Jeremiah Grossman posted some good slides about the issue of Cross-Site Request Forgeries (CSRF). We tackled this security issue in WordPress two years ago. I wrote an article about the issue that still holds true (plugin authors should definitely give it a read if any of this sounds unfamiliar). Our method is the token method, with fallback to a slightly modified version of the Are You Sure? method for plugins that haven’t properly implemented the token method. It was a large effort to implement it, but it has paid off handsomely. CSRF is largely a non-issue in WordPress, which means we can focus our efforts on XSS and SQL injection vectors.
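To make the token method concrete for plugin authors, here is an added example of a small plugin that protects a settings form and a state-changing link with WordPress nonces. It is not code from the original post or from WordPress core; the plugin name, the `ndemo_*` function and action names and the `ndemo_greeting` option are hypothetical, and it assumes a WordPress version that provides the `admin_post_{action}` hooks and `submit_button()`, which postdate the post. The form handler uses `check_admin_referer()`, which on a missing or stale token falls through to the "Are you sure?" confirmation screen (`wp_nonce_ays()`); the link handler uses `wp_verify_nonce()`, which only returns a result and leaves the refusal to the caller.

```php
<?php
/*
Plugin Name: CSRF Nonce Demo (added example, not WordPress core code)
*/

// Hypothetical action names; the nonce is bound to the action string, the
// current user and a time window, so each distinct operation gets its own.
define( 'NDEMO_SAVE_ACTION', 'ndemo_save_settings' );
define( 'NDEMO_RESET_ACTION', 'ndemo_reset_settings' );

// Register a settings page under Settings whose form carries a nonce field.
add_action( 'admin_menu', function () {
    add_options_page( 'Nonce Demo', 'Nonce Demo', 'manage_options', 'ndemo', 'ndemo_render_page' );
} );

function ndemo_render_page() {
    $value = get_option( 'ndemo_greeting', '' );
    // Links that change state get their token in the query string.
    $reset_url = wp_nonce_url(
        admin_url( 'admin-post.php?action=' . NDEMO_RESET_ACTION ),
        NDEMO_RESET_ACTION
    );
    ?>
    <div class="wrap">
        <h1>Nonce Demo</h1>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <input type="hidden" name="action" value="<?php echo esc_attr( NDEMO_SAVE_ACTION ); ?>">
            <?php
            // Token method: emits a hidden _wpnonce field (plus a referer field)
            // tied to this action, the logged-in user and the current tick window.
            wp_nonce_field( NDEMO_SAVE_ACTION );
            ?>
            <label>Greeting
                <input type="text" name="greeting" value="<?php echo esc_attr( $value ); ?>">
            </label>
            <?php submit_button( 'Save' ); ?>
        </form>
        <p><a href="<?php echo esc_url( $reset_url ); ?>">Reset greeting</a></p>
    </div>
    <?php
}

// Form handler. check_admin_referer() verifies the token from $_REQUEST; if it
// is absent or expired it does not silently fail but shows the "Are you sure?"
// screen (wp_nonce_ays) and stops, which is the fallback the post describes.
add_action( 'admin_post_' . NDEMO_SAVE_ACTION, function () {
    // A nonce proves intent, not authority: check the capability separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( NDEMO_SAVE_ACTION );

    $greeting = isset( $_POST['greeting'] )
        ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) )
        : '';
    update_option( 'ndemo_greeting', $greeting );

    wp_safe_redirect( add_query_arg( 'ndemo-saved', '1', admin_url( 'options-general.php?page=ndemo' ) ) );
    exit;
} );

// Link handler. wp_verify_nonce() returns 1 or 2 for a valid token (depending
// on its age within the window) and false otherwise; the caller decides what
// to do, so a forged GET request never reaches delete_option().
add_action( 'admin_post_' . NDEMO_RESET_ACTION, function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, NDEMO_RESET_ACTION ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    delete_option( 'ndemo_greeting' );
    wp_safe_redirect( admin_url( 'options-general.php?page=ndemo' ) );
    exit;
} );
```

Two points worth keeping in mind when reading this: the capability check comes before the nonce check because the token only shows the request was produced by a page WordPress rendered for this user, not that the user may perform the action; and the strict `wp_verify_nonce()` path is the one to use for AJAX or API-style endpoints, where an interactive "Are you sure?" page makes no sense and the right answer is a plain refusal.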