Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
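The deck's checklist (nonce, capability check, sanitize input, $wpdb->insert()/prepare(), escape on output, wp_remote_get() instead of raw cURL) applied in a single admin-post handler, as an added example that is not code from the slides; the myplugin_ names, the contacts table, its columns and the 'manage_options' capability are assumptions for illustration.

```php
<?php
// Added example, not code from the slides: one admin-post handler that applies the
// deck's checklist in order. Table/field names and the capability are assumptions.
add_action( 'admin_post_myplugin_save_contact', 'myplugin_save_contact' );

function myplugin_save_contact() {
    global $wpdb;
    // Nonces: dies unless the field printed by
    // wp_nonce_field( 'myplugin_save_contact', 'myplugin_nonce' ) round-trips intact.
    check_admin_referer( 'myplugin_save_contact', 'myplugin_nonce' );

    // Capabilities: a valid nonce proves intent, not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'myplugin' ), '', array( 'response' => 403 ) );
    }

    // Sanitize: undo WordPress's magic-quote slashing, then sanitize per field type.
    $name  = sanitize_text_field( wp_unslash( $_POST['contact_name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    $age   = absint( $_POST['contact_age'] ?? 0 );
    if ( '' === $name || '' === $email ) { // sanitize_email() returns '' for bad input
        wp_die( esc_html__( 'Name and a valid e-mail are required.', 'myplugin' ) );
    }

    // Database: insert() quotes values itself; the format array pins each type.
    $table = $wpdb->prefix . 'myplugin_contacts';
    $wpdb->insert( $table, compact( 'name', 'email', 'age' ), array( '%s', '%s', '%d' ) );

    wp_safe_redirect( add_query_arg( 'saved', '1', wp_get_referer() ) );
    exit;
}

// Reading back: prepare() builds the query, esc_*() escapes at the moment of output.
function myplugin_render_contacts( $min_age ) {
    global $wpdb;
    $table = $wpdb->prefix . 'myplugin_contacts';
    $rows  = $wpdb->get_results(
        $wpdb->prepare( "SELECT name, email FROM {$table} WHERE age >= %d LIMIT 50", absint( $min_age ) )
    );
    foreach ( $rows as $row ) {
        printf( '<li><a href="%s">%s</a></li>', esc_url( 'mailto:' . $row->email ), esc_html( $row->name ) );
    }
}

// Remote data: the HTTP API instead of raw cURL, with the error path handled.
function myplugin_fetch_remote( $url ) {
    $response = wp_remote_get( esc_url_raw( $url ), array( 'timeout' => 5 ) );
    return is_wp_error( $response ) ? '' : wp_remote_retrieve_body( $response );
}
```

The order matters: the nonce check runs before any input is read, the capability check before any write, and escaping happens at output rather than on storage.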
A story about TimThumb
Questions?