Plugin Security

July 26, 2014

150

Plugin Security

Brad Parbs

July 26, 2014

Tweet

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

690

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

180

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

320

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

410

WordCamp Baltimore - Let's Get Sassy!

2

500

Starter Themes for Appleton WordPress Meetup

1

180

#WCGR - Getting SASSy

4

290

#WCPVD - Getting SASSy

2

280

WordCamp Chicago 2013 - Template Hiearchy

1

170

Other Decks in Technology

See All in Technology

Context Engineeringが企業で不可欠になる理由

PRO

3

530

外部キー制約の知っておいて欲しいこと - RDBMSを正しく使うために必要なこと / FOREIGN KEY Night

PRO

12

5.2k

モダンUIでフルサーバーレスなAIエージェントをAmplifyとCDKでサクッとデプロイしよう

4

180

Azure Durable Functions で作った NL2SQL Agent の精度向上に取り組んだ話/jat08

0

170

FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE

0

130

Ruby版 JSXのRuxが気になる

PRO

0

140

Amazon Bedrock Knowledge Basesチャンキング解説！

0

130

Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf

2

530

プロダクト成長を支える開発基盤とスケールに伴う課題

4

1.3k

茨城の思い出を振り返る～CDKのセキュリティを添えて～ / 20260201 Mitsutoshi Matsuo

PRO

1

230

配列に見る bash と zsh の違い

1

130

All About Sansan – for New Global Engineers

PRO

1

1.3k

Featured

See All Featured

Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge

0

160

Highjacked: Video Game Concept Design

PRO

1

290

Java REST API Framework Comparison - PWX 2021

34

9.1k

Redefining SEO in the New Era of Traffic Generation

1

210

Cheating the UX When There Is Nothing More to Optimize - PixelPioneers

stephaniewalter

287

14k

How to Align SEO within the Product Triangle To Get  Buy-In & Support - #RIMC

1

1.4k

Tell your own story through comics

1

810

Put a Button on it: Removing Barriers to Going Fast.

60

4.2k

Making the Leap to Tech Lead

135

9.7k

The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)

PRO

0

240

The browser strikes back

0

360

Navigating Algorithm Shifts & AI Overviews - #SMXNext

0

1.1k

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None