Security

Security is the foundation of Tofido Code Manager. When a plugin allows executing custom code, every layer of protection matters. This document explains the security architecture and how to use it effectively.

Safe Mode for PHP Snippets

Safe Mode is the most important security feature for PHP snippets. It creates an isolated execution environment where you can test code without risking your live site.

How Safe Mode Works

When you enable Safe Mode for a PHP snippet:

  1. The snippet executes in a separate PHP process with limited scope
  2. All output is captured and displayed for review
  3. If a fatal error occurs, the snippet is automatically disabled
  4. No changes are made to the database or filesystem during testing
  5. The execution timeout is limited to prevent infinite loops

Using Safe Mode

  1. Create or edit a PHP snippet
  2. Write your code in the editor
  3. Click Test in Safe Mode before publishing
  4. Review the output and any warnings
  5. If successful, publish the snippet

Critical

Never publish a PHP snippet without testing in Safe Mode first. Even experienced developers can make mistakes that cause fatal errors. Safe Mode is your safety net.

Dangerous Function Scanning

The plugin automatically scans PHP snippets for functions that could compromise site security or stability.

Scanned Function Categories

  • File System: eval(), exec(), system(), passthru(), shell_exec(), proc_open()
  • Database: Raw SQL execution without preparation
  • Network: Unrestricted external requests
  • Code Injection: create_function(), assert()

Warning Levels

  • Block: The snippet cannot be published until the function is removed or replaced
  • Warning: The snippet can be published, but a prominent warning is displayed
  • Info: Informational notice about potential risks

If you believe a warning is a false positive for your use case, you can add an inline comment explaining the necessity:

PHP
// tofido-allow: shell_exec
// Required for server-side image optimization
$output = shell_exec('optipng -o2 image.png');
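How such a scan can be built so that it matches real calls rather than string contents, as an added example that is not Tofido Code Manager's own scanner: it tokenizes the snippet, ignores method and static calls, and honours the tofido-allow comment shown above. The warning level assigned to each function is an assumption.

```php
<?php
// Added illustration, not Tofido Code Manager's own scanner: token-based detection
// of the functions listed above that honours a "// tofido-allow: name" comment placed
// before the call. The warning level assigned to each function here is an assumption.
const TOFIDO_RULES = [
    'eval' => 'block', 'exec' => 'block', 'system' => 'block', 'passthru' => 'block',
    'shell_exec' => 'block', 'proc_open' => 'block', 'create_function' => 'block',
    'assert' => 'warning',
];

/** Nearest non-whitespace token before ($step = -1) or after ($step = 1) index $i. */
function tofido_sig(array $tokens, int $i, int $step)
{
    for ($j = $i + $step; isset($tokens[$j]); $j += $step) {
        if (!is_array($tokens[$j]) || $tokens[$j][0] !== T_WHITESPACE) { return $tokens[$j]; }
    }
    return null;
}

/** Returns [['line' => int, 'function' => string, 'level' => string], ...]. */
function tofido_scan(string $code): array
{
    // Prepend an open tag (no newline, so reported line numbers match the snippet).
    $tokens = token_get_all(substr(ltrim($code), 0, 2) === '<?' ? $code : '<?php ' . $code);
    $allowed = []; $findings = [];   // names justified by a tofido-allow comment seen so far
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) { continue; }           // single-character tokens: ( ) ; ...
        [$id, $text, $line] = $tok;
        if (($id === T_COMMENT || $id === T_DOC_COMMENT)
            && preg_match('/tofido-allow:\s*([a-z0-9_]+)/i', $text, $m)) {
            $allowed[strtolower($m[1])] = true;
            continue;
        }
        // Plain names (exec), the eval construct, and fully qualified names (\exec on PHP 8).
        $isName = $id === T_STRING || $id === T_EVAL || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !isset(TOFIDO_RULES[$name]) || tofido_sig($tokens, $i, 1) !== '(') { continue; }
        // Skip methods, static calls and declarations: $o->exec(), Foo::exec(), function exec().
        $prev = tofido_sig($tokens, $i, -1);
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) { continue; }
        $findings[] = ['line' => $line, 'function' => $name,
                       'level' => isset($allowed[$name]) ? 'info' : TOFIDO_RULES[$name]];
    }
    return $findings;
}

// Constructed sample: line 2 is justified by the comment, line 3 is not, line 4 is a method call.
$sample = "// tofido-allow: shell_exec\n\$out = shell_exec('optipng -o2 image.png');\n"
        . "\$x = \\exec('date');\n\$y = \$img->exec();";
foreach (tofido_scan($sample) as $f) { echo "{$f['level']}: {$f['function']} on line {$f['line']}\n"; }
```

The justified shell_exec call is reported at the Info level so it still appears in review output, while the unjustified exec call keeps its Block level.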

Capability Checks

Every management action in Tofido Code Manager requires explicit WordPress capabilities. The minimum required capability is manage_options, which is only granted to administrators by default.

Protected Actions

  • Creating, editing, or deleting snippets
  • Changing snippet status (draft/published)
  • Importing or exporting snippets
  • Modifying plugin settings
  • Restoring revisions

Custom Capability Filter

Developers can customize the required capability using the filter:

PHP
// Require custom capability for snippet management
add_filter('tofido_code_manager_capability', function($cap) {
    return 'custom_snippet_capability';
});

Nonce Protection

All AJAX requests and form submissions include WordPress nonce verification. This prevents Cross-Site Request Forgery (CSRF) attacks.

Nonces are generated per-user, per-action, and time-limited. Even if an attacker tricks an admin into visiting a malicious link, no snippet management actions can be performed without a valid nonce.

AJAX Security Validation

The plugin's AJAX endpoints implement multiple security layers:

  1. Nonce verification on every request
  2. Capability checking before processing
  3. Input sanitization for all user-provided data
  4. Output escaping for all responses
  5. Rate limiting on snippet execution endpoints
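The five layers above, together with the capability filter from the previous section, in one AJAX handler; this is an added example, not Tofido Code Manager's own code. The filter name is the documented one, while the AJAX action, nonce action, script handle and option key are assumptions.

```php
<?php
// Added illustration of the layers listed above, not Tofido Code Manager's own
// handler. The filter name is the documented one; the AJAX action, nonce action,
// script handle and option key are assumptions chosen for this example.

// The capability is resolved through the documented filter. Note that returning a
// capability no role has (a typo, say) locks every user out, including administrators.
function tofido_example_capability(): string
{
    return (string) apply_filters('tofido_code_manager_capability', 'manage_options');
}

// Hand the per-user, per-action nonce to the (already registered) admin script.
add_action('admin_enqueue_scripts', function () {
    wp_localize_script('tofido-example-admin', 'tofidoExample', [
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('tofido_example_set_status'),
    ]);
});

// Logged-in users only: no wp_ajax_nopriv_ registration exists for this action.
add_action('wp_ajax_tofido_example_set_status', function () {
    // 1. Nonce verification: check_ajax_referer() terminates with 403 on failure.
    check_ajax_referer('tofido_example_set_status', 'nonce');

    // 2. Capability check: a valid nonce from a low-privilege user is still rejected.
    if (!current_user_can(tofido_example_capability())) {
        wp_send_json_error(['message' => 'Insufficient permissions.'], 403);
    }

    // 5. Rate limiting: crude per-user counter in a transient, checked before any change.
    $key = 'tofido_example_rl_' . get_current_user_id();
    $hits = (int) get_transient($key);
    if ($hits >= 30) {
        wp_send_json_error(['message' => 'Too many requests.'], 429);
    }
    set_transient($key, $hits + 1, MINUTE_IN_SECONDS);

    // 3. Input sanitization: coerce the id, allow-list the status value.
    $id     = absint($_POST['snippet_id'] ?? 0);
    $status = sanitize_key(wp_unslash($_POST['status'] ?? ''));
    if ($id === 0 || !in_array($status, ['draft', 'published'], true)) {
        wp_send_json_error(['message' => 'Invalid snippet id or status.'], 400);
    }
    update_option("tofido_example_status_{$id}", $status);   // assumed storage

    // 4. Output escaping: only validated values go back, JSON-encoded by WordPress.
    wp_send_json_success(['snippet_id' => $id, 'status' => esc_html($status)]);
});
```

Each wp_send_json_* call ends the request, so the checks cannot be bypassed by falling through; the transient counter is deliberately simple and is not race-safe under concurrent requests.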

Automatic Error Recovery

If a published PHP snippet causes a fatal error:

  1. The error is caught by a custom error handler
  2. The problematic snippet is automatically disabled
  3. An admin notification is sent with error details
  4. The site continues functioning normally
  5. The snippet can be fixed and re-enabled from the dashboard

This recovery system ensures that even the most severe coding mistakes cannot take your site offline.
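The mechanism behind that recovery, as an added example rather than the plugin's own handler: a fatal error never reaches set_error_handler(), so the trap has to be a shutdown function that inspects error_get_last() and disables whichever snippet was live. The option key and the snippet runner are assumptions.

```php
<?php
// Added illustration of the recovery pattern described above, not Tofido Code
// Manager's own handler. Fatal errors never reach set_error_handler(), so the
// trap is a shutdown function that inspects error_get_last(). The option key
// and the snippet runner below are assumptions chosen for this example.

const TOFIDO_EXAMPLE_FATAL = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_RECOVERABLE_ERROR];

final class TofidoExampleGuard
{
    /** Id of the snippet executing right now; null between snippets. */
    private static ?int $running = null;

    public static function install(): void
    {
        register_shutdown_function([self::class, 'onShutdown']);
    }

    /** Run one snippet while recording which snippet is live. */
    public static function run(int $id, callable $snippet): void
    {
        if (in_array($id, (array) get_option('tofido_example_disabled', []), true)) {
            return;   // a snippet that failed earlier stays off until re-enabled
        }
        self::$running = $id;
        $snippet();
        self::$running = null;   // only reached when the snippet returned normally
    }

    public static function onShutdown(): void
    {
        $err = error_get_last();   // also set for an uncaught exception (type E_ERROR)
        if (self::$running === null || $err === null
            || !in_array($err['type'], TOFIDO_EXAMPLE_FATAL, true)) {
            return;   // clean shutdown, or a fatal raised outside any snippet
        }
        // Disable the culprit so the next request loads without it, then notify an admin.
        $disabled = (array) get_option('tofido_example_disabled', []);
        $disabled[] = self::$running;
        update_option('tofido_example_disabled', array_values(array_unique($disabled)));
        wp_mail(get_option('admin_email'), 'Snippet disabled after fatal error',
            sprintf("Snippet %d was disabled.\n%s in %s on line %d",
                self::$running, $err['message'], $err['file'], $err['line']));
    }
}

TofidoExampleGuard::install();
```

The request that hit the fatal still fails; the protection is that every following request skips the disabled snippet, which is what keeps the site reachable.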

Syntax Validation

Before any snippet is saved, its syntax is validated:

  • CSS: Parsed for malformed rules, missing braces, and invalid selectors
  • JavaScript: Checked for syntax errors using a JavaScript parser
  • PHP: Validated with php -l equivalent linting
  • HTML: Checked for unclosed tags and malformed attributes

Syntax errors are highlighted in the editor with line numbers and descriptive messages.

Import Safety

When importing snippets via JSON:

  1. All imported snippets are set to Draft status by default
  2. JSON structure is validated against the schema
  3. Each snippet undergoes the same syntax validation as manual creation
  4. Dangerous function scanning applies to imported PHP snippets
  5. Import source tracking is logged for audit purposes

Best Practice

Always review imported snippets before publishing. Even if they come from a trusted source, your environment may differ from the author's. Test each snippet in Safe Mode if it contains PHP.

PHP Execution Model

PHP snippets in Tofido Code Manager execute entirely in memory. Unlike some competing solutions:

  • No cache files are written to the filesystem for PHP snippets
  • No eval() is used - code runs through proper WordPress hook integration
  • No persistent storage of executable code outside the database
  • Execution is scoped to prevent variable leakage

This design minimizes the attack surface and ensures that disabling a snippet immediately stops its execution.

Security Checklist

Before publishing any snippet, verify:

  • PHP snippets have been tested in Safe Mode
  • No dangerous function warnings are ignored without justification
  • Display conditions are correctly configured
  • The snippet is necessary and optimized
  • Imported snippets have been reviewed and tested
  • Only trusted administrators have snippet management access