Plugin Security

July 26, 2014

140

Plugin Security

Brad Parbs

July 26, 2014

Tweet

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

680

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

170

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

310

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

390

WordCamp Baltimore - Let's Get Sassy!

2

490

Starter Themes for Appleton WordPress Meetup

1

170

#WCGR - Getting SASSy

4

280

#WCPVD - Getting SASSy

2

280

WordCamp Chicago 2013 - Template Hiearchy

1

160

Other Decks in Technology

See All in Technology

なぜあなたはそんなに re:Invent に行くのか？

PRO

0

220

小さく、早く、可能性を多産する。生成AIプロジェクト / prAIrie-dog

visional_engineering_and_design

0

120

20251219 OpenIDファウンデーション・ジャパン紹介 / OpenID Foundation Japan Intro

0

520

Connection-based OAuthから学ぶOAuth for AI Agents

0

400

AgentCore BrowserとClaude Codeスキルを活用した『初手AI』を実現する業務自動化AIエージェント基盤

7

1.8k

技術選定、下から見るか？横から見るか？

0

120

Oracle Database@Google Cloud：サービス概要のご紹介

oracle4engineer

PRO

1

770

NIKKEI Tech Talk #41: セキュア・バイ・デザインからクラウド管理を考える

PRO

0

240

AR Guitar: Expanding Guitar Performance from a Live House to Urban Space

0

260

テストセンター受験、オンライン受験、どっちなんだい？

0

190

Next.js 16の新機能 Cache Components について

0

190

モダンデータスタックの理想と現実の間で～1.3億人Vポイントデータ基盤の現在地とこれから～

taromatsui_cccmkhd

2

280

Featured

See All Featured

Helping Users Find Their Own Way: Creating Modern Search Experiences

31

3k

41

3.8k

Testing 201, or: Great Expectations

46

7.8k

Chrome DevTools: State of the Union 2024 - Debugging React & Beyond

9

1k

Optimising Largest Contentful Paint

37

3.5k

The Curious Case for Waylosing

0

200

Faster Mobile Websites

310

31k

職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position

53

47k

The Invisible Side of Design

302

51k

Building AI with AI

PRO

1

580

Designing Powerful Visuals for Engaging Learning

0

190

Why Your Marketing Sucks and What You Can Do About It - Sophie Logan

0

49

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None