Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” (Checkmarx, an application security company)
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
// wp-config.php, development environment only
define( 'WP_DEBUG', true );           // surface notices and warnings
define( 'WP_DEBUG_DISPLAY', false );  // but don't print them into the page
define( 'WP_DEBUG_LOG', true );       // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );       // load unminified core JS/CSS
define( 'WP_CACHE', false );          // no caching layer hiding bugs
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
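The two lists above are two different jobs: sanitize once, when untrusted data arrives, and escape every time a value is printed, for the context it lands in. The following is an added example, not code from the deck; the option layout, field names and the bp_example_* function names are assumptions made for illustration.

```php
<?php
/*
 * Added example (not from the deck): sanitize a settings array on the way in,
 * escape the same values on the way out. Field names are assumptions.
 */

// Sanitize: called once, when untrusted data arrives (e.g. from $_POST).
function bp_example_sanitize_settings( array $raw ) {
	return array(
		// Free text: strips tags, invalid UTF-8 and stray whitespace.
		'display_name' => sanitize_text_field( $raw['display_name'] ?? '' ),
		// Email: drops characters that cannot appear in an address.
		'contact'      => sanitize_email( $raw['contact'] ?? '' ),
		// Integer quantity: absint() never returns a negative number.
		'max_items'    => absint( $raw['max_items'] ?? 0 ),
		// Limited HTML: keep only a whitelist of tags and attributes.
		'bio'          => wp_kses( $raw['bio'] ?? '', bp_example_allowed_html() ),
		// Short identifier: lowercase alphanumerics, dashes and underscores only.
		'slug'         => sanitize_key( $raw['slug'] ?? '' ),
	);
}

function bp_example_allowed_html() {
	return array(
		'a'      => array( 'href' => true, 'title' => true ),
		'em'     => array(),
		'strong' => array(),
	);
}

// Escape: called every time a value is printed, matched to where it lands.
function bp_example_render_card( array $settings ) {
	// Inside an attribute: esc_attr().
	$html  = '<div class="card ' . esc_attr( $settings['slug'] ) . '">';
	// Between tags as text: esc_html().
	$html .= '<h2>' . esc_html( $settings['display_name'] ) . '</h2>';
	// Inside an href: esc_url(), which also rejects javascript: style schemes.
	$html .= '<a href="' . esc_url( 'mailto:' . $settings['contact'] ) . '">';
	$html .= esc_html( $settings['contact'] ) . '</a>';
	// HTML we intend to allow: run wp_kses() again on output rather than
	// trusting that whatever is in the database is still clean.
	$html .= '<p>' . wp_kses( $settings['bio'], bp_example_allowed_html() ) . '</p>';
	// Inside a <textarea>: esc_textarea(), so a closing tag in the value can't break out.
	$html .= '<textarea name="bio">' . esc_textarea( $settings['bio'] ) . '</textarea>';
	$html .= '</div>';
	return $html;
}
```

On save, the handler would call `update_option( 'bp_example_settings', bp_example_sanitize_settings( wp_unslash( $_POST['bp_example'] ) ) )`; `wp_unslash()` is needed because WordPress adds slashes to request data before a plugin sees it. The point of escaping on output even after sanitizing on input is that the stored value may have been written by another plugin, a migration or an older version of this one.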
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
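What prepare() buys you is easiest to see against the concatenated version of the same query. This is an added example, not code from the deck; the table and column names are assumptions, and the unsafe function is included only to show the contrast.

```php
<?php
/*
 * Added example (not from the deck): one lookup written with string
 * concatenation and again with $wpdb->prepare(), plus insert()/update()
 * with format arrays. Table and column names are assumptions.
 */

// Vulnerable: $status is interpolated straight into the SQL, so a value
// containing a quote changes the meaning of the query.
function bp_example_orders_unsafe( $status ) {
	global $wpdb;
	$table = $wpdb->prefix . 'bp_orders';
	return $wpdb->get_results( "SELECT * FROM $table WHERE status = '$status'" );
}

// Fixed: prepare() binds each placeholder (%s string, %d integer, %f float),
// escaping and quoting it, so the value is always data and never SQL.
function bp_example_orders( $status, $orderby = 'id DESC', $limit = 20 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'bp_orders';

	// Column names can't be bound with prepare(); validate them separately.
	// sanitize_sql_orderby() returns false unless the string is "col [ASC|DESC], ...".
	$orderby = sanitize_sql_orderby( $orderby );
	if ( ! $orderby ) {
		$orderby = 'id DESC';
	}

	$sql = $wpdb->prepare(
		"SELECT id, status, total FROM {$table} WHERE status = %s ORDER BY {$orderby} LIMIT %d",
		$status,
		absint( $limit )
	);
	return $wpdb->get_results( $sql );
}

// insert() and update() take arrays and quote values for you. The optional
// format arrays pin each column to %d / %s / %f so a string can't be written
// where an integer is expected.
function bp_example_add_order( $customer_id, $status, $total ) {
	global $wpdb;
	$ok = $wpdb->insert(
		$wpdb->prefix . 'bp_orders',
		array( 'customer_id' => $customer_id, 'status' => $status, 'total' => $total ),
		array( '%d', '%s', '%f' )
	);
	return $ok ? $wpdb->insert_id : false;
}

function bp_example_set_status( $order_id, $status ) {
	global $wpdb;
	return $wpdb->update(
		$wpdb->prefix . 'bp_orders',
		array( 'status' => $status ),  // SET
		array( 'id' => $order_id ),    // WHERE
		array( '%s' ),                 // SET formats
		array( '%d' )                  // WHERE formats
	);
}
```

Two habits are worth keeping from this: never build the WHERE clause by concatenation, and treat identifiers (table and column names, ORDER BY) as a separate problem that prepare() does not solve; a whitelist or sanitize_sql_orderby() covers those.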
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
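The wp_remote_* functions go through WordPress's own HTTP layer, which picks a working transport, honours the site's proxy configuration and keeps certificate verification on by default, so a plugin does not ship its own cURL handling. The following is an added example, not code from the deck; the endpoint URL, the transient name and the response shape are assumptions.

```php
<?php
/*
 * Added example (not from the deck): fetch JSON from a remote service with the
 * WordPress HTTP API, treating both the transport and the body as untrusted.
 * The URL, transient name and response layout are assumptions.
 */
function bp_example_fetch_rates() {
	// Cache first: a third-party outage must not take every page load down with it.
	$cached = get_transient( 'bp_example_rates' );
	if ( false !== $cached ) {
		return $cached;
	}

	$response = wp_remote_get(
		'https://api.example.com/rates', // assumed endpoint
		array(
			'timeout'   => 5,      // fail fast instead of hanging the request
			'sslverify' => true,   // the default, spelled out so it is not "fixed" to false
			'headers'   => array( 'Accept' => 'application/json' ),
		)
	);

	// DNS, connection, TLS and timeout failures come back as WP_Error, not exceptions.
	if ( is_wp_error( $response ) ) {
		error_log( 'bp_example: rates fetch failed: ' . $response->get_error_message() );
		return array();
	}
	if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return array();
	}

	// The body is remote input: check its shape before using any of it.
	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $data ) || empty( $data['rates'] ) || ! is_array( $data['rates'] ) ) {
		return array();
	}

	$rates = array();
	foreach ( $data['rates'] as $code => $value ) {
		$rates[ sanitize_key( $code ) ] = (float) $value;
	}
	set_transient( 'bp_example_rates', $rates, HOUR_IN_SECONDS );
	return $rates;
}

// Sending data works the same way; wp_remote_post() takes the payload in 'body'.
function bp_example_report_event( $event_name ) {
	$response = wp_remote_post(
		'https://api.example.com/events', // assumed endpoint
		array(
			'timeout' => 5,
			'body'    => array( 'event' => sanitize_key( $event_name ), 'site' => home_url() ),
		)
	);
	return ! is_wp_error( $response )
		&& 200 === (int) wp_remote_retrieve_response_code( $response );
}
```

Anything that arrives in the response body gets the same treatment as form input: decode it, check the structure, cast or sanitize each field, and only then let it near the database or the page.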
Check capabilities & roles
current_user_can();
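Nonces and capability checks answer different questions: current_user_can() asks whether this user is allowed to do the action at all, and the nonce asks whether this particular request was made on purpose from our own form rather than from a page the user was tricked into visiting. A handler needs both. This is an added example, not code from the deck; the action names, option name, table name and field names are assumptions.

```php
<?php
/*
 * Added example (not from the deck): an admin form that carries a nonce, and
 * handlers that check capability and nonce before touching any input.
 * Action, option, table and field names are assumptions.
 */

// The form: wp_nonce_field() prints a hidden field tied to the action name.
function bp_example_settings_form() {
	if ( ! current_user_can( 'manage_options' ) ) {
		return; // don't render controls the user can't use anyway
	}
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="bp_example_save">';
	wp_nonce_field( 'bp_example_save', 'bp_example_nonce' );
	echo '<input type="text" name="tagline" value="'
		. esc_attr( get_option( 'bp_example_tagline', '' ) ) . '">';
	submit_button( 'Save' );
	echo '</form>';
}

// The POST handler, on admin_post_{action}.
function bp_example_handle_save() {
	// 1. Authorization: may this user do this at all?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	// 2. Intent: did the request come from our form? check_admin_referer()
	//    calls wp_die() itself when the nonce is missing, wrong or expired.
	check_admin_referer( 'bp_example_save', 'bp_example_nonce' );

	// 3. Only now read and sanitize the input.
	$tagline = sanitize_text_field( wp_unslash( $_POST['tagline'] ?? '' ) );
	update_option( 'bp_example_tagline', $tagline );

	$back = wp_get_referer() ? wp_get_referer() : admin_url();
	wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
	exit;
}
add_action( 'admin_post_bp_example_save', 'bp_example_handle_save' );

// State-changing links carry the nonce in the query string instead.
// Putting the item id in the action string means a nonce minted for one
// item cannot be replayed against another.
function bp_example_delete_link( $item_id ) {
	$item_id = absint( $item_id );
	$url     = add_query_arg(
		array( 'action' => 'bp_example_delete', 'item' => $item_id ),
		admin_url( 'admin-post.php' )
	);
	return wp_nonce_url( $url, 'bp_example_delete_' . $item_id, '_wpnonce' );
}

function bp_example_handle_delete() {
	global $wpdb;
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
	}
	$item_id = absint( $_GET['item'] ?? 0 );
	// wp_verify_nonce() returns 1 or 2 on success and false on failure.
	if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'bp_example_delete_' . $item_id ) ) {
		wp_die( 'Link expired, please try again', '', array( 'response' => 403 ) );
	}
	$wpdb->delete( $wpdb->prefix . 'bp_items', array( 'id' => $item_id ), array( '%d' ) );

	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
	exit;
}
add_action( 'admin_post_bp_example_delete', 'bp_example_handle_delete' );
```

Order matters: the capability check comes first so that an unauthorized user gets a 403 regardless of the nonce, the nonce check second, and the input is read only after both pass. A nonce on its own is not an authorization check, and a capability check on its own does not stop a logged-in administrator from being made to submit the form from another site.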
Use native functions
A story about TimThumb
Questions?