Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=47 Brad Parbs
July 26, 2014
Technology
3
50

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=128

Brad Parbs

July 26, 2014
Tweet

More Decks by Brad Parbs

See All by Brad Parbs
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
120
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
94
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
150
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
220
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
190
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
65
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
4
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
93

Other Decks in Technology

See All in Technology
585cdfa5a081d53de7529e9b58926af2?s=48 kota2and3kan
0
500
C8b3d5eaa8c8a490a1530b9b5256a2a9?s=48 kaojiri
7
3.9k
Cd891a89dfec6ca7bd278b5f5bd87c90?s=48 tzkoba
3
1.7k
Ec2568783e5ea4ecd0d68e1f22291eb8?s=48 takahashikazutaro
0
310
6f455f3ddfaa8a1c3a8a03ecd5d73d4f?s=48 hirakichi
0
120
1eecfce54b4f902784d046328935efd4?s=48 makoto_inoue
0
200
Cd823abda454a7a2065fe6fe273ae84b?s=48 viva_tweet_x
1
480
380bcd2ab751f5838abd8219df53e5fe?s=48 tomoki10
5
3k
842515eaf8fbb2dfcc75197e7797dc15?s=48 sat
1
540
44b799f91cc48e38c5fe9f5d9c5ecc61?s=48 takaichi00
0
630
1741a7877b6ff93bf29af4d11c2c895e?s=48 ryan403
0
150
3373c144fef1d3518b9b3f24a6b46ad0?s=48 lmi
1
550

Featured

See All Featured
053e75a5b48b44d6dd0612795dfb326d?s=48 notwaldorf
48
2.8k
F29327647a9cff5c69618bae420792ea?s=48 tenderlove
58
3.7k
Ba530e786553390f3fb271848485681c?s=48 3n
167
22k
1177e050db6bafe62885362edf6e3537?s=48 lauravandoore
443
29k
9952dfcd5d338f8a8e7175c8a8f65fb5?s=48 wjessup
342
16k
A0517b08532aec8ab2aae3f65d40ad86?s=48 hannesfritz
32
1.1k
B47b288784fda77a94aeb234ca743c24?s=48 keavy
110
15k
15f2b8221f247985a27a627d2ece72f0?s=48 pauljervisheath
195
16k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
121
16k
91cefdf141106fa10674aae74ce05890?s=48 yeseniaperezcruz
304
32k
D8fc2580cfaca035f666d9e4ee79a7f7?s=48 mongodb
24
4k
651dcfe41723207fbb0aa044a4f7c07f?s=48 dotmariusz
98
5.6k

Transcript

  1. Security for Your Plugins

  2. I’m Brad Parbs.

  3. Nathan, you should watch Band of Brothers.

  4. Let’s talk about what sucks in WordPress.

  5. None
  6. None

  7. “20% of the 50 most popular WordPress plugins are vulnerable

    to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company

  8. Things that happen when your stuff isn’t secure.

  9. None

  10. How do we make sure this doesn’t happen?

  11. Always develop with debugging ON

  12. define(  'WP_DEBUG',  true  );   define(  'WP_DEBUG_DISPLAY',  false  );  

    define(  'WP_DEBUG_LOG',  true  );   define(  'SCRIPT_DEBUG',  true  );   define(  'WP_CACHE',  false  );

  13. Sanitize all the things

  14. intval();   absint();

  15. wp_kses();

  16. sanitize_title();

  17. sanitize_email()   sanitize_file_name()   sanitize_html_class()   sanitize_key()   sanitize_meta()  

    sanitize_mime_type()   sanitize_option()   sanitize_sql_orderby()   sanitize_post_field()   sanitize_text_field()   sanitize_title()   sanitize_title_for_query()   sanitize_title_with_dashes()   sanitize_user()

  18. Escape all the things

  19. esc_html();

  20. esc_textarea();

  21. esc_attr();

  22. esc_url();

  23. http://codex.wordpress.org/Data_Validation

  24. Database Queries

  25. $wpdb-­‐>insert();

  26. $wpdb-­‐>update();

  27. $wpdb-­‐>prepare();

  28. Nonces

  29. wp_nonce_url();

  30. wp_nonce_field();

  31. wp_create_nonce();

  32. check_admin_referer();

  33. wp_verify_nonce();

  34. Remote Data

  35. CURL is bad.

  36. For real, CURL is bad.

  37. wp_remote_get();

  38. wp_remote_post();

  39. wp_remote_request();

  40. Check capabilities & roles

  41. current_user_can();

  42. Use native functions

  43. A story about TimThumb

  44. Questions?

  45. None