Plugin Security

July 26, 2014

160

Plugin Security

Brad Parbs

July 26, 2014

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

710

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

190

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

330

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

420

WordCamp Baltimore - Let's Get Sassy!

2

520

Starter Themes for Appleton WordPress Meetup

1

190

#WCGR - Getting SASSy

4

300

#WCPVD - Getting SASSy

2

290

WordCamp Chicago 2013 - Template Hiearchy

1

180

Other Decks in Technology

See All in Technology

AIはハッカーを減らすのか、増やすのか？──現役ホワイトハッカーから見るAI時代のリアル【MEGU-Meet】

PRO

0

240

AgentCore Managed Harness を使ってみよう

2

290

Practical TypeProf: Lessons from Analyzing Optcarrot

1

1.6k

基盤を育てる外部SaaS連携の運用

gamonges_dresscode

1

130

Building a Study Buddy AI Agent from Scratch: From Passive Chatbots to Autonomous Systems

0

110

QAエンジニアはどうやってプロダクト議論の場に入れるのか？

0

220

Google Cloud Next '26 の裏でこっそりリリースされたCloud Number Registry & Cloud Hub コスト分析を試してみた

0

140

Microsoft 365 / Microsoft 365 Copilot : 自分の状態を確認する「ラベル」について

0

430

Cortex Codeのコスト見積ヒントご紹介

0

130

The 7 pitfalls of AI

0

160

AIと乗り切った1,500ページ超のヘルプサイト基盤刷新とさらにその先の話

1

210

拝啓、あの夏の僕へ〜あなたも知っているApp Runnerの世界〜

0

160

Featured

See All Featured

Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum

0

500

Claude Code どこまでも/ Claude Code Everywhere

65

55k

Performance Is Good for Brains [We Love Speed 2024]

12

1.6k

The AI Search Optimization Roadmap by Aleyda Solis

1

5.7k

Mozcon NYC 2025: Stop Losing SEO Traffic

0

220

How People are Using Generative and Agentic AI to Supercharge Their Products, Projects, Services and Value Streams Today

1

170

Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS

0

320

Ten Tips & Tricks for a 🌱 transition

0

110

Product Roadmaps are Hard

PRO

55

12k

The Director’s Chair: Orchestrating AI for Truly Effective Learning

1

160

Design and Strategy: How to Deal with People Who Don’t "Get" Design

133

19k

Practical Tips for Bootstrapping Information Extraction Pipelines

25

1.9k

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None