Personally speaking, this is one of my biggest concerns when I am working on custom WordPress plugins and themes. If you develop plugins for WordPress, you should simply follow the WordPress Coding standards. Coding standards helps to improve the readability of code and helps to avoid common coding errors.

Here are few important points I want to share with you –

1) Use Namespace For Your Custom Plugin or Theme. This will avoid same name conflicts with other plugins & theme functions and class.

2) Practice Commenting your code as when your code grows more than few line of codes it can become difficult to know exactly what to do.

3) Prevent XSS Vulnerabilities by Sanitize data input and sanitize output data. It is essential if you are dealing with user inputs. We have several methods to sanitize depending on the data and the context it’s used.

4) Use Nonce Values – Nonce values are short for numbers used once and are used to protect against cross-site request forgeries, or CSRF

5) Prevent Direct Access to your custom plugin files. It is very easy just put if ( ! defined( ‘ABSPATH’ ) ) exit; in the top of your PHP files.

6) Use roles and capabilities to make sure users may do what they are doing.

7) Send all your AJAX requests to ajax-admin.php, and use hooks to handle these requests. Find more details here

8) Use WordPress Functions and Class to implement your logic. That way, your scripts will be less prone to vulnerabilities and if some appears, they will be fixed by the WordPress core contributors and you won’t have to worry to contact all of your clients. Like to do all database related work WordPress had wpdb Class & its a recommended practice to use this class and not write raw queries.

9) Do not modify core WordPress files as it can cause unintended consequences. Always do it as a custom or Must Use WordPress plugin.

10) Check for Errors – make sure your custom WordPress plugin or script doesn’t generate any type of errors. To do this just edit your wp-config.php file and put this code

define( WP_DEBUG, true );
define( 'WP_DEBUG_DISPLAY', true );

For more details please check the official WordPress coding standards page