Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
120
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
630
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
160
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
290
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
370
WordCamp Baltimore - Let's Get Sassy!
bradp
2
410
Starter Themes for Appleton WordPress Meetup
bradp
1
150
#WCGR - Getting SASSy
bradp
4
260
#WCPVD - Getting SASSy
bradp
2
260
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
150
Other Decks in Technology
See All in Technology
大規模組織にAIエージェントを迅速に導入するためのセキュリティの勘所 / AI agents for large-scale organizations
i35_267
6
220
Introduction to Sansan for Engineers / エンジニア向け会社紹介
sansan33
PRO
5
39k
室長の逆襲 :データ活用の陣地を増やすためのヒント
masatoshi0205
0
180
ecspressoの設計思想に至る道 / sekkeinight2025
fujiwara3
8
1.1k
PHPでResult型やってみよう
higaki_program
0
190
「現場で活躍するAIエージェント」を実現するチームと開発プロセス
tkikuchi1002
6
1k
Wasmで社内ツールを作って配布しよう
askua
0
110
P2P ではじめる WebRTC のつまづきどころ
tnoho
1
200
ObsidianをLLM時代のナレッジベースに! クリッピング→Markdown→CLI連携の実践
srvhat09
7
8.9k
RapidPen: AIエージェントによる高度なペネトレーションテスト自動化の研究開発
laysakura
1
390
TypeScript 上達の道
ysknsid25
4
480
自分がLinc’wellで提供しているプロダクトを理解するためにやったこと
murabayashi
1
160
Featured
See All Featured
Testing 201, or: Great Expectations
jmmastey
43
7.6k
Building Applications with DynamoDB
mza
95
6.5k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
1k
Faster Mobile Websites
deanohume
308
31k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Adopting Sorbet at Scale
ufuk
77
9.5k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
667
120k
Become a Pro
speakerdeck
PRO
29
5.4k
Speed Design
sergeychernyshev
32
1k
How to train your dragon (web standard)
notwaldorf
96
6.1k
VelocityConf: Rendering Performance Case Studies
addyosmani
332
24k
Designing Experiences People Love
moore
142
24k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None