Your SlideShare is downloading. ×
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding

1,550
views

Published on

A description of common security issues that exit in PHP/MySQL and HTML/Javascript based websites, how to mitigate, and then how WordPress can help

A description of common security issues that exit in PHP/MySQL and HTML/Javascript based websites, how to mitigate, and then how WordPress can help

Published in: Technology, Business

3 Comments
2 Likes
Statistics
Notes
  • Hi Anders - thanks so much for the comments. I will update my next slideset with your information. :)
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Also... if you're interested... I've written a comprehensive WordPress Security Checklist which can be downloaded for free on www.wpsecuritychecklist.com... feel free to link to that in your presentations if you'd like...
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi Aaron,

    Great presentation... just wanted to let you know that the two plugins you recommend have been combined into one plugin: http://wordpress.org/extend/plugins/websitedefender-wordpress-security/

    That's the most recent version, and it replaces the other two...
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Views
Total Views
1,550
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
14
Comments
3
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Secure Wordpress Coding Aaron Saray
  • 2. Why Trust This Guy? ● PHP programmer > than a decade ● Nerd since 8 yrs old ● MKEPUG ● Author ● you paid? :)
  • 3. Why at WordCamp?● I use WordPress ○ even programmers do, yup● I like WordPress● WordPress is everywhere ○ I actually care about the world... you should too!
  • 4. What is Security?● Physical, mental, emotional, resources● Secure programming? ○ protecting the user from... ■ themselves ■ the bad guys ■ glitches
  • 5. Why you should care?Yay - its time for everyones favorite game show!
  • 6. Myth: ...Fact: you should care - youre a nice person.Otherwise you wouldnt be here...
  • 7. Myth: No one will attack meFact: Yes they will.● No one cares about my little website● Im not doing anything important● They can have it all, I have nothing they want
  • 8. Thats Wrong!
  • 9. Examples:● Testing Credit Cards● Hosting bad stuff● Stealing User Accounts (and passwords)● installing trojans ○ google now hates you● Who cares about Google ads? ○ Theyre only $0.02...
  • 10. $132,994.97
  • 11. Myth: PHP is so insecure that...● Bank vault is insecure with the door open● Haters be hatin● PHP users ○ Facebook ○ Yahoo ○ etc ■ if it were so bad, then why?
  • 12. What Security Concerns in WebProjects Do We Have?● HTML begat PHP begat WordPress ● SQL Injection ● XSS ● CSRF *NOTE: examples are simple, and not necessarily indicative of real code.
  • 13. SQL Injection● An attack that injects unknown SQL commands ○ usually done through a form filed ○ can be done in a query string● Consequence? ○ read all data ○ write / update / delete ○ drop tables!
  • 14. SQL Injection Example
  • 15. SQL Injection Example$sql = "select * from user where email=me@aaronsaray.com and password=monkey
  • 16. SQL Injection Example What about password of ... say... x or userid=1; --$sql = "select * from user where email=me@aaronsaray.com andpassword=x or userid=1; --";
  • 17. SQL Injection SolutionFilter user input!!
  • 18. Cross Site Scripting (XSS)● An attack that allows a third party to add and execute client side scripts into a web page ○ Client side scripting (such as javascript) is fine (and useful) ○ but not if the site creator didnt approve it● Consequence? ○ form submission ○ steal cookie (login token) ○ Sammy!
  • 19. XSS Example
  • 20. XSS Example
  • 21. Is this really that bad?Yup.
  • 22. XSS SolutionFilter user input!!
  • 23. Cross Site Request Forgery (CSRF)● An attack that sends a request from a malicious site masquerading as a legitimate request.● Submission or action originating not on your website● Consequence? ○ forms submitted ○ any user action done ■ potentially authorized users without knowledge
  • 24. CSRF Example
  • 25. CSRF Example
  • 26. CSRF SolutionMulti pronged:● Use POST for data changes (RFC 2616)● Use $_POST, not $_REQUEST● Use a token ○ in Wordpress, theyre called "nonce"
  • 27. CSRF Solution
  • 28. CSRF Solution
  • 29. CSRF Solution in Wordpress
  • 30. ... so, who cares?Wordpress is a web project● Its PHP● Its HTML● Its Javascript● Its CSS● It takes user input● It displays user input
  • 31. What can I do about it?Thanks for asking!● Security Scanning Plugin● Theme Creation Security● Practice safe plugin
  • 32. If you remember just one thing...Use these Security Plugins:● Secure Wordpress http://wordpress.org/extend/plugins/secure-wordpress/● WP Security http://wordpress.org/extend/plugins/wp-security-scan/
  • 33. Secure Themes● This isnt just filler ○ people focus on plugins usually. *slap*● Things to consider: ○ when using other themes or child themes ○ creating your own theme
  • 34. Themes that you... borrow● Everyone grabs a theme ○ be smart about it ○ if its too good to be true...● Things to remember: ○ update themes when they ask you to ■ Remember the TimThumb-amo! ○ take a look at them ■ cdn.google.com/jquery.js ■ myhotbride.ru/funfreemoney.js
  • 35. Themes that you sorta borrow● If you see a cool theme... ○ Child theme it! ○ Stay up to date with the parent security
  • 36. and if youre in a rush...● Theme Authenticity Checker ○ http://builtbackwards.com/projects/tac/
  • 37. so which security issues exist?● All of them!
  • 38. Lets check out some best practices
  • 39. Use built in functions● set_theme_mod()● Settings API
  • 40. Use built in filters● esc_attr()● esc_html()● esc_textarea()● esc_url()● esc_js()● wp_filter_kses()
  • 41. Filter example
  • 42. Security through Obscurity● Not always that bad... ○ automated tools - why give them a freebie?● remove versions from your themes
  • 43. Version examples...
  • 44. O.P.P.● Other Peoples Plugins!
  • 45. General Security● Security is really shared between plugins and themes● These can be applied to all of your programming, or other peoples programming. ○ For securitys sake - be careful when youre hacking other peoples plugins.
  • 46. 2 Parts Left:
  • 47. First, and foremost● Clean yo house
  • 48. Clean it up● Update your Wordpress● Delete old things: ○ plugins ○ themes ○ user uploads from that hot babe● http://codex.wordpress.org/Hardening_WordPress
  • 49. #2, Code Securely● Use NONCE● Dont let AJAX files sit around● Watch your SQL
  • 50. Use $wpdb● It is a global variable ○ yup, I hate it too● Use these methods instead of creating your new wheelhttp://codex.wordpress.org/Function_Reference/wpdb_Class
  • 51. $wpdb example
  • 52. My Final AdviceIts Open Source Software for a reason
  • 53. Aaron Saray Open Source Developer Milwaukee, WIQuestions? http://aaronsaray.com● Questions about @aaronsaray Secure Wordpress Coding? Milwaukee PHP Users Group http://mkepug.org @mkepug

×