Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Brad Parbs
July 26, 2014
Technology
3
150
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
690
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
180
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
320
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
410
WordCamp Baltimore - Let's Get Sassy!
bradp
2
500
Starter Themes for Appleton WordPress Meetup
bradp
1
180
#WCGR - Getting SASSy
bradp
4
290
#WCPVD - Getting SASSy
bradp
2
280
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
170
Other Decks in Technology
See All in Technology
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
460
What happened to RubyGems and what can we learn?
mikemcquaid
0
250
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
13k
M&A 後の統合をどう進めるか ─ ナレッジワーク × Poetics が実践した組織とシステムの融合
kworkdev
PRO
1
420
15 years with Rails and DDD (AI Edition)
andrzejkrzywda
0
180
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
oracle4engineer
PRO
1
110
IaaS/SaaS管理における SREの実践 - SRE Kaigi 2026
bbqallstars
4
1.8k
Data Hubグループ 紹介資料
sansan33
PRO
0
2.7k
茨城の思い出を振り返る ~CDKのセキュリティを添えて~ / 20260201 Mitsutoshi Matsuo
shift_evolve
PRO
1
220
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
sansantech
PRO
3
1.4k
AWS Network Firewall Proxyを触ってみた
nagisa53
0
200
なぜ今、コスト最適化(倹約)が必要なのか? ~AWSでのコスト最適化の進め方「目的編」~
htan
1
110
Featured
See All Featured
The agentic SEO stack - context over prompts
schlessera
0
630
Heart Work Chapter 1 - Part 1
lfama
PRO
5
35k
VelocityConf: Rendering Performance Case Studies
addyosmani
333
24k
Code Reviewing Like a Champion
maltzj
527
40k
Evolving SEO for Evolving Search Engines
ryanjones
0
120
Being A Developer After 40
akosma
91
590k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
1.6k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Everyday Curiosity
cassininazir
0
130
We Have a Design System, Now What?
morganepeng
54
8k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
It's Worth the Effort
3n
188
29k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None