Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” — Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
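The two slides above are a list of function names; the example below, added here and not part of the talk, shows where each kind of function goes in a plugin: sanitize in the callback that runs before an option is saved, escape at the point where a value is printed. The option name 'example_options', the settings group, the field names and the example_* function names are assumptions made for this example.

```php
<?php
// Added example (not from the slides). Option name, settings group, field
// names and example_* function names are assumptions for illustration.

// Register the option with a sanitize callback; WordPress runs it before saving.
add_action( 'admin_init', 'example_register_settings' );
function example_register_settings() {
    register_setting( 'example_options_group', 'example_options', 'example_sanitize_options' );
}

// The tag allow-list used for the rich-text field, both on input and on output.
function example_allowed_tags() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
}

// Sanitize: choose the function that matches the type each field should hold.
function example_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Integer: absint() turns anything into a non-negative integer.
    $clean['items_per_page'] = isset( $input['items_per_page'] ) ? absint( $input['items_per_page'] ) : 10;

    // Plain string: strips tags, invalid UTF-8 and line breaks.
    $clean['headline'] = isset( $input['headline'] ) ? sanitize_text_field( $input['headline'] ) : '';

    // Email: drops characters that cannot appear in an address.
    $clean['contact_email'] = isset( $input['contact_email'] ) ? sanitize_email( $input['contact_email'] ) : '';

    // CSS class: only letters, digits, underscores and hyphens survive.
    $clean['css_class'] = isset( $input['css_class'] ) ? sanitize_html_class( $input['css_class'] ) : '';

    // Limited HTML: wp_kses() keeps only the tags and attributes on the allow-list.
    $clean['description'] = isset( $input['description'] ) ? wp_kses( $input['description'], example_allowed_tags() ) : '';

    return $clean;
}

// Output: escape each value for the context it lands in. Sanitizing on input does
// not replace this; the stored value may have been written by other code.
function example_render_box() {
    $defaults = array( 'items_per_page' => 10, 'headline' => '', 'contact_email' => '', 'css_class' => '', 'description' => '' );
    $opts     = wp_parse_args( get_option( 'example_options', array() ), $defaults );

    echo '<div class="' . esc_attr( $opts['css_class'] ) . '">';                     // attribute context
    echo '<h2>' . esc_html( $opts['headline'] ) . '</h2>';                            // text between tags
    echo '<p>' . wp_kses( $opts['description'], example_allowed_tags() ) . '</p>';    // HTML with allow-list
    echo '<a href="' . esc_url( 'mailto:' . $opts['contact_email'] ) . '">Contact</a>'; // URL context
    echo '<p>' . absint( $opts['items_per_page'] ) . ' items per page</p>';          // the integer cast is the escape
    echo '</div>';
}

// The settings form itself also needs escaping: current values go into attributes
// and into a <textarea>, which has its own escaping function.
function example_render_fields() {
    $opts     = get_option( 'example_options', array() );
    $headline = isset( $opts['headline'] ) ? $opts['headline'] : '';
    $desc     = isset( $opts['description'] ) ? $opts['description'] : '';
    echo '<input type="text" name="example_options[headline]" value="' . esc_attr( $headline ) . '">';
    echo '<textarea name="example_options[description]">' . esc_textarea( $desc ) . '</textarea>';
}
```

The rule of thumb the example follows: sanitize decides what a value is allowed to be (an integer, an email, a few HTML tags), escape decides how it is written into HTML so it cannot break out of the attribute, tag or URL it is placed in. Both are needed, and the escaping function is chosen by output context, not by data type.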
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
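An added example of the three $wpdb calls on the slide, not from the talk, against an assumed custom table named {$wpdb->prefix}example_log with columns id, user_id, message and created. The table, its columns and the example_* function names are assumptions for this example; it also uses sanitize_sql_orderby() from the earlier slide for the one part of a query that placeholders cannot cover.

```php
<?php
// Added example (not from the slides). Table, columns and function names are assumed.

function example_log_insert( $user_id, $message ) {
    global $wpdb;
    // insert() builds the INSERT itself; the format array types each column
    // (%d integer, %s string), so no quoting is done by hand.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'example_log',
        array(
            'user_id' => absint( $user_id ),
            'message' => sanitize_text_field( $message ),
            'created' => current_time( 'mysql' ),
        ),
        array( '%d', '%s', '%s' )
    );
    return ( false === $ok ) ? 0 : (int) $wpdb->insert_id;
}

function example_log_update_message( $id, $message ) {
    global $wpdb;
    // update( table, data, where, data formats, where formats )
    return $wpdb->update(
        $wpdb->prefix . 'example_log',
        array( 'message' => sanitize_text_field( $message ) ),
        array( 'id' => absint( $id ) ),
        array( '%s' ),
        array( '%d' )
    );
}

function example_log_search( $user_id, $term, $orderby = 'created DESC' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_log';

    // Unsafe pattern for comparison:  "... WHERE message LIKE '%" . $term . "%'"
    // A quote in $term ends the string and the rest is parsed as SQL.
    // prepare() quotes %s and casts %d, so $term can never change the query shape.

    // LIKE has its own metacharacters (% and _); esc_like() neutralises them in
    // the user-supplied part before the wildcards are added around it.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    // ORDER BY cannot be a placeholder. sanitize_sql_orderby() accepts only
    // "column [ASC|DESC], ..." and returns false for anything else.
    $orderby = sanitize_sql_orderby( $orderby );
    if ( false === $orderby ) {
        $orderby = 'created DESC';
    }

    $sql = $wpdb->prepare(
        "SELECT id, message, created FROM {$table} WHERE user_id = %d AND message LIKE %s ORDER BY {$orderby} LIMIT %d",
        absint( $user_id ),
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}
```

insert() and update() never see raw SQL at all, which is why they are preferred where they fit. For a SELECT there is no helper, so prepare() carries the values and the only pieces interpolated directly are the table name (built from $wpdb->prefix) and an ORDER BY that has been checked against a fixed pattern.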
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
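The point behind "CURL is bad" is that wp_remote_get(), wp_remote_post() and wp_remote_request() go through the WP_Http class, which picks a working transport on the host, honours the site's proxy settings and makes the error handling uniform. The example below is added here and is not from the talk; the URL, the transient name, the expected JSON shape ({"status": "..."}) and the example_* function names are assumptions.

```php
<?php
// Added example (not from the slides). URL, cache key, JSON shape and function
// names are assumptions for illustration.

function example_fetch_remote_status( $url ) {
    // Cache first: a remote call on every page load is slow and makes the site
    // depend on the other host being up.
    $cached = get_transient( 'example_remote_status' );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get( $url, array(
        'timeout'   => 10,    // default is 5 s; never leave a remote call unbounded
        'sslverify' => true,  // keep certificate verification on
        'headers'   => array( 'Accept' => 'application/json' ),
    ) );

    // Transport-level failure (DNS, TLS, timeout) comes back as a WP_Error.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // HTTP-level failure: the request went through but the server refused.
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'example_http_status', sprintf( 'Unexpected HTTP status %d', $code ) );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || ! isset( $data['status'] ) ) {
        return new WP_Error( 'example_bad_body', 'Response was not the expected JSON' );
    }

    // Remote data is untrusted input just like a form field: sanitize before
    // storing, and escape again when it is printed.
    $status = sanitize_text_field( $data['status'] );
    set_transient( 'example_remote_status', $status, 5 * MINUTE_IN_SECONDS );
    return $status;
}

function example_send_event( $url, array $payload ) {
    // wp_remote_post() form-encodes 'body' when it is given an array.
    $response = wp_remote_post( $url, array(
        'timeout' => 10,
        'body'    => $payload,
    ) );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    return 200 === (int) wp_remote_retrieve_response_code( $response );
}

// Any other verb goes through wp_remote_request() with 'method' set.
function example_delete_remote( $url, $token ) {
    $response = wp_remote_request( $url, array(
        'method'  => 'DELETE',
        'timeout' => 10,
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
    ) );
    return ! is_wp_error( $response ) && 204 === (int) wp_remote_retrieve_response_code( $response );
}

// Usage in a template; the returned value is escaped at output like any other.
// $status = example_fetch_remote_status( 'https://status.example.invalid/api' );
// echo is_wp_error( $status ) ? 'unavailable' : esc_html( $status );
```

Two checks are easy to forget with the raw cURL functions and are the reason for the two separate error branches here: is_wp_error() for the request never completing, and the response code for the request completing with an answer you did not want. Treating the body as untrusted is the third.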
Check capabilities & roles
current_user_can();
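The nonce slide and the capabilities slide belong together, so the example below, added here and not part of the talk, covers both: a settings form protected by wp_nonce_field() and check_admin_referer(), an action link built with wp_nonce_url(), and an AJAX handler using wp_create_nonce() and wp_verify_nonce(), each paired with a current_user_can() check. The action names, field names, option name, script handle and capability choices are assumptions for this example.

```php
<?php
// Added example (not from the slides). Action names, field names, option name,
// script handle and the capabilities checked are assumptions for illustration.

// --- Form: the nonce is a hidden field tied to an action name. ---
function example_render_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // do not show the form to users who cannot submit it
    }
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'example_save_settings', 'example_nonce' );
    echo '<input type="hidden" name="action" value="example_save">';
    echo '<input type="text" name="headline" value="' . esc_attr( get_option( 'example_headline', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// --- Handler: capability check, then nonce check, then sanitized input. ---
add_action( 'admin_post_example_save', 'example_handle_save' );
function example_handle_save() {
    // Capability: is this user allowed to do this at all? A nonce does not answer
    // that; any logged-in user can obtain a valid nonce for their own session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    // Nonce: did this request come from the form we rendered for this user, rather
    // than from a page elsewhere? check_admin_referer() calls wp_die() on failure.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    $headline = isset( $_POST['headline'] ) ? sanitize_text_field( wp_unslash( $_POST['headline'] ) ) : '';
    update_option( 'example_headline', $headline );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// --- Links: an action link carries its nonce in the query string. ---
function example_delete_link( $post_id ) {
    $url = add_query_arg( array( 'action' => 'example_delete', 'id' => absint( $post_id ) ), admin_url( 'admin-post.php' ) );
    // Folding the id into the action name means a nonce for post 7 is useless for post 8.
    return wp_nonce_url( $url, 'example_delete_' . absint( $post_id ), 'example_nonce' );
}

add_action( 'admin_post_example_delete', 'example_handle_delete' );
function example_handle_delete() {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    // Meta capability: may this user delete this particular post?
    if ( ! $id || ! current_user_can( 'delete_post', $id ) ) {
        wp_die( 'Insufficient permissions', 'Forbidden', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_delete_' . $id, 'example_nonce' );
    wp_delete_post( $id, true );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// --- AJAX: wp_verify_nonce() returns false instead of dying, so the handler
//     picks the response. The nonce is minted with wp_create_nonce() and handed
//     to the script through wp_localize_script(). ---
add_action( 'admin_enqueue_scripts', 'example_enqueue' );
function example_enqueue() {
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_ajax' ),
    ) );
}

add_action( 'wp_ajax_example_feature', 'example_ajax_feature' );
function example_ajax_feature() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_ajax' ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce' ), 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( ! $id || ! current_user_can( 'edit_post', $id ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    update_post_meta( $id, 'example_featured', 1 );
    wp_send_json_success( array( 'id' => $id ) );
}
```

The order inside each handler is deliberate: the capability check says whether the user may perform the action, the nonce check says whether the request was really initiated by that user from our own page, and only then is the input read and sanitized. Dropping either check leaves a different hole: without the capability check, any logged-in user with a valid nonce can act; without the nonce, an administrator can be made to act by visiting a page that submits the form for them.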
Use native functions
A story about TimThumb
Questions?