WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
John Ford
The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.
1.
Plugin & Theme Security
http://johnford.is/ @iamjohnford
2.
SQL Injection
3.
$wpdb->query( "UPDATE $wpdb->posts SET post_title = '$new_title' WHERE ID = $id" );
BAD
4.
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'" );
BAD
5.
$username = "' OR 1 -- ";
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'" );
BAD
6.
$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '' OR 1 -- ' AND user_pass = '$password'" );
BAD
7.
$wpdb->update()
GOOD
8.
$wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ) );
GOOD
9.
$wpdb->insert( $table, $data );
GOOD
10.
$wpdb->prepare()
GOOD
11.
$wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );
GOOD
12.
http://codex.wordpress.org/Function_Reference/wpdb_Class
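The BAD and GOOD patterns from slides 3 to 11 carried through into one complete lookup, as an added example that is not code from the deck; it assumes WordPress is loaded (global $wpdb) and the wcm_* function names are hypothetical.

```php
<?php
/*
 * Added example, not code from the slides: the same lookup written the BAD
 * way and the GOOD way. Assumes WordPress is loaded (global $wpdb); the
 * wcm_* function names are hypothetical.
 */

// BAD: $slug and $id are interpolated straight into the SQL. Slide 5's value
// "' OR 1 -- " closes the quoted literal and comments out the rest, so the
// WHERE clause becomes  post_name = '' OR 1  and every row matches.
function wcm_find_post_bad( $slug, $id ) {
    global $wpdb;
    return $wpdb->get_row(
        "SELECT ID, post_title FROM $wpdb->posts WHERE post_name = '$slug' OR ID = $id"
    );
}

// GOOD: $wpdb->prepare() escapes and quotes each %s and casts each %d to an
// integer, so the same input is sent as the literal string '\' OR 1 -- ' and
// can only match a slug that is literally that text.
function wcm_find_post_good( $slug, $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts WHERE post_name = %s OR ID = %d",
        $slug,
        $id
    );
    return $wpdb->get_row( $sql );
}

// GOOD: for a plain write, $wpdb->update() builds and escapes the statement;
// the two format arrays say how each value is bound (%s string, %d integer).
function wcm_rename_post_good( $id, $new_title ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ),
        array( 'ID' => $id ),
        array( '%s' ),
        array( '%d' )
    );
}

// Request values are untrusted however they arrive: absint() makes the ID a
// non-negative integer, and wp_unslash() strips the slashes WordPress adds to
// request data so prepare() escapes the real value exactly once.
$slug = isset( $_GET['slug'] ) ? wp_unslash( $_GET['slug'] ) : '';
$id   = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
$post = wcm_find_post_good( $slug, $id );
```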
13.
XSS Cross-site Scripting
14.
<h1><?php echo $title; ?></h1>
BAD
15.
$title = '<script>jsCode();</script>';
<h1><?php echo $title; ?></h1>
BAD
16.
<h1><?php echo esc_html( $title ); ?></h1>
GOOD
17.
esc_attr_e()
18.
<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text </a>
BAD
19.
<?php $title = '" onmouseover="jsCode();'; ?>
<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text </a>
BAD
20.
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text </a>
GOOD
21.
esc_textarea()
GOOD
22.
23.
24.
<a href="<?php echo $url; ?>"> Link Text </a>
BAD
25.
<?php $url = 'javascript:jsCode();'; ?>
<a href="<?php echo $url; ?>"> Link Text </a>
BAD
26.
<a href="<?php echo esc_url( $url ); ?>"> Link Text </a>
GOOD
27.
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
BAD
28.
<form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">
GOOD
29.
<script> var foo = '<?php echo $unsafe; ?>'; </script>
BAD
30.
<script> var foo = '<?php echo esc_js( $unsafe ); ?>'; </script>
GOOD
31.
wp_filter_kses( $data )
GOOD
32.
http://codex.wordpress.org/Data_Validation
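The escaping functions from slides 14 to 31 applied by output context in a single renderer, as an added example rather than code from the deck; it assumes WordPress is loaded, and wcm_render_card() and its inputs are made up. It uses wp_kses_post() where slide 31 names wp_filter_kses(), because wp_filter_kses() is the save-time filter and returns a slashed string, while wp_kses_post() is its output-side counterpart.

```php
<?php
/*
 * Added example, not code from the slides: a hypothetical card renderer that
 * takes untrusted values and picks the escaping function by output context.
 * Assumes WordPress is loaded; wcm_render_card() and its inputs are made up.
 */
function wcm_render_card( $title, $url, $note, $body ) {
    // Escape at output, with the function for the context the value lands in.
    // The same $title needs a different escaper in each place it appears.
    ?>
    <div class="wcm-card">
        <!-- Text between tags: esc_html() turns <script> into &lt;script&gt; -->
        <h2><?php echo esc_html( $title ); ?></h2>

        <!-- Quoted attribute value: esc_attr(). Slide 19's
             '" onmouseover="jsCode();' comes out as &quot; onmouseover=&quot;...
             and stays inside the title attribute. -->
        <a href="<?php echo esc_url( $url ); ?>"
           title="<?php echo esc_attr( $title ); ?>">Link Text</a>
        <!-- href is a URL context, not just an attribute: esc_attr() would
             pass 'javascript:jsCode();' through untouched, esc_url() returns
             an empty string because the scheme is not on the allowed list. -->

        <!-- textarea body: esc_textarea() keeps the text readable and
             neutralises a premature </textarea> -->
        <textarea name="note"><?php echo esc_textarea( $note ); ?></textarea>

        <!-- HTML the user may write: filter to an allow-list instead of
             escaping. wp_kses_post() keeps <b> and drops <script>. -->
        <div class="body"><?php echo wp_kses_post( $body ); ?></div>

        <!-- JavaScript string literal: esc_js() escapes quotes, newlines and
             '<' so the literal cannot end the <script> element. -->
        <script>
            var cardTitle = '<?php echo esc_js( $title ); ?>';
        </script>
    </div>
    <?php
}

// Constructed inputs reusing the payloads the slides show.
wcm_render_card(
    '" onmouseover="jsCode();',
    'javascript:jsCode();',
    '</textarea><script>jsCode();</script>',
    '<b>bold</b><script>jsCode();</script>'
);
```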
33.
CSRF Cross-site Request Forgery
34.
Nonces: action-, object-, & user-specific time-limited secret keys
35.
wp_nonce_field( 'plugin-action_object' )
GOOD
36.
check_admin_referer( 'plugin-action_object' )
GOOD
37.
38.
http://codex.wordpress.org/WordPress_Nonces
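A form and handler round trip built on slide 35's wp_nonce_field() and slide 36's check_admin_referer(), as an added example that is not code from the deck; it assumes WordPress is loaded, and the wcm_* names, the 'wcm-save_settings' action string and the option key are invented. It goes one step beyond the slides by pairing the nonce with a current_user_can() capability check.

```php
<?php
/*
 * Added example, not code from the slides: a settings form and the handler
 * that processes it, tied together by a nonce. Assumes WordPress is loaded;
 * the wcm_* names, action string and option key are hypothetical.
 */

// Form: wp_nonce_field() adds a hidden _wpnonce input (plus a referer field)
// that is specific to this action string, the logged-in user and the current
// time window (24 hours by default).
function wcm_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="wcm_save_settings">
        <?php wp_nonce_field( 'wcm-save_settings' ); ?>
        <label>Greeting
            <input type="text" name="greeting"
                   value="<?php echo esc_attr( get_option( 'wcm_greeting', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler: check_admin_referer() verifies the nonce for the same action string
// and stops with "Are you sure you want to do this?" if it is missing, expired,
// or was issued for another user or action. A page on a different site that
// auto-submits this form has no way to supply a valid one.
function wcm_save_settings() {
    check_admin_referer( 'wcm-save_settings' );

    // A nonce proves intent, not permission: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Sanitise on the way in; the form above escapes on the way out.
    $greeting = isset( $_POST['greeting'] ) ? sanitize_text_field( $_POST['greeting'] ) : '';
    update_option( 'wcm_greeting', $greeting );

    wp_safe_redirect( admin_url( 'options-general.php?page=wcm&updated=1' ) );
    exit;
}
add_action( 'admin_post_wcm_save_settings', 'wcm_save_settings' );
```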
39.
eval() = evil
40.
Thank you!
http://johnford.is/ @iamjohnford