Enterprise Security Interview Questions

Sanitization, Validation, Nonces, and Hardening techniques.

Security is non-negotiable. These questions ensure a candidate knows how to write secure code and protect a WordPress installation.

1. What is the difference between Sanitization and Validation?

Answer:

  • Sanitization (Cleaning): Happens on Input (saving data). It rewrites data into the shape you expect before it is stored, e.g. stripping tags, invalid UTF-8 and line breaks from a text field. E.g., `sanitize_text_field()`, `sanitize_email()`, `absint()`. Sanitization does not protect the database by itself; that is the job of `$wpdb->prepare()`.
  • Escaping (Output): Happens on Output (displaying data). It encodes data for the exact context it is rendered in (HTML body, attribute, URL, JavaScript) so the browser treats it as data, not markup. E.g., `esc_html()`, `esc_attr()`, `esc_url()`.
  • Validation (Checking): Deciding whether data meets a rule and rejecting it if not, rather than silently rewriting it. E.g., `is_email()`, or comparing a value against a whitelist of allowed options.

Mantra: "Sanitize early, Escape late." Escape at the point of output every time, even if the value was sanitized when it was saved; another plugin, an import or a direct database write may have put something else in that row.
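The three steps applied to one plugin option, from the settings form to the rendered page, as an added example (not code from the original page): the option name `acme_contact`, its fields and the `acme_*` function names are assumed for illustration.

```php
<?php
/**
 * Added example: sanitize and validate on save, escape on output.
 * "acme_contact", its three fields and the acme_* helpers are assumed names.
 */

// register_setting() runs this callback before the value reaches wp_options.
function acme_sanitize_contact( $input ) {
    $clean = array();

    // Sanitize: strip tags, invalid UTF-8 and line breaks from free text.
    $clean['name'] = isset( $input['name'] ) ? sanitize_text_field( $input['name'] ) : '';

    // Validate: sanitize_email() only removes illegal characters; is_email()
    // decides whether what is left is actually an address.
    $email = isset( $input['email'] ) ? sanitize_email( $input['email'] ) : '';
    if ( '' !== $email && ! is_email( $email ) ) {
        add_settings_error( 'acme_contact', 'acme_bad_email', 'Please enter a valid e-mail address.' );
        // Reject: keep the previously saved value instead of storing junk.
        $old            = get_option( 'acme_contact', array() );
        $clean['email'] = isset( $old['email'] ) ? $old['email'] : '';
    } else {
        $clean['email'] = $email;
    }

    // Validate an enumerated field against a whitelist.
    $allowed       = array( 'public', 'private' );
    $mode          = isset( $input['mode'] ) ? $input['mode'] : 'private';
    $clean['mode'] = in_array( $mode, $allowed, true ) ? $mode : 'private';

    return $clean;
}

function acme_register_settings() {
    register_setting(
        'acme_options_group',
        'acme_contact',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'acme_sanitize_contact',
            'default'           => array( 'name' => '', 'email' => '', 'mode' => 'private' ),
        )
    );
}
add_action( 'admin_init', 'acme_register_settings' );

// Escape on output, picking the function for the context each value lands in:
// esc_attr() inside an attribute, esc_html() in element content, esc_url() in href.
function acme_render_contact() {
    $opt   = get_option( 'acme_contact', array() );
    $name  = isset( $opt['name'] ) ? $opt['name'] : '';
    $email = isset( $opt['email'] ) ? $opt['email'] : '';
    $mode  = isset( $opt['mode'] ) ? $opt['mode'] : 'private';
    ?>
    <p class="acme-contact" data-mode="<?php echo esc_attr( $mode ); ?>">
        <?php echo esc_html( $name ); ?>
        <?php if ( '' !== $email ) : ?>
            <a href="<?php echo esc_url( 'mailto:' . $email ); ?>"><?php echo esc_html( $email ); ?></a>
        <?php endif; ?>
    </p>
    <?php
}
```

The point of the validation branch is that a bad e-mail address is refused and reported through `add_settings_error()` rather than being "cleaned" into something that looks plausible; sanitization changes data, validation makes a decision about it.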

2. What is a Nonce and why is it important?

Answer: "Number used ONCE". It protects against CSRF (Cross-Site Request Forgery) attacks.

It ensures that a request (like submitting a form or clicking a link) originated from a user who intended to perform that action on your site, not from a malicious script on another site.

Two caveats an interviewer will usually probe:

  • Despite the name, a WordPress nonce is not single-use. It is a hash tied to the user ID, the session token, the action string and a time "tick"; the same token is handed out for up to 24 hours (`wp_verify_nonce()` returns 1 during the first 12 hours and 2 during the second) and can be submitted many times in that window.
  • A nonce proves intent, not authority. It shows the request came from your own form; it says nothing about whether the user is allowed to perform the action, so it must always be paired with a capability check such as `current_user_can()`.

// Creating: emits a hidden input holding the nonce (and a _wp_http_referer field)
wp_nonce_field('my_action', 'my_nonce_name');

// Verifying: $_POST is slashed by WordPress, so unslash before checking,
// then verify the nonce, then check the capability (the nonce alone is not authorization).
$nonce = isset($_POST['my_nonce_name']) ? sanitize_text_field(wp_unslash($_POST['my_nonce_name'])) : '';
if (!wp_verify_nonce($nonce, 'my_action')) {
    wp_die('Security check failed', 'Forbidden', array('response' => 403));
}
if (!current_user_can('manage_options')) {
    wp_die('Insufficient permissions', 'Forbidden', array('response' => 403));
}
// Shorthand that does the nonce check and dies on failure: check_admin_referer('my_action', 'my_nonce_name');
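A complete form-and-handler pair using `admin-post.php`, as an added example rather than code from the original page; the action name `acme_save_banner`, the field names and the `acme_banner_text` option are assumed for illustration.

```php
<?php
/**
 * Added example: an admin form whose handler is protected by a nonce and a
 * capability check. Action, field and option names (acme_*) are assumed.
 */

// 1. Render the form. wp_nonce_field() writes the hidden nonce input.
function acme_render_banner_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'acme_save_banner', 'acme_banner_nonce' ); ?>
        <input type="hidden" name="action" value="acme_save_banner">
        <label>Banner text
            <input type="text" name="banner_text"
                   value="<?php echo esc_attr( get_option( 'acme_banner_text', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the submission. admin_post_{action} fires only for logged-in users;
//    admin_post_nopriv_{action} would be the anonymous variant.
function acme_handle_banner_save() {
    // Nonce first: reject requests that did not originate from our own form.
    // $_POST is slashed by WordPress, so unslash before verifying.
    $nonce = isset( $_POST['acme_banner_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['acme_banner_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'acme_save_banner' ) ) {
        wp_die( 'Security check failed', 'Forbidden', array( 'response' => 403 ) );
    }

    // A nonce proves intent, not authority: the user still needs the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }

    // Sanitize the actual payload on the way in.
    $text = isset( $_POST['banner_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['banner_text'] ) )
        : '';
    update_option( 'acme_banner_text', $text );

    // wp_safe_redirect() refuses off-site targets, so an attacker cannot use
    // the referer to bounce the admin somewhere else.
    $back = wp_get_referer();
    if ( ! $back ) {
        $back = admin_url();
    }
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
add_action( 'admin_post_acme_save_banner', 'acme_handle_banner_save' );
```

For AJAX and REST handlers the same split applies: `check_ajax_referer()` verifies the nonce for admin-ajax requests, and REST routes get the nonce via the `X-WP-Nonce` header while the route's `permission_callback` carries the capability check.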

3. How do you prevent SQL Injection in WordPress?

Answer:

  • Never use raw variables in SQL queries.
  • Use `$wpdb->prepare()`. It takes `sprintf()`-style placeholders (`%s` string, `%d` integer, `%f` float, and since WordPress 6.2 `%i` for a table or column identifier) and quotes and escapes each value before the query reaches MySQL. Only values can be bound this way: for `LIKE` patterns also pass the user input through `$wpdb->esc_like()` so `%` and `_` in it are not treated as wildcards, and never build a column or table name from input on versions without `%i` (whitelist it instead).
  • Use the table-name properties (`$wpdb->users`, `$wpdb->prefix`) rather than hard-coding `wp_`, which breaks on any site with a custom table prefix.
global $wpdb;
// ❌ Bad: $username is interpolated straight into the SQL, so a value such as
// x' OR '1'='1 rewrites the query. The hard-coded wp_ prefix is a second bug.
$wpdb->query("SELECT * FROM wp_users WHERE user_login = '$username'");

// ✅ Good: the value is bound through a placeholder and escaped by prepare().
$user = $wpdb->get_row(
    $wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE user_login = %s", $username)
);
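The cases that usually go wrong even when people know about `prepare()`, as an added example that is not from the original page: `LIKE` patterns, variable-length `IN (...)` lists and identifiers. The table `acme_events` and its columns are assumed for illustration, and the hostile input is constructed.

```php
<?php
/**
 * Added example: $wpdb->prepare() for the cases that trip people up.
 * The table {$wpdb->prefix}acme_events and its columns are assumed names.
 */
global $wpdb;

// Use the prefixed table name rather than hard-coding "wp_".
$table = $wpdb->prefix . 'acme_events';

// %d casts to integer, %s is quoted and escaped, %f is a float.
$user_id = 42;
$status  = "active'; DROP TABLE users; --";   // constructed hostile input
$rows    = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE user_id = %d AND status = %s LIMIT %d",
        $user_id,
        $status,   // arrives in MySQL as the literal string, quote escaped
        10
    )
);

// LIKE: wildcard characters inside user input must be escaped separately,
// otherwise a search for "%" matches every row.
$needle  = '50%';
$pattern = '%' . $wpdb->esc_like( $needle ) . '%';
$matches = $wpdb->get_results(
    $wpdb->prepare( "SELECT id FROM {$table} WHERE title LIKE %s", $pattern )
);

// IN (...) with a variable number of values: one placeholder per value.
// prepare() accepts the values as a single array argument.
$ids          = array( 3, 7, 11 );
$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
$found        = $wpdb->get_col(
    $wpdb->prepare( "SELECT id FROM {$table} WHERE id IN ({$placeholders})", $ids )
);

// Identifiers cannot be passed as %s (they would be quoted as strings).
// Whitelist them; on WordPress 6.2+ %i additionally backtick-quotes the name.
$order_by = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'id';
$allowed  = array( 'id', 'title', 'created_at' );
if ( ! in_array( $order_by, $allowed, true ) ) {
    $order_by = 'id';
}
$sorted = $wpdb->get_results(
    $wpdb->prepare( "SELECT id, title FROM {$table} ORDER BY %i ASC", $order_by )
);
```

The whitelist around `%i` is deliberate: `%i` stops the identifier from breaking out of the query, but it does not stop a user from sorting by a column you never meant to expose.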

4. What are Capabilities and Roles?

Answer:

  • Role: A group of capabilities (e.g., Administrator, Editor, Subscriber).
  • Capability: A specific permission to do something (e.g., `edit_posts`, `manage_options`).

Best Practice: Always check for capabilities (`current_user_can('edit_posts')`), never for role names. `current_user_can('administrator')` happens to work, but it is bad practice: roles can be renamed, removed or recreated with a different set of capabilities, a custom role can carry the same permission under another name, and on multisite a super admin may hold no role at all on a given site. For actions on a specific object, pass the object ID so WordPress can resolve the meta capability (`current_user_can('edit_post', $post_id)`).

5. How would you harden a WordPress installation?

Answer:

  • Updates: Keep Core, Plugins, and Themes updated.
  • Passwords: Enforce strong passwords / 2FA.
  • File Permissions: Restrict write access to files (normally only `wp-content/uploads` needs to be writable by the web server user; `wp-config.php` should be readable by that user and nobody else).
  • Disable XML-RPC: If not used. Besides being a second login endpoint, `xmlrpc.php` offers `system.multicall`, which lets an attacker try hundreds of passwords in one HTTP request, and its pingback method has been abused for reflected DDoS.
  • Limit Login Attempts: Prevent brute forcing.
  • WAF: Use a Web Application Firewall (Cloudflare, Wordfence).
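Two of the items above done in code, as an added example that is not from the original page: disabling XML-RPC and a minimal per-address login throttle, packaged as an mu-plugin. The thresholds, the transient key and the `acme_*` names are assumed; the throttle also assumes no reverse proxy sits in front of PHP.

```php
<?php
/**
 * Added example: hardening in an mu-plugin. Thresholds and acme_* names are
 * assumed. In production prefer a maintained plugin that also handles
 * proxies, IPv6 ranges and distributed attacks.
 */

// --- XML-RPC: turn the endpoint off (only if nothing, e.g. Jetpack or the
//     mobile app, needs it) and stop advertising it in headers and <head>.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// --- Login throttle: after 5 failures from one address, refuse logins for 15 min.
define( 'ACME_LOGIN_MAX_FAILS', 5 );
define( 'ACME_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

function acme_login_key() {
    // Assumption: no reverse proxy. Behind one, REMOTE_ADDR is the proxy and
    // you must read the proxy's client-IP header (after trusting that proxy).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'acme_login_fail_' . md5( $ip );
}

// Count failures per address; each failure extends the window.
add_action( 'wp_login_failed', function () {
    $key   = acme_login_key();
    $fails = (int) get_transient( $key );
    set_transient( $key, $fails + 1, ACME_LOGIN_WINDOW );
} );

// Refuse authentication while over the limit. Priority 40 runs after core's
// username/password (20) and cookie (30) handlers; the last filter's return
// value wins, so even a correct password is rejected during the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( acme_login_key() ) >= ACME_LOGIN_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again in 15 minutes.'
        );
    }
    return $user;
}, 40, 3 );

// A successful login clears the counter.
add_action( 'wp_login', function () {
    delete_transient( acme_login_key() );
} );
```

Dropping this into `wp-content/mu-plugins/` makes it load before ordinary plugins and removes it from the dashboard's deactivate list, which is the right place for settings a site owner should not be able to switch off by accident.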

6. What is the difference between `current_user_can()` and `user_can()`?

Answer:

  • `current_user_can( $capability )`: Checks the permissions of the currently logged-in user. This is the most common check used in themes and plugins.
  • `user_can( $user_id, $capability )`: Checks the permissions of a specific user (by ID or `WP_User` object) without logging in as them. Useful for checking whether an author can edit a particular post before assigning or notifying them. For object-level checks pass the object ID as the third argument so the meta capability resolves correctly: `user_can( $user_id, 'edit_post', $post_id )`.
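Questions 4 and 6 together in working code, as an added example that is not from the original page: why a capability check survives a custom role where a role-name check does not, and `user_can()` with a meta capability for users other than the current one. The `acme_site_manager` role and the `acme_*` helpers are assumed names.

```php
<?php
/**
 * Added example: capability checks versus role checks, and user_can() with a
 * meta capability. The acme_site_manager role and acme_* helpers are assumed.
 */

// A site adds its own role that carries manage_options but is not called
// "administrator". Code that tests the role name locks these users out,
// while a capability check just works.
function acme_register_site_manager_role() {
    add_role(
        'acme_site_manager',
        'Site Manager',
        array(
            'read'           => true,
            'edit_posts'     => true,
            'manage_options' => true,
        )
    );
}
add_action( 'init', 'acme_register_site_manager_role' );

// ❌ Role check: fails for the role above, for anyone whose role was renamed,
//    and for multisite super admins who hold no role on this site.
function acme_can_open_settings_bad() {
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true );
}

// ✅ Capability check: true for every role that was granted the capability,
//    including capabilities added later with WP_Role::add_cap().
function acme_can_open_settings() {
    return current_user_can( 'manage_options' );
}

// user_can() with a meta capability. "edit_post" is resolved per object by
// map_meta_cap(): a user's own draft needs edit_posts, someone else's post
// needs edit_others_posts, a published post also needs edit_published_posts.
// Always pass the post ID; user_can( $uid, 'edit_post' ) without it is wrong.
function acme_users_who_can_edit( $post_id, array $user_ids ) {
    $editors = array();
    foreach ( $user_ids as $uid ) {
        if ( user_can( (int) $uid, 'edit_post', $post_id ) ) {
            $editors[] = (int) $uid;
        }
    }
    return $editors;
}

// Use: e-mail a "pending review" notice only to people who can act on it,
// without switching the current user context to each candidate.
function acme_notify_reviewers( $post_id ) {
    $candidates = get_users( array(
        'fields'   => 'ID',
        'role__in' => array( 'editor', 'author' ),
    ) );
    $edit_link = admin_url( 'post.php?post=' . (int) $post_id . '&action=edit' );
    foreach ( acme_users_who_can_edit( $post_id, $candidates ) as $uid ) {
        $user = get_userdata( $uid );
        wp_mail( $user->user_email, 'Post awaiting review', 'Please review: ' . $edit_link );
    }
}
```

`acme_notify_reviewers()` is the typical reason to reach for `user_can()`: the decision is about somebody else's permissions, and the filtering happens before any side effect, so nobody receives a link to a post they cannot open.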

7. Explain Cross-Site Scripting (XSS) in the context of WordPress.

Answer: XSS occurs when an attacker injects malicious scripts into content that is viewed by other users.

WordPress Context: If a plugin saves user input (like a comment or form field) without sanitization and then outputs it without escaping, a payload such as `<script>alert('hacked')</script>` is stored and later executes in the browser of whoever views it. The high-value target is the admin dashboard: a stored XSS that fires for a logged-in administrator can create a new admin user or install a plugin with that administrator's privileges, so "low-privilege" input that renders in wp-admin (comments, form submissions, order notes) deserves the same care as public output.

Prevention:

  • Sanitize Input: `sanitize_text_field()` for plain text, `wp_kses_post()` when some HTML must survive.
  • Escape Output for the context: `esc_html()` in element content, `esc_attr()` in attributes, `esc_url()` in `href`/`src`, `esc_js()` only for a string inside an inline event-handler attribute, and `wp_json_encode()` (or `wp_add_inline_script()`) to hand data to JavaScript.
  • Content Security Policy (CSP): HTTP headers that restrict where scripts can load from and, with a policy that forbids inline scripts, stop an injected `<script>` tag from running even when an escaping mistake lets it into the page.
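The same stored value rendered unsafely and then safely in three output contexts (HTML body, attribute, JavaScript), plus a CSP header as defence in depth, as an added example that is not from the original page. The meta keys, the `acme_*` functions and the policy string are assumed for illustration, and the attacker input is constructed.

```php
<?php
/**
 * Added example: stored XSS in three output contexts, vulnerable and hardened.
 * Meta keys, acme_* names and the CSP policy are assumed.
 *
 * Constructed attacker input submitted as $_POST['tagline']:
 *   "><script>alert(document.cookie)</script>
 * In the vulnerable version the leading "> closes the title attribute and the
 * script runs for every visitor, including an administrator previewing the post.
 */

// ❌ Vulnerable: stored without sanitization, echoed without escaping.
function acme_save_tagline_bad( $post_id ) {
    update_post_meta( $post_id, '_acme_tagline', $_POST['tagline'] );
}
function acme_render_tagline_bad( $post_id ) {
    $t = get_post_meta( $post_id, '_acme_tagline', true );
    echo '<div title="' . $t . '">' . $t . '</div>';
    echo '<script>var acmeTagline = "' . $t . '";</script>';
}

// ✅ Hardened.
function acme_save_tagline( $post_id ) {
    if ( ! isset( $_POST['tagline'] ) ) {
        return;
    }
    // Sanitize on input: strips tags, line breaks and control characters.
    $t = sanitize_text_field( wp_unslash( $_POST['tagline'] ) );
    update_post_meta( $post_id, '_acme_tagline', $t );
}

function acme_render_tagline( $post_id ) {
    $t = (string) get_post_meta( $post_id, '_acme_tagline', true );

    // Escape on output, even though we sanitized on the way in: the row may
    // have been written by another plugin, an import or direct SQL.
    echo '<div title="' . esc_attr( $t ) . '">' . esc_html( $t ) . '</div>';

    // JavaScript context: hand data over as JSON instead of string-gluing.
    // The JSON_HEX_* flags encode < > & ' " so "</script>" cannot close the tag.
    $json = wp_json_encode( $t, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT );
    echo '<script>var acmeTagline = ' . $json . ';</script>';
}

// Rich text that must keep some HTML: allow only the post-content whitelist,
// which drops <script>, on* handlers and javascript: URLs.
function acme_save_bio( $user_id ) {
    if ( isset( $_POST['bio'] ) ) {
        update_user_meta( $user_id, 'acme_bio', wp_kses_post( wp_unslash( $_POST['bio'] ) ) );
    }
}

// Defence in depth on the front end: a CSP without 'unsafe-inline' refuses
// inline scripts, so an escaping miss elsewhere does not execute. Themes and
// plugins that rely on inline scripts will need nonces or hashes added here.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
} );
```

The `send_headers` hook fires for front-end requests only; wp-admin depends heavily on inline scripts, so a strict policy there has to be built up from hashes rather than copied from this one. For the JavaScript context the more idiomatic route is `wp_add_inline_script()` or `wp_localize_script()`, which do the JSON encoding for you and keep the data next to the script that consumes it.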

8. Why should you disable file editing in the dashboard?

Answer: The built-in Theme and Plugin Editor allows admins to edit PHP files directly from the dashboard.

Risk: If an attacker gains admin access (via compromised password or XSS), they can use this editor to inject a backdoor or malware directly into the site code, turning a web-application compromise into PHP execution on the server.

Fix: Add this to `wp-config.php`:

define( 'DISALLOW_FILE_EDIT', true );

Caveat: this only removes the editor. An admin session can still upload a plugin or theme ZIP, which is the same outcome by another route. The `DISALLOW_FILE_MODS` constant, set the same way, blocks uploads and dashboard updates as well (and implies `DISALLOW_FILE_EDIT`); it is the right setting where code is deployed from version control rather than through the admin UI.