Plugin Security

Transcript

1. Security for Your Plugins
   

   View Slide

2. I’m Brad Parbs.
   

   View Slide

3. Nathan, you should watch
   Band of Brothers.
   

   View Slide

4. Let’s talk about what
   sucks in WordPress.
   

   View Slide

5. View Slide

6. View Slide

7. “20% of the 50 most popular WordPress
   plugins are vulnerable to common Web
   attacks. This amounts to nearly 8 million
   downloads of vulnerable plugins.”
   Checkmarx, an application security company
   

   View Slide

8. Things that happen when
   your stuff isn’t secure.
   

   View Slide

9. View Slide

10. How do we make sure
    this doesn’t happen?
    

    View Slide

11. Always develop with
    debugging ON
    

    View Slide

12. define(  'WP_DEBUG',  true  );  
    define(  'WP_DEBUG_DISPLAY',  false  );  
    define(  'WP_DEBUG_LOG',  true  );  
    define(  'SCRIPT_DEBUG',  true  );  
    define(  'WP_CACHE',  false  );
    

    View Slide

13. Sanitize all the things
    

    View Slide

14. intval();  
    absint();
    

    View Slide

15. wp_kses();
    

    View Slide

16. sanitize_title();
    

    View Slide

17. sanitize_email()  
    sanitize_file_name()  
    sanitize_html_class()  
    sanitize_key()  
    sanitize_meta()  
    sanitize_mime_type()  
    sanitize_option()  
    sanitize_sql_orderby()  
    sanitize_post_field()  
    sanitize_text_field()  
    sanitize_title()  
    sanitize_title_for_query()  
    sanitize_title_with_dashes()  
    sanitize_user()
    

    View Slide

18. Escape all the things
    

    View Slide

19. esc_html();
    

    View Slide

20. esc_textarea();
    

    View Slide

21. esc_attr();
    

    View Slide

22. esc_url();
    

    View Slide

23. http://codex.wordpress.org/Data_Validation
    

    View Slide

24. Database Queries
    

    View Slide

25. $wpdb-­‐>insert();
    

    View Slide

26. $wpdb-­‐>update();
    

    View Slide

27. $wpdb-­‐>prepare();
    

    View Slide

28. Nonces
    

    View Slide

29. wp_nonce_url();
    

    View Slide

30. wp_nonce_field();
    

    View Slide

31. wp_create_nonce();
    

    View Slide

32. check_admin_referer();
    

    View Slide

33. wp_verify_nonce();
    

    View Slide

34. Remote Data
    

    View Slide

35. CURL is bad.
    

    View Slide

36. For real, CURL is bad.
    

    View Slide

37. wp_remote_get();
    

    View Slide

38. wp_remote_post();
    

    View Slide

39. wp_remote_request();
    

    View Slide

40. Check capabilities &
    roles
    

    View Slide

41. current_user_can();
    

    View Slide

42. Use native functions
    

    View Slide

43. A story about
    TimThumb
    

    View Slide

44. Questions?
    

    View Slide

45. View Slide