Snakes in a plugin - WordPress plugin security

Duncan Stuart@dgmstuart

@dgmstuart

“You can't defend. You can't prevent. The only thing you can do is detect and respond.”Bruce Schneier

@dgmstuart

WordPress dev for the public sector

Secure hosting

Plugin security reviews

www.dxw.com

@dgmstuart

The internet is a terrifying place

Demo

@dgmstuart

You can’t trust the ‘from’ field

You can’t trust the address bar

The internet is a terrifying place

What did we learn?

@dgmstuart

It’s much, much worse

@dgmstuart

@dgmstuart

@dgmstuart

It’s not unusual...

It’s the most common vulnerability

25% of plugins we review are unsafe

over 25% are conditionally safe

@dgmstuart

“I am regularly asked what the average Internet user can do to ensure his security.

Bruce Schneier

@dgmstuart

“I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'”Bruce Schneier

@dgmstuart

@dgmstuart

What can you do?

1. Update!

2. Pen test!

3. Mongoose!

@dgmstuart

Security alerts for WordPress plugins

www.mongoosewp.com

@dgmstuart @thedxw

www.dxw.com

Thank You

Questions?@dgmstuart