Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tips for writing secure code in WordPress

Tips for writing secure code in WordPress

A look at some common security vulnerabilities and how to prevent them in WordPress.


Matthew Haines-Young

May 12, 2015


  1. Writing Secure WordPress Code

  2. CSRF Cross Site Request Forgery

  3. An attacker can trick a user into doing something they

    didn't intend.
  4. Click for free stuff!!! http://example.com?action=delete-everything

  5. Nonces • Security tokens • Verify the source of a

    request. • Unique to action, user ID and time. • Limited lifespan
  6. Nonces • wp_create_nonce • wp_nonce_field • wp_nonce_url • wp_verify_nonce •

  7. Nonces

  8. XSS Cross site scripting

  9. Inject malicious client-side script into a page. This can then

    be executed as a trusted user.
  10. XSS • Create a fake log in screen and trick

    you into revealing your username/password • Steal your cookies! This means they can just pretend to be you! • They can perform requests as a logged in user. Eg create themselves a new user • Make a request to the plugin/theme editor and write to a file that then creates a PHP back door.
  11. Solution: Sanitize on Input Escape on output.

  12. Validate & Sanitize Input • Check submitted data is what

    you are expecting. • Clean the data.
  13. Validate Input If you know what type of data you

    are expecting you can validate the input. • intval() • substr( $zipcode, 0, 5 );
  14. Sanitize Input • sanitize_email() • sanitize_file_name() • sanitize_html_class() • sanitize_key()

    • sanitize_meta() • sanitize_mime_type() • sanitize_option() • sanitize_sql_orderby() • sanitize_text_field() • sanitize_title() • sanitize_title_for_query() • sanitize_title_with_dashes() • sanitize_user()
  15. Escape Output • Escape anything you don’t trust 100%. •

    You probably can’t trust it! • Converts symbols such as < and " to HTML entities. These are displayed instead of being parsed as html and prevents any scripts from being executed.
  16. Guiding Principles 1. Never trust user input. 2. Escape as

    late as possible. 3. Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc. 4. Never assume anything. 5. Never trust user input. 6. Sanitation is okay, but validation/ rejection is better. 7. Never trust user input.
  17. XSS

  18. What about HTML strings • Avoid where possible. Separate logic

    & presentation. • When you have to, use wp_kses • Sanitizes content for allowed HTML tags • wp_kses_post - allowed tags in post content. • Slow- but not that slow!
  19. SQL Injections • Passing untrusted data to a MySQL query

    can be open to exploitation.
  20. None
  21. SQL Injections • Avoid direct database queries • Use WordPress

    API eg WP_Query • Use $wpdb->prepare and other escaping functions like esc_sql and like_escape.
  22. Resources • https://codex.wordpress.org/WordPress_Nonces • https://codex.wordpress.org/ Validating_Sanitizing_and_Escaping_User_Data • https://vip.wordpress.com/documentation/best- practices/security/validating-sanitizing-escaping/ •

    https://vip.wordpress.com/documentation/best- practices/database-queries/