Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
110
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
600
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
150
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
280
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
360
WordCamp Baltimore - Let's Get Sassy!
bradp
2
380
Starter Themes for Appleton WordPress Meetup
bradp
1
140
#WCGR - Getting SASSy
bradp
4
250
#WCPVD - Getting SASSy
bradp
2
260
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
140
Other Decks in Technology
See All in Technology
地に足の付いた現実的な技術選定から魔力のある体験を得る『AIレシート読み取り機能』のケーススタディ / From Grounded Tech Choices to Magical UX: A Case Study of AI Receipt Scanning
moznion
5
1.7k
水耕栽培に全部賭けろ
mutsumix
0
110
MagicPodが描くAIエージェント戦略とソフトウェアテストの未来
magicpod
0
250
2025年8月から始まるAWS Lambda INITフェーズ課金/AWS Lambda INIT phase billing changes
quiver
1
1.1k
Developer 以外にこそ使って欲しい Amazon Q Developer
mita
0
150
経済メディア編集部の実務に小さく刺さるAI / small-ai-with-editorial
nkzn
2
430
Part1 GitHubってなんだろう?その2
tomokusaba
2
790
250510 StepFunctionのテスト自動化始めました vol.1
east_takumi
1
250
ソフトウェアテスト 最初の一歩 〜テスト設計技法をワークで体験しながら学ぶ〜 #JaSSTTokyo / SoftwareTestingFirstStep
nihonbuson
PRO
2
160
Pythonデータ分析実践試験 出題傾向や学習のポイントとテクニカルハイライト
terapyon
1
160
使えるデータ基盤を作る技術選定の秘訣 / selecting-the-right-data-technology
pei0804
9
1.5k
Docker Compose で手軽に手元環境を実現する / Simplifying Local Environments with Docker Compose #CinemaDeLT
nabeo
0
210
Featured
See All Featured
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.2k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
41
2.3k
It's Worth the Effort
3n
184
28k
Rebuilding a faster, lazier Slack
samanthasiow
81
9k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Practical Orchestrator
shlominoach
187
11k
BBQ
matthewcrist
88
9.6k
Side Projects
sachag
453
42k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.2k
Site-Speed That Sticks
csswizardry
6
540
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None