Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
130
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
650
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
170
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
300
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
380
WordCamp Baltimore - Let's Get Sassy!
bradp
2
430
Starter Themes for Appleton WordPress Meetup
bradp
1
160
#WCGR - Getting SASSy
bradp
4
260
#WCPVD - Getting SASSy
bradp
2
270
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
150
Other Decks in Technology
See All in Technology
定期的な価値提供だけじゃない、スクラムが導くチームの共創化 / 20251004 Naoki Takahashi
shift_evolve
PRO
3
300
生成AIとM5Stack / M5 Japan Tour 2025 Autumn 東京
you
PRO
0
210
BirdCLEF+2025 Noir 5位解法紹介
myso
0
190
VCC 2025 Write-up
bata_24
0
180
Azure SynapseからAzure Databricksへ 移行してわかった新時代のコスト問題!?
databricksjapan
0
140
stupid jj tricks
indirect
0
7.9k
SwiftUIのGeometryReaderとScrollViewを基礎から応用まで学び直す:設計と活用事例
fumiyasac0921
0
140
Access-what? why and how, A11Y for All - Nordic.js 2025
gdomiciano
1
110
ACA でMAGI システムを社内で展開しようとした話
mappie_kochi
1
250
自作LLM Native GORM Pluginで実現する AI Agentバックテスト基盤構築
po3rin
2
250
Function calling機能をPLaMo2に実装するには / PFN LLMセミナー
pfn
PRO
0
920
[2025-09-30] Databricks Genie を利用した分析基盤とデータモデリングの IVRy の現在地
wxyzzz
0
470
Featured
See All Featured
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
12
1.2k
Agile that works and the tools we love
rasmusluckow
331
21k
Designing Experiences People Love
moore
142
24k
Typedesign – Prime Four
hannesfritz
42
2.8k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
132
19k
Context Engineering - Making Every Token Count
addyosmani
5
180
Side Projects
sachag
455
43k
Art, The Web, and Tiny UX
lynnandtonic
303
21k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.5k
How STYLIGHT went responsive
nonsquared
100
5.8k
Thoughts on Productivity
jonyablonski
70
4.9k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None