Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Secure WordPress Development Practices


Published on

I gave this talk at the September OCWP developer meetup.

Published in: Technology
  • Login to see the comments

Secure WordPress Development Practices

  1. 1. So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
  2. 2. Watch This.
  3. 3. That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.
  4. 4. Read This.
  5. 5. tl;dr • Keep your dev environment clean • Escape your data output • Sanitize your data inputs • Validate referrers • Core functionality should always trump your super awesome functionality
  6. 6. Keep Your Dev Environment Clean Don’t think that just because you’re on a mac you’re safe from viruses. If you’re on a PC, you should assume you’re already pwned.
  7. 7. Kaspersky Anti-Virus • I use it. • Dre uses it. • Tony uses it. • You should be using it.
  8. 8. Trust No One, Trust Nothing
  9. 9. XSS: Cross-site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
  10. 10. Escape All The Things On Output • Bad data will be tamed • esc_{context} • esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings. • esc_html - Escaping for HTML blocks. • esc_attr - Escaping for HTML attributes. • esc_sql - Escapes data for use in a MySQL query. • esc_url - Checks and cleans a URL. • esc_textarea - Escaping for textarea values.
  11. 11. Sanitize All The Things On Input • sanitize_* and similar functions help for most things • $_POST = array(‘e’=>‘<script src=‘’></script>’) • BAD: update_post_meta($id, ‘e’, $_POST[‘e’]) • GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’])) • Note: Might unintentionally change data and give unexpected results
  12. 12. Whitelisting Data • Whitelisting data - Only accept known data • $_POST = array( ‘pwn’=>‘<script src=‘’></script>’, ‘e’=‘’ ); • BAD: • foreach( $_POST as $key => $val ) : update_post_meta($id, $key, $val); endforeach; • GOOD: update_post_meta($id, ‘e’, sanitize_email($_POST[‘e’]))
  13. 13. Blacklisting Data • Blacklisting data - Only accept data if it’s in the proper format • $_POST = array( ‘e’=‘me@domain.’ ); • if( is_email($_POST[‘e’]) ) update_post_meta( $id, ‘e’, sanitize_email($_POST[‘e’]) );
  14. 14. CSRF: Cross-site Request Forgery Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
  15. 15. Sweet, this might lead to my next big deal! ACCEPT!
  16. 16. zOMG WTF?!
  17. 17. Nonces FTW! ( • Before the Request • wp_nonce_url • wp_create_nonce • wp_nonce_field • Verify the Request • wp_verify_nonce • check_admin_referer
  18. 18. Is there an API for that?
  19. 19. Professional WordPress Plugin Development