WordPress Security - WordCamp Phoenix

•

6 likes•7,621 views

The document discusses secure coding practices for WordPress plugins. It outlines three common attacks - SQL injection, XSS (cross-site scripting), and CSRF (cross-site request forgery). For each attack, it provides examples of insecure code and explains how to make the code secure using techniques like escaping output, validating input, and using nonces. It also discusses some common mistakes to avoid, like using eval() and not sanitizing variables before output. The goal is to teach developers how to thwart attacks and code more securely.

Secure Coding
with WordPress

@markjaquith
Mark Jaquith m@rkj.me
“JAKE-with” markjaquith.com

The state of
WordPress plugin
security is...

Goals
I want you to learn the following:

1. How to thwart the three most
common attacks
2. Two useful principles
3. Common mistakes to avoid

$wpdb->query(
"UPDATE $wpdb->posts
SET post_title = '$newtitle'
WHERE ID = $my_id"
);

$wpdb->update(
$wpdb->posts,
array( 'post_title' => $newtitle ),
array( 'ID' => $my_id )
);

$sets = array(
'post_title' => $newtitle,
'post_content' => $newcontent
);

$wheres = array(
'post_type' => 'post',
'post_name' => $my_name
);

$wpdb->update( $wpdb->posts, $sets, $wheres );

$wpdb->prepare(
"SELECT * FROM $wpdb->posts
WHERE post_name = %s OR ID = %d",
$some_name,
$some_id
);

• Powered by sprintf(), but only %s
and %d are supported right now

• Do not quote %s — use %s, NOT '%s'
• Does the escaping for you

Rule #2

Anything that
isn’t hardcoded
is suspect

Rule #2 (revised)

Everything
is suspect

<h1>
<?php echo esc_html( $title ); ?>
</h1>

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo
$title; ?>">
Link Text
</a>

<?php $title = '" onmouseover="pwnd();'; ?>
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>">
Link Text
</a>

<?php $url = 'javascript:pwnd()'; ?>
<a href="<?php echo $url; ?>">
Link Text
</a>

<script>
var foo = '<?php echo esc_js( $unsafe ); ?>';
</script>

Attack #3

CSRF
Cross-site Request Forgery

Nonces
action-, object-, & user-specific
time-limited secret keys

Specific to
• WordPress user
• Action attempted
• Object of attempted action
• Time window

wp_nonce_field( 'plugin-action_object' )

<form action="process.php" method="post">
<?php
wp_nonce_field('plugin-action_object');
?>
...
</form>

check_admin_referer( 'plugin-action_object' );

// 1. On the front end
$nonce = wp_create_nonce
( 'your_action' );

// 2. add &_ajax_nonce=$nonce to your
// post/get vars

// 3. On the backend
check_ajax_referer( 'your_action' );

<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">

<a href="<?php echo $home; ?>" title="<?php echo $title; ?>">
<?php echo $text; ?>
</a>
<script>var foo = '<?php echo $var; ?>';</script>

<a href="<?php echo esc_url( $home ); ?>" title="<?php
echo esc_attr( $title ); ?>">
<?php echo esc_html( $text ); ?>
</a>
<script>var foo = '<?php echo esc_js( $var ); ?>';</
script>

Thanks!
@markjaquith
Mark Jaquith m@rkj.me
“JAKE-with” markjaquith.com

What's hot

제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호

daumfoundation

jQuery: Tips, tricks and hints for better development and Performance

Jonas De Smet

R57shell

ady36

Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany

Balázs Tatár

Webmontag Berlin "coffee script"Webmontag Berlin

Can WordPress really do that? A case study of vierderduer.no

Morten Rand-Hendriksen

Session3สอนทำโปรเจคจบ วิทคอมไอทีคอมธุรกิจ

IsTrue(true)?

David Golden

Uninstall opera

Przemek Jakubczyk

How did i steal your database

Mostafa Siraj

PythonでJWT生成からボット作成、投稿までやってみた

itoxdev

Dangerous Ruby (or: Job Security)

Vidmantas Kabošis

Xmpp prebind

Syed Arshad

Modware next generation with pub modulecybersiddhu

Web Scraping with PHPMatthew Turland

Ae internals

mnikolenko

Mysql & PhpInbal Geffen

Service intergration

재민 장

AngulrJS Overview

Eyal Vardi

Ubi comp27nov04mohamed ashraf

What's hot (20)

제5회인터넷리더십프로그램_왕초보를 위한 트위터 완벽 활용_정진호

jQuery: Tips, tricks and hints for better development and Performance

R57shell

Let's write secure Drupal code! - 13.09.2018 @ Drupal Europe, Darmstadt, Germany

Webmontag Berlin "coffee script"

Can WordPress really do that? A case study of vierderduer.no

Session3

IsTrue(true)?

Uninstall opera

How did i steal your database

PythonでJWT生成からボット作成、投稿までやってみた

Dangerous Ruby (or: Job Security)

Xmpp prebind

Modware next generation with pub module

Web Scraping with PHP

Ae internals

Mysql & Php

Service intergration

AngulrJS Overview

Ubi comp27nov04

Similar to WordPress Security - WordCamp Phoenix

Building secured wordpress themes and plugins

Tikaram Bhandari

WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011

John Ford

Daily notes

meghendra168

logic321

Add loop shortcodePeter Baylies

You Don't Know Query (WordCamp Netherlands 2012)

andrewnacin

Dealing with Legacy PHP ApplicationsClinton Dreisbach

Be lazy, be ESI: HTTP caching and Symfony2 @ PHPDay 2011 05-13-2011

Alessandro Nadalin

Blog Hacks 2011

Yusuke Wada

Gail villanueva add muscle to your wordpress sitereferences

Proposed PHP function: is_literal()

Craig Francis

You Got Async in my PHP!

Chris Tankersley

Web applications are becoming the norm for users, and being able to handle thousands of requests per second is happening more and more. Developers spend an enormous amount of time making sure that their applications are as fast as possible, but tuning your web server can only go so far. Async Programming is being used by many languages as a quick and easy way to serve web applications, and PHP is no exception. Libraries like ReactPHP and Amp, alongside extensions like Swoole, give developers broad choices for how to build their applications using async principles. See how these tools and async programming can help your application stay quick and agile.

Grok Drupal (7) Theming

PINGV

You don’t know query - WordCamp UK Edinburgh 2012l3rady

Php Securityguest7cf35c

Php (1)pinalsadiwala

Dutch PHP Conference - PHPSpec 2 - The only Design Tool you need

Kacper Gunia

Let's write secure drupal code!

Balázs Tatár

Unit testing with zend framework tek11

Michelangelo van Dam

Let's write secure Drupal code!

Balázs Tatár

Similar to WordPress Security - WordCamp Phoenix (20)

Building secured wordpress themes and plugins

WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011

Daily notes

logic321

Add loop shortcode

You Don't Know Query (WordCamp Netherlands 2012)

Dealing with Legacy PHP Applications

Be lazy, be ESI: HTTP caching and Symfony2 @ PHPDay 2011 05-13-2011

Blog Hacks 2011

Gail villanueva add muscle to your wordpress site

Proposed PHP function: is_literal()

You Got Async in my PHP!

Grok Drupal (7) Theming

You don’t know query - WordCamp UK Edinburgh 2012

Php Security

Php (1)

Dutch PHP Conference - PHPSpec 2 - The only Design Tool you need

Let's write secure drupal code!

Unit testing with zend framework tek11

Let's write secure Drupal code!

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

Thierry Lestable

When stars align: studies in data quality, knowledge graphs, and machine lear...

Elena Simperl

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

Key Trends Shaping the Future of Infrastructure.pdf

Cheryl Hung

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

UiPathCommunity

💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™: See how to accelerate model training and optimize model performance with active learning Learn about the latest enhancements to out-of-the-box document processing – with little to no training required Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath. Speakers: 👨‍🏫 Andras Palfi, Senior Product Manager, UiPath 👩‍🏫 Lenka Dulovicova, Product Program Manager, UiPath

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

FIDO Alliance

UiPath Test Automation using UiPath Test Suite series, part 4

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap. The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies. Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques What will you get from this session? 1. Insights into SAP testing best practices 2. Heatmap utilization for testing 3. Optimization of testing processes 4. Demo Topics covered: Execution from the test manager Orchestrator execution result Defect reporting SAP heatmap example with demo Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Tobias Schneck

As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other? Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Product School

Bits & Pixels using AI for Good.........

Alison B. Lowndes

Essentials of Automations: Optimizing FME Workflows with Parameters

Safe Software

Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place. Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects. Here’s what you’ll gain: - Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows. - Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy. - Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency. - Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity. We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic. Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.

GraphRAG is All You need? LLM & Knowledge Graph

Guy Korland

Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs. 1. Unifying Large Language Models and Knowledge Graphs: A Roadmap. https://arxiv.org/abs/2306.08302 2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs: https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

FIDO Alliance

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Product School

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

Mission to Decommission: Importance of Decommissioning Products to Increase E...

Product School

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

Prayukth K V

The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development. The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers: State of global ICS asset and network exposure Sectoral targets and attacks as well as the cost of ransom Global APT activity, AI usage, actor and tactic profiles, and implications Rise in volumes of AI-powered cyberattacks Major cyber events in 2024 Malware and malicious payload trends Cyberattack types and targets Vulnerability exploit attempts on CVEs Attacks on counties – USA Expansion of bot farms – how, where, and why In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East Why are attacks on smart factories rising? Cyber risk predictions Axis of attacks – Europe Systemic attacks in the Middle East Download the full report from here: https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...

When stars align: studies in data quality, knowledge graphs, and machine lear...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Key Trends Shaping the Future of Infrastructure.pdf

Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

UiPath Test Automation using UiPath Test Suite series, part 4

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024

Epistemic Interaction - tuning interfaces to provide information for AI support

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...

Bits & Pixels using AI for Good.........

Essentials of Automations: Optimizing FME Workflows with Parameters

GraphRAG is All You need? LLM & Knowledge Graph

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf

Designing Great Products: The Power of Design and Leadership by Chief Designe...

Elevating Tactical DDD Patterns Through Object Calisthenics

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

Mission to Decommission: Importance of Decommissioning Products to Increase E...

State of ICS and IoT Cyber Threat Landscape Report 2024 preview

WordPress Security - WordCamp Phoenix

1. Secure Coding with WordPress @markjaquith Mark Jaquith m@rkj.me “JAKE-with” markjaquith.com

2. The state of WordPress plugin security is...

4. Problem #1 Lack of awareness

5. Problem #2 Apathy

6. Goals I want you to learn the following: 1. How to thwart the three most common attacks 2. Two useful principles 3. Common mistakes to avoid

7. Attack #1 SQL Injection

8. $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$newtitle' WHERE ID = $my_id" );

10. $wpdb->update()

11. $wpdb->update( $wpdb->posts, array( 'post_title' => $newtitle ), array( 'ID' => $my_id ) );

12. $sets = array( 'post_title' => $newtitle, 'post_content' => $newcontent ); $wheres = array( 'post_type' => 'post', 'post_name' => $my_name ); $wpdb->update( $wpdb->posts, $sets, $wheres );

13. $wpdb->insert( $table, $data )

14. $wpdb->prepare()

15. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id );

16. • Powered by sprintf(), but only %s and %d are supported right now • Do not quote %s — use %s, NOT '%s' • Does the escaping for you

17. Rule #1 Escape Late

18. Attack #2 XSS (Cross-Site Scripting)

19. <h1> <?php echo $title ?> <h1>

20. $title = '<script>pwnage();</script>';

21. Rule #2 Anything that isn’t hardcoded is suspect

22. Rule #2 (revised) Everything is suspect

23. Easy as...

24. esc_html()

25. <h1> <?php echo esc_html( $title ); ?> </h1>

26. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title="<?php echo $title; ?>"> Link Text </a>

27. esc_attr()

28. <?php $title = '" onmouseover="pwnd();'; ?> <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text </a>

29. <?php $url = 'javascript:pwnd()'; ?> <a href="<?php echo $url; ?>"> Link Text </a>

30. esc_url()

31. esc_url_raw()

32. esc_js()

33. <script> var foo = '<?php echo esc_js( $unsafe ); ?>'; </script>

34. esc_textarea()

35. wp_filter_kses()

36. Attack #3 CSRF Cross-site Request Forgery

37. Authorization vs. Intention

38. Nonces action-, object-, & user-specific time-limited secret keys

39. Specific to • WordPress user • Action attempted • Object of attempted action • Time window

40. wp_nonce_field( 'plugin-action_object' )

41. <form action="process.php" method="post"> <?php wp_nonce_field('plugin-action_object'); ?> ... </form>

42. check_admin_referer( 'plugin-action_object' );

43. Still need to use current_user_can()

44. CSRF for Ajax/XHR

45. // 1. On the front end $nonce = wp_create_nonce ( 'your_action' ); // 2. add &_ajax_nonce=$nonce to your // post/get vars // 3. On the backend check_ajax_referer( 'your_action' );

46. Stupid shit I see all the time

47. eval()

48. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>">

49. <a href="<?php echo $home; ?>" title="<?php echo $title; ?>"> <?php echo $text; ?> </a> <script>var foo = '<?php echo $var; ?>';</script>

50. <a href="<?php echo esc_url( $home ); ?>" title="<?php echo esc_attr( $title ); ?>"> <?php echo esc_html( $text ); ?> </a> <script>var foo = '<?php echo esc_js( $var ); ?>';</ script>

51. Thanks! @markjaquith Mark Jaquith m@rkj.me “JAKE-with” markjaquith.com

WordPress Security - WordCamp Phoenix

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to WordPress Security - WordCamp Phoenix

Similar to WordPress Security - WordCamp Phoenix (20)

More from Mark Jaquith

More from Mark Jaquith (13)

Recently uploaded

Recently uploaded (20)

WordPress Security - WordCamp Phoenix