Plugin Security

Brad Parbs

July 26, 2014

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

710

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

180

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

330

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

410

WordCamp Baltimore - Let's Get Sassy!

2

520

Starter Themes for Appleton WordPress Meetup

1

190

#WCGR - Getting SASSy

4

300

#WCPVD - Getting SASSy

2

290

WordCamp Chicago 2013 - Template Hiearchy

1

180

Other Decks in Technology

See All in Technology

2026年、知っておくべき最新サーバレスTips10選/serverless-10-tips

13

5.1k

[OpsJAWS 40]リリースしたら終わり、じゃなかった。セキュリティ空白期間をAWS Security Agentで埋める

3

230

AI와 협업하는 조직으로의 여정

0

230

Code Interpreter で、AIに安全にコードを書かせる。

0

7.1k

KGDC_13_Amazon Q Developerで挑む！ 13事例から見えたAX組織変革の最前線_公開情報

0

120

AIでAIをテストする - 音声AIエージェントの品質保証戦略

1

100

Standards et agents IA : un tour d’horizon de MCP, A2A, ADK et plus encore

0

150

AI時代における技術的負債への取り組み

1

1.4k

Revisiting [CLS] and Patch Token Interaction in Vision Transformers

0

350

ネットワーク運用を楽にするAWS DevOps Agent活用法！！ / 20260421 Masaki Okuda

PRO

2

200

Practical TypeProf: Lessons from Analyzing Optcarrot

0

220

Claude Code を安全に使おう勉強会 / Claude Code Security Basics

masahirokawahara

8

30k

Featured

See All Featured

For a Future-Friendly Web

183

10k

Information Architects: The Missing Link in Design Systems

0

890

The innovator’s Mindset -  Leading Through an Era of Exponential Change - McGill University 2025

PRO

1

160

Code Review Best Practice

74

20k

Documentation Writing (for coders)

77

5.3k

How to Ace a Technical Interview

281

24k

New Earth Scene 8

3

2.1k

GraphQLとの向き合い方2022年版

50

15k

SEO Brein meetup: CTRL+C is not how to scale international SEO

1

2.6k

Breaking role norms: Why Content Design is so much more than writing copy - Taylor Woolridge

0

260

Optimising Largest Contentful Paint

37

3.6k

Building Experiences: Design Systems, User Experience, and Full Site Editing

0

480

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None