Plugin Security

July 26, 2014

160

Plugin Security

Brad Parbs

July 26, 2014

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

710

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

190

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

330

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

430

WordCamp Baltimore - Let's Get Sassy!

2

520

Starter Themes for Appleton WordPress Meetup

1

190

#WCGR - Getting SASSy

4

300

#WCPVD - Getting SASSy

2

290

WordCamp Chicago 2013 - Template Hiearchy

1

180

Other Decks in Technology

See All in Technology

エムスリーテクノロジーズ株式会社エンジニア向け紹介資料 / M3 Technologies Company Deck

0

170

（きっとたぶん）人材育成や教育のような何かの話

0

750

AIエージェントの支払い基盤　AgentCore Payments概要

2

200

AI対話分析の夢と、汚いデータの現実 Looker / Dataplex / Dataform で実現する品質ファーストな基盤設計

0

590

How to learn AWS Well-Architected with AWS BuilderCards: Security Edition

PRO

0

150

Purview 勉強会報告 Microsoft Purview 入門しようとしてみた

1

440

サンプリングは「作る」のか「使う」のか？分散トレースのコストと運用を両立する実践的戦略 / Why you need the tail sampling and why you don't want it

4

180

Gaussian Splattingの実用化 - 映像制作への展開

gpuunite_official

0

200

100マイクロサービスのTerraform/Kubernetes管理地獄から抜け出すためのAI活用術

0

160

R&D 祭 2024 UE5で絵コンテ・作画の制作支援ツールをつくる話

PRO

0

170

毎日の作業を Claude Code 経由にしたら、ノウハウがコードになった

1

1.4k

Sociotechnical Architecture Reviews: Understanding Teams, not just Artefacts

1

180

Featured

See All Featured

Efficient Content Optimization with Google Search Console & Apps Script

PRO

1

550

Chrome DevTools: State of the Union 2024 - Debugging React & Beyond

10

1.2k

Technical Leadership for Architectural Decision Making

3

360

Put a Button on it: Removing Barriers to Going Fast.

60

4.3k

Color Theory Basics | Prateek | Gurzu

0

310

Exploring the relationship between traditional SERPs and Gen AI search

raygrieselhuber

PRO

2

4k

世界の人気アプリ100個を分析して見えたペイウォール設計の心得

PRO

70

39k

Building a A Zero-Code AI SEO Workflow

PRO

0

520

Agile Actions for Facilitating Distributed Teams - ADO2019

0

190

Git: the NoSQL Database

PRO

432

67k

Public Speaking Without Barfing On Your Shoes - THAT 2023

1

390

Applied NLP in the Age of Generative AI

PRO

4

2.2k

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None