Save 37% off PRO during our Black Friday Sale! »

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=47 Brad Parbs
July 26, 2014
Technology
3
53

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=128

Brad Parbs

July 26, 2014
Tweet

More Decks by Brad Parbs

See All by Brad Parbs
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
160
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
110
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
150
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
230
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
200
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
68
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
4
180
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
97

Other Decks in Technology

See All in Technology
1e6cfe94614ed96ac769e93f2e0c63f0?s=48 kavisha
1
460
4649f3418cb4e7b951ca28e65003c7ac?s=48 sumi
1
400
A60224e356e52f631bec70bc9df52889?s=48 empitsu
2
2k
4bd69b0ec8e5731a5332ee100ad8fb6d?s=48 entaku
1
400
997716e957fe4db19491b2794346a7ce?s=48 airreader
0
310
81902928da54ee11fd4028144d061993?s=48 tohae
1
210
4ccf6c02807d06f043a71435c48ce86a?s=48 eller86
2
1k
39660b800174f05657f47a30ff8258c7?s=48 msyksphinz
1
180
Bc76bcaa1b60adef57995ba63697bdee?s=48 hiroyukiyagihashi
0
570
966e29b84ae7dbde170f66b0bc75b7a6?s=48 ishiayaya
0
1k
26afa82334d1037f0ba602272b950c90?s=48 kazuhitotakahashi
0
230
Ca6281fff64797dc419b78f51f25c0a5?s=48 fujiwara3
PRO
4
890

Featured

See All Featured
88bc30284c6a424b63a92aad27d0ba36?s=48 jnunemaker
PRO
44
5k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
6
790
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
55
3.5k
1ce0eb06fd6a9e9566a0cb310cfee635?s=48 jrick
PRO
1
19k
7653c7c449918ff6542880a8c284f5e7?s=48 jponch
106
5.4k
A9a491b0fcbe0fbce3d64063a37add99?s=48 rmw
17
1.2k
96270e4c3e5e9806cf7245475c00b275?s=48 addyosmani
497
110k
3ab1249be442027903e1180025340b3f?s=48 reverentgeek
37
2.9k
170b760e0147792d0140e59ec78e9893?s=48 eitanlees
120
11k
0fe2973fa8d27d96547e43322341183a?s=48 swwweet
211
7.2k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
349
27k
465724d73fe3a92c0879fdfb43a3a6f3?s=48 philhawksworth
196
17k

Transcript

  1. Security for Your Plugins

  2. I’m Brad Parbs.

  3. Nathan, you should watch Band of Brothers.

  4. Let’s talk about what sucks in WordPress.

  5. None
  6. None

  7. “20% of the 50 most popular WordPress plugins are vulnerable

    to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company

  8. Things that happen when your stuff isn’t secure.

  9. None

  10. How do we make sure this doesn’t happen?

  11. Always develop with debugging ON

  12. define(  'WP_DEBUG',  true  );   define(  'WP_DEBUG_DISPLAY',  false  );  

    define(  'WP_DEBUG_LOG',  true  );   define(  'SCRIPT_DEBUG',  true  );   define(  'WP_CACHE',  false  );

  13. Sanitize all the things

  14. intval();   absint();

  15. wp_kses();

  16. sanitize_title();

  17. sanitize_email()   sanitize_file_name()   sanitize_html_class()   sanitize_key()   sanitize_meta()  

    sanitize_mime_type()   sanitize_option()   sanitize_sql_orderby()   sanitize_post_field()   sanitize_text_field()   sanitize_title()   sanitize_title_for_query()   sanitize_title_with_dashes()   sanitize_user()

  18. Escape all the things

  19. esc_html();

  20. esc_textarea();

  21. esc_attr();

  22. esc_url();

  23. http://codex.wordpress.org/Data_Validation

  24. Database Queries

  25. $wpdb-­‐>insert();

  26. $wpdb-­‐>update();

  27. $wpdb-­‐>prepare();

  28. Nonces

  29. wp_nonce_url();

  30. wp_nonce_field();

  31. wp_create_nonce();

  32. check_admin_referer();

  33. wp_verify_nonce();

  34. Remote Data

  35. CURL is bad.

  36. For real, CURL is bad.

  37. wp_remote_get();

  38. wp_remote_post();

  39. wp_remote_request();

  40. Check capabilities & roles

  41. current_user_can();

  42. Use native functions

  43. A story about TimThumb

  44. Questions?

  45. None