Secure WordPress Development Practices
Uploaded by: brandon-dove
Page 1
So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?
Page 2
Watch This. http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/
Page 3
That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.
Page 4
Read This. http://wp.tutsplus.com/tutorials/creative-coding/data-sanitization-and-validation-with-wordpress/
Page 5
tl;dr
• Keep your dev environment clean
• Escape your data output
• Sanitize your data inputs
• Validate referrers
• Core functionality should always trump your super awesome functionality
Page 6
Keep Your Dev Environment Clean
Don’t think that just because you’re on a Mac you’re safe from viruses.
If you’re on a PC, you should assume you’re already pwned.
Page 7
Kaspersky Anti-Virus
• I use it.
• Dre uses it.
• Tony uses it.
• You should be using it.
Page 8
Trust No One, Trust Nothing
Page 9
XSS: Cross-site Scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
http://en.wikipedia.org/wiki/Cross-site_scripting
Page 10
Escape All The Things On Output
http://codex.wordpress.org/Data_Validation#Output_Sanitation
• Bad data will be tamed
• esc_{context}
• esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings.
• esc_html - Escaping for HTML blocks.
• esc_attr - Escaping for HTML attributes.
• esc_sql - Escapes data for use in a MySQL query.
• esc_url - Checks and cleans a URL.
• esc_textarea - Escaping for textarea values.
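The esc_{context} rule in practice, as an added example that is not from the slides: a shortcode that renders a card from user-supplied attributes and escapes each value for the context it lands in. It assumes WordPress is loaded; the mp_ names and the mpTrack() JavaScript function are made up for this example.

```php
<?php
// Added example, not from the slides: render a card from shortcode
// attributes, escaping each value for the context it lands in.
// Assumes WordPress is loaded; mp_ names and mpTrack() are made up.

add_shortcode( 'mp_card', 'mp_card_shortcode' );

function mp_card_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'title' => '',
        'url'   => '',
        'note'  => '',
    ), $atts, 'mp_card' );

    // Attribute context: esc_attr() encodes quotes so the value cannot
    // close the title="" attribute and start a new one.
    $html  = '<div class="mp-card" title="' . esc_attr( $atts['title'] ) . '">';

    // URL context: esc_url() drops unsafe schemes such as javascript:
    // and returns an empty string instead of the tainted link.
    $html .= '<a href="' . esc_url( $atts['url'] ) . '"';

    // Inline JS context: esc_js() backslash-escapes single quotes and
    // HTML-encodes " < > & so the value stays inside the JS string literal.
    $html .= ' onclick="mpTrack(\'' . esc_js( $atts['title'] ) . '\')">';

    // HTML context: esc_html() encodes < > & " so any markup in the
    // value is displayed as text rather than parsed by the browser.
    $html .= esc_html( $atts['title'] ) . '</a>';
    $html .= '<p>' . esc_html( $atts['note'] ) . '</p>';
    $html .= '</div>';

    return $html; // shortcode callbacks return their markup, they do not echo
}
```

The same title string comes out differently from esc_attr, esc_js and esc_html; picking the function by where the value is inserted, not by what it looks like, is the whole point of the esc_{context} naming.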
Page 11
Sanitize All The Things On Input
http://codex.wordpress.org/Data_Validation#Input_Validation
• sanitize_* and similar functions help for most things
• $_POST = array('e' => '<script src="http://pwnd.com/u.js"></script>');
• BAD: update_post_meta($id, 'e', $_POST['e']);
• GOOD: update_post_meta($id, 'e', sanitize_email($_POST['e']));
• Note: sanitize_* functions might silently change the data and give unexpected results
Page 12
Whitelisting Data
http://codex.wordpress.org/Data_Validation#Whitelist
• Whitelisting data - Only accept known data
• $_POST = array('pwn' => '<script src="http://pwnd.com/u.js"></script>', 'e' => '[email protected]');
• BAD:
• foreach ( $_POST as $key => $val ) : update_post_meta($id, $key, $val); endforeach;
• GOOD: update_post_meta($id, 'e', sanitize_email($_POST['e']));
Page 13
Blacklisting Data
http://codex.wordpress.org/Data_Validation#Blacklist
• Blacklisting data - Only accept data if it’s in the proper format
• $_POST = array('e' => 'me@domain.');
• if ( is_email($_POST['e']) ) update_post_meta($id, 'e', sanitize_email($_POST['e']));
Page 14
CSRF: Cross-site Request Forgery
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf[1]) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.[2] Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.
http://en.wikipedia.org/wiki/Cross-site_request_forgery
Page 15
Sweet, this might lead to my next big deal! ACCEPT!
Page 16
zOMG WTF?!
http://mysite.com/wp-admin/post.php?post=307&action=trash
Page 17
Nonces FTW! (http://codex.wordpress.org/WordPress_Nonces)
• Before the Request
  • wp_nonce_url
  • wp_create_nonce
  • wp_nonce_field
• Verify the Request
  • wp_verify_nonce
  • check_admin_referer
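The input slides (sanitize, whitelist, validate) and the nonce slide come together in one save handler, as an added example that is not from the slides: a post meta box that stores one e-mail address. It assumes WordPress is loaded inside a plugin; the mp_ names and the mp_contact_email meta key are made up for this example.

```php
<?php
// Added example, not from the slides: a meta box whose save path does
// nonce verification, a capability check, key whitelisting, is_email()
// validation and sanitize_email(), in that order.
// Assumes WordPress is loaded; mp_ names and the meta key are made up.

add_action( 'add_meta_boxes', 'mp_register_box' );
function mp_register_box() {
    add_meta_box( 'mp_contact', 'Contact e-mail', 'mp_render_box', 'post' );
}

// Before the request: print the field plus a nonce bound to this post,
// so a forged form cannot replay a nonce minted for a different post.
function mp_render_box( $post ) {
    wp_nonce_field( 'mp_save_contact_' . $post->ID, 'mp_nonce' );
    $email = get_post_meta( $post->ID, 'mp_contact_email', true );
    echo '<input type="email" name="mp_contact_email" value="'
        . esc_attr( $email ) . '" />';   // escape on output, every time
}

add_action( 'save_post', 'mp_save_box' );
function mp_save_box( $post_id ) {
    // Verify the request: the nonce proves the form came from our page.
    if ( ! isset( $_POST['mp_nonce'] )
        || ! wp_verify_nonce( $_POST['mp_nonce'], 'mp_save_contact_' . $post_id ) ) {
        return;
    }
    // A valid nonce is not authorization; check the capability as well.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }

    // Whitelist: read the one key we expect, never loop over $_POST.
    if ( ! isset( $_POST['mp_contact_email'] ) ) {
        return;
    }
    $raw = wp_unslash( $_POST['mp_contact_email'] );

    // Validate first (reject anything that is not an e-mail), then
    // sanitize what passed, so sanitize_email() never silently rewrites junk.
    if ( ! is_email( $raw ) ) {
        return;
    }
    update_post_meta( $post_id, 'mp_contact_email', sanitize_email( $raw ) );
}
```

check_admin_referer() would replace the wp_verify_nonce() block when dying on failure is acceptable; in a save_post callback returning quietly avoids breaking other plugins' save hooks.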
Page 18
Is there an API for that?
Page 19
Professional WordPress Plugin Development
http://amzn.to/plugindevbook