Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
120
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
630
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
160
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
290
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
370
WordCamp Baltimore - Let's Get Sassy!
bradp
2
400
Starter Themes for Appleton WordPress Meetup
bradp
1
150
#WCGR - Getting SASSy
bradp
4
250
#WCPVD - Getting SASSy
bradp
2
260
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
150
Other Decks in Technology
See All in Technology
AIのAIによるAIのための出力評価と改善
chocoyama
2
580
Witchcraft for Memory
pocke
1
470
Microsoft Build 2025 技術/製品動向 for Microsoft Startup Tech Community
torumakabe
2
300
"サービスチーム" での技術選定 / Making Technology Decisions for the Service Team
kaminashi
1
170
Абьюзим random_bytes(). Фёдор Кулаков, разработчик Lamoda Tech
lamodatech
0
350
生成AI時代 文字コードを学ぶ意義を見出せるか?
hrsued
1
600
強化されたAmazon Location Serviceによる新機能と開発者体験
dayjournal
3
230
OpenHands🤲にContributeしてみた
kotauchisunsun
1
470
Lambda Web Adapterについて自分なりに理解してみた
smt7174
5
130
Кто отправит outbox? Валентин Удальцов, автор канала Пых
lamodatech
0
360
あなたの声を届けよう! 女性エンジニア登壇の意義とアウトプット実践ガイド #wttjp / Call for Your Voice
kondoyuko
4
470
A2Aのクライアントを自作する
rynsuke
1
210
Featured
See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.5k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Raft: Consensus for Rubyists
vanstee
140
7k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
20
1.3k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
17
940
4 Signs Your Business is Dying
shpigford
184
22k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.4k
For a Future-Friendly Web
brad_frost
179
9.8k
Embracing the Ebb and Flow
colly
86
4.7k
Done Done
chrislema
184
16k
A designer walks into a library…
pauljervisheath
207
24k
Rebuilding a faster, lazier Slack
samanthasiow
82
9.1k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None