Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Plugin Security
Search
Brad Parbs
July 26, 2014
Technology
3
130
Plugin Security
Brad Parbs
July 26, 2014
Tweet
Share
More Decks by Brad Parbs
See All by Brad Parbs
Learn to Love the Terminal
bradp
0
650
Extremely Powerful Local WordPress Development with Vagrant and Friends
bradp
1
170
Extremely Powerful Local WordPress Development with Vagrant and Friends - WordCamp Grand Rapids 2014
bradp
1
300
Web414 - Writing Clean, Clear, & Semantic Markup with HTML5
bradp
0
380
WordCamp Baltimore - Let's Get Sassy!
bradp
2
430
Starter Themes for Appleton WordPress Meetup
bradp
1
160
#WCGR - Getting SASSy
bradp
4
260
#WCPVD - Getting SASSy
bradp
2
270
WordCamp Chicago 2013 - Template Hiearchy
bradp
1
150
Other Decks in Technology
See All in Technology
Oracle Cloud Infrastructure:2025年9月度サービス・アップデート
oracle4engineer
PRO
0
440
ACA でMAGI システムを社内で展開しようとした話
mappie_kochi
1
270
GopherCon Tour 概略
logica0419
2
190
BirdCLEF+2025 Noir 5位解法紹介
myso
0
200
「AI駆動PO」を考えてみる - 作る速さから価値のスループットへ:検査・適応で未来を開発 / AI-driven product owner. scrummat2025
yosuke_nagai
4
600
AI ReadyなData PlatformとしてのAutonomous Databaseアップデート
oracle4engineer
PRO
0
190
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
sansan_randd
0
110
いまさら聞けない ABテスト入門
skmr2348
1
200
OpenAI gpt-oss ファインチューニング入門
kmotohas
2
1k
いま注目しているデータエンジニアリングの論点
ikkimiyazaki
0
600
生成AIで「お客様の声」を ストーリーに変える 新潮流「Generative ETL」
ishikawa_satoru
1
320
社内お問い合わせBotの仕組みと学び
nish01
0
400
Featured
See All Featured
Writing Fast Ruby
sferik
629
62k
A better future with KSS
kneath
239
17k
Practical Orchestrator
shlominoach
190
11k
Building a Scalable Design System with Sketch
lauravandoore
462
33k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
127
53k
YesSQL, Process and Tooling at Scale
rocio
173
14k
Navigating Team Friction
lara
189
15k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Faster Mobile Websites
deanohume
310
31k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
22k
Optimising Largest Contentful Paint
csswizardry
37
3.4k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
1.6k
Transcript
Security for Your Plugins
I’m Brad Parbs.
Nathan, you should watch Band of Brothers.
Let’s talk about what sucks in WordPress.
None
None
“20% of the 50 most popular WordPress plugins are vulnerable
to common Web attacks. This amounts to nearly 8 million downloads of vulnerable plugins.” Checkmarx, an application security company
Things that happen when your stuff isn’t secure.
None
How do we make sure this doesn’t happen?
Always develop with debugging ON
define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true ); define( 'SCRIPT_DEBUG', true ); define( 'WP_CACHE', false );
Sanitize all the things
intval(); absint();
wp_kses();
sanitize_title();
sanitize_email() sanitize_file_name() sanitize_html_class() sanitize_key() sanitize_meta()
sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_post_field() sanitize_text_field() sanitize_title() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user()
Escape all the things
esc_html();
esc_textarea();
esc_attr();
esc_url();
http://codex.wordpress.org/Data_Validation
Database Queries
$wpdb-‐>insert();
$wpdb-‐>update();
$wpdb-‐>prepare();
Nonces
wp_nonce_url();
wp_nonce_field();
wp_create_nonce();
check_admin_referer();
wp_verify_nonce();
Remote Data
CURL is bad.
For real, CURL is bad.
wp_remote_get();
wp_remote_post();
wp_remote_request();
Check capabilities & roles
current_user_can();
Use native functions
A story about TimThumb
Questions?
None