Shut the front door! – How to avoid the most common critical vulnerabilities when developing your plugin

Almost every week, a new vulnerability is discovered in a popular plugin or theme, and developers have to scramble to fix it before it’s widely exploited. Surprisingly, almost every one of the most common critical vulnerabilities boils down to one of a few mistakes that are easily avoidable. In this talk, we’ll cover why the “is_admin()” and “admin_init()” functions aren’t a safe way to control access, how using “update_option()” can go disastrously wrong, how XSS (Cross-Site Scripting) can happen in the most unexpected places, why nonces are important, and more. Appropriate for beginner to advanced WordPress developers, this talk will cover currently accepted best practices for securing access control, sanitizing user input, and preventing unauthorized changes that can lead to a site takeover.
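To make the abstract's four points concrete, here is an added PHP example (not code from the talk or from any plugin it discusses) that places the broken pattern beside the corrected one: an `admin_init` handler that trusts `is_admin()` as authorization and writes raw request data with `update_option()`, followed by the same handler with a capability check, a nonce, per-field sanitization, a fixed option key, and escaped output. The `myplugin_*` names and the `myplugin_settings` option key are placeholders.

```php
<?php
// Added example, not from the talk. Names beginning with myplugin_ and the
// option key "myplugin_settings" are placeholders.

// ---- Mistake: using is_admin() / admin_init as an authorization check ----
// is_admin() only reports that an admin-area URL (including admin-ajax.php)
// is being served; it says nothing about who the requester is. admin_init
// fires on those same requests. So this handler runs for any visitor who
// can reach admin-ajax.php and lets them write the option unfiltered.
function myplugin_save_settings_unsafe() {
    if ( is_admin() && isset( $_POST['myplugin_settings'] ) ) {
        // No capability check, no nonce, no sanitization.
        update_option( 'myplugin_settings', $_POST['myplugin_settings'] );
    }
}
// add_action( 'admin_init', 'myplugin_save_settings_unsafe' );

// ---- Corrected: capability + nonce + sanitization + hard-coded option key ----
function myplugin_save_settings() {
    if ( ! isset( $_POST['myplugin_settings'] ) ) {
        return;
    }
    // 1. Authorization: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'myplugin' ), 403 );
    }
    // 2. CSRF protection: the form must carry a nonce this plugin issued.
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    // 3. Sanitize each field to the type expected; never store raw input.
    $raw   = (array) wp_unslash( $_POST['myplugin_settings'] );
    $clean = array(
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
        'limit'   => absint( $raw['limit'] ?? 0 ),
    );
    // 4. The option name is fixed in code. Letting the request choose the key
    //    is how update_option() becomes a write to any option, not just yours.
    update_option( 'myplugin_settings', $clean );
}
add_action( 'admin_init', 'myplugin_save_settings' );

// The settings form issues the nonce the handler verifies and escapes every
// stored value on output: a title echoed unescaped is stored XSS.
function myplugin_settings_form() {
    $defaults = array( 'title' => '', 'enabled' => 0, 'limit' => 0 );
    $settings = wp_parse_args( get_option( 'myplugin_settings', array() ), $defaults );
    ?>
    <form method="post">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="myplugin_settings[title]"
               value="<?php echo esc_attr( $settings['title'] ); ?>">
        <input type="number" name="myplugin_settings[limit]"
               value="<?php echo esc_attr( $settings['limit'] ); ?>">
        <label>
            <input type="checkbox" name="myplugin_settings[enabled]" value="1"
                   <?php checked( 1, (int) $settings['enabled'] ); ?>> Enabled
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

The order of the checks matters: the capability check comes before the nonce check so an unauthorized user gets a 403 rather than a nonce failure message, and sanitization happens before any data reaches `update_option()`, not on the way back out. Escaping with `esc_attr()` at output is still required even for sanitized data, because sanitization and escaping guard against different failures.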

Speaker