WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding


Published on

A description of common security issues that exit in PHP/MySQL and HTML/Javascript based websites, how to mitigate, and then how WordPress can help

Published in: Technology, Business
  • Hi Anders - thanks so much for the comments. I will update my next slideset with your information. :)
    Are you sure you want to  Yes  No
    Your message goes here
  • Also... if you're interested... I've written a comprehensive WordPress Security Checklist which can be downloaded for free on www.wpsecuritychecklist.com... feel free to link to that in your presentations if you'd like...
    Are you sure you want to  Yes  No
    Your message goes here
  • Hi Aaron,

    Great presentation... just wanted to let you know that the two plugins you recommend have been combined into one plugin: http://wordpress.org/extend/plugins/websitedefender-wordpress-security/

    That's the most recent version, and it replaces the other two...
    Are you sure you want to  Yes  No
    Your message goes here
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding

  1. 1. Secure Wordpress Coding Aaron Saray
  2. 2. Why Trust This Guy? ● PHP programmer > than a decade ● Nerd since 8 yrs old ● MKEPUG ● Author ● you paid? :)
  3. 3. Why at WordCamp?● I use WordPress ○ even programmers do, yup● I like WordPress● WordPress is everywhere ○ I actually care about the world... you should too!
  4. 4. What is Security?● Physical, mental, emotional, resources● Secure programming? ○ protecting the user from... ■ themselves ■ the bad guys ■ glitches
  5. 5. Why you should care?Yay - its time for everyones favorite game show!
  6. 6. Myth: ...Fact: you should care - youre a nice person.Otherwise you wouldnt be here...
  7. 7. Myth: No one will attack meFact: Yes they will.● No one cares about my little website● Im not doing anything important● They can have it all, I have nothing they want
  8. 8. Thats Wrong!
  9. 9. Examples:● Testing Credit Cards● Hosting bad stuff● Stealing User Accounts (and passwords)● installing trojans ○ google now hates you● Who cares about Google ads? ○ Theyre only $0.02...
  10. 10. $132,994.97
  11. 11. Myth: PHP is so insecure that...● Bank vault is insecure with the door open● Haters be hatin● PHP users ○ Facebook ○ Yahoo ○ etc ■ if it were so bad, then why?
  12. 12. What Security Concerns in WebProjects Do We Have?● HTML begat PHP begat WordPress ● SQL Injection ● XSS ● CSRF *NOTE: examples are simple, and not necessarily indicative of real code.
  13. 13. SQL Injection● An attack that injects unknown SQL commands ○ usually done through a form filed ○ can be done in a query string● Consequence? ○ read all data ○ write / update / delete ○ drop tables!
  14. 14. SQL Injection Example
  15. 15. SQL Injection Example$sql = "select * from user where email=me@aaronsaray.com and password=monkey
  16. 16. SQL Injection Example What about password of ... say... x or userid=1; --$sql = "select * from user where email=me@aaronsaray.com andpassword=x or userid=1; --";
  17. 17. SQL Injection SolutionFilter user input!!
  18. 18. Cross Site Scripting (XSS)● An attack that allows a third party to add and execute client side scripts into a web page ○ Client side scripting (such as javascript) is fine (and useful) ○ but not if the site creator didnt approve it● Consequence? ○ form submission ○ steal cookie (login token) ○ Sammy!
  19. 19. XSS Example
  20. 20. XSS Example
  21. 21. Is this really that bad?Yup.
  22. 22. XSS SolutionFilter user input!!
  23. 23. Cross Site Request Forgery (CSRF)● An attack that sends a request from a malicious site masquerading as a legitimate request.● Submission or action originating not on your website● Consequence? ○ forms submitted ○ any user action done ■ potentially authorized users without knowledge
  24. 24. CSRF Example
  25. 25. CSRF Example
  26. 26. CSRF SolutionMulti pronged:● Use POST for data changes (RFC 2616)● Use $_POST, not $_REQUEST● Use a token ○ in Wordpress, theyre called "nonce"
  27. 27. CSRF Solution
  28. 28. CSRF Solution
  29. 29. CSRF Solution in Wordpress
  30. 30. ... so, who cares?Wordpress is a web project● Its PHP● Its HTML● Its Javascript● Its CSS● It takes user input● It displays user input
  31. 31. What can I do about it?Thanks for asking!● Security Scanning Plugin● Theme Creation Security● Practice safe plugin
  32. 32. If you remember just one thing...Use these Security Plugins:● Secure Wordpress http://wordpress.org/extend/plugins/secure-wordpress/● WP Security http://wordpress.org/extend/plugins/wp-security-scan/
  33. 33. Secure Themes● This isnt just filler ○ people focus on plugins usually. *slap*● Things to consider: ○ when using other themes or child themes ○ creating your own theme
  34. 34. Themes that you... borrow● Everyone grabs a theme ○ be smart about it ○ if its too good to be true...● Things to remember: ○ update themes when they ask you to ■ Remember the TimThumb-amo! ○ take a look at them ■ cdn.google.com/jquery.js ■ myhotbride.ru/funfreemoney.js
  35. 35. Themes that you sorta borrow● If you see a cool theme... ○ Child theme it! ○ Stay up to date with the parent security
  36. 36. and if youre in a rush...● Theme Authenticity Checker ○ http://builtbackwards.com/projects/tac/
  37. 37. so which security issues exist?● All of them!
  38. 38. Lets check out some best practices
  39. 39. Use built in functions● set_theme_mod()● Settings API
  40. 40. Use built in filters● esc_attr()● esc_html()● esc_textarea()● esc_url()● esc_js()● wp_filter_kses()
  41. 41. Filter example
  42. 42. Security through Obscurity● Not always that bad... ○ automated tools - why give them a freebie?● remove versions from your themes
  43. 43. Version examples...
  44. 44. O.P.P.● Other Peoples Plugins!
  45. 45. General Security● Security is really shared between plugins and themes● These can be applied to all of your programming, or other peoples programming. ○ For securitys sake - be careful when youre hacking other peoples plugins.
  46. 46. 2 Parts Left:
  47. 47. First, and foremost● Clean yo house
  48. 48. Clean it up● Update your Wordpress● Delete old things: ○ plugins ○ themes ○ user uploads from that hot babe● http://codex.wordpress.org/Hardening_WordPress
  49. 49. #2, Code Securely● Use NONCE● Dont let AJAX files sit around● Watch your SQL
  50. 50. Use $wpdb● It is a global variable ○ yup, I hate it too● Use these methods instead of creating your new wheelhttp://codex.wordpress.org/Function_Reference/wpdb_Class
  51. 51. $wpdb example
  52. 52. My Final AdviceIts Open Source Software for a reason
  53. 53. Aaron Saray Open Source Developer Milwaukee, WIQuestions? http://aaronsaray.com● Questions about @aaronsaray Secure Wordpress Coding? Milwaukee PHP Users Group http://mkepug.org @mkepug