Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=47 Brad Parbs
July 26, 2014
Technology
3
46

Plugin Security

D529f2403e21f08bfa16365bdf032f81?s=128

Brad Parbs

July 26, 2014
Tweet

More Decks by Brad Parbs

See All by Brad Parbs
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
85
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
90
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
150
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
0
210
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
180
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
61
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
4
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
2
170
D529f2403e21f08bfa16365bdf032f81?s=48 bradp
1
90

Other Decks in Technology

See All in Technology
0d29d155ce5c5a93ed46363626da3ea7?s=48 ocise
1
1.8k
61f2b4a323d0a406edcd1464acc694ed?s=48 tomihisa
1
1.1k
921515dc03f89bafe3d8f5d0b3ca0b74?s=48 mmarukaw
0
1.8k
0ff628872d7bd890507a43c7c20b1804?s=48 yshr1200
0
170
3115a782126be714b5f94d24073c957d?s=48 oracle4engineer
0
3.5k
Add4ea030be9e6aa7a319fc8c1b587c6?s=48 hashhub
3
15k
8d0803aa4572615f7bce5f5288e6b716?s=48 mochan_tk
1
110
4631864606a93224804a49331d1a7dfd?s=48 fufuhu
3
130
04ed942e4752bcefd412a04f6380fb13?s=48 azara
1
800
4f1820553d3671ade380904a131711b9?s=48 hikiaki
0
180
Fb025419ed38f98df595eb2eafc859f4?s=48 ihcomega56
1
420
A64ac825509279a770c13c6fc517f11a?s=48 kawaguti
2
410

Featured

See All Featured
Fde6c3a50ca518a909ef35c22c0ee0e4?s=48 destraynor
146
19k
3d4519fd34b76fb265fc0237f3792bd4?s=48 danielanewman
200
20k
A60068bce2e73de3a37ca9d2dbe36092?s=48 bryan
31
3.4k
E6c6e133e74c3b83f04d2861deaa1c20?s=48 searls
205
36k
9375a9529679f1b42b567a640d775e7d?s=48 schacon
145
6.6k
20bfe76b3d6105641f879fe45cfc9272?s=48 bkeepers
321
53k
433acaea1012b25d97ae66da9b998dad?s=48 malarkey
393
61k
C157b16234f1e75e8eac3698c1d4414a?s=48 ddemaree
273
31k
Ba530e786553390f3fb271848485681c?s=48 3n
163
22k
245cee81a9c424266e5e401d844ea881?s=48 lara
15
2.7k
5f83ef806155b403c3393160ce51f955?s=48 jlugia
216
16k
812e1705ff0f8bc1bcf18587bde687d5?s=48 62gerente
587
200k

Transcript

  1. Security for Your Plugins

  2. I’m Brad Parbs.

  3. Nathan, you should watch Band of Brothers.

  4. Let’s talk about what sucks in WordPress.

  5. None
  6. None

  7. “20% of the 50 most popular WordPress plugins are vulnerable

    to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company

  8. Things that happen when your stuff isn’t secure.

  9. None

  10. How do we make sure this doesn’t happen?

  11. Always develop with debugging ON

  12. define(  'WP_DEBUG',  true  );   define(  'WP_DEBUG_DISPLAY',  false  );  

    define(  'WP_DEBUG_LOG',  true  );   define(  'SCRIPT_DEBUG',  true  );   define(  'WP_CACHE',  false  );

  13. Sanitize all the things

  14. intval();   absint();

  15. wp_kses();

  16. sanitize_title();

  17. sanitize_email()   sanitize_file_name()   sanitize_html_class()   sanitize_key()   sanitize_meta()  

    sanitize_mime_type()   sanitize_option()   sanitize_sql_orderby()   sanitize_post_field()   sanitize_text_field()   sanitize_title()   sanitize_title_for_query()   sanitize_title_with_dashes()   sanitize_user()

  18. Escape all the things

  19. esc_html();

  20. esc_textarea();

  21. esc_attr();

  22. esc_url();

  23. http://codex.wordpress.org/Data_Validation

  24. Database Queries

  25. $wpdb-­‐>insert();

  26. $wpdb-­‐>update();

  27. $wpdb-­‐>prepare();

  28. Nonces

  29. wp_nonce_url();

  30. wp_nonce_field();

  31. wp_create_nonce();

  32. check_admin_referer();

  33. wp_verify_nonce();

  34. Remote Data

  35. CURL is bad.

  36. For real, CURL is bad.

  37. wp_remote_get();

  38. wp_remote_post();

  39. wp_remote_request();

  40. Check capabilities & roles

  41. current_user_can();

  42. Use native functions

  43. A story about TimThumb

  44. Questions?

  45. None