Plugin Security

Transcript

1. Security for Your Plugins

2. I’m Brad Parbs.

3. Nathan, you should watch Band of Brothers.

4. Let’s talk about what sucks in WordPress.

5. None
6. None

7. “20% of the 50 most popular WordPress plugins are vulnerable

   to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company

8. Things that happen when your stuff isn’t secure.

9. None

10. How do we make sure this doesn’t happen?

11. Always develop with debugging ON

12. define(  'WP_DEBUG',  true  );   define(  'WP_DEBUG_DISPLAY',  false  );  

    define(  'WP_DEBUG_LOG',  true  );   define(  'SCRIPT_DEBUG',  true  );   define(  'WP_CACHE',  false  );

13. Sanitize all the things

14. intval();   absint();

15. wp_kses();

16. sanitize_title();

17. sanitize_email()   sanitize_file_name()   sanitize_html_class()   sanitize_key()   sanitize_meta()  

    sanitize_mime_type()   sanitize_option()   sanitize_sql_orderby()   sanitize_post_field()   sanitize_text_field()   sanitize_title()   sanitize_title_for_query()   sanitize_title_with_dashes()   sanitize_user()

18. Escape all the things

19. esc_html();

20. esc_textarea();

21. esc_attr();

22. esc_url();

23. http://codex.wordpress.org/Data_Validation

24. Database Queries

25. $wpdb-­‐>insert();

26. $wpdb-­‐>update();

27. $wpdb-­‐>prepare();

28. Nonces

29. wp_nonce_url();

30. wp_nonce_field();

31. wp_create_nonce();

32. check_admin_referer();

33. wp_verify_nonce();

34. Remote Data

35. CURL is bad.

36. For real, CURL is bad.

37. wp_remote_get();

38. wp_remote_post();

39. wp_remote_request();

40. Check capabilities & roles

41. current_user_can();

42. Use native functions

43. A story about TimThumb

44. Questions?

45. None