Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=47 Brad Parbs
July 26, 2014
Technology
3
43

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=128

Brad Parbs

July 26, 2014
Tweet

More Decks by Brad Parbs

See All by Brad Parbs
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
72
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
89
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
140
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
210
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
59
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
4
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
160
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
88

Other Decks in Technology

See All in Technology
332f89cc697355902a817506b6995f2b?s=48 ytaka23
8
1.7k
C9237e9aa6c8fe028a484c9621991423?s=48 arahabica
0
200
80c79a9d024d1e1a253893a78189ce6d?s=48 ujnak
1
140
75fd80a8ace6ab292a7de563e018ae11?s=48 takashi_toyosaki
0
240
229b1596ce57cd0935a2bacd410d87a0?s=48 aaaddress1
2
380
1dfa2bb34977b1db41d0d46d4505183f?s=48 osuke
2
1.8k
69b4dadef85efe143ac825b62d36ed7c?s=48 fruitriin
3
310
4615930de72ec08f99d3227761ace0d8?s=48 yenlung
2
460
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
200
9e7a653ed313b3da4b263a772bfc5026?s=48 clustervr
0
220
79dcb04101764d7bf66f898dd446838e?s=48 tsukubachallenge
0
250
54bcc1069d75636cc735e72877dd30ec?s=48 taichinakamura
0
210

Featured

See All Featured
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
222
46k
7559f6cff1f5efc2d210965febd4d71c?s=48 bermonpainter
340
25k
Fe6b81005d1553accd6b2a28f6a2bef1?s=48 phodgson
83
3.8k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
119
15k
F383c6a4dc55e331bbe2987b622cee6b?s=48 stephaniewalter
256
10k
Aebc2d07a50011e2a30d38435fde564a?s=48 jrom
113
6.8k
24fc194843a71f10949be18d5a692682?s=48 gr2m
82
11k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
189
8.2k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
581
190k
B3d6434763caa0ef5dc4b792662c49f7?s=48 smashingmag
228
17k
5f50f94346fbcb23706f0707169317a4?s=48 aarron
253
36k
32de0bd2ba869609d26fd052a4622778?s=48 cromwellryan
99
5.7k

Transcript

  1. Security for Your Plugins

  2. I’m Brad Parbs.

  3. Nathan, you should watch Band of Brothers.

  4. Let’s talk about what sucks in WordPress.

  5. None
  6. None

  7. “20% of the 50 most popular WordPress plugins are vulnerable

    to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company

  8. Things that happen when your stuff isn’t secure.

  9. None

  10. How do we make sure this doesn’t happen?

  11. Always develop with debugging ON

  12. define(  'WP_DEBUG',  true  );   define(  'WP_DEBUG_DISPLAY',  false  );  

    define(  'WP_DEBUG_LOG',  true  );   define(  'SCRIPT_DEBUG',  true  );   define(  'WP_CACHE',  false  );

  13. Sanitize all the things

  14. intval();   absint();

  15. wp_kses();

  16. sanitize_title();

  17. sanitize_email()   sanitize_file_name()   sanitize_html_class()   sanitize_key()   sanitize_meta()  

    sanitize_mime_type()   sanitize_option()   sanitize_sql_orderby()   sanitize_post_field()   sanitize_text_field()   sanitize_title()   sanitize_title_for_query()   sanitize_title_with_dashes()   sanitize_user()

  18. Escape all the things

  19. esc_html();

  20. esc_textarea();

  21. esc_attr();

  22. esc_url();

  23. http://codex.wordpress.org/Data_Validation

  24. Database Queries

  25. $wpdb-­‐>insert();

  26. $wpdb-­‐>update();

  27. $wpdb-­‐>prepare();

  28. Nonces

  29. wp_nonce_url();

  30. wp_nonce_field();

  31. wp_create_nonce();

  32. check_admin_referer();

  33. wp_verify_nonce();

  34. Remote Data

  35. CURL is bad.

  36. For real, CURL is bad.

  37. wp_remote_get();

  38. wp_remote_post();

  39. wp_remote_request();

  40. Check capabilities & roles

  41. current_user_can();

  42. Use native functions

  43. A story about TimThumb

  44. Questions?

  45. None