

  • esc_html() for admin notices.
  • HTML entities decoded safely to avoid double-encoding.

Database Security

Only the right data is exposed:

  • Experiments are retrieved only if they are in a safe status (publish or complete).
  • Draft or incomplete experiments are never shown to site visitors.

Error Handling

The plugin is built to fail safely:

  • try-catch blocks isolate errors.
  • Global variable checks prevent crashes.
  • Clear, descriptive error messages assist with troubleshooting.

You can feel confident knowing that AB Split Test is not only focused on boosting conversions, but also on keeping your WordPress environment safe.
