Plugin Security
Brad Parbs
July 26, 2014
Technology
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” – Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_post_field()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
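The sanitize, escape, database, nonce, remote-data and capability slides above fit together in one request path. The following is an added example, not code from the deck: a small admin form and its handler that use the WordPress functions the slides list. The ps_* function names, the 'ps_contacts' table, the 'ps_nonce' field and the 'ps_last_name' option are assumptions for illustration.

```php
<?php
// Added example, not the deck's code. The ps_* names, the 'ps_contacts' table,
// the 'ps_nonce' field and the 'ps_last_name' option are assumptions.
// Form: emit the nonce field and escape anything echoed into markup.
function ps_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'ps_save_contact', 'ps_nonce' ); // nonce bound to this action
    echo '<input type="hidden" name="action" value="ps_save_contact">';
    echo '<input name="name" value="' . esc_attr( get_option( 'ps_last_name', '' ) ) . '">';
    echo '<input name="email"><button>Save</button></form>';
}

// Handler: capability check, nonce check, sanitize, then a parameterised insert.
function ps_save_contact() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'ps_save_contact', 'ps_nonce' ); // dies if the nonce is bad
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( '' === $name || ! is_email( $email ) ) {
        wp_die( 'Invalid input' );
    }
    global $wpdb;
    // $wpdb->insert() builds the query from format placeholders; no string concatenation.
    $wpdb->insert( $wpdb->prefix . 'ps_contacts', compact( 'name', 'email' ), array( '%s', '%s' ) );
    update_option( 'ps_last_name', $name );
    wp_safe_redirect( admin_url( 'options-general.php?page=ps' ) );
    exit;
}
add_action( 'admin_post_ps_save_contact', 'ps_save_contact' );

// Read side: $wpdb->prepare() for the user-supplied value, esc_html() on output.
function ps_list_contacts( $search ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $search ) ) . '%';
    $sql  = $wpdb->prepare( "SELECT name, email FROM {$wpdb->prefix}ps_contacts WHERE name LIKE %s", $like );
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        echo '<li>' . esc_html( $row->name ) . ' (' . esc_html( $row->email ) . ')</li>';
    }
}

// Remote data: wp_remote_get() instead of raw cURL, and check the result before using it.
function ps_fetch_status( $url ) {
    $response = wp_remote_get( esc_url_raw( $url ), array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    return wp_remote_retrieve_body( $response );
}
```

Sanitizing happens once on the way in, escaping once at the point of output, and the nonce and capability checks both run before any state changes.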
A story about TimThumb
Questions?