Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tips for writing secure code in WordPress

Tips for writing secure code in WordPress

A look at some common security vulnerabilities and how to prevent them in WordPress.

Matthew Haines-Young

May 12, 2015

More Decks by Matthew Haines-Young

Other Decks in Technology


  1. Nonces • Security tokens • Verify the source of a

    request. • Unique to action, user ID and time. • Limited lifespan
  2. XSS • Create a fake log in screen and trick

    you into revealing your username/password • Steal your cookies! This means they can just pretend to be you! • They can perform requests as a logged in user. Eg create themselves a new user • Make a request to the plugin/theme editor and write to a file that then creates a PHP back door.
  3. Validate & Sanitize Input • Check submitted data is what

    you are expecting. • Clean the data.
  4. Validate Input If you know what type of data you

    are expecting you can validate the input. • intval() • substr( $zipcode, 0, 5 );
  5. Sanitize Input • sanitize_email() • sanitize_file_name() • sanitize_html_class() • sanitize_key()

    • sanitize_meta() • sanitize_mime_type() • sanitize_option() • sanitize_sql_orderby() • sanitize_text_field() • sanitize_title() • sanitize_title_for_query() • sanitize_title_with_dashes() • sanitize_user()
  6. Escape Output • Escape anything you don’t trust 100%. •

    You probably can’t trust it! • Converts symbols such as < and " to HTML entities. These are displayed instead of being parsed as html and prevents any scripts from being executed.
  7. Guiding Principles 1. Never trust user input. 2. Escape as

    late as possible. 3. Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc. 4. Never assume anything. 5. Never trust user input. 6. Sanitation is okay, but validation/ rejection is better. 7. Never trust user input.
  8. XSS

  9. What about HTML strings • Avoid where possible. Separate logic

    & presentation. • When you have to, use wp_kses • Sanitizes content for allowed HTML tags • wp_kses_post - allowed tags in post content. • Slow- but not that slow!
  10. SQL Injections • Avoid direct database queries • Use WordPress

    API eg WP_Query • Use $wpdb->prepare and other escaping functions like esc_sql and like_escape.