Plugin Security
Brad Parbs
July 26, 2014
Technology
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );          // surface notices, warnings and deprecated calls
define( 'WP_DEBUG_DISPLAY', false ); // but never print them into the page
define( 'WP_DEBUG_LOG', true );      // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );      // load the unminified core JS/CSS so errors are readable
define( 'WP_CACHE', false );         // no page cache hiding the effect of your changes
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
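The two slides above are the two halves of one rule: sanitize on the way in, escape on the way out, choosing the function that matches the context. As an added example (not code from the deck), here is a plugin settings screen that does both. The option name `myplugin_settings`, the field names and the allowed-tag list are assumptions for illustration.

```php
<?php
// Added example, not from the deck: a settings screen that sanitizes on the way
// in and escapes on the way out. The option name 'myplugin_settings', the field
// names and the allowed-tag list are assumptions for illustration.

// Whitelist of HTML the "footer note" field may contain; everything else is stripped.
function myplugin_allowed_tags() {
	return array(
		'a'      => array( 'href' => array(), 'title' => array() ),
		'strong' => array(),
		'em'     => array(),
	);
}

// Sanitize callback: every value passes through here before it reaches the options table.
function myplugin_sanitize_settings( $input ) {
	$input = is_array( $input ) ? $input : array();
	$clean = array();
	$clean['items_per_page'] = absint( $input['items_per_page'] ?? 10 );         // non-negative int
	$clean['contact_email']  = sanitize_email( $input['contact_email'] ?? '' );   // drops illegal chars
	$clean['site_label']     = sanitize_text_field( $input['site_label'] ?? '' ); // strips tags, trims, no newlines
	$clean['css_class']      = sanitize_html_class( $input['css_class'] ?? '' );  // A-Za-z0-9_- only
	$clean['footer_note']    = wp_kses( $input['footer_note'] ?? '', myplugin_allowed_tags() );
	return $clean;
}

// The three-argument form of register_setting() works on old and new WordPress alike.
add_action( 'admin_init', function () {
	register_setting( 'myplugin', 'myplugin_settings', 'myplugin_sanitize_settings' );
} );

// Output: a stored value is untrusted again the moment it comes back out of the
// database, so escape it for the context it lands in (attribute, text, textarea, URL).
function myplugin_render_settings() {
	$opt = wp_parse_args( get_option( 'myplugin_settings', array() ), myplugin_sanitize_settings( array() ) );

	// Vulnerable pattern the deck warns against: a stored value echoed raw (stored XSS).
	// echo '<input name="site_label" value="' . $opt['site_label'] . '">';

	echo '<input type="text" name="myplugin_settings[site_label]" value="' . esc_attr( $opt['site_label'] ) . '">';
	echo '<input type="number" name="myplugin_settings[items_per_page]" value="' . esc_attr( $opt['items_per_page'] ) . '">';
	echo '<textarea name="myplugin_settings[footer_note]">' . esc_textarea( $opt['footer_note'] ) . '</textarea>';
	echo '<div class="' . esc_attr( $opt['css_class'] ) . '">' . esc_html( $opt['site_label'] ) . '</div>';
	echo '<a href="' . esc_url( 'mailto:' . $opt['contact_email'] ) . '">' . esc_html( $opt['contact_email'] ) . '</a>';

	// footer_note was whitelisted on input; run wp_kses() again on output so a value
	// written by some other code path is still held to the same whitelist.
	echo wp_kses( $opt['footer_note'], myplugin_allowed_tags() );
}
```

The escaper is chosen by destination, not by data type: the same `site_label` goes through `esc_attr()` inside a tag attribute and `esc_html()` as text. Sanitizing on input does not remove the need to escape on output, because the database can be written by other plugins, imports or direct SQL.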
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
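As an added example (not code from the deck), the three `$wpdb` methods above in use, beside the concatenated query they replace. The table `{prefix}myplugin_log`, its columns and the request parameters are assumptions for illustration; it also covers the two cases `prepare()` cannot bind on its own, `LIKE` patterns and `ORDER BY` identifiers.

```php
<?php
// Added example, not from the deck. The table '{prefix}myplugin_log', its columns and
// the parameters passed in are assumptions for illustration.

// Vulnerable: request data concatenated straight into SQL (classic injection).
function myplugin_log_for_user_unsafe( $user ) {
	global $wpdb;
	return $wpdb->get_results( "SELECT id, message FROM {$wpdb->prefix}myplugin_log WHERE user_id = " . $user );
}

// Hardened: values are bound with prepare(); %d casts to int, %s is quoted and escaped.
function myplugin_log_for_user( $user, $status, $orderby = 'id', $order = 'ASC', $search = '' ) {
	global $wpdb;
	$table = $wpdb->prefix . 'myplugin_log';

	// Identifiers cannot be bound as values, so ORDER BY is whitelisted, not prepared.
	$allowed_cols = array( 'id', 'created', 'user_id' );
	$orderby = in_array( $orderby, $allowed_cols, true ) ? $orderby : 'id';
	$order   = ( 'DESC' === strtoupper( $order ) ) ? 'DESC' : 'ASC';

	$sql  = "SELECT id, message, created FROM {$table} WHERE user_id = %d AND status = %s";
	$args = array( absint( $user ), sanitize_key( $status ) );

	if ( '' !== $search ) {
		// esc_like() escapes % and _ inside the user's text; the wildcards around it are ours.
		$sql   .= ' AND message LIKE %s';
		$args[] = '%' . $wpdb->esc_like( $search ) . '%';
	}

	$sql   .= " ORDER BY {$orderby} {$order} LIMIT %d";
	$args[] = 50;

	return $wpdb->get_results( $wpdb->prepare( $sql, $args ) );
}

// insert()/update() build the SQL for you; the format arrays pin each column's type.
function myplugin_log_add( $user, $message ) {
	global $wpdb;
	$ok = $wpdb->insert(
		$wpdb->prefix . 'myplugin_log',
		array( 'user_id' => absint( $user ), 'message' => sanitize_text_field( $message ), 'status' => 'new' ),
		array( '%d', '%s', '%s' )
	);
	return $ok ? (int) $wpdb->insert_id : 0;
}

function myplugin_log_mark_read( $id ) {
	global $wpdb;
	return $wpdb->update(
		$wpdb->prefix . 'myplugin_log',
		array( 'status' => 'read' ),    // SET
		array( 'id' => absint( $id ) ), // WHERE
		array( '%s' ),
		array( '%d' )
	);
}
```

`sanitize_sql_orderby()` from the sanitize list checks that a string has the shape of an ORDER BY clause (`col ASC, col2 DESC`); it does not check that the columns exist or that the caller may sort by them, so a column whitelist like the one above is still needed.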
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
Calling cURL (or file_get_contents) directly is bad.
For real, it is bad: the WP HTTP API picks the available transport, honours the site's proxy settings and verifies TLS certificates for you.
wp_remote_get();
wp_remote_post();
wp_remote_request();
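As an added example (not code from the deck), a fetch through `wp_remote_get()` that handles the two failure modes people forget, a transport error returned as `WP_Error` and a non-200 status that is not an error object, and treats the remote body as untrusted input. The endpoint URL, transient key and JSON shape are assumptions for illustration.

```php
<?php
// Added example, not from the deck. The endpoint URL, the transient key and the
// JSON shape are assumptions for illustration.
function myplugin_fetch_feed() {
	$cached = get_transient( 'myplugin_feed' );
	if ( false !== $cached ) {
		return $cached;
	}

	$response = wp_remote_get( 'https://example.com/api/feed.json', array(
		'timeout'             => 5,           // a slow remote must not hang every page load
		'sslverify'           => true,        // the default; never turn it off to "fix" cert errors
		'limit_response_size' => 1024 * 1024, // 1 MiB cap on what we will buffer
		'headers'             => array( 'Accept' => 'application/json' ),
	) );

	// Transport failures (DNS, TLS, timeout) come back as WP_Error, not as an exception.
	if ( is_wp_error( $response ) ) {
		error_log( 'myplugin feed: ' . $response->get_error_message() );
		return array();
	}

	// An HTTP 4xx/5xx is not a WP_Error; check the status code explicitly.
	if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return array();
	}

	$data = json_decode( wp_remote_retrieve_body( $response ), true );
	if ( ! is_array( $data ) ) {
		return array();
	}

	// The remote payload is untrusted input like any other: sanitize before storing.
	$items = array();
	foreach ( $data as $item ) {
		$items[] = array(
			'title' => sanitize_text_field( $item['title'] ?? '' ),
			'url'   => esc_url_raw( $item['url'] ?? '' ),
		);
	}
	set_transient( 'myplugin_feed', $items, HOUR_IN_SECONDS );
	return $items;
}

// POST goes through the same API; a 'body' array is form-encoded for you.
function myplugin_report_event( $event ) {
	$response = wp_remote_post( 'https://example.com/api/events', array(
		'timeout' => 5,
		'body'    => array( 'event' => sanitize_key( $event ), 'site' => home_url() ),
	) );
	return ! is_wp_error( $response ) && 200 === (int) wp_remote_retrieve_response_code( $response );
}
```

The transient keeps a flaky or slow remote from being hit on every request; the timeout and response-size cap bound what a hostile remote can do to your page load.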
Check capabilities & roles
current_user_can();
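The nonce slide and the capability slide belong together: a nonce proves the request came from a page you rendered for this user, a capability check proves the user is allowed to do the thing, and an action handler needs both. As an added example (not code from the deck), here is one admin action done each way the deck lists, a nonced link checked with `check_admin_referer()` and a nonced form checked with `wp_verify_nonce()`. The action names, the capability used and `myplugin_delete_item()` are assumptions for illustration.

```php
<?php
// Added example, not from the deck: admin actions protected by a nonce (CSRF) and a
// capability check (authorization). The action names, the capability and
// myplugin_delete_item() are assumptions for illustration.

// Building the link: wp_nonce_url() appends a _wpnonce tied to this action and item id.
function myplugin_delete_link( $item_id ) {
	$url = add_query_arg(
		array( 'action' => 'myplugin_delete', 'item' => absint( $item_id ) ),
		admin_url( 'admin-post.php' )
	);
	return wp_nonce_url( $url, 'myplugin_delete_' . absint( $item_id ) );
}

// Handling it: admin_post_{action} only fires for logged-in users.
add_action( 'admin_post_myplugin_delete', 'myplugin_handle_delete' );
function myplugin_handle_delete() {
	$item_id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;

	// 1. CSRF: the nonce must match action + item id. check_admin_referer() dies if not.
	check_admin_referer( 'myplugin_delete_' . $item_id );

	// 2. Authorization: a valid nonce proves the click came from our own page, not that
	//    this user may delete anything. Check a capability, never a role name.
	if ( ! current_user_can( 'delete_posts' ) ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'myplugin' ), 403 );
	}

	myplugin_delete_item( $item_id ); // assumed plugin function

	wp_safe_redirect( wp_get_referer() ?: admin_url() ); // safe: same-host redirects only
	exit;
}

// The form flavour: wp_nonce_field() in the markup, wp_verify_nonce() in the handler.
function myplugin_render_form() {
	echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
	echo '<input type="hidden" name="action" value="myplugin_save">';
	wp_nonce_field( 'myplugin_save', 'myplugin_nonce' );
	echo '<input type="text" name="label"><button>Save</button></form>';
}

add_action( 'admin_post_myplugin_save', function () {
	$nonce = isset( $_POST['myplugin_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['myplugin_nonce'] ) ) : '';
	// wp_verify_nonce() returns false, 1 (under 12 h old) or 2 (12-24 h old) instead of dying.
	if ( ! wp_verify_nonce( $nonce, 'myplugin_save' ) || ! current_user_can( 'manage_options' ) ) {
		wp_die( esc_html__( 'Invalid request.', 'myplugin' ), 403 );
	}
	update_option( 'myplugin_label', sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ) );
	wp_safe_redirect( wp_get_referer() ?: admin_url() );
	exit;
} );
```

Binding the item id into the nonce action (`myplugin_delete_42`) means a nonce leaked for one item cannot be replayed against another. Nonces are per user and expire within a day, but they are not a permission system, which is why the capability check stays even after the nonce passes.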
Use native functions
A story about TimThumb
Questions?