Slide 1
Slide 1 text
Security for Your Plugins
Slide 2
Slide 2 text
I’m Brad Parbs.
Slide 3
Slide 3 text
Nathan, you should watch Band of Brothers.
Slide 4
Slide 4 text
Let’s talk about what sucks in WordPress.
Slide 5
Slide 5 text
No content
Slide 6
Slide 6 text
No content
Slide 7
Slide 7 text
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Slide 8
Slide 8 text
Things that happen when your stuff isn’t secure.
Slide 9
Slide 9 text
No content
Slide 10
Slide 10 text
How do we make sure this doesn’t happen?
Slide 11
Slide 11 text
Always develop with debugging ON
Slide 12
Slide 12 text
define( 'WP_DEBUG', true );          // surface PHP notices and warnings while developing
define( 'WP_DEBUG_DISPLAY', false ); // ...but never print them into the page
define( 'WP_DEBUG_LOG', true );      // write them to wp-content/debug.log instead
define( 'SCRIPT_DEBUG', true );      // load the unminified core JS/CSS
define( 'WP_CACHE', false );         // so every request actually hits your code
Slide 13
Slide 13 text
Sanitize all the things
Slide 14
Slide 14 text
intval(); absint();
Slide 15
Slide 15 text
wp_kses();
Slide 16
Slide 16 text
sanitize_title();
Slide 17
Slide 17 text
sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_post_field()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
Slide 18
Slide 18 text
Escape all the things
Slide 19
Slide 19 text
esc_html();
Slide 20
Slide 20 text
esc_textarea();
Slide 21
Slide 21 text
esc_attr();
Slide 22
Slide 22 text
esc_url();
Slide 23
Slide 23 text
http://codex.wordpress.org/Data_Validation
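The two halves of the Data Validation page, sanitizing on the way in and escaping on the way out, put together in one plugin snippet. This is an added example, not a slide from the deck; it assumes it runs inside WordPress (the sanitize_*, esc_*, wp_kses and options functions are WordPress APIs), and the option name 'bpdemo_profile' and the field names are hypothetical.

```php
<?php
/**
 * Added example, not from the deck. Assumes it runs inside WordPress.
 * The option name 'bpdemo_profile' and the field names are hypothetical.
 */

// SANITIZE: done once, at the trust boundary, before the value is stored.
// Pick the sanitizer that matches what the field is supposed to contain.
function bpdemo_save_profile( array $raw ) {
    $clean = array(
        // Non-negative integer: absint() returns 0 for anything non-numeric.
        'user_id' => absint( $raw['user_id'] ?? 0 ),
        // Single-line text: strips tags, invalid octets and line breaks, trims whitespace.
        'tagline' => sanitize_text_field( $raw['tagline'] ?? '' ),
        // Email: returns '' when the address is not well-formed.
        'email'   => sanitize_email( $raw['email'] ?? '' ),
        // Slug for use in URLs, CSS classes and array keys.
        'slug'    => sanitize_title( $raw['slug'] ?? '' ),
        // Limited HTML: wp_kses() keeps only the listed tags and attributes.
        'bio'     => wp_kses( $raw['bio'] ?? '', array(
            'a'      => array( 'href' => true, 'title' => true ),
            'em'     => array(),
            'strong' => array(),
        ) ),
        // URL for storage: esc_url_raw() is the sanitizing counterpart of esc_url().
        'website' => esc_url_raw( $raw['website'] ?? '' ),
    );
    update_option( 'bpdemo_profile', $clean );
    return $clean;
}
// Caller, after its nonce and capability checks (a separate concern):
//   bpdemo_save_profile( wp_unslash( $_POST ) );

// ESCAPE: done every time the value is output, with the escaper matched to the
// HTML context it lands in. Stored data is not trusted just because it was
// sanitized: another plugin or a direct DB edit could have written the option.
function bpdemo_render_profile() {
    $p = wp_parse_args( get_option( 'bpdemo_profile', array() ), array(
        'tagline' => '', 'email' => '', 'slug' => '', 'bio' => '', 'website' => '',
    ) );
    ?>
    <div class="profile-<?php echo esc_attr( $p['slug'] ); ?>">          <!-- attribute value -->
        <h2><?php echo esc_html( $p['tagline'] ); ?></h2>                  <!-- element text -->
        <a href="<?php echo esc_url( $p['website'] ); ?>">                 <!-- href: rejects javascript: etc. -->
            <?php echo esc_html( $p['email'] ); ?>
        </a>
        <div class="bio"><?php echo wp_kses_post( $p['bio'] ); ?></div>   <!-- HTML that must stay HTML -->
        <textarea name="bio"><?php echo esc_textarea( $p['bio'] ); ?></textarea> <!-- raw source, for editing -->
    </div>
    <?php
}
```

The point the deck is making is that these are two different steps: sanitizing decides what is allowed to exist, escaping makes whatever exists safe for one specific output context. Using sanitize_text_field() on save does not let you skip esc_html() on render, and esc_html() is wrong inside an attribute or a URL.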
Slide 24
Slide 24 text
Database Queries
Slide 25
Slide 25 text
$wpdb->insert();
Slide 26
Slide 26 text
$wpdb->update();
Slide 27
Slide 27 text
$wpdb->prepare();
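The three $wpdb methods from these slides, shown against the string-concatenated query they replace. This is an added example, not from the deck; it assumes it runs inside WordPress with the global $wpdb, and the table 'bpdemo_events' and its columns are hypothetical.

```php
<?php
/**
 * Added example, not from the deck. Assumes the WordPress global $wpdb.
 * The table {prefix}bpdemo_events and its columns are hypothetical.
 */

// VULNERABLE: $status and $limit are concatenated into the SQL. A value such as
//   $status = "x' OR 1=1 -- "
// rewrites the query. Kept here only as the "before" picture.
function bpdemo_events_unsafe( $status, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bpdemo_events';
    return $wpdb->get_results( "SELECT id, title FROM $table WHERE status = '$status' LIMIT $limit" );
}

// SAFE: prepare() quotes and escapes each placeholder: %s string, %d integer, %f float.
// Do not put quotes around %s yourself; prepare() adds them.
function bpdemo_events( $status, $limit, $orderby = 'id DESC' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bpdemo_events';
    // Identifiers (table/column names, ORDER BY) cannot be bound as placeholders,
    // so constrain them instead. sanitize_sql_orderby() returns false unless the
    // string looks like "col ASC, col2 DESC" (or RAND()).
    $orderby = sanitize_sql_orderby( $orderby );
    if ( false === $orderby ) {
        $orderby = 'id DESC';
    }
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE status = %s ORDER BY {$orderby} LIMIT %d",
        $status,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// insert()/update() take data as arrays and escape it themselves. The format arrays
// tell $wpdb the type of each value, so a string is never interpolated as a number.
function bpdemo_add_event( $title, $status, $author_id ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'bpdemo_events',
        array( 'title' => $title, 'status' => $status, 'author_id' => $author_id ),
        array( '%s', '%s', '%d' )
    );
    return $ok ? (int) $wpdb->insert_id : 0; // false on failure, rows affected on success
}

function bpdemo_set_event_status( $id, $status ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'bpdemo_events',
        array( 'status' => $status ), // SET
        array( 'id' => $id ),         // WHERE
        array( '%s' ),                // SET format
        array( '%d' )                 // WHERE format
    );
}
```

Note that the values passed to insert()/update() still go through the sanitizers from the earlier slides first; prepare() and the format arrays stop SQL injection, they do not stop stored XSS.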
Slide 28
Slide 28 text
Nonces
Slide 29
Slide 29 text
wp_nonce_url();
Slide 30
Slide 30 text
wp_nonce_field();
Slide 31
Slide 31 text
wp_create_nonce();
Slide 32
Slide 32 text
check_admin_referer();
Slide 33
Slide 33 text
wp_verify_nonce();
Slide 34
Slide 34 text
Remote Data
Slide 35
Slide 35 text
CURL is bad.
Slide 36
Slide 36 text
For real, CURL is bad.
Slide 37
Slide 37 text
wp_remote_get();
Slide 38
Slide 38 text
wp_remote_post();
Slide 39
Slide 39 text
wp_remote_request();
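What "CURL is bad" means in practice: a hand-rolled cURL call next to the same fetch through the WordPress HTTP API, with the checks a caller has to make. This is an added example, not from the deck; it assumes it runs inside WordPress, and the endpoint URL and the JSON shape it expects are hypothetical.

```php
<?php
/**
 * Added example, not from the deck. Assumes it runs inside WordPress.
 * The endpoint and the JSON payload are hypothetical.
 */

// What the deck warns against. Besides bypassing the site's proxy settings and the
// transports WordPress chooses, a raw cURL call is easy to get wrong, and this one
// is wrong in the two usual ways: it turns off certificate checks and never looks
// at the HTTP status.
function bpdemo_fetch_unsafe( $url ) {
    $ch = curl_init( $url );
    curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, false ); // open to man-in-the-middle
    $body = curl_exec( $ch );                           // false on error, never checked
    curl_close( $ch );
    return json_decode( $body, true );
}

// The WordPress HTTP API: transport selection, proxies, TLS verification and the
// 'pre_http_request' / 'http_request_args' filters come for free, and failures are
// explicit WP_Error objects rather than false or an empty string.
function bpdemo_fetch( $url ) {
    $response = wp_remote_get( $url, array(
        'timeout'            => 5,    // seconds; never leave a page load waiting on a remote host
        'sslverify'          => true, // the default, stated because so many plugins turn it off
        'reject_unsafe_urls' => true, // refuse private/loopback hosts if $url came from user input
        'headers'            => array( 'Accept' => 'application/json' ),
    ) );

    // Transport-level failure (DNS, timeout, TLS): a WP_Error, not an array.
    if ( is_wp_error( $response ) ) {
        return $response;
    }

    // Application-level failure: a 404 or 500 is still a completed transfer.
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'bpdemo_http', 'Unexpected HTTP status', array( 'status' => $code ) );
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        return new WP_Error( 'bpdemo_json', 'Response was not a JSON object' );
    }
    // The remote payload is untrusted input: sanitize it before storing or displaying it.
    return $data;
}

// POST with a body. wp_remote_post() is wp_remote_request() with 'method' => 'POST';
// use wp_remote_request() directly for PUT, DELETE and the like.
function bpdemo_report( $url, array $payload ) {
    return wp_remote_post( $url, array(
        'timeout' => 5,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => json_encode( $payload ),
    ) );
}
```

Two checks that are easy to skip and the example deliberately keeps: is_wp_error() before touching the response array, and the status code before trusting the body.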
Slide 40
Slide 40 text
Check capabilities & roles
Slide 41
Slide 41 text
current_user_can();
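The nonce functions from slides 29 to 33 and the capability check from this slide, wired into one admin feature. This is an added example, not from the deck; it assumes it runs inside WordPress as plugin code, and the action names, option name, script handle and form fields are hypothetical.

```php
<?php
/**
 * Added example, not from the deck. Assumes it runs inside WordPress as a plugin.
 * Action names, the 'bpdemo_tagline' option and the form fields are hypothetical.
 */

// 1. The form. wp_nonce_field() ties this submission to the action 'bpdemo_save' and
//    to the current user, so a request forged from another site cannot carry a valid one.
function bpdemo_settings_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // do not even render controls the user is not allowed to use
    }
    $tagline = get_option( 'bpdemo_tagline', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'bpdemo_save', 'bpdemo_nonce' ); ?>
        <input type="hidden" name="action" value="bpdemo_save">
        <input type="text" name="tagline" value="<?php echo esc_attr( $tagline ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
    // A link that performs an action needs a nonce too:
    $reset = wp_nonce_url( admin_url( 'admin-post.php?action=bpdemo_reset' ), 'bpdemo_reset' );
    echo '<a href="' . esc_url( $reset ) . '">Reset</a>';
}

// 2. The handler. Capability first (may this user do this at all?), then the nonce
//    (did this user intend this request?). A nonce is not an authorization check:
//    any logged-in user can obtain one from a page they are allowed to see.
function bpdemo_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_verify_nonce() and wp_die()s on failure.
    check_admin_referer( 'bpdemo_save', 'bpdemo_nonce' );

    $tagline = sanitize_text_field( wp_unslash( $_POST['tagline'] ?? '' ) );
    update_option( 'bpdemo_tagline', $tagline );

    wp_safe_redirect( admin_url( 'options-general.php?page=bpdemo&updated=1' ) );
    exit;
}
add_action( 'admin_post_bpdemo_save', 'bpdemo_handle_save' );

// 3. AJAX: create the nonce in PHP, hand it to the script, and verify it with
//    wp_verify_nonce() where a wp_die() HTML page would be the wrong response.
function bpdemo_enqueue() {
    wp_enqueue_script( 'bpdemo', plugins_url( 'bpdemo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'bpdemo', 'bpdemo', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'bpdemo_ajax' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'bpdemo_enqueue' );

function bpdemo_ajax_handler() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_key( $_POST['nonce'] ) : '';
    // wp_verify_nonce() returns false, 1 (issued within 12h) or 2 (12 to 24h old).
    if ( ! wp_verify_nonce( $nonce, 'bpdemo_ajax' ) || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // ... do the work ...
    wp_send_json_success( array( 'post_id' => $post_id ) );
}
add_action( 'wp_ajax_bpdemo_do_thing', 'bpdemo_ajax_handler' );
```

The action string passed to wp_create_nonce()/wp_nonce_field() must be the same one passed to wp_verify_nonce()/check_admin_referer(); a generic action such as 'save' shared across every form lets a nonce obtained for one form replay against another.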
Slide 42
Slide 42 text
Use native functions
Slide 43
Slide 43 text
A story about TimThumb
Slide 44
Slide 44 text
Questions?
Slide 45
Slide 45 text
No content