The document discusses secure coding practices for WordPress plugins. It outlines three common attacks - SQL injection, XSS (cross-site scripting), and CSRF (cross-site request forgery). For each attack, it provides examples of insecure code and explains how to make the code secure using techniques like escaping output, validating input, and using nonces. It also discusses some common mistakes to avoid, like using eval() and not sanitizing variables before output. The goal is to teach developers how to thwart attacks and code more securely.

1. Secure Coding
with WordPress
@markjaquith
Mark Jaquith m@rkj.me
“JAKE-with” markjaquith.com

2. The state of
WordPress plugin
security is...

4. Problem #1
Lack of
awareness

5. Problem #2
Apathy

6. Goals
I want you to learn the following:
1. How to thwart the three most
common attacks
2. Two useful principles
3. Common mistakes to avoid

7. Attack #1
SQL
Injection

8. $wpdb->query(
"UPDATE $wpdb->posts
SET post_title = '$newtitle'
WHERE ID = $my_id"
);

10. $wpdb->update()

11. $wpdb->update(
$wpdb->posts,
array( 'post_title' => $newtitle ),
array( 'ID' => $my_id )
);

12. $sets = array(
'post_title' => $newtitle,
'post_content' => $newcontent
);
$wheres = array(
'post_type' => 'post',
'post_name' => $my_name
);
$wpdb->update( $wpdb->posts, $sets, $wheres );

13. $wpdb->insert( $table, $data )

14. $wpdb->prepare()

15. $wpdb->prepare(
"SELECT * FROM $wpdb->posts
WHERE post_name = %s OR ID = %d",
$some_name,
$some_id
);

16. • Powered by sprintf(), but only %s
and %d are supported right now
• Do not quote %s — use %s, NOT '%s'
• Does the escaping for you

17. Rule #1
Escape Late

18. Attack #2
XSS
(Cross-Site Scripting)

19. <h1>
<?php echo $title ?>
<h1>

20. $title = '<script>pwnage();</script>';

21. Rule #2
Anything that
isn’t hardcoded
is suspect

22. Rule #2 (revised)
Everything
is suspect

23. Easy as...

24. esc_html()

25. <h1>
<?php echo esc_html( $title ); ?>
</h1>

26. <?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo
$title; ?>">
Link Text
</a>

27. esc_attr()

28. <?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">
Link Text
</a>

29. <?php $url = 'javascript:pwnd()'; ?>
<a href="<?php echo $url; ?>">
Link Text
</a>

30. esc_url()

31. esc_url_raw()

32. esc_js()

33. <script>
var foo = '<?php echo esc_js( $unsafe ); ?>';
</script>

34. esc_textarea()

35. wp_filter_kses()

36. Attack #3
CSRF
Cross-site Request Forgery

37. Authorization
vs.
Intention

38. Nonces
action-, object-, & user-specific
time-limited secret keys

39. Specific to
• WordPress user
• Action attempted
• Object of attempted action
• Time window

40. wp_nonce_field( 'plugin-action_object' )

41. <form action="process.php" method="post">
<?php
wp_nonce_field('plugin-action_object');
?>
...
</form>

42. check_admin_referer( 'plugin-action_object' );

43. Still need to use
current_user_can()

44. CSRF for
Ajax/XHR

45. // 1. On the front end
$nonce = wp_create_nonce
( 'your_action' );
// 2. add &_ajax_nonce=$nonce to your
// post/get vars
// 3. On the backend
check_ajax_referer( 'your_action' );

46. Stupid shit I
see all the time

47. eval()

48. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>">

49. <a href="<?php echo $home; ?>" title="<?php echo $title; ?>">
<?php echo $text; ?>
</a>
<script>var foo = '<?php echo $var; ?>';</script>

50. <a href="<?php echo esc_url( $home ); ?>" title="<?php
echo esc_attr( $title ); ?>">
<?php echo esc_html( $text ); ?>
</a>
<script>var foo = '<?php echo esc_js( $var ); ?>';</
script>

51. Thanks!
@markjaquith
Mark Jaquith m@rkj.me
“JAKE-with” markjaquith.com