Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.”
Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );          // surface PHP notices and warnings from your code
define( 'WP_DEBUG_DISPLAY', false ); // ...but do not print them into the rendered page
define( 'WP_DEBUG_LOG', true );      // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );      // load unminified core CSS/JS so errors point at readable lines
define( 'WP_CACHE', false );         // no caching drop-in, so every request actually runs your code
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
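The two slides above are one rule seen from both ends: sanitize decides what gets stored, escaping decides what is safe to print in a given HTML context, and a value that was sanitized on the way in still gets escaped on the way out, because the escaper depends on the context, not on where the data came from. The following is an added example, not code from the deck: a settings value saved with the sanitizing functions and printed by a shortcode with the escaping functions. The bp_ prefix, the option names and the shortcode tag are assumptions.

```php
<?php
// Added example (not from the slides): sanitize on input, escape on output.
// The bp_ prefix, the option names and the [bp_tagline] tag are assumptions.

// INPUT: called from a settings-form handler with the raw $_POST values.
function bp_save_tagline( $raw_tagline, $raw_link ) {
    // wp_unslash() undoes the slashes WordPress adds to request data;
    // sanitize_text_field() then strips tags, invalid octets and line breaks.
    $tagline = sanitize_text_field( wp_unslash( $raw_tagline ) );

    // esc_url_raw() is the storage-side twin of esc_url(): it drops URLs whose
    // scheme is not in wp_allowed_protocols() (javascript:, data:) rather than trusting the string.
    $link = esc_url_raw( wp_unslash( $raw_link ) );

    update_option( 'bp_tagline', $tagline );
    update_option( 'bp_tagline_link', $link );
}

// OUTPUT: [bp_tagline class="..." allow_html="yes|no"]
function bp_tagline_shortcode( $atts ) {
    $atts = shortcode_atts(
        array( 'class' => 'tagline', 'allow_html' => 'no' ),
        $atts,
        'bp_tagline'
    );

    $tagline = get_option( 'bp_tagline', '' );
    $link    = get_option( 'bp_tagline_link', '' );

    // Pick the escaper by CONTEXT, not by the data's origin:
    // text node   -> esc_html(), or wp_kses() with an allow-list when some markup is wanted
    // attribute   -> esc_attr();  href -> esc_url();  <textarea> body -> esc_textarea()
    if ( 'yes' === $atts['allow_html'] ) {
        $text = wp_kses( $tagline, array( 'em' => array(), 'strong' => array() ) );
    } else {
        $text = esc_html( $tagline );
    }

    return sprintf(
        '<p class="%s"><a href="%s">%s</a></p>',
        esc_attr( sanitize_html_class( $atts['class'], 'tagline' ) ),
        esc_url( $link ),
        $text
    );
}
add_shortcode( 'bp_tagline', 'bp_tagline_shortcode' );
```

Note that the stored tagline is escaped again at print time even though it was sanitized on save: another plugin, a migration, or direct database access can change what sits in that option, and the shortcode has no way of knowing.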
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
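What those three calls look like in use, as an added example rather than code from the deck: a lookup and a search that go through `$wpdb->prepare()`, and an insert and an update that let `$wpdb` do the escaping from a format array. The custom table `{$wpdb->prefix}bp_items` with columns `id`, `slug`, `title`, `views` is assumed to have been created elsewhere.

```php
<?php
// Added example (not from the slides): the $wpdb calls the deck names, applied
// to an assumed custom table {$wpdb->prefix}bp_items (id, slug, title, views).

function bp_get_item_by_slug( $slug ) {
    global $wpdb;
    // Table names cannot be placeholders; build them from $wpdb->prefix, never from input.
    $table = $wpdb->prefix . 'bp_items';

    // Never "SELECT ... WHERE slug = '$slug'": a quote character inside $slug ends
    // the string literal and the rest of the value is parsed as SQL.
    // prepare() quotes and escapes each placeholder: %s string, %d integer, %f float.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, slug, title, views FROM {$table} WHERE slug = %s", $slug )
    );
}

function bp_search_items( $term, $limit = 10 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bp_items';
    // LIKE takes two steps: esc_like() neutralises % and _ inside the user's term,
    // then the wildcards YOU add travel through %s like any other string.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, slug, title FROM {$table} WHERE title LIKE %s ORDER BY views DESC LIMIT %d",
            $like,
            absint( $limit )
        )
    );
}

function bp_insert_item( $slug, $title ) {
    global $wpdb;
    // insert() escapes the values itself; the format array declares each value's
    // type so an integer column is not quoted as a string.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'bp_items',
        array(
            'slug'  => sanitize_title( $slug ),
            'title' => sanitize_text_field( $title ),
            'views' => 0,
        ),
        array( '%s', '%s', '%d' )
    );
    return false === $ok ? 0 : (int) $wpdb->insert_id;
}

function bp_rename_item( $id, $new_title ) {
    global $wpdb;
    // update( $table, $data, $where, $data_format, $where_format ) returns the
    // number of rows affected, or false on error.
    return $wpdb->update(
        $wpdb->prefix . 'bp_items',
        array( 'title' => sanitize_text_field( $new_title ) ),
        array( 'id' => absint( $id ) ),
        array( '%s' ),
        array( '%d' )
    );
}
```

The one thing placeholders cannot protect is SQL structure: a column name or sort direction taken from the request has to be checked against an allow-list (or passed through `sanitize_sql_orderby()` from the sanitize slide) before it is spliced into the query string.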
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
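The reason raw cURL is "bad" in a plugin is that the plugin then owns the hard parts: picking a transport the host actually has, enforcing certificate verification, applying timeouts, and honouring proxy settings. The WP HTTP API does all of that and hands back either an array or a `WP_Error`. As an added example, not code from the deck, here is a fetch of a small JSON document with the error handling a practitioner would want; the feed URL, its fields and the bp_ names are assumptions.

```php
<?php
// Added example (not from the slides): fetch JSON with the WP HTTP API instead
// of calling curl_* directly. The URL, the payload fields and bp_ names are assumptions.

function bp_fetch_release_info( $url ) {
    // wp_safe_remote_get() is wp_remote_get() plus URL validation: it refuses
    // non-http(s) schemes and, unless a filter allows it, hosts that resolve to
    // local or private addresses. Prefer it whenever the URL is not a constant you wrote.
    $response = wp_safe_remote_get(
        $url,
        array(
            'timeout'     => 10,   // a slow remote must not hang the page request
            'redirection' => 2,
            'sslverify'   => true, // never set this to false to "fix" certificate errors
            'user-agent'  => 'bp-plugin/1.0; ' . home_url(),
        )
    );

    // Transport-level failure (DNS, timeout, TLS): a WP_Error, not an array.
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'bp_http', $response->get_error_message() );
    }

    // HTTP-level failure: the request completed but the server did not say 200.
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'bp_http_status', 'Unexpected HTTP status ' . $code );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || empty( $data['version'] ) ) {
        return new WP_Error( 'bp_bad_payload', 'Response was not the JSON we expected' );
    }

    // Remote data is untrusted input, exactly like a form field: sanitize it
    // before it is stored, and escape it again when it is printed.
    return array(
        'version' => sanitize_text_field( $data['version'] ),
        'url'     => esc_url_raw( isset( $data['url'] ) ? $data['url'] : '' ),
    );
}

// Caller: cache the result so every page view does not make an outbound request.
function bp_release_info_cached( $url ) {
    $cached = get_transient( 'bp_release_info' );
    if ( false !== $cached ) {
        return $cached;
    }
    $info = bp_fetch_release_info( $url );
    if ( ! is_wp_error( $info ) ) {
        set_transient( 'bp_release_info', $info, 12 * HOUR_IN_SECONDS );
    }
    return $info;
}
```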
Check capabilities & roles
current_user_can();
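The nonce slide and the capabilities slide answer two different questions and both checks belong in every state-changing handler: `current_user_can()` answers "may this user do this at all?", while the nonce answers "did this request really originate from our form or link, recently?". A nonce alone is not authorization, and a capability check alone does not stop a cross-site request forgery that rides on the victim's logged-in session. The following is an added example, not code from the deck, showing one form-based action checked with `check_admin_referer()` and one link-based action checked with `wp_verify_nonce()`; the bp_ names, the admin-post actions and the `manage_options` requirement are assumptions.

```php
<?php
// Added example (not from the slides): one admin action protected by both a
// capability check and a nonce. bp_ names and 'manage_options' are assumptions.

function bp_render_reset_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // hide the form; the handler below checks again regardless
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bp_reset_counters">
        <?php wp_nonce_field( 'bp_reset_counters', 'bp_reset_nonce' ); ?>
        <?php submit_button( 'Reset counters' ); ?>
    </form>
    <?php
}

// Form POST handler: admin_post_{action} fires for logged-in users.
function bp_handle_reset_counters() {
    // 1. Authorization: test the capability, never the role name.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'bp' ), '', array( 'response' => 403 ) );
    }
    // 2. CSRF: check_admin_referer() calls wp_die() itself on a missing or expired nonce.
    check_admin_referer( 'bp_reset_counters', 'bp_reset_nonce' );

    // 3. Do the work, then redirect so a browser refresh cannot resubmit the POST.
    update_option( 'bp_counters', array() );
    wp_safe_redirect( add_query_arg( 'bp_reset', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_bp_reset_counters', 'bp_handle_reset_counters' );

// Link-style action: wp_nonce_url() appends _wpnonce=<wp_create_nonce( $action )>.
// Binding the item id into the action string means a nonce minted for one item
// does not verify for another.
function bp_delete_link( $item_id ) {
    $url = admin_url( 'admin-post.php?action=bp_delete_item&item=' . absint( $item_id ) );
    return wp_nonce_url( $url, 'bp_delete_item_' . absint( $item_id ) );
}

function bp_handle_delete_item() {
    $item_id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;
    $nonce   = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';

    // wp_verify_nonce() returns 1 or 2 (valid, by age) or false; unlike
    // check_admin_referer() it does not die, so the handler decides how to fail.
    if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $nonce, 'bp_delete_item_' . $item_id ) ) {
        wp_die( esc_html__( 'Link expired or not permitted.', 'bp' ), '', array( 'response' => 403 ) );
    }

    delete_option( 'bp_item_' . $item_id ); // stand-in for the real deletion
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_bp_delete_item', 'bp_handle_delete_item' );
```

Nonces in WordPress are not single-use: they stay valid for up to 24 hours and are tied to the user, the session and the action string, which is why the capability check is still required and why the action string should name the specific object being acted on.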
Use native functions
A story about TimThumb
Questions?