Plugin Security
Brad Parbs
July 26, 2014
Technology
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” – Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
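The slides above list the building blocks (sanitize, escape, $wpdb->prepare(), nonces, current_user_can(), wp_remote_get()) without showing them together. The following is an added example, not code from the deck: a hypothetical admin form handler shown first the way it is commonly written and then hardened with those functions in the order the deck recommends. The function names, the nonce action 'bp_save_featured' and the field names are assumptions.

```php
<?php
// Added example (not from the deck): saving a "featured post" id and label
// from an admin form. Function, field and nonce names are hypothetical.

// BEFORE: trusts $_POST, no nonce, no capability check, raw SQL, raw output.
function bp_save_featured_insecure() {
    global $wpdb;
    $id    = $_POST['post_id'];
    $label = $_POST['label'];
    $wpdb->query( "UPDATE {$wpdb->posts} SET post_excerpt = '$label' WHERE ID = $id" ); // SQL injection
    echo "Saved: $label";                                                              // XSS
}

// AFTER: nonce -> capability -> sanitize -> prepared query -> escape on output.
function bp_save_featured_secure() {
    global $wpdb;
    // 1. Nonce: the request must come from our own form, which rendered wp_nonce_field( 'bp_save_featured', 'bp_nonce' ).
    check_admin_referer( 'bp_save_featured', 'bp_nonce' );
    // 2. Capability: being logged in is not enough; check the right to perform this action.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'bp-example' ), '', array( 'response' => 403 ) );
    }
    // 3. Sanitize every input before it is used anywhere (absint for ids, text_field for plain strings).
    $id    = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    $label = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    if ( 0 === $id ) {
        wp_die( esc_html__( 'Invalid post id.', 'bp-example' ), '', array( 'response' => 400 ) );
    }
    // 4. Database: never interpolate; $wpdb->update() and prepare() quote the values for you.
    $wpdb->update( $wpdb->posts, array( 'post_excerpt' => $label ), array( 'ID' => $id ), array( '%s' ), array( '%d' ) );
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d", $id ) );
    // 5. Escape on output, picking the function for the context (HTML body, URL, attribute).
    printf(
        '<p>Saved <strong>%s</strong> for <a href="%s" title="%s">%s</a></p>',
        esc_html( $label ),
        esc_url( get_permalink( $row->ID ) ),
        esc_attr( $row->post_title ),
        esc_html( $row->post_title )
    );
}

// Remote data: use the HTTP API instead of raw curl, and treat the response as untrusted input too.
function bp_fetch_remote_text( $url ) {
    $response = wp_remote_get( esc_url_raw( $url ), array( 'timeout' => 5 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }
    return sanitize_text_field( wp_remote_retrieve_body( $response ) );
}
```

Hook bp_save_featured_secure() to admin_post_{action} for the form's hidden action field; a subscriber submitting the form, or any request without the nonce, is refused before any input is touched.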
A story about TimThumb
Questions?