Plugin Security

Brad Parbs

July 26, 2014

Tweet

More Decks by Brad Parbs

See All by Brad Parbs

Learn to Love the Terminal

0

690

Extremely Powerful Local WordPress Development with Vagrant and Friends

1

180

Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014

1

320

Web414 - Writing Clean, Clear, & Semantic Markup with HTML5

0

410

WordCamp Baltimore - Let's Get Sassy!

2

500

Starter Themes for Appleton WordPress Meetup

1

180

#WCGR - Getting SASSy

4

290

#WCPVD - Getting SASSy

2

280

WordCamp Chicago 2013 - Template Hiearchy

1

170

Other Decks in Technology

See All in Technology

Contract One Engineering Unit 紹介資料

PRO

0

13k

Data Hubグループ紹介資料

PRO

0

2.7k

レガシー共有バッチ基盤への挑戦 - SREドリブンなリアーキテクチャリングの取り組み

0

210

フルカイテン株式会社エンジニア向け採用資料

0

10k

茨城の思い出を振り返る～CDKのセキュリティを添えて～ / 20260201 Mitsutoshi Matsuo

PRO

1

240

Amazon Bedrock Knowledge Basesチャンキング解説！

0

130

FinTech SREのAWSサービス活用/Leveraging AWS Services in FinTech SRE

0

130

Kiro IDEのドキュメントを全部読んだので地味だけどちょっと嬉しい機能を紹介する

0

180

Webhook best practices for rock solid and resilient deployments

1

280

Introduction to Bill One Development Engineer

PRO

0

360

Claude_CodeでSEOを最適化する_AI_Ops_Community_Vol.2__マーケティングx_AIはここまで進化した.pdf

2

550

CDK対応したAWS DevOps Agentを試そう_20260201

1

250

Featured

See All Featured

Product Roadmaps are Hard

PRO

55

12k

GraphQLとの向き合い方2022年版

50

14k

Organizational Design Perspectives: An Ontology of Organizational Design Elements

PRO

1

190

Cheating the UX When There Is Nothing More to Optimize - PixelPioneers

stephaniewalter

287

14k

ReactJS: Keep Simple. Everything can be a component!

666

130k

SEO Brein meetup: CTRL+C is not how to scale international SEO

0

2.3k

The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024

26

3.3k

41

3.8k

Prompt Engineering for Job Search

0

160

Put a Button on it: Removing Barriers to Going Fast.

60

4.2k

What's in a price? How to price your products and services

247

13k

The Cult of Friendly URLs

79

6.8k

Transcript

Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None