Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
With WP_DEBUG_DISPLAY off and WP_DEBUG_LOG on, notices and warnings go to wp-content/debug.log instead of being printed into the page, so you still see them without leaking paths and query fragments to visitors.
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_post_field()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
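Added example, not from the deck: one sanitize callback that coerces every field of a hypothetical plugin settings array with the functions listed above. The option name, option group and field names are assumptions made up for the illustration.

```php
<?php
// Added example, not from the deck. bp_example_settings, bp_example_group and the
// field names are assumptions.

// Unsafe: whatever the browser sent is stored verbatim, including <script> in 'title'.
function bp_example_save_settings_unsafe() {
    update_option( 'bp_example_settings', $_POST['bp_example'] );
}

// Safe: each field is forced to the type and shape the plugin actually expects.
function bp_example_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Integers: absint() drops the sign and any non-digits; intval() would keep the sign.
    $clean['items_per_page'] = absint( $input['items_per_page'] ?? 10 );
    if ( 0 === $clean['items_per_page'] ) {
        $clean['items_per_page'] = 10; // "abc" and "-5" both land here
    }

    // Single-line text: tags, invalid UTF-8 octets and surrounding whitespace are removed.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // Email: anything that is not a valid address becomes the empty string.
    $clean['notify_email'] = sanitize_email( $input['notify_email'] ?? '' );

    // Slug: lowercase, dashes only, no HTML; safe in URLs and as a post_name.
    $clean['slug'] = sanitize_title( $input['slug'] ?? '' );

    // Limited HTML: wp_kses() strips every tag and attribute not in the allow-list
    // and removes javascript: URLs from the href it does allow.
    $allowed_html = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'br'     => array(),
    );
    $clean['footer_html'] = wp_kses( $input['footer_html'] ?? '', $allowed_html );

    // Fixed choice: sanitize_key() normalizes the string, an explicit whitelist decides.
    $layout          = sanitize_key( $input['layout'] ?? 'list' );
    $clean['layout'] = in_array( $layout, array( 'list', 'grid' ), true ) ? $layout : 'list';

    // Checkbox: store a real boolean, never the raw "on"/"1"/"yes" string.
    $clean['enabled'] = ! empty( $input['enabled'] );

    return $clean;
}

// Registering the callback makes WordPress run it on every save of this option,
// whether the value arrives through the Settings API form or a direct update_option().
add_action( 'admin_init', function () {
    register_setting( 'bp_example_group', 'bp_example_settings', 'bp_example_sanitize_settings' );
} );
```

The pattern to copy is the last field: for anything with a fixed set of valid values, sanitizing only normalizes the string; an explicit in_array() against the allowed values is what actually rejects garbage.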
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
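Added example, not from the deck: escaping stored settings at the moment they are printed, choosing the escaper by output context. The field names are assumptions, and the three attacker-style values at the bottom are constructed to show what each function neutralizes.

```php
<?php
// Added example, not from the deck. Field names are assumptions; inputs are constructed.

// Vulnerable: a stored title of   " autofocus onfocus="alert(1)   closes the attribute early.
function bp_example_title_field_unsafe( $title ) {
    return '<input type="text" name="bp_example[title]" value="' . $title . '">';
}

// Safe: pick the escaper that matches the context the value is printed into.
function bp_example_render_settings( array $settings ) {
    $title       = $settings['title'] ?? '';
    $footer_html = $settings['footer_html'] ?? '';
    $help_url    = $settings['help_url'] ?? '';
    $html        = '';

    // Attribute context: esc_attr() encodes quotes, <, > and &.
    $html .= '<input type="text" name="bp_example[title]" value="' . esc_attr( $title ) . '">';

    // Text node context: esc_html() makes the stored value display literally.
    $html .= '<p>' . esc_html( $title ) . '</p>';

    // <textarea> context: esc_textarea() encodes so a stored </textarea> cannot break out.
    $html .= '<textarea name="bp_example[footer_html]">' . esc_textarea( $footer_html ) . '</textarea>';

    // URL context: esc_url() returns '' for schemes outside wp_allowed_protocols()
    // (javascript:, data:) and percent-encodes what it keeps.
    $html .= '<a href="' . esc_url( $help_url ) . '">' . esc_html__( 'Help', 'bp-example' ) . '</a>';

    // Intentional HTML output: run it through kses at print time as well. Sanitizing on
    // save is not a substitute, because the stored value may have bypassed the plugin.
    $html .= '<div class="footer">' . wp_kses_post( $footer_html ) . '</div>';

    return $html;
}

// Constructed inputs: what an attacker could have planted in the options table.
$bp_example_constructed = array(
    'title'       => '" autofocus onfocus="alert(1)',
    'footer_html' => '</textarea><script>alert(2)</script>',
    'help_url'    => 'javascript:alert(3)',
);
echo bp_example_render_settings( $bp_example_constructed );
// esc_attr() turns the quotes into &quot;, esc_textarea() encodes the closing tag,
// and esc_url() yields an empty href for the javascript: URL, so no script runs.
```

Escape late, at the echo, not when the value is read from the database: the same title goes into an attribute in one place and a text node in another, and each needs a different escaper.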
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
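Added example, not from the deck: the three $wpdb calls above on a hypothetical log table, with the concatenated query they replace shown first. The table name {$wpdb->prefix}bp_example_log and its columns (id, user_login, action, reviewed, created) are assumptions.

```php
<?php
// Added example, not from the deck. The bp_example_log table and its columns are assumptions.

// Vulnerable: $user is pasted into the SQL text, so  ' OR '1'='1  changes the query.
function bp_example_find_unsafe( $user ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bp_example_log';
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE user_login = '{$user}'" );
}

// Safe: prepare() takes sprintf-style placeholders (%s, %d, %f) and escapes each value.
function bp_example_find( $user, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bp_example_log';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, user_login, action, created FROM {$table} WHERE user_login = %s ORDER BY created DESC LIMIT %d",
            $user,
            absint( $limit )
        )
    );
}

// LIKE needs an extra step: a user-supplied % or _ is a wildcard unless esc_like() escapes it.
function bp_example_search( $fragment ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bp_example_log';
    $like  = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results( $wpdb->prepare( "SELECT id, action FROM {$table} WHERE action LIKE %s", $like ) );
}

// prepare() cannot bind identifiers or ORDER BY, so whitelist them before they touch the SQL.
function bp_example_list( $orderby = 'created', $order = 'DESC' ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'bp_example_log';
    $columns = array( 'id', 'user_login', 'created' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'created';
    $order   = 'ASC' === strtoupper( $order ) ? 'ASC' : 'DESC';
    // sanitize_sql_orderby() is a final syntax check; it returns false on anything unexpected.
    $clause = sanitize_sql_orderby( "{$orderby} {$order}" );
    if ( false === $clause ) {
        $clause = 'created DESC';
    }
    return $wpdb->get_results( "SELECT id, user_login, action FROM {$table} ORDER BY {$clause}" );
}

// insert()/update() build the statement; the format arrays declare each column's type.
function bp_example_log_action( $user_login, $action ) {
    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'bp_example_log',
        array(
            'user_login' => $user_login,
            'action'     => $action,
            'reviewed'   => 0,
            'created'    => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%d', '%s' )
    );
    return false === $inserted ? 0 : (int) $wpdb->insert_id;
}

function bp_example_mark_reviewed( $id ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'bp_example_log',
        array( 'reviewed' => 1 ),        // SET
        array( 'id' => absint( $id ) ),  // WHERE
        array( '%d' ),                   // SET formats
        array( '%d' )                    // WHERE formats
    );
}
```

prepare() only protects values. Table names, column names and sort direction still have to come from a list the plugin controls, which is why bp_example_list() whitelists before it calls sanitize_sql_orderby().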
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
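Added example, not from the deck: fetching and posting JSON through the WP HTTP API rather than raw curl_* calls, with the error handling a plugin needs. The endpoint URLs are passed in by the caller and the response fields (status, message) are assumptions.

```php
<?php
// Added example, not from the deck. Endpoint URLs and the JSON fields are assumptions.

function bp_example_fetch_status( $url ) {
    // wp_safe_remote_get() is wp_remote_get() with reject_unsafe_urls on: it refuses
    // non-http(s) schemes, loopback and private addresses and redirects to them, which
    // is what you want whenever $url can be influenced by a user.
    $response = wp_safe_remote_get( $url, array(
        'timeout'   => 5,
        'sslverify' => true, // the default; never set false to "fix" certificate errors
        'headers'   => array( 'Accept' => 'application/json' ),
    ) );

    // Transport failures (DNS, TLS, timeout) come back as WP_Error, not as an exception.
    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'bp_example_http', $response->get_error_message() );
    }

    $code = wp_remote_retrieve_response_code( $response );
    if ( 200 !== (int) $code ) {
        return new WP_Error( 'bp_example_http_status', sprintf( 'Unexpected HTTP status %d', $code ) );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'bp_example_json', 'Response body was not a JSON object' );
    }

    // A remote body is untrusted input like any other: sanitize before storing or printing.
    return array(
        'status'  => sanitize_key( $data['status'] ?? '' ),
        'message' => sanitize_text_field( $data['message'] ?? '' ),
    );
}

// POST takes the same argument array; the body is a string or an array of fields.
function bp_example_report( $url, array $payload ) {
    $response = wp_safe_remote_post( $url, array(
        'timeout' => 5,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( $payload ),
    ) );
    if ( is_wp_error( $response ) ) {
        return false;
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    return $code >= 200 && $code < 300;
}
```

The HTTP API also honors the site's proxy constants and the http_request_args filter, and falls back to the streams transport when the cURL extension is missing, none of which a hand-written curl_exec() call gets for free.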
Check capabilities & roles
current_user_can();
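Added example, not from the deck: the nonce functions from the Nonces slide combined with current_user_can() from this one, because a nonce alone does not authorize anything. Action names, the option name, the script handle and the capabilities used are assumptions.

```php
<?php
// Added example, not from the deck. Action names, bp_example_settings, the
// bp-example-admin script handle and the capabilities are assumptions.

// 1. Form: wp_nonce_field() prints a hidden nonce bound to this action and this user.
function bp_example_reset_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bp_example_reset">
        <?php wp_nonce_field( 'bp_example_reset', 'bp_example_nonce' ); ?>
        <?php submit_button( 'Reset settings' ); ?>
    </form>
    <?php
}

// 2. Handler: the nonce proves the request came from this form on purpose (anti-CSRF);
//    it does not prove the user may do the thing. Any logged-in user can mint a nonce
//    for their own session, so the capability check is what stops a subscriber.
add_action( 'admin_post_bp_example_reset', 'bp_example_handle_reset' );
function bp_example_handle_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with a 403 "link has expired" page when the nonce is missing, stale or forged.
    check_admin_referer( 'bp_example_reset', 'bp_example_nonce' );

    delete_option( 'bp_example_settings' );
    wp_safe_redirect( admin_url( 'options-general.php?page=bp-example&reset=1' ) );
    exit;
}

// 3. Link: wp_nonce_url() appends _wpnonce; folding the id into the action means the
//    nonce for item 5 cannot be replayed against item 6.
function bp_example_delete_link( $post_id ) {
    $post_id = absint( $post_id );
    $url     = add_query_arg(
        array( 'action' => 'bp_example_delete', 'post' => $post_id ),
        admin_url( 'admin.php?page=bp-example' )
    );
    return wp_nonce_url( $url, 'bp_example_delete_' . $post_id );
}

// wp_verify_nonce() returns 1 (current tick), 2 (previous tick) or false and never dies,
// which suits code paths that should fail quietly instead of rendering a wp_die() page.
function bp_example_maybe_delete() {
    if ( ! isset( $_GET['action'], $_GET['post'], $_GET['_wpnonce'] ) || 'bp_example_delete' !== $_GET['action'] ) {
        return false;
    }
    $post_id = absint( $_GET['post'] );
    // Meta capability: "may this user delete this particular post", not just "any post".
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        return false;
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'bp_example_delete_' . $post_id ) ) {
        return false;
    }
    return (bool) wp_delete_post( $post_id, true );
}
add_action( 'admin_init', 'bp_example_maybe_delete' );

// 4. AJAX: wp_create_nonce() hands the nonce to the script; the handler verifies it the same way.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'bp-example-admin', 'bpExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'bp_example_ajax' ),
    ) );
} );
add_action( 'wp_ajax_bp_example_toggle', function () {
    if ( ! current_user_can( 'manage_options' ) || ! wp_verify_nonce( $_POST['nonce'] ?? '', 'bp_example_ajax' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $enabled = ! empty( $_POST['enabled'] );
    update_option( 'bp_example_enabled', $enabled );
    wp_send_json_success( array( 'enabled' => $enabled ) );
} );
```

Order matters only slightly (either check alone fails closed), but do both every time: the capability check answers "may this user do this", the nonce answers "did this user mean to do it now", and a missing check of either kind is how CSRF and privilege-escalation bugs get into plugins.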
Use native functions
A story about TimThumb
Questions?