Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.”
Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );          // report notices, warnings and deprecated calls
define( 'WP_DEBUG_DISPLAY', false ); // but do not print them into the page output
define( 'WP_DEBUG_LOG', true );      // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );      // load the unminified core JS/CSS
define( 'WP_CACHE', false );         // keep the advanced-cache drop-in out of the way while developing
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
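The two slides above give the rule (sanitize on the way in, escape on the way out) and the function names, but not how they fit together. The following is an added example, not code from the talk: a settings handler that picks the sanitizer matching the type of each field, and a renderer that picks the escape function matching each output context. The `wcmke_` prefix, option name and field names are hypothetical placeholders.

```php
<?php
// Added example (not from the slides). "wcmke_" prefix and option name are placeholders.

/**
 * Sanitize on input: each value goes through the sanitizer that matches the data
 * we expect, so nothing is stored raw. The sanitizer is chosen by type, not by
 * where the data came from.
 */
function wcmke_save_settings( array $post ) {
	// wp_kses() keeps only the tags/attributes in this whitelist and drops everything else.
	$allowed_bio_html = array(
		'a'      => array( 'href' => array(), 'title' => array() ),
		'em'     => array(),
		'strong' => array(),
	);

	$clean = array(
		'per_page'  => absint( $post['per_page'] ?? 10 ),               // non-negative integer only
		'heading'   => sanitize_text_field( $post['heading'] ?? '' ),    // strips tags, line breaks, extra whitespace
		'contact'   => sanitize_email( $post['contact'] ?? '' ),         // '' when the value is not a valid address
		'css_class' => sanitize_html_class( $post['css_class'] ?? '' ),  // only A-Z a-z 0-9 _ -
		'slug'      => sanitize_title( $post['slug'] ?? '' ),            // URL-safe slug
		'bio'       => wp_kses( $post['bio'] ?? '', $allowed_bio_html ), // limited, whitelisted HTML
	);

	update_option( 'wcmke_settings', $clean );
	return $clean;
}

/**
 * Escape on output. Sanitizing at save time does not make a value safe to print:
 * the escape function has to match the context the value lands in (HTML body,
 * attribute, URL, textarea). Note that the same stored value may need a
 * different escaper in each place it is printed.
 */
function wcmke_render_settings() {
	$s = get_option( 'wcmke_settings', array() );
	?>
	<h2 class="<?php echo esc_attr( $s['css_class'] ?? '' ); ?>">
		<?php echo esc_html( $s['heading'] ?? '' ); ?>
	</h2>
	<a href="<?php echo esc_url( home_url( '/' . ( $s['slug'] ?? '' ) ) ); ?>">
		<?php echo esc_html( $s['contact'] ?? '' ); ?>
	</a>
	<textarea name="bio"><?php echo esc_textarea( $s['bio'] ?? '' ); ?></textarea>
	<p>Showing <?php echo (int) ( $s['per_page'] ?? 10 ); ?> items per page.</p>
	<?php
}
```

The point to take from the renderer is that `esc_html()`, `esc_attr()`, `esc_url()` and `esc_textarea()` are not interchangeable: a value that is safe inside an element's text is not necessarily safe inside an attribute or an `href`, so the escaper is chosen at each `echo`, as late as possible.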
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
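The slide names the three `$wpdb` methods that keep user input out of the SQL string. As an added example, not from the talk, here is a concatenated query next to its prepared form, plus `insert()`/`update()` with their format arrays and a `LIKE` search, which needs one extra step. The table name and columns are hypothetical placeholders.

```php
<?php
// Added example (not from the slides). Table "{prefix}wcmke_log" and its columns are placeholders.

// Defect being avoided: the value is concatenated straight into the SQL, so any
// quote character in $email changes the query. Kept here only as the "before".
function wcmke_find_unsafe( $email ) {
	global $wpdb;
	$table = $wpdb->prefix . 'wcmke_log';
	return $wpdb->get_results( "SELECT * FROM {$table} WHERE email = '{$email}'" );
}

// Safe: prepare() takes sprintf-style placeholders (%s, %d, %f) and escapes the
// values. Table names cannot be placeholders; build them from $wpdb->prefix only.
function wcmke_find( $email ) {
	global $wpdb;
	$table = $wpdb->prefix . 'wcmke_log';
	return $wpdb->get_results(
		$wpdb->prepare( "SELECT * FROM {$table} WHERE email = %s", $email )
	);
}

// LIKE needs two steps: esc_like() neutralises % and _ in the user's text, then
// prepare() quotes the whole pattern.
function wcmke_search( $fragment ) {
	global $wpdb;
	$table = $wpdb->prefix . 'wcmke_log';
	$like  = '%' . $wpdb->esc_like( $fragment ) . '%';
	return $wpdb->get_results(
		$wpdb->prepare( "SELECT * FROM {$table} WHERE email LIKE %s", $like )
	);
}

// insert()/update() take arrays and escape for you. The format arrays say which
// columns are strings (%s) and which are integers (%d), so a non-numeric "hits"
// becomes 0 instead of reaching the query as text.
function wcmke_log_insert( $email, $hits ) {
	global $wpdb;
	$wpdb->insert(
		$wpdb->prefix . 'wcmke_log',
		array( 'email' => $email, 'hits' => $hits ),
		array( '%s', '%d' )
	);
	return $wpdb->insert_id;
}

function wcmke_log_update( $id, $hits ) {
	global $wpdb;
	return $wpdb->update(
		$wpdb->prefix . 'wcmke_log',
		array( 'hits' => $hits ), // SET
		array( 'id'   => $id ),   // WHERE
		array( '%d' ),            // SET formats
		array( '%d' )             // WHERE formats
	);
}
```

`prepare()` only protects values; column names, table names and `ORDER BY` clauses still have to come from a fixed list in your code (the slides' `sanitize_sql_orderby()` exists for the last of these).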
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
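The slide's advice is to go through the WordPress HTTP API rather than calling `curl_*` directly: the API picks a transport that exists on the host, honours the site's proxy and `http_request_args` filters, and verifies TLS certificates by default. As an added example, not from the talk, here is a fetch-and-parse with the error handling those calls need. The endpoint URL and the `wcmke_` prefix are placeholders.

```php
<?php
// Added example (not from the slides). URL and function prefix are placeholders.

function wcmke_fetch_status( $url = 'https://example.com/api/status' ) {
	$response = wp_remote_get( $url, array(
		'timeout'     => 5,    // do not let a slow remote hang page loads
		'redirection' => 2,    // follow at most two redirects
		'sslverify'   => true, // the default; disabling it to silence certificate errors removes the TLS guarantee
		'headers'     => array( 'Accept' => 'application/json' ),
	) );

	// Transport failures (DNS, TLS, timeout) come back as WP_Error, not exceptions.
	if ( is_wp_error( $response ) ) {
		return $response;
	}

	// A 200 is not guaranteed; check the status before trusting the body.
	$code = wp_remote_retrieve_response_code( $response );
	if ( 200 !== $code ) {
		return new WP_Error( 'wcmke_http', 'Unexpected HTTP status', array( 'status' => $code ) );
	}

	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $data ) ) {
		return new WP_Error( 'wcmke_json', 'Response body was not a JSON object' );
	}

	// The remote is still an untrusted source: sanitize before storing, escape before printing.
	return $data;
}

// POST with a JSON body. wp_remote_request() takes a 'method' argument for
// other verbs (PUT, DELETE, ...) with the same options and return shape.
function wcmke_push_event( $url, array $event ) {
	$response = wp_remote_post( $url, array(
		'timeout' => 5,
		'headers' => array( 'Content-Type' => 'application/json' ),
		'body'    => wp_json_encode( $event ),
	) );
	return is_wp_error( $response ) ? $response : wp_remote_retrieve_response_code( $response );
}
```

If the remote value is shown on every page load, wrap the fetch in a transient (`get_transient()` / `set_transient()`) so one slow or failing upstream cannot take the site down with it.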
Check capabilities & roles
current_user_can();
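The nonce slide and the capabilities slide are two halves of one check: `current_user_can()` answers "may this user do this at all?" and the nonce answers "did this request come from a form or link we issued to that user?". Neither replaces the other. As an added example, not from the talk, here is an admin action wired up both ways (a form post and an AJAX call) using the functions from both slides. The action names, option names and the `wcmke_` prefix are placeholders.

```php
<?php
// Added example (not from the slides). Action/option names and prefix are placeholders.

function wcmke_render_reset_form() {
	// Hide the control from users who could not perform the action anyway.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}
	?>
	<form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
		<input type="hidden" name="action" value="wcmke_reset" />
		<?php wp_nonce_field( 'wcmke_reset_action', 'wcmke_reset_nonce' ); ?>
		<?php submit_button( 'Reset counters' ); ?>
	</form>
	<?php
	// The same nonce can ride on a link, e.g. a row action in a list table.
	$url = wp_nonce_url(
		admin_url( 'admin-post.php?action=wcmke_reset' ),
		'wcmke_reset_action',
		'wcmke_reset_nonce'
	);
	echo '<a href="' . esc_url( $url ) . '">Reset via link</a>';
}

// admin_post_{action} fires for any logged-in user; being logged in is not authorisation.
add_action( 'admin_post_wcmke_reset', 'wcmke_handle_reset' );
function wcmke_handle_reset() {
	// 1. Capability: is this user allowed to do this?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
	}
	// 2. Nonce: was the request produced by our form/link for this user?
	//    check_admin_referer() calls wp_die() itself when the nonce is missing or stale.
	check_admin_referer( 'wcmke_reset_action', 'wcmke_reset_nonce' );

	delete_option( 'wcmke_counters' );
	wp_safe_redirect( add_query_arg( 'reset', '1', admin_url( 'options-general.php' ) ) );
	exit;
}

// For JavaScript callers the nonce is minted with wp_create_nonce() and handed to the script.
add_action( 'admin_enqueue_scripts', 'wcmke_enqueue_admin_js' );
function wcmke_enqueue_admin_js() {
	wp_enqueue_script( 'wcmke-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'wcmke-admin', 'wcmkeAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'wcmke_reset_action' ),
	) );
}

// AJAX handler: a wp_die() HTML page is the wrong response here, so verify with
// wp_verify_nonce() and answer with a JSON status instead.
add_action( 'wp_ajax_wcmke_reset', 'wcmke_ajax_reset' );
function wcmke_ajax_reset() {
	$nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nonce'] ) ) : '';
	if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $nonce, 'wcmke_reset_action' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	delete_option( 'wcmke_counters' );
	wp_send_json_success();
}
```

Do the capability check first and the nonce check second: a nonce is tied to a user and an action, so it proves the request's origin, but it says nothing about whether that user should be allowed to perform the action.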
Use native functions
A story about TimThumb
Questions?