Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
100
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
530
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
140
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
240
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
330
WordCamp Baltimore - Let's Get Sassy!
bradp
2
310
Starter Themes for Appleton WordPress Meetup
bradp
1
100
#WCGR - Getting SASSy
bradp
4
240
#WCPVD - Getting SASSy
bradp
2
240
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
130
Other Decks in Technology
See All in Technology
急成長中のWINTICKETにおける品質と開発スピードと向き合ったQA戦略と今後の展望 / winticket-autify
cyberagentdevelopers
PRO
1
120
独自ツール開発でスタジオ撮影をDX!「VLS(Virtual LED Studio)」 / dx-studio-vls
cyberagentdevelopers
PRO
0
110
【LT】ソフトウェア産業は進化しているのか? -Javaの想い出とともに- #jjug_ccc
takabow
0
150
クライアントサイドでよく使われる Debounce処理 をサーバサイドで3回実装した話
yoshiori
1
130
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
190
新卒1年目が挑む!生成AI × マルチエージェントで実現する次世代オンボーディング / operation-ai-onboarding
cyberagentdevelopers
PRO
0
100
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
1
540
リファクタリングへの耐性が高いモデルベースの統合テストの紹介 / Model-Base Integration Test for Refactoring
yuitosato
5
1.5k
日経ビジュアルデータにおける スクロールテリングと地図/nikkei-tech-talk-26
nikkei_engineer_recruiting
0
160
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
1
130
分布で見る効果検証入門 / ai-distributional-effect
cyberagentdevelopers
PRO
2
550
TinyMLの技術動向
kyotomon
2
260
Featured
See All Featured
Gamification - CAS2011
davidbonilla
80
5k
Measuring & Analyzing Core Web Vitals
bluesmoon
0
29
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
328
21k
Adopting Sorbet at Scale
ufuk
73
9k
Become a Pro
speakerdeck
PRO
24
4.9k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
For a Future-Friendly Web
brad_frost
174
9.4k
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
59k
Rails Girls Zürich Keynote
gr2m
93
13k
Making Projects Easy
brettharned
115
5.9k
Statistics for Hackers
jakevdp
796
220k
How GitHub (no longer) Works
holman
311
140k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None