Plugin Security



Brad Parbs

July 26, 2014

Transcript

  1. Security for Your Plugins

  2. I’m Brad Parbs.

  3. Nathan, you should watch Band of Brothers.

  4. Let’s talk about what sucks in WordPress.

  7. “20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
  8. Things that happen when your stuff isn’t secure.

  10. How do we make sure this doesn’t happen?

  11. Always develop with debugging ON

  12. define( 'WP_DEBUG', true );
      define( 'WP_DEBUG_DISPLAY', false );
      define( 'WP_DEBUG_LOG', true );
      define( 'SCRIPT_DEBUG', true );
      define( 'WP_CACHE', false );
  13. Sanitize all the things

  14. intval(); absint();

  15. wp_kses();

  16. sanitize_title();

  17. sanitize_email()
      sanitize_file_name()
      sanitize_html_class()
      sanitize_key()
      sanitize_meta()
      sanitize_mime_type()
      sanitize_option()
      sanitize_sql_orderby()
      sanitize_post_field()
      sanitize_text_field()
      sanitize_title()
      sanitize_title_for_query()
      sanitize_title_with_dashes()
      sanitize_user()
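Sanitizing in practice, as an added example that is not part of the deck: a settings sanitize callback that runs each field through the function matching its type, so only cleaned values reach the database. It assumes WordPress is loaded as a plugin; the option group, option name, field names and the `bp_demo_` prefix are hypothetical.

```php
<?php
/**
 * Added example (not from the talk): sanitizing plugin settings on save.
 * Assumes it runs inside WordPress as part of a plugin; the option name
 * 'bp_demo_settings' and the field names are hypothetical.
 */

// Allowed HTML for the "footer_html" field: a small whitelist handed to wp_kses().
function bp_demo_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
}

// Sanitize callback: every field goes through the function that matches its type.
// The returned array is what gets stored; any key not listed here is dropped.
function bp_demo_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Whole numbers: absint() turns "abc", "-5" and "3.7" into 0, 5 and 3.
    $clean['items_per_page'] = isset( $input['items_per_page'] ) ? absint( $input['items_per_page'] ) : 10;
    if ( $clean['items_per_page'] < 1 || $clean['items_per_page'] > 100 ) {
        $clean['items_per_page'] = 10;
    }

    // Plain text: strips tags, line breaks, extra whitespace and invalid UTF-8.
    $clean['heading'] = isset( $input['heading'] ) ? sanitize_text_field( $input['heading'] ) : '';

    // Email: sanitize_email() returns '' when the address is not valid.
    $clean['contact_email'] = isset( $input['contact_email'] ) ? sanitize_email( $input['contact_email'] ) : '';

    // Limited HTML: wp_kses() keeps only the whitelisted tags and attributes.
    $clean['footer_html'] = isset( $input['footer_html'] ) ? wp_kses( $input['footer_html'], bp_demo_allowed_html() ) : '';

    // Slug-like value that ends up in URLs.
    $clean['feed_slug'] = isset( $input['feed_slug'] ) ? sanitize_title( $input['feed_slug'] ) : 'feed';

    // Choice from a fixed set: sanitize_key() lowercases and strips, then we whitelist.
    $layout          = isset( $input['layout'] ) ? sanitize_key( $input['layout'] ) : 'grid';
    $clean['layout'] = in_array( $layout, array( 'grid', 'list' ), true ) ? $layout : 'grid';

    return $clean;
}

function bp_demo_register_settings() {
    // The array form of the third argument needs WordPress 4.7+; older
    // versions accept the callback name directly as the third argument.
    register_setting(
        'bp_demo_options',   // option group (hypothetical)
        'bp_demo_settings',  // option name (hypothetical)
        array( 'sanitize_callback' => 'bp_demo_sanitize_settings' )
    );
}
add_action( 'admin_init', 'bp_demo_register_settings' );
```

The whitelist checks after `sanitize_key()` and `absint()` matter: those functions normalize a value but do not decide whether it is one your plugin expects, so a range or an `in_array()` check is still yours to write.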
  18. Escape all the things

  19. esc_html();

  20. esc_textarea();

  21. esc_attr();

  22. esc_url();

  23. http://codex.wordpress.org/Data_Validation
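Escaping on output, as an added example that is not part of the deck: the same setting rendered once unsafely and once with the escaping function chosen for the context the value lands in (HTML text, attribute, textarea, URL). It assumes WordPress is loaded; the `bp_demo_` functions, the settings array keys and the `bp_demo` shortcode are hypothetical.

```php
<?php
/**
 * Added example (not from the talk): escaping on output, picked by context.
 * Assumes WordPress is loaded; the settings keys and shortcode name are hypothetical.
 */

// VULNERABLE: raw option values echoed into attribute, URL and text contexts.
// A stored heading of  "><script>alert(1)</script>  closes the value attribute,
// and a link of  javascript:alert(1)  becomes a live href.
function bp_demo_render_settings_unsafe( $s ) {
    echo '<input name="heading" value="' . $s['heading'] . '">';
    echo '<a href="' . $s['link'] . '">' . $s['heading'] . '</a>';
}

// HARDENED: each value is escaped with the function for where it is printed.
function bp_demo_render_settings( $s ) {
    // Attribute context: esc_attr() encodes quotes, so the value cannot close the attribute.
    printf( '<input type="text" name="bp_demo_settings[heading]" value="%s">', esc_attr( $s['heading'] ) );

    // Textarea body: esc_textarea() encodes so a stored "</textarea>" cannot end the element.
    printf( '<textarea name="bp_demo_settings[footer_html]">%s</textarea>', esc_textarea( $s['footer_html'] ) );

    // URL in href: esc_url() drops disallowed schemes such as javascript: (returns '') and encodes the rest.
    printf( '<a href="%s">%s</a>', esc_url( $s['link'] ), esc_html( $s['heading'] ) );

    // Translated strings are output too: esc_html__() / esc_attr__() wrap the i18n call.
    printf( '<label>%s</label>', esc_html__( 'Heading', 'bp-demo' ) );
}

// Front-end output through a shortcode: return a string, never echo, and escape every piece.
function bp_demo_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'title' => '', 'url' => '' ), $atts, 'bp_demo' );
    return sprintf(
        '<div class="%s"><a href="%s">%s</a></div>',
        esc_attr( sanitize_html_class( 'bp-demo-' . $atts['title'] ) ),
        esc_url( $atts['url'] ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'bp_demo', 'bp_demo_shortcode' );
```

Escape late, at the point of output, rather than relying on the value having been sanitized on the way in: the two steps guard different boundaries. For URLs that are stored or passed to a redirect rather than printed, use `esc_url_raw()`, since `esc_url()` HTML-encodes `&` for display.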

  24. Database Queries

  25. $wpdb->insert();

  26. $wpdb->update();

  27. $wpdb->prepare();
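Database access with `$wpdb`, as an added example that is not part of the deck: a concatenated query beside its prepared form, plus `insert()` and `update()` with format arrays. It assumes WordPress is loaded and a table `{$wpdb->prefix}bp_demo_log` with columns `id`, `user_id`, `action` and `note`; the table and the `bp_demo_` functions are hypothetical.

```php
<?php
/**
 * Added example (not from the talk): $wpdb->prepare(), insert() and update().
 * Assumes WordPress is loaded and a hypothetical table {$wpdb->prefix}bp_demo_log
 * with columns id, user_id, action, note.
 */

// VULNERABLE: user input concatenated into SQL.
// $action = "x' OR '1'='1"  turns this into a query that returns every row.
function bp_demo_get_log_unsafe( $action ) {
    global $wpdb;
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}bp_demo_log WHERE action = '" . $action . "'" );
}

// HARDENED: values go in through placeholders and prepare() quotes/escapes them.
// %s is a string, %d an integer, %f a float; a literal percent sign is written %%.
function bp_demo_get_log( $action, $user_id, $limit = 20, $orderby = 'id' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bp_demo_log';

    // prepare() cannot parameterize identifiers (column or table names), so the
    // ORDER BY column goes through sanitize_sql_orderby() and an explicit whitelist.
    $orderby = sanitize_sql_orderby( $orderby );
    if ( ! in_array( $orderby, array( 'id', 'user_id', 'action' ), true ) ) {
        $orderby = 'id';
    }

    $sql = $wpdb->prepare(
        "SELECT id, user_id, action, note FROM {$table} WHERE action = %s AND user_id = %d ORDER BY {$orderby} DESC LIMIT %d",
        $action,
        $user_id,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// insert() builds and escapes the statement for you; the format array says how
// each value is typed. Returns the new row id, or 0 on failure.
function bp_demo_log_action( $user_id, $action, $note ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'bp_demo_log',
        array( 'user_id' => $user_id, 'action' => $action, 'note' => $note ),
        array( '%d', '%s', '%s' )
    );
    return $ok ? (int) $wpdb->insert_id : 0;
}

// update( table, data, where, data_format, where_format ); returns rows affected or false.
function bp_demo_update_note( $id, $note ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'bp_demo_log',
        array( 'note' => $note ),
        array( 'id' => $id ),
        array( '%s' ),
        array( '%d' )
    );
}
```

`insert()`, `update()` and `prepare()` cover values only. Anything that is part of the statement's structure, such as the column in `ORDER BY` above, has to be validated against a list you control, which is what `sanitize_sql_orderby()` plus the whitelist does.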

  28. Nonces

  29. wp_nonce_url();

  30. wp_nonce_field();

  31. wp_create_nonce();

  32. check_admin_referer();

  33. wp_verify_nonce();

  34. Remote Data

  35. CURL is bad.

  36. For real, CURL is bad.

  37. wp_remote_get();

  38. wp_remote_post();

  39. wp_remote_request();
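Fetching remote data through the WordPress HTTP API, as an added example that is not part of the deck: a GET with timeout, error and status-code handling, caching and sanitizing of the response, and a JSON POST. It assumes WordPress is loaded; the endpoints under `api.example.com`, the transient name and the `bp_demo_` functions are hypothetical.

```php
<?php
/**
 * Added example (not from the talk): remote requests via wp_remote_get() /
 * wp_remote_post() instead of direct cURL calls. Assumes WordPress is loaded;
 * the api.example.com endpoints and the transient name are hypothetical.
 */

function bp_demo_fetch_status() {
    $cache_key = 'bp_demo_status';
    $cached    = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }

    // wp_remote_get() picks an available transport (cURL or streams), honours
    // the site's proxy settings and hooks, and never shells out. Keep the timeout short.
    $response = wp_remote_get(
        'https://api.example.com/status',
        array(
            'timeout'   => 5,
            'sslverify' => true, // already the default; never set it to false to "fix" certificate errors
            'headers'   => array( 'Accept' => 'application/json' ),
        )
    );

    // Network and transport failures come back as a WP_Error, not as false or an exception.
    if ( is_wp_error( $response ) ) {
        error_log( 'bp_demo: request failed: ' . $response->get_error_message() );
        return null;
    }

    // An HTTP 500 is a successful transport, so the status code needs its own check.
    if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return null;
    }

    // Remote data is untrusted input: sanitize it before storing or echoing it.
    $status = array(
        'state'   => sanitize_key( isset( $data['state'] ) ? $data['state'] : '' ),
        'message' => sanitize_text_field( isset( $data['message'] ) ? $data['message'] : '' ),
    );

    set_transient( $cache_key, $status, 10 * MINUTE_IN_SECONDS );
    return $status;
}

// POST: an array 'body' is form-encoded for you; pass a string (here JSON) to send it as-is.
function bp_demo_report_event( $event ) {
    $response = wp_remote_post(
        'https://api.example.com/events',
        array(
            'timeout' => 5,
            'headers' => array( 'Content-Type' => 'application/json' ),
            'body'    => wp_json_encode( array( 'event' => $event, 'site' => home_url() ) ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    return $code >= 200 && $code < 300;
}
```

For other verbs, `wp_remote_request()` takes the same argument array with a `'method'` key (for example `'DELETE'`). Caching the cleaned result in a transient also limits how often a slow or hostile remote host can tie up PHP workers on your site.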

  40. Check capabilities & roles

  41. current_user_can();
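Nonces and capability checks together (slides 28 to 33 and 40 to 41), as an added example that is not part of the deck: a delete action exposed as a nonce-protected link, a form and an AJAX call, each verified and then gated on `current_user_can()`. It assumes WordPress is loaded; the `bp_demo_delete` action, the `manage_options` capability choice, the `bp_demo_` functions and the `bp_demo_delete_item()` helper are hypothetical.

```php
<?php
/**
 * Added example (not from the talk): a nonce-protected delete action that also
 * checks capabilities. Assumes WordPress is loaded; the action name, the
 * capability used, and bp_demo_delete_item() are hypothetical.
 */

// Hypothetical helper standing in for the real deletion.
function bp_demo_delete_item( $id ) {
    return delete_option( 'bp_demo_item_' . absint( $id ) );
}

// 1. Link-based action: wp_nonce_url() appends _wpnonce=... to the URL. The nonce
//    action includes the item ID, so a nonce minted for item 1 cannot delete item 2.
function bp_demo_delete_link( $id ) {
    $url = add_query_arg(
        array( 'action' => 'bp_demo_delete', 'item' => absint( $id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'bp_demo_delete_' . absint( $id ) );
}

// 2. Form-based action: wp_nonce_field() prints the hidden _wpnonce (and _wp_http_referer)
//    inputs; it posts to the same handler, which reads $_REQUEST so GET and POST both work.
function bp_demo_render_form( $id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="bp_demo_delete">';
    echo '<input type="hidden" name="item" value="' . esc_attr( absint( $id ) ) . '">';
    wp_nonce_field( 'bp_demo_delete_' . absint( $id ) );
    submit_button( __( 'Delete', 'bp-demo' ) );
    echo '</form>';
}

// Handler for admin-post.php?action=bp_demo_delete (fires for GET and POST).
function bp_demo_handle_delete() {
    $id = isset( $_REQUEST['item'] ) ? absint( $_REQUEST['item'] ) : 0;

    // check_admin_referer() verifies _wpnonce against the action string and calls
    // wp_die() if it is missing, wrong or expired (nonces live for 24 hours by default).
    check_admin_referer( 'bp_demo_delete_' . $id );

    // A valid nonce only shows the request came from this site's own UI for this
    // user; it says nothing about whether this user may delete. That is the capability check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'bp-demo' ), '', array( 'response' => 403 ) );
    }

    bp_demo_delete_item( $id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_bp_demo_delete', 'bp_demo_handle_delete' );

// 3. AJAX: hand the nonce to JavaScript with wp_create_nonce() (e.g. via wp_localize_script())
//    and verify by hand with wp_verify_nonce(), which returns 1, 2 or false rather than dying.
function bp_demo_ajax_nonce( $id ) {
    return wp_create_nonce( 'bp_demo_delete_' . absint( $id ) );
}

function bp_demo_ajax_delete() {
    $id    = isset( $_POST['item'] ) ? absint( $_POST['item'] ) : 0;
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';

    if ( ! wp_verify_nonce( $nonce, 'bp_demo_delete_' . $id ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'deleted' => (bool) bp_demo_delete_item( $id ) ) );
}
add_action( 'wp_ajax_bp_demo_delete', 'bp_demo_ajax_delete' );
```

The order matters in each handler: verify the nonce first (CSRF), then check the capability (authorization), then act. Skipping either one is a separate bug; a nonce without a capability check lets any logged-in user who can reach the page perform the action, and a capability check without a nonce lets a crafted link perform it on an administrator's behalf.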

  42. Use native functions

  43. A story about TimThumb

  44. Questions?
