WordPress core security should be considered as distinct and separate from plugin security. Assuming you're wanting plugin best practice, I would take a look at https://owasp.org.
Below is the “best of” hit list you need to follow:
Start here https://www.owasp.org/index.php/PHP_Top_5; skip the system-level stuff like safe mode and focus on the many web app vulnerabilities you can avoid, including XSS, parameter tampering, SQL injection, insecure data transmission, authentication and TCP hijack.
Follow with a visit to https://www.owasp.org/index.php/Category:OWASP_PHP_Project
and the security API
https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP
https://code.google.com/p/owasp-esapi-php
https://owasp-esapi-php.googlecode.com/files/esapi4php-contributing.pdf
If you are realizing you can't leave it up to any other plugin or WordPress base code upgrade to fix your security messes, you are farther along than 95% of the WordPress plugin writers.
This will likely be the only valid security coding advice you get. Run with it, don't get discouraged.
Don't depend on your fellow plugin code writers for secure coding advice. One last piece of advice: if they say use plugin X, Y or Z to address web app XSS or SQL injection, they are ignorant or intentionally blowing smoke to encourage downloads of a particular (faulty) plugin they vainly pin their personal (ignorance is bliss) hopes on.
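To make the XSS / parameter tampering / SQL injection points above concrete, here is an added example (not part of the answer above, and not code from any real plugin) of a tiny guestbook handler written twice: once the way a typical plugin does it, and once hardened with the WordPress APIs that exist for exactly this. It assumes it is loaded by WordPress core as a plugin, so `$wpdb`, `esc_html()`, `wp_verify_nonce()` and friends are available; the table `{prefix}gb_entries` and all `gb_*` function and hook names are hypothetical.

```php
<?php
/**
 * Plugin Name: Guestbook Hardening Example
 *
 * Added illustration only. Assumes WordPress core has loaded it as a plugin
 * (wp-content/plugins/), so $wpdb, esc_html(), sanitize_text_field(),
 * wp_verify_nonce() etc. exist. The table {prefix}gb_entries and the gb_*
 * function/hook names are hypothetical.
 */

// DELIBERATELY VULNERABLE (never hooked): request data flows straight into
// SQL and HTML, and the caller's identity is taken from a client-supplied field.
function gb_vulnerable_handler() {
    global $wpdb;
    $author  = $_POST['author'];   // no validation at all
    $user_id = $_POST['user_id'];  // parameter tampering: the client picks the user
    // SQL injection: both values are concatenated into the statement text
    $wpdb->query( "INSERT INTO {$wpdb->prefix}gb_entries (user_id, author) VALUES ($user_id, '$author')" );
    // Reflected XSS: the value is echoed back unescaped
    echo "<p>Thanks, $author</p>";
}

// HARDENED equivalent: CSRF nonce, server-side identity, bounded validation,
// prepared statement, and escaping chosen for the output context.
function gb_hardened_handler() {
    global $wpdb;

    // CSRF: the request must carry a nonce issued for this specific action.
    $nonce = isset( $_POST['gb_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['gb_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'gb_submit' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // Authentication/authorization: identity comes from the session, not a field.
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    $user_id = get_current_user_id();

    // Input validation: unslash (WordPress adds slashes to request data), strip
    // tags and control characters, then enforce a length bound. A whitelist of
    // what is acceptable beats a blacklist of attack strings.
    $author = sanitize_text_field( wp_unslash( $_POST['author'] ?? '' ) );
    if ( '' === $author || mb_strlen( $author ) > 80 ) {
        wp_die( 'Author must be 1-80 characters.', '', array( 'response' => 400 ) );
    }

    // SQL: placeholders keep data out of the query text. The table name is
    // interpolated because identifiers cannot be placeholders; it comes from
    // our own constant, never from the request.
    $table = $wpdb->prefix . 'gb_entries';
    $ok    = $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (user_id, author) VALUES (%d, %s)",
        $user_id,
        $author
    ) );
    if ( false === $ok ) {
        wp_die( 'Could not save entry.', '', array( 'response' => 500 ) );
    }

    // Output escaping happens at the point of output, for the HTML text context.
    printf( '<p>Thanks, %s</p>', esc_html( $author ) );
}

// Shortcode that renders the form. The nonce field is what the handler checks;
// the action URL is escaped for the attribute context it lands in.
function gb_form_shortcode() {
    return sprintf(
        '<form method="post" action="%s">%s'
        . '<input type="hidden" name="action" value="gb_submit">'
        . '<label>Name <input type="text" name="author" maxlength="80" required></label>'
        . '<button type="submit">Sign</button></form>',
        esc_url( admin_url( 'admin-post.php' ) ),
        wp_nonce_field( 'gb_submit', 'gb_nonce', true, false )
    );
}

add_action( 'admin_post_gb_submit', 'gb_hardened_handler' );
add_shortcode( 'gb_form', 'gb_form_shortcode' );
```

Drop the file into `wp-content/plugins/`, activate it, and put `[gb_form]` on a page. Only the hardened handler is hooked; the vulnerable one is left in purely so the two can be read side by side. Note where each control lives: the nonce and capability check at the top of the handler, sanitisation immediately after reading the request, `$wpdb->prepare()` at the query, and `esc_html()` / `esc_url()` at the exact spot the value is written into HTML rather than somewhere "earlier" where the output context is not yet known.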