1) WordPress themes and plugins are often vulnerable to security issues like SQL injection and XSS due to a lack of sanitization and escaping of user input. 2) Proper sanitization and output escaping is important - sanitize early and escape late. The WPDB class and esc_* functions help prevent SQL injection, while esc_html(), esc_attr(), esc_url() and related functions help prevent XSS. 3) Nonces should be used for authentication and verification of intentions for actions like form submissions to prevent CSRF attacks. Common mistakes like eval() and revealing server variables can also cause vulnerabilities.

1. Building Secure WordPress
Themes and Plugins

2. Tikaram Bhandari
Happiness Engineer / Theme Developer
Catch Themes

3. The State of WordPress Themes
and Plugins security...

4. Problems
Lack of Awareness
Lack of Concern

5. Attack #1
SQL Injection
$wpdb->query (
''UPDATE $wpdb -> $posts
SET post_title = '$newtitle'
WHERE id= $my_id''
);

6. Disregard Queries: Use API
$wpdb -> update()
$wpdb -> update (
$wpdb -> $posts,
array ( 'post_title' => '$newtitle' ),
array ( 'id' => $my_id )
);
$wpdb -> insert( $table, $data )
$wpdb -> prepare( )

7. Sanitize Early ( Rule #1)
Sanitizing in customizer
$wp_customize->add_setting(
'prefix_email_address',
array(
…
'sanitize_callback' => 'is_email',
) );
$wp_customize->add_setting(
'prefix_twitter_url',
array(
'default' => '',
'transport' => 'postMessage',
'sanitize_callback' => 'esc_url_raw',
) );

8. Attack #2
XSS
Cross-Site Scripting
<h1>
<?php echo $title; ?>
</h1>
$title = '<script>some_function();</script>';

9. Escape Late ( Rule #2)

10. {
esc_attr_e
Easy as 1 2 3
{
{
esc_html()
<h1>
<?php echo esc_html( $title ) ; ?>
</h1>

11. <?php $title=' ''onmouseover=''fucn();'; ?>
<a href =''#wordcamp'' title=''<?php echo $title;
?>''>
Text
</a>
esc_attr()
<?php $title=' '' onmouseover=''fucn();'; ?>
<a href =''#wordcamp'' title=''<?php echo
esc_attr( $title ) ; ?>''>
Text
</a>

12. <?php $url = 'javascript:func()'; ?>
<a href= ''<?php echo $url; ?> ''>
Text
</a>
esc_url()
<?php $url = 'javascript:func()'; ?>
<a href= ''<?php echo esc_url( $url ) ; ?> ''>
Text
</a>

13. esc_js()
<script>
var foo = ' <?php echo esc_js( $unsafe ); ?> ';
</script>
esc_textarea()

14. wp_kses family
wp_kses()
wp_kses_post()
wp_kses_allowed_html

15. Not Hardcoded = Suspect ( Rule #3)
Everything is suspect

16. Attack #3
CSRF : Cross-site Request Forgery
Authorization vs Intention

17. Nonces
action-, object- & user-specific time specific
secret keys
wp_nonce_field('theme-action_object')
check_admin_referer('theme-
action_object')

18. CSRF for Ajax/XHR requests
 On front end
$nonce = wp_create_nonce( 'your_action' )
 Add &_ajax_nonce = $nonce to your post/get
vars
 On backend
check_ajax_referer( 'your_action' ) ;

19. Some mistakes
 eval()
 <form action= '' <?php echo
$_SERVER['REQURES_URI']; ?> '' >

20. Common Vulnerabilities
Data Sanitization/Escaping
Using Nonces
Common Mistakes
Summary

21. References
Plugin Security
https://developer.wordpress.org/plugins/security
Theme Security
https://developer.wordpress.org/themes/theme-
security

22. Thanks, any questions?
Email: tikaram@catchthemes.com