Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
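Putting the checklist together, as an added example that is not code from the deck: one admin form handler plus its output routine, covering capability check, nonce check, sanitizing on input, a prepared query, and escaping on output. The nonce action name, table name and form field names are hypothetical.

```php
<?php
// Added example, not from the deck: a form handler and a render routine that
// apply the checklist above (capability, nonce, sanitize, prepared query,
// escape). Table, field and action names are hypothetical.

// Receives POST from a form rendered with wp_nonce_field( 'myplugin_save_note' ).
add_action( 'admin_post_myplugin_save_note', 'myplugin_handle_save_note' );

function myplugin_handle_save_note() {
    global $wpdb;
    // Check capabilities: is this user allowed to do this at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), 403 );
    }
    // Check the nonce so a forged cross-site request is rejected.
    check_admin_referer( 'myplugin_save_note' );

    // Sanitize all the things: each field gets the sanitizer matching its type.
    $title = sanitize_text_field( wp_unslash( $_POST['note_title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['note_body'] ?? '' ) );
    $views = absint( $_POST['note_views'] ?? 0 );
    $url   = esc_url_raw( wp_unslash( $_POST['note_url'] ?? '' ) );

    // Database: $wpdb->insert() with format specifiers, never string concatenation.
    $table = $wpdb->prefix . 'myplugin_notes'; // hypothetical table
    $wpdb->insert(
        $table,
        array( 'title' => $title, 'body' => $body, 'views' => $views, 'url' => $url ),
        array( '%s', '%s', '%d', '%s' )
    );
    wp_safe_redirect( add_query_arg( 'note_saved', '1', wp_get_referer() ) );
    exit;
}

// Escape all the things: values are escaped at the moment they are printed,
// with the escaper matching the context (HTML text, attribute, URL).
function myplugin_render_note( $note_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_notes';
    $note  = $wpdb->get_row(
        $wpdb->prepare( "SELECT title, body, url FROM {$table} WHERE id = %d", $note_id )
    );
    if ( ! $note ) {
        return;
    }
    echo '<h2>' . esc_html( $note->title ) . '</h2>';
    echo '<a href="' . esc_url( $note->url ) . '" title="' . esc_attr( $note->title ) . '">link</a>';
    echo '<div class="note">' . wp_kses_post( $note->body ) . '</div>';
}
```

The body is run through wp_kses_post() again on output because stored data can be changed by other code between save and display; escaping late is what keeps the page safe.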
A story about TimThumb
Questions?