Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.”
Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON (in wp-config.php, on your development site)
define( 'WP_DEBUG', true );           // report every notice, warning and deprecated call
define( 'WP_DEBUG_DISPLAY', false );  // but do not print them into the page
define( 'WP_DEBUG_LOG', true );       // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );       // load the unminified core scripts and styles
define( 'WP_CACHE', false );          // no caching, so every change is visible at once
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
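The two slides above are the two halves of one rule: sanitize data when it comes in, escape it when it goes out, and pick the function by the type of data or the HTML context. The following is an added example, not code from the deck: a settings page for a hypothetical plugin (the `myplugin_` prefix, option name and field names are made up) that runs every field through the matching sanitizer on save and the matching escaper on output. It also uses `esc_url_raw()` and `wp_parse_args()`, which the deck does not list, to store a URL and to fill in defaults.

```php
<?php
/**
 * Added example, not from the deck: sanitize on the way in, escape on the way out.
 * Assumes it runs inside a WordPress plugin (sanitize_*, esc_* and wp_kses are
 * WordPress core). The "myplugin_" prefix, option name and fields are hypothetical.
 */

// The HTML subset one field is allowed to contain. Anything else is stripped.
function myplugin_allowed_html() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
}

// SANITIZE: runs on every save via register_setting(). Pick the function that
// matches the kind of data the field is supposed to hold.
function myplugin_sanitize_settings( $input ) {
    $input = (array) $input;
    $clean = array();

    // Non-negative whole number only.
    $clean['items_per_page'] = absint( $input['items_per_page'] ?? 10 );

    // Single line of text: strips tags, invalid UTF-8 and surrounding whitespace.
    $clean['heading'] = sanitize_text_field( $input['heading'] ?? '' );

    // Email address, or '' if nothing valid remains.
    $clean['contact_email'] = sanitize_email( $input['contact_email'] ?? '' );

    // URL for storage: esc_url_raw() drops disallowed schemes such as javascript:.
    $clean['link'] = esc_url_raw( $input['link'] ?? '' );

    // Limited HTML: only the tags and attributes listed above survive.
    $clean['footer_html'] = wp_kses( $input['footer_html'] ?? '', myplugin_allowed_html() );

    // Slug used as an array key / CSS suffix: lowercase a-z, 0-9, '_' and '-' only.
    $clean['mode'] = sanitize_key( $input['mode'] ?? 'default' );

    return $clean;
}

add_action( 'admin_init', function () {
    register_setting( 'myplugin', 'myplugin_options', 'myplugin_sanitize_settings' );
} );

// ESCAPE: as late as possible, at the echo, with the escaper for the HTML context.
// Sanitized storage does not make output safe: another code path may have written
// the option, and the same string needs different escaping in different places.
function myplugin_render_settings() {
    $o = wp_parse_args( get_option( 'myplugin_options', array() ), array(
        'items_per_page' => 10, 'heading' => '', 'contact_email' => '',
        'link' => '', 'footer_html' => '', 'mode' => 'default',
    ) );
    ?>
    <h2><?php echo esc_html( $o['heading'] ); ?></h2>

    <input type="text" name="myplugin_options[heading]"
           value="<?php echo esc_attr( $o['heading'] ); ?>">

    <input type="number" name="myplugin_options[items_per_page]"
           value="<?php echo absint( $o['items_per_page'] ); ?>">

    <input type="email" name="myplugin_options[contact_email]"
           value="<?php echo esc_attr( $o['contact_email'] ); ?>">

    <a href="<?php echo esc_url( $o['link'] ); ?>">Visit</a>

    <textarea name="myplugin_options[footer_html]"><?php
        echo esc_textarea( $o['footer_html'] );
    ?></textarea>

    <div class="<?php echo esc_attr( sanitize_html_class( 'myplugin-mode-' . $o['mode'] ) ); ?>">
        <?php echo wp_kses( $o['footer_html'], myplugin_allowed_html() ); ?>
    </div>
    <?php
}
```

Note that the same `heading` value is escaped three different ways (`esc_html()` between tags, `esc_attr()` inside an attribute, `esc_textarea()` inside a textarea) and that `wp_kses()` runs again on output with the same allow-list it was saved with; escaping the HTML field with `esc_html()` would show the tags as text, which is the right failure mode if you are unsure.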
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
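What `$wpdb->prepare()` buys you is that the value never becomes part of the SQL text: `%d` is cast to an integer and `%s` is quoted and escaped for you. The block below is an added example, not from the deck, showing the concatenated query beside its prepared form, the two cases `prepare()` cannot cover on its own (`LIKE` wildcards and `ORDER BY`), and `insert()`/`update()` with format lists. The table `{prefix}myplugin_log` and its columns are hypothetical; `$wpdb->esc_like()` is a core method the deck does not mention.

```php
<?php
/**
 * Added example, not from the deck: parameterised queries through $wpdb.
 * Assumes WordPress is loaded; the myplugin_log table and columns are hypothetical.
 */

// VULNERABLE: the caller's value is pasted into the SQL. A $user_id of
//   1 OR 1=1
// returns every row; with quotes in play it can do much worse.
function myplugin_get_log_unsafe( $user_id ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}myplugin_log WHERE user_id = $user_id"
    );
}

// SAFE: sprintf-style placeholders. %d casts to int, %s is quoted and escaped.
// Do not put quotes around the placeholders yourself; prepare() adds them.
function myplugin_get_log( $user_id, $action ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}myplugin_log WHERE user_id = %d AND action = %s",
        $user_id,
        $action
    ) );
}

// LIKE needs two steps: escape the % and _ wildcards in the user's text first,
// then add your own wildcards, then bind the whole thing as a string.
function myplugin_search_log( $needle ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}myplugin_log WHERE message LIKE %s",
        $like
    ) );
}

// ORDER BY cannot be a placeholder (prepare() would quote it into a string),
// so whitelist the column and direction, then run sanitize_sql_orderby() as
// a final check on the assembled clause.
function myplugin_get_log_ordered( $column, $direction ) {
    global $wpdb;
    if ( ! in_array( $column, array( 'id', 'created', 'user_id' ), true ) ) {
        $column = 'id';
    }
    $direction = ( 'ASC' === strtoupper( $direction ) ) ? 'ASC' : 'DESC';
    $orderby   = sanitize_sql_orderby( "$column $direction" ); // false if malformed
    if ( ! $orderby ) {
        $orderby = 'id DESC';
    }
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}myplugin_log ORDER BY $orderby"
    );
}

// insert()/update() take data arrays plus a format list per column, and escape
// every value for you. Returns the number of rows affected, or false on error.
function myplugin_log( $user_id, $action, $message ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'myplugin_log',
        array( 'user_id' => $user_id, 'action' => $action, 'message' => $message ),
        array( '%d', '%s', '%s' )
    );
}

function myplugin_mark_seen( $id ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'myplugin_log',
        array( 'seen' => 1 ),   // SET ...
        array( 'id' => $id ),   // WHERE ...
        array( '%d' ),          // format of the SET values
        array( '%d' )           // format of the WHERE values
    );
}
```

The table and column names are the one thing the placeholders cannot protect; they have to come from your own code, never from the request, which is why the `ORDER BY` case is handled with a whitelist rather than a sanitizer alone.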
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
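A nonce ties a request to a logged-in user and an action, so a form or link another site tricks the browser into submitting will not carry a valid one (CSRF). The following is an added example, not code from the deck, using the five functions listed above in one hypothetical plugin: the nonce is emitted as a hidden field and as a link parameter, checked with `check_admin_referer()` in an `admin-post.php` handler, and checked with `wp_verify_nonce()` in an AJAX handler so that it can fail with a JSON error instead of dying. The action name `myplugin_reset`, the nonce field name and the option are made up; `admin_url()`, `wp_localize_script()` and `wp_send_json_*()` are core functions not in the deck.

```php
<?php
/**
 * Added example, not from the deck: CSRF protection with nonces.
 * Assumes WordPress is loaded; the action name, field name and option are hypothetical.
 */

// 1. Emit the nonce with the form as a hidden field ...
function myplugin_render_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_reset">
        <?php wp_nonce_field( 'myplugin_reset', 'myplugin_nonce' ); ?>
        <button type="submit">Reset counters</button>
    </form>
    <?php
}

// ... or appended to a link. The third argument names the query parameter;
// it defaults to _wpnonce, which check_admin_referer() also expects by default.
function myplugin_reset_link() {
    $url = add_query_arg( 'action', 'myplugin_reset', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'myplugin_reset', 'myplugin_nonce' );
}

// ... or handed to JavaScript for an AJAX call.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'nonce' => wp_create_nonce( 'myplugin_reset' ),
    ) );
} );

// 2. Verify before doing anything. check_admin_referer() stops the request with
//    the "link has expired" screen when the nonce is missing, wrong or expired.
function myplugin_handle_reset() {
    // A nonce only proves intent, not authority: always check the capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'myplugin_reset', 'myplugin_nonce' );

    update_option( 'myplugin_counters', array() );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_reset', 'myplugin_handle_reset' );

// AJAX variant: wp_verify_nonce() returns false (or 1/2 for the current/previous
// tick), so the handler can answer with JSON instead of an HTML error page.
function myplugin_ajax_reset() {
    $nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset' ) || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Invalid request', 403 );
    }
    update_option( 'myplugin_counters', array() );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_reset', 'myplugin_ajax_reset' );
```

Two caveats worth remembering: a WordPress nonce is not single-use (it stays valid for up to 24 hours for that user and action), and it says nothing about whether the user is allowed to do the thing, which is why both handlers also call `current_user_can()`.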
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
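Calling cURL directly means your plugin decides for itself whether certificates are verified, whether the site's proxy settings apply, and what happens when the remote end hangs; the HTTP API behind `wp_remote_*()` makes those decisions consistently, returns errors as `WP_Error`, and can be filtered by the site owner. The block below is an added example, not from the deck, of fetching and caching a JSON document and of posting data. The feed URL, transient name and prefix are hypothetical; `wp_safe_remote_get()` (which is `wp_remote_get()` with `reject_unsafe_urls` turned on), the `wp_remote_retrieve_*()` helpers and the transients API are core functions the deck does not list.

```php
<?php
/**
 * Added example, not from the deck: remote data through the WordPress HTTP API.
 * Assumes WordPress is loaded; the URL, transient name and prefix are hypothetical.
 */
function myplugin_fetch_feed( $url ) {
    // wp_safe_remote_get() is wp_remote_get() with reject_unsafe_urls => true:
    // it refuses non-http(s) schemes and, by default, loopback and private
    // addresses, which matters when the URL ever comes from user input (SSRF).
    $response = wp_safe_remote_get( $url, array(
        'timeout'   => 10,    // default is 5 seconds; never unlimited
        'sslverify' => true,  // the default; do not set false to "fix" an SSL error
        'headers'   => array( 'Accept' => 'application/json' ),
    ) );

    // Transport failures (DNS, timeout, bad certificate, rejected URL) are WP_Error.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // A reply arrived; the status code still has to be checked separately.
    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'myplugin_http_' . $code, 'Unexpected HTTP status ' . $code );
    }

    // Treat the body as untrusted input: decode it and check the shape.
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'myplugin_bad_json', 'Response was not a JSON object' );
    }
    return $data;
}

// Cache the result so a slow or hostile upstream cannot stall every page load.
function myplugin_get_feed_cached( $url ) {
    $key  = 'myplugin_feed_' . md5( $url );
    $data = get_transient( $key );
    if ( false === $data ) {
        $data = myplugin_fetch_feed( $url );
        if ( ! is_wp_error( $data ) ) {
            set_transient( $key, $data, HOUR_IN_SECONDS );
        }
    }
    return $data;
}

// Sending data works the same way; an array 'body' is form-encoded for you.
function myplugin_post_report( $url, array $payload ) {
    $response = wp_remote_post( $url, array(
        'timeout' => 10,
        'body'    => $payload,
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_response_code( $response );
}
```

Whatever comes back is remote input: it goes through the same sanitize-on-input and escape-on-output treatment as a form field before it is stored or printed.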
Check capabilities & roles
current_user_can();
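`current_user_can()` takes a capability, not a role, and for object-level actions it also takes the object ID so that meta capabilities (`edit_post` on someone else's post resolves to `edit_others_posts`) are applied. The block below is an added example, not from the deck, showing the role check that should be avoided, the capability check that replaces it, and a plugin-specific capability that site owners can grant per role. The capability `myplugin_export_reports`, the menu page and the prefix are hypothetical; `get_role()`, `add_cap()`, `register_activation_hook()` and `add_management_page()` are core functions the deck does not list, and `__FILE__` assumes this code sits in the plugin's main file.

```php
<?php
/**
 * Added example, not from the deck: check capabilities, not roles.
 * Assumes WordPress is loaded and this is the plugin's main file;
 * the capability name, page slug and prefix are hypothetical.
 */

// AVOID: role names are not stable (sites rename them, other plugins add new
// ones) and a role check knows nothing about per-object permissions.
function myplugin_can_export_bad() {
    $user = wp_get_current_user();
    return in_array( 'administrator', (array) $user->roles, true );
}

// PREFER: ask for the capability the action needs. Passing the post ID lets
// WordPress map edit_post to edit_posts / edit_others_posts / edit_published_posts
// for this particular post and user.
function myplugin_can_edit_report( $post_id ) {
    return current_user_can( 'edit_post', $post_id );
}

// Give the plugin its own capability so the site owner can decide which roles
// get it. Capabilities are stored in the database, so add them once on activation.
function myplugin_add_caps() {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'myplugin_export_reports' );
        }
    }
}
register_activation_hook( __FILE__, 'myplugin_add_caps' );

// Menu pages take a capability too: WordPress hides the entry and refuses direct
// access to users without it. The callback still checks for itself, because the
// same function may be reached from elsewhere later.
add_action( 'admin_menu', function () {
    add_management_page(
        'Reports',                   // page title
        'Reports',                   // menu title
        'myplugin_export_reports',   // capability required
        'myplugin-reports',          // menu slug
        'myplugin_reports_page'      // callback
    );
} );

function myplugin_reports_page() {
    if ( ! current_user_can( 'myplugin_export_reports' ) ) {
        wp_die( 'You do not have permission to export reports.', '', array( 'response' => 403 ) );
    }
    echo '<h1>' . esc_html__( 'Reports', 'myplugin' ) . '</h1>';
}
```

The check belongs in every entry point that performs the action (the page callback, the `admin-post` handler, the AJAX handler), not only where the link is rendered; hiding a button is not an access control.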
Use native functions
A story about TimThumb
Questions?