Tips for writing secure code in WordPress

Transcript

1. Writing Secure WordPress Code

2. CSRF Cross Site Request Forgery

3. An attacker can trick a user into doing something they

   didn't intend.

4. Click for free stuff!!! http://example.com?action=delete-everything

5. Nonces • Security tokens • Verify the source of a

   request. • Unique to action, user ID and time. • Limited lifespan

6. Nonces • wp_create_nonce • wp_nonce_field • wp_nonce_url • wp_verify_nonce •

   check_admin_referrer

7. Nonces

8. XSS Cross site scripting

9. Inject malicious client-side script into a page. This can then

   be executed as a trusted user.

10. XSS • Create a fake log in screen and trick

    you into revealing your username/password • Steal your cookies! This means they can just pretend to be you! • They can perform requests as a logged in user. Eg create themselves a new user • Make a request to the plugin/theme editor and write to a file that then creates a PHP back door.

11. Solution: Sanitize on Input Escape on output.

12. Validate & Sanitize Input • Check submitted data is what

    you are expecting. • Clean the data.

13. Validate Input If you know what type of data you

    are expecting you can validate the input. • intval() • substr( $zipcode, 0, 5 );

14. Sanitize Input • sanitize_email() • sanitize_file_name() • sanitize_html_class() • sanitize_key()

    • sanitize_meta() • sanitize_mime_type() • sanitize_option() • sanitize_sql_orderby() • sanitize_text_field() • sanitize_title() • sanitize_title_for_query() • sanitize_title_with_dashes() • sanitize_user()

15. Escape Output • Escape anything you don’t trust 100%. •

    You probably can’t trust it! • Converts symbols such as < and " to HTML entities. These are displayed instead of being parsed as html and prevents any scripts from being executed.

16. Guiding Principles 1. Never trust user input. 2. Escape as

    late as possible. 3. Escape everything from untrusted sources (like databases and users), third-parties (like Twitter), etc. 4. Never assume anything. 5. Never trust user input. 6. Sanitation is okay, but validation/ rejection is better. 7. Never trust user input.

17. XSS

18. What about HTML strings • Avoid where possible. Separate logic

    & presentation. • When you have to, use wp_kses • Sanitizes content for allowed HTML tags • wp_kses_post - allowed tags in post content. • Slow- but not that slow!

19. SQL Injections • Passing untrusted data to a MySQL query

    can be open to exploitation.
20. None

21. SQL Injections • Avoid direct database queries • Use WordPress

    API eg WP_Query • Use $wpdb->prepare and other escaping functions like esc_sql and like_escape.

22. Resources • https://codex.wordpress.org/WordPress_Nonces • https://codex.wordpress.org/ Validating_Sanitizing_and_Escaping_User_Data • https://vip.wordpress.com/documentation/best- practices/security/validating-sanitizing-escaping/ •

    https://vip.wordpress.com/documentation/best- practices/database-queries/