Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
120
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
630
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
160
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
280
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
370
WordCamp Baltimore - Let's Get Sassy!
bradp
2
390
Starter Themes for Appleton WordPress Meetup
bradp
1
150
#WCGR - Getting SASSy
bradp
4
250
#WCPVD - Getting SASSy
bradp
2
260
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
140
Other Decks in Technology
See All in Technology
工具人的一生: 開發很多 AI 工具讓我 慵懶過一生
line_developers_tw
PRO
0
240
RubyOnRailsOnDevin+α / DevinMeetupJapan#2
ginkouno
0
680
AIエージェントの継続的改善のためオブザーバビリティ
pharma_x_tech
6
1.3k
Create a Rails8 responsive app with Gemini and RubyLLM
palladius
0
130
新規プロダクト開発、AIでどう変わった? #デザインエンジニアMeetup
bengo4com
0
480
AWS全冠したので振りかえってみる
tajimon
0
150
「規約、知識、オペレーション」から考える中規模以上の開発組織のCursorルールの 考え方・育て方 / Cursor Rules for Coding Styles, Domain Knowledges and Operations
yuitosato
6
1.9k
DroidKnights 2025 - Jetpack XR 살펴보기: XR 개발은 어떻게 이루어지는가?
heesung6701
1
130
産業機械をElixirで制御する
kikuyuta
0
170
技術職じゃない私がVibe Codingで感じた、AGIが身近になる未来
blueb
0
130
API の仕様から紐解く「MCP 入門」 ~MCP の「コンテキスト」って何だ?~
cdataj
0
170
菸酒生在 LINE Taiwan 的後端雙刀流
line_developers_tw
PRO
0
240
Featured
See All Featured
YesSQL, Process and Tooling at Scale
rocio
172
14k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
16
930
Statistics for Hackers
jakevdp
799
220k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.5k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.5k
What's in a price? How to price your products and services
michaelherold
245
12k
For a Future-Friendly Web
brad_frost
179
9.8k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Agile that works and the tools we love
rasmusluckow
329
21k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
161
15k
Building an army of robots
kneath
306
45k
Stop Working from a Prison Cell
hatefulcrawdad
269
20k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None