I've recently inherited a website where the previous dev has created their own plugin. It was written a few years ago but the dev left, the site hasn't been updated and so it's over to me :)
The functions are grouped by relevance to each other in their own PHP files and included in the plugin's functions.php file, which I assume is to keep the theme files clean.
Some of the code is simple shortcodes, some of it is manipulating their own MySQL tables to store customer addresses and orders.
The code in each function is wrapped with:
    function blah() {
        if (is_user_logged_in()) {
            ob_start();
            global $wpdb;
            // blah blah blah
            return ob_get_clean();
        } else {
            echo "Not logged in";
            wp_redirect(home_url());
            exit;
        }
    }
And all the DB interactions appear to be cleaned before being actioned, and it uses variables such as $querystr and $wpdb->insert etc.
The staff have their own WP users and log in via the WordPress login page. They are directed to different pages depending on their roles. Some get to insert, update and delete, others just get to see custom reports to let them know what they are supposed to do on a given day.
So my question is, is that enough for it to be considered secure (from both a WP and DB view) or should I be looking to add something else?
[e] Got the wrong brackets for the BBCode, hopefully it's right now.
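For comparison with the wrapper pattern quoted in the question, here is an added example (not the inherited plugin's code) of the same shape with a capability check instead of only is_user_logged_in(), the redirect issued before any output, request values bound with $wpdb->prepare(), and stored data escaped on output. The function names, the capabilities 'view_order_reports' and 'edit_customer_addresses', and the table names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's code. Capability names and tables are assumed.

function plugin_order_report( $atts ) {
    // Logged in only says the user has an account; a capability (granted to the
    // relevant roles) says what they may do, so check that as well.
    if ( ! is_user_logged_in() || ! current_user_can( 'view_order_reports' ) ) {
        // Redirect before any output: an echo before wp_redirect() breaks it.
        wp_safe_redirect( home_url() );
        exit;
    }

    global $wpdb;
    $table = $wpdb->prefix . 'plugin_orders';

    // Request input is untrusted: validate it, then bind it with prepare().
    $customer_id = absint( $_GET['customer_id'] ?? 0 );

    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, address, placed_at FROM {$table} WHERE customer_id = %d LIMIT %d",
            $customer_id,
            50
        )
    );

    ob_start();
    foreach ( $rows as $row ) {
        // Escape on output so stored data cannot inject markup into the page.
        printf( '<p>%d: %s (%s)</p>', (int) $row->id, esc_html( $row->address ), esc_html( $row->placed_at ) );
    }
    return ob_get_clean();
}
add_shortcode( 'order_report', 'plugin_order_report' );

// For handlers that write, a nonce ties the request to the form that produced it,
// and $wpdb->insert() with %d/%s formats binds the values.
function plugin_save_address() {
    if ( ! current_user_can( 'edit_customer_addresses' ) || ! check_admin_referer( 'plugin_save_address' ) ) {
        wp_die( 'Not allowed' );
    }
    global $wpdb;
    $wpdb->insert(
        $wpdb->prefix . 'plugin_addresses',
        array(
            'customer_id' => absint( $_POST['customer_id'] ?? 0 ),
            'address'     => sanitize_text_field( wp_unslash( $_POST['address'] ?? '' ) ),
        ),
        array( '%d', '%s' )
    );
}
```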
