Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” (Checkmarx, an application security company)
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );          // surface PHP notices, warnings and deprecations while developing
define( 'WP_DEBUG_DISPLAY', false ); // but do not print them into the page output
define( 'WP_DEBUG_LOG', true );      // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );      // load the unminified core scripts and styles
define( 'WP_CACHE', false );         // disable the advanced-cache drop-in so you see live results
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
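As an added example that is not part of the deck, here is a hypothetical admin form handler for a fictional plugin (prefix `wcplugin_`, a fictional plugin-owned table) that combines the nonce, capability, sanitize, escape, $wpdb and HTTP API calls listed above; the `wp_*`, `esc_*` and `$wpdb` functions are WordPress core and the code assumes it runs inside WordPress.

```php
<?php
// Added example, not from the slides: a hypothetical admin form handler for a fictional
// "wcplugin" plugin. Assumes it runs inside WordPress (wp_*, esc_*, $wpdb are core APIs).

// Output side: emit a nonce field and escape every value at the point of output.
function wcplugin_render_form( $current_title, $notes ) {
    echo '<form method="post">';
    wp_nonce_field( 'wcplugin_save', 'wcplugin_nonce' ); // CSRF token bound to this action
    echo '<input type="text" name="wcplugin_title" value="' . esc_attr( $current_title ) . '">';
    echo '<textarea name="wcplugin_notes">' . esc_textarea( $notes ) . '</textarea>';
    echo '<input type="submit" value="' . esc_attr__( 'Save', 'wcplugin' ) . '">';
    echo '</form>';
}

// Input side: verify intent (nonce), then permission (capability), then sanitize, then query.
function wcplugin_handle_save() {
    global $wpdb;
    $post_id = absint( $_POST['wcplugin_post_id'] ?? 0 );
    if ( ! isset( $_POST['wcplugin_nonce'] ) || ! wp_verify_nonce( $_POST['wcplugin_nonce'], 'wcplugin_save' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'wcplugin' ) ); // nonce missing, wrong or expired
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'wcplugin' ) ); // a nonce proves intent, not authority
    }
    // Pick the sanitizer that matches each field's type; wp_unslash() undoes WordPress's added slashes.
    $title = sanitize_text_field( wp_unslash( $_POST['wcplugin_title'] ?? '' ) );
    $notes = wp_kses( wp_unslash( $_POST['wcplugin_notes'] ?? '' ), array( 'a' => array( 'href' => array() ), 'strong' => array() ) );

    $table = $wpdb->prefix . 'wcplugin_notes'; // hypothetical plugin-owned table
    // $wpdb->update() escapes the values for you; %s / %d declare each value's type.
    $wpdb->update( $table, array( 'title' => $title, 'notes' => $notes ), array( 'post_id' => $post_id ), array( '%s', '%s' ), array( '%d' ) );
    // Hand-written SQL goes through prepare(): placeholders, never string concatenation.
    $total = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$table} WHERE post_id = %d AND title = %s",
        $post_id, $title
    ) );
    return (int) $total;
}

// Remote data: the HTTP API instead of raw cURL, so proxies, filters and SSL verification apply.
function wcplugin_fetch_json( $url ) {
    $response = wp_remote_get( esc_url_raw( $url ), array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}
```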
Use native functions
A story about TimThumb
Questions?