Plugin Security

July 26, 2014

130

Plugin Security

Brad Parbs

July 26, 2014

Tweet

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

660

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

170

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

300

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

390

WordCamp Baltimore - Let's Get Sassy!

2

450

Starter Themes for Appleton WordPress Meetup

1

170

#WCGR - Getting SASSy

4

270

#WCPVD - Getting SASSy

2

270

WordCamp Chicago 2013 - Template Hiearchy

1

160

Other Decks in Technology

See All in Technology

やり方は一つだけじゃない、正解だけを目指さず寄り道やその先まで自分流に楽しむ趣味プログラミングの探求 2025-11-15 YAPC::Fukuoka

1

480

AIを前提に、業務を”再構築”せよ IVRyの9ヶ月にわたる挑戦と未来の働き方 (BTCONJP2025)

1

200

Claude Code 10連ガチャ

3

660

設計は最強のプロンプト - AI時代に武器にすべきスキルとは？-

kenichirokimura

1

350

[CV勉強会@関東 ICCV2025] WoTE: End-to-End Driving with Online Trajectory Evaluation via BEV World Model

0

160

内部品質・フロー効率・コミュニケーションコストを悪化させ現場を苦しめかねない16の組織設計アンチパターン［超簡易版］ / 16 Organization Design Anti-Patterns for Software Development

2

210

今、MySQLのバックアップを作り直すとしたら何がどう良いのかを考える旅

0

220

QAエンジニアがプロダクト専任でチームの中に入ると。。。？/登壇資料（杉森太樹）

PRO

0

190

AIと自動化がもたらす業務効率化の実例：反社チェック等の調査・業務プロセス自動化

0

120

Redux → Recoil → Zustand → useSyncExternalStore：状態管理の10年とReact本来の姿

PRO

10

4.9k

これからアウトプットする人たちへ - アウトプットを支える技術 / that support output

PRO

18

5.3k

Quarkusで作るInteractive Stream Application

0

110

Featured

See All Featured

Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything

31

2.6k

Building Better People: How to give real-time feedback that sticks.

370

20k

Cheating the UX When There Is Nothing More to Optimize - PixelPioneers

stephaniewalter

285

14k

Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]

10

660

30

1.3k

Documentation Writing (for coders)

76

5.1k

[RailsConf 2023] Rails as a piece of cake

57

6k

Building Applications with DynamoDB

96

6.7k

StorybookのUI Testing Handbookを読んだ

31

6.3k

Measuring & Analyzing Core Web Vitals

9

660

186

16k

Embracing the Ebb and Flow

88

4.9k

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None