Plugin Security
Brad Parbs
July 26, 2014
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
“20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” (Checkmarx, an application security company)
Things that happen when your stuff isn’t secure.
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
define( 'SCRIPT_DEBUG', true );
define( 'WP_CACHE', false );
These go in wp-config.php on a development install. WP_DEBUG_DISPLAY off keeps notices out of the rendered page; WP_DEBUG_LOG on sends them to wp-content/debug.log instead, which is readable over the web on most hosts, so turn it off before the site goes to production.
Sanitize all the things
intval();
absint();
wp_kses();
sanitize_title();
sanitize_email();
sanitize_file_name();
sanitize_html_class();
sanitize_key();
sanitize_meta();
sanitize_mime_type();
sanitize_option();
sanitize_sql_orderby();
sanitize_post_field();
sanitize_text_field();
sanitize_title_for_query();
sanitize_title_with_dashes();
sanitize_user();
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
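The two slides above are the halves of one rule: sanitize data when it comes in, escape it when it goes out, and pick the escaper by the context the value lands in (HTML body, attribute, URL, textarea), not by where it came from. The following is an added example, not code from Brad's slides; the option group, option name, `bp_demo_` prefix and field names are hypothetical, and it assumes PHP 7 for the `??` operator.

```php
<?php
// Added example, not from the talk: sanitize on the way in, escape on the
// way out. The option names and the bp_demo_ prefix are hypothetical.

// Tag allow-list shared by input filtering and output.
function bp_demo_allowed_tags() {
    return array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
    );
}

// Registering the option with a sanitize callback means every write,
// including ones made through the Settings API, passes through it.
add_action( 'admin_init', function () {
    register_setting( 'bp_demo_settings', 'bp_demo_options', 'bp_demo_sanitize_options' );
} );

function bp_demo_sanitize_options( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Plain text: strips tags, invalid UTF-8, octets and line breaks.
    $clean['site_label'] = sanitize_text_field( $input['site_label'] ?? '' );

    // Integer: absint() turns anything non-numeric or negative into 0.
    $clean['per_page'] = absint( $input['per_page'] ?? 10 );
    if ( 0 === $clean['per_page'] ) {
        $clean['per_page'] = 10;
    }

    // Email: sanitize_email() returns '' for anything that is not an address.
    $clean['contact'] = sanitize_email( $input['contact'] ?? '' );

    // Limited HTML: wp_kses() keeps only the allow-listed tags/attributes.
    $clean['footer_html'] = wp_kses( $input['footer_html'] ?? '', bp_demo_allowed_tags() );

    // Fixed choice: map onto known values instead of trusting the raw string.
    $clean['layout'] = in_array( $input['layout'] ?? '', array( 'list', 'grid' ), true )
        ? $input['layout']
        : 'list';

    return $clean;
}

// Admin field for the HTML option: textarea content gets esc_textarea().
function bp_demo_footer_field() {
    $o = get_option( 'bp_demo_options', array() );
    echo '<textarea name="bp_demo_options[footer_html]">'
        . esc_textarea( $o['footer_html'] ?? '' )
        . '</textarea>';
}

// Front-end output. Stored data is still untrusted at render time, so each
// value is escaped for the exact context it is printed into.
function bp_demo_render_footer() {
    $o = wp_parse_args( get_option( 'bp_demo_options', array() ), array(
        'site_label'  => '',
        'per_page'    => 10,
        'contact'     => '',
        'footer_html' => '',
        'layout'      => 'list',
    ) );
    ?>
    <div class="bp-demo bp-demo-<?php echo esc_attr( sanitize_html_class( $o['layout'] ) ); ?>"
         data-per-page="<?php echo esc_attr( (int) $o['per_page'] ); ?>">
        <h2><?php echo esc_html( $o['site_label'] ); ?></h2>
        <?php if ( '' !== $o['contact'] ) : ?>
            <a href="<?php echo esc_url( 'mailto:' . $o['contact'] ); ?>">
                <?php echo esc_html( $o['contact'] ); ?>
            </a>
        <?php endif; ?>
        <?php echo wp_kses( $o['footer_html'], bp_demo_allowed_tags() ); ?>
    </div>
    <?php
}
```

Note that the HTML field is filtered with the same allow-list on the way out as on the way in: the database is not a trust boundary, since another plugin or a direct SQL write can put anything in that option.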
Database Queries
$wpdb->insert();
$wpdb->update();
$wpdb->prepare();
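The point of `$wpdb->prepare()` is that values are bound with `%s`, `%d` and `%f` placeholders instead of being concatenated into the SQL string. What it cannot do is bind identifiers, so column names used in ORDER BY still need an allow-list, which is where `sanitize_sql_orderby()` from the earlier slide comes in. Below is an added example, not code from the talk, showing the vulnerable concatenation beside the prepared version, a LIKE search, a safe ORDER BY, and an `insert()` with a format array. The `bp_items` table and its columns are hypothetical.

```php
<?php
// Added example, not from the talk. The bp_items table and its columns are
// made up for illustration.

// VULNERABLE: the value is concatenated into the query, so a request like
// ?status=x' OR '1'='1 changes the query instead of being compared as data.
function bp_demo_find_unsafe( $status ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}bp_items WHERE status = '$status'"
    );
}

// SAFE: prepare() quotes and escapes each bound value; %d forces an integer.
function bp_demo_find_safe( $status, $limit ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}bp_items WHERE status = %s LIMIT %d",
            $status,
            $limit
        )
    );
}

// LIKE needs two steps: esc_like() neutralises % and _ in the user's term,
// then prepare() binds the finished pattern.
function bp_demo_search( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, title FROM {$wpdb->prefix}bp_items WHERE title LIKE %s",
            $pattern
        )
    );
}

// Identifiers cannot be bound. Allow-list the column and direction, then run
// the clause through sanitize_sql_orderby(), which returns false on junk.
function bp_demo_list( $orderby, $order ) {
    global $wpdb;
    $columns = array( 'id', 'title', 'created' );
    $column  = in_array( $orderby, $columns, true ) ? $orderby : 'id';
    $dir     = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';
    $clause  = sanitize_sql_orderby( "$column $dir" );
    if ( false === $clause ) {
        $clause = 'id ASC';
    }
    return $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}bp_items ORDER BY $clause"
    );
}

// insert() and update() take arrays and escape the values themselves; the
// format array pins each value's type so a string cannot sneak into an int.
function bp_demo_save( $title, $status ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'bp_items',
        array(
            'title'   => $title,
            'status'  => $status,
            'created' => current_time( 'mysql' ),
        ),
        array( '%s', '%s', '%s' )
    );
    return $ok ? (int) $wpdb->insert_id : false;
}
```

`$wpdb->esc_like()` arrived in WordPress 4.0; on older installs the same job was done with `like_escape()`, which is now deprecated.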
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
Calling cURL directly is bad.
For real, it's bad. Use the HTTP API instead:
wp_remote_get();
wp_remote_post();
wp_remote_request();
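The HTTP API functions pick a transport that exists on the host, verify TLS certificates by default, and return a `WP_Error` instead of failing silently, which is what raw `curl_*` calls in a plugin usually get wrong. The following is an added example, not code from the talk, showing the checks a caller has to make on the response, the `wp_safe_remote_get()` variant for URLs a user can influence, a JSON POST, and caching the result in a transient. The endpoint URLs and the `bp_demo_` prefix are hypothetical.

```php
<?php
// Added example, not from the talk. The endpoint URLs and the bp_demo_
// prefix are made up for illustration.

// GET with the checks every caller needs: transport error, status code,
// then body parsing. Leave sslverify at its default of true; setting it
// to false to "fix" a certificate error turns off the only thing that
// stops an on-path attacker from feeding the plugin arbitrary data.
function bp_demo_fetch_json( $url ) {
    $response = wp_remote_get( $url, array(
        'timeout' => 10,
        'headers' => array( 'Accept' => 'application/json' ),
    ) );

    if ( is_wp_error( $response ) ) {
        return $response; // DNS failure, timeout, TLS error, ...
    }
    $code = (int) wp_remote_retrieve_response_code( $response );
    if ( 200 !== $code ) {
        return new WP_Error( 'bp_demo_http', "Unexpected HTTP status $code" );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( null === $data && JSON_ERROR_NONE !== json_last_error() ) {
        return new WP_Error( 'bp_demo_json', json_last_error_msg() );
    }
    return $data;
}

// When any part of the URL comes from a user, a setting or the database,
// use the wp_safe_remote_* variants. They run wp_http_validate_url(), which
// rejects non-http(s) schemes and hosts that resolve to loopback or private
// ranges. That is a guard against SSRF towards the local network, not a
// complete defense, so the scheme is also pinned here with esc_url_raw().
function bp_demo_fetch_user_supplied( $raw_url ) {
    $url = esc_url_raw( (string) $raw_url, array( 'http', 'https' ) );
    if ( '' === $url ) {
        return new WP_Error( 'bp_demo_url', 'Not a valid http(s) URL' );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    return wp_remote_retrieve_body( $response );
}

// POST with a JSON body. An array body would be form-encoded; a string
// body is sent as-is, so set the Content-Type yourself.
function bp_demo_post_event( array $payload ) {
    $response = wp_remote_post( 'https://api.example.invalid/v1/events', array(
        'timeout' => 10,
        'headers' => array( 'Content-Type' => 'application/json' ),
        'body'    => wp_json_encode( $payload ),
    ) );
    return is_wp_error( $response ) ? $response : (int) wp_remote_retrieve_response_code( $response );
}

// Cache remote results. A remote call on every front-end request is slow,
// and when the remote host goes down it takes the site with it.
function bp_demo_cached_status() {
    $data = get_transient( 'bp_demo_remote_status' );
    if ( false === $data ) {
        $data = bp_demo_fetch_json( 'https://api.example.invalid/v1/status' );
        if ( ! is_wp_error( $data ) ) {
            set_transient( 'bp_demo_remote_status', $data, HOUR_IN_SECONDS );
        }
    }
    return $data;
}
```

`wp_remote_request()` takes the same arguments with an explicit `'method'` key (PUT, DELETE, and so on); the response handling is identical.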
Check capabilities & roles
current_user_can();
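Nonces and capability checks answer different questions and a handler needs both: `current_user_can()` decides whether this user may perform the action at all, and the nonce decides whether this particular request was intended by that user rather than forged by a page they visited (CSRF). A valid nonce is not authorization; a subscriber can obtain a perfectly good nonce for a page they are allowed to see. The following is an added example, not code from the talk, tying the nonce functions from the earlier slide to a capability check in a form handler, an action link and an AJAX endpoint. Action names, option names, the `bp_demo_` prefix and the `bp-demo-admin` script handle are hypothetical.

```php
<?php
// Added example, not from the talk. Action names, option names, the
// bp_demo_ prefix and the script handle are hypothetical.

// 1. Form: wp_nonce_field() emits the hidden nonce plus a referer field.
function bp_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="bp_demo_save">
        <?php wp_nonce_field( 'bp_demo_save_action', 'bp_demo_nonce' ); ?>
        <input type="text" name="site_label"
               value="<?php echo esc_attr( get_option( 'bp_demo_label', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handler: capability first (may this user do this?), then nonce
//    (did this user mean to do it right now?). check_admin_referer()
//    stops the request with "Are you sure?" when the nonce fails.
add_action( 'admin_post_bp_demo_save', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
    }
    check_admin_referer( 'bp_demo_save_action', 'bp_demo_nonce' );

    $label = sanitize_text_field( wp_unslash( $_POST['site_label'] ?? '' ) );
    update_option( 'bp_demo_label', $label );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
} );

// 3. Action link: wp_nonce_url() appends _wpnonce to a GET URL. Binding the
//    item id into the action string stops a nonce for one item being replayed
//    against another.
function bp_demo_delete_link( $item_id ) {
    $item_id = absint( $item_id );
    $url     = add_query_arg(
        array( 'action' => 'bp_demo_delete', 'item' => $item_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'bp_demo_delete_' . $item_id );
}

add_action( 'admin_post_bp_demo_delete', function () {
    $item_id = absint( $_GET['item'] ?? 0 );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
    }
    // wp_verify_nonce() returns 1 or 2 (age tick) on success, false on failure,
    // and does not die, so the caller chooses the response.
    if ( ! wp_verify_nonce( $_GET['_wpnonce'] ?? '', 'bp_demo_delete_' . $item_id ) ) {
        wp_die( esc_html__( 'This link has expired; please try again.' ), 403 );
    }
    // ... delete item $item_id here ...
    wp_safe_redirect( wp_get_referer() );
    exit;
} );

// 4. AJAX: hand a nonce to the script, verify it in the handler, and still
//    check the capability; the nonce alone only proves the request came from
//    a logged-in user who loaded the page.
add_action( 'admin_enqueue_scripts', function () {
    // Assumes 'bp-demo-admin' was registered with wp_register_script() elsewhere.
    wp_localize_script( 'bp-demo-admin', 'bpDemo', array(
        'nonce'   => wp_create_nonce( 'bp_demo_ajax' ),
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
    ) );
} );

add_action( 'wp_ajax_bp_demo_ping', function () {
    check_ajax_referer( 'bp_demo_ajax', 'nonce' ); // ends the request on failure
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'time' => time() ) );
} );
```

Nonces in WordPress are tied to the user, the action string and a rolling 12-to-24 hour window, which is why the delete link above puts the item id into the action: without it, one captured nonce would authorise deleting every item the user can reach.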
Use native functions
A story about TimThumb
Questions?