A talk on WordPress plugin security given at Big Media & Enterprise WordPress London Meetup, including a live demo of exploiting a plugin vulnerability. Video available here: https://vip.wordpress.com/2015/03/11/snakes-in-a-plugin-wordpress-plugin-security/ Meetup: http://www.meetup.com/Big-Media-Enterprise-WordPress-London-Meetup/events/220408317/

1. Duncan Stuart
@dgmstuart

2. @dgmstuart
“You can't defend.
You can't prevent.
The only thing you can do
is detect and respond.”
Bruce Schneier

3. @dgmstuart
WordPress dev for the public sector
Secure hosting
Plugin security reviews
www.dxw.com

4. @dgmstuart
The internet is a terrifying place

5. Demo

6. @dgmstuart
You can’t trust the ‘from’ field
You can’t trust the address bar
The internet is a terrifying place
What did we learn?

7. @dgmstuart
It’s much, much worse
@dgmstuart

9. @dgmstuart

10. @dgmstuart
It’s not unusual...
It’s the most common vulnerability
25% of plugins we review are unsafe
over 25% are conditionally safe

11. @dgmstuart
“I am regularly asked what the
average Internet user can do to
ensure his security.
Bruce Schneier

12. @dgmstuart
“I am regularly asked what the
average Internet user can do to
ensure his security. My first
answer is usually 'Nothing;
you're screwed'”
Bruce Schneier

13. @dgmstuart

14. @dgmstuart
What can you do?
1. Update!
2. Pen test!
3. Mongoose!

15. @dgmstuart
Security alerts for WordPress plugins
www.mongoosewp.com

16. @dgmstuart @thedxw
www.dxw.com
Thank You

17. Questions?
@dgmstuart