Learn the proper way to write secure code in WordPress. Whether you develop plugins or build themes, it is essential to understand how to protect your code from hacks and exploits. Overlooking a few easy-to-follow techniques can expose your website to attackers everywhere. WordPress ships with a number of built-in functions to help keep your code safe, and we will cover each of them in detail.
Text of Writing Secure WordPress Code WordCamp NYC 2014
WRITING SECURE WORDPRESS CODE BY BRAD WILLIAMS
Brad Williams @williamsba
http://www.slideshare.net/williamsba/writing-secure-wordpress-code-wordcamp-nyc-2014
WHO IS BRAD? Brad Williams
CO-HOST DRADCAST
TODAY'S TOPICS
Cover the big three exploits:
1. SQL Injection (SQLi)
2. Cross-Site Scripting (XSS)
3. Cross-Site Request Forgery (CSRF)
Hack examples
Data validation and sanitization
Resources
TRUST NO ONE
Golden Rule of Code: Trust No One
Consider all data invalid unless it can be proven valid
SQL INJECTION - SQLI
SQL injection is a code injection technique in which malicious SQL statements are inserted into an entry field for execution.
SQL Injection Example

global $wpdb;
$ID  = $_GET['ID'];   // untrusted: taken straight from the query string
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";   // $ID is interpolated with no escaping or validation

With ID=5 the query is the one the author expected:

SELECT post_title FROM wp_posts WHERE ID = '5';

The same code with a crafted ID value turns one query into two:

global $wpdb;
$ID  = "'; SELECT * FROM wp_users WHERE 1 = '1";
$sql = "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';";

SELECT post_title FROM wp_posts WHERE ID = ''; SELECT * FROM wp_users WHERE 1 = '1';
My Introduction to SQLi: http://www.sitepoint.com/forums/showthread.php?83772-web-site-hacked
WordPress Database Class
$wpdb->insert()
$wpdb->prepare()
$wpdb->prepare()
Handles strings (%s) and integers (%d)
Does the escaping for you
No need to quote %s

$wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $ID );

$wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );

$wpdb->prepare() only prepares the query; it does not execute it. Pass the result to $wpdb->query() to run it:

$wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' ) );

To view the fully prepared query, simply echo it:

echo $wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s", 420, 'Europe' );
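The slides' lookup rewritten as plugin functions, as an added example that is not part of the talk: the unsafe interpolated query beside a version that validates the ID with absint() and binds it through $wpdb->prepare(), plus the delete and an $wpdb->insert() call. It assumes a loaded WordPress (global $wpdb available); the wcnyc_ function names are made up.

```php
<?php
// Added example, not from the slides. Assumes it runs inside a loaded
// WordPress so the global $wpdb and absint() exist; function names are made up.

// UNSAFE (as on the slides): $_GET['ID'] is interpolated straight into SQL.
function wcnyc_title_unsafe() {
    global $wpdb;
    $ID = $_GET['ID'];
    return $wpdb->get_var( "SELECT post_title FROM $wpdb->posts WHERE ID = '$ID';" );
}

// SAFE: validate the input as a non-negative integer, then let prepare()
// bind it through the %d placeholder. prepare() only builds the string;
// get_var() is what actually runs it.
function wcnyc_title_safe() {
    global $wpdb;
    $ID = isset( $_GET['ID'] ) ? absint( $_GET['ID'] ) : 0;
    if ( 0 === $ID ) {
        return null; // no usable ID, so do not query at all
    }
    $sql = $wpdb->prepare( "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $ID );
    return $wpdb->get_var( $sql );
}

// Two placeholders: %s is written without quotes, prepare() adds the quotes
// and the escaping. query() executes the prepared statement.
function wcnyc_delete_meta( $post_id, $meta_key ) {
    global $wpdb;
    return $wpdb->query( $wpdb->prepare(
        "DELETE FROM $wpdb->postmeta WHERE post_id = %d AND meta_key = %s",
        absint( $post_id ),
        $meta_key
    ) );
}

// $wpdb->insert() takes column => value pairs plus a format per column and
// escapes each value itself, so no SQL string is assembled by hand.
function wcnyc_add_meta( $post_id, $meta_key, $meta_value ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->postmeta,
        array( 'post_id' => absint( $post_id ), 'meta_key' => $meta_key, 'meta_value' => $meta_value ),
        array( '%d', '%s', '%s' )
    );
}
```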
Don't be Little Bobby Tables: http://xkcd.com/327/
CROSS-SITE SCRIPTING - XSS
What is Cross-Site Scripting? An attacker injects client-side scripts into your web pages.
Escaping
To escape is to take the data you may already have and help secure it prior to rendering it for the end user.
Escaping function names break down as follows:
1. esc_ is the prefix for all escaping functions
2. attr is the context being escaped
3. _e is the optional translation suffix
Props to Mark Jaquith!
BAD
BAD
GOOD
View Source: alert('Hello Europe!');
esc_attr()
Used whenever you need to display data inside an HTML element attribute
http://codex.wordpress.org/Function_Reference/esc_attr
esc_textarea()
Used to encode text for use in a form element
http://codex.wordpress.org/Function_Reference/esc_textarea
esc_url()
Used for validating and sanitizing URLs
http://codex.wordpress.org/Function_Reference/esc_url
esc_url_raw()
Used for escaping a URL for database queries, redirects, and HTTP requests
Similar to esc_url(), but does not replace entities for display
http://codex.wordpress.org/Function_Reference/esc_url_raw
esc_js()
Used to escape text strings in JavaScript
http://codex.wordpress.org/Function_Reference/esc_js
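The escaping functions above used together in one template fragment, as an added example that is not from the talk: the same untrusted values are rendered in attribute, text, form-element, JavaScript and redirect contexts, each with the esc_*() function for that context. It assumes WordPress is loaded; the wcnyc_ functions and the $label, $link and $msg values (think user input or database content) are hypothetical.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded; the
// function names are made up and $label, $link, $msg stand for untrusted data.
function wcnyc_render_card( $label, $link, $msg ) {
    ?>
    <!-- attribute context: a quote in $label would otherwise end the attribute -->
    <a title="<?php echo esc_attr( $label ); ?>"
       href="<?php echo esc_url( $link ); ?>">
        <!-- text context: esc_html() encodes <, >, &, and quotes -->
        <?php echo esc_html( $label ); ?>
    </a>

    <!-- form element: esc_textarea() keeps newlines but encodes markup -->
    <textarea name="msg"><?php echo esc_textarea( $msg ); ?></textarea>

    <!-- JavaScript string context: esc_js() escapes quotes and newlines,
         so it belongs only inside a quoted JS string literal -->
    <script>
        var greeting = '<?php echo esc_js( $msg ); ?>';
    </script>
    <?php
}

// For a redirect, use the raw variant: the URL is still cleaned, but entities
// are not encoded for display, which would corrupt the Location header.
function wcnyc_redirect_to( $link ) {
    wp_safe_redirect( esc_url_raw( $link ) );
    exit;
}
```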
Integers
$ID = absint( $_GET['ID'] );
absint() converts a value to a non-negative integer
http://codex.wordpress.org/Function_Reference/absint
$ID = intval( $_GET['ID'] );
intval() returns the integer value. Works with negative values
http://php.net/manual/en/function.intval.php
Sanitizing
To sanitize is to take the data and clean it to make it safe
BAD
sanitize_text_field()
Sanitize a string
http://codex.wordpress.org/Function_Reference/sanitize_text_field
sanitize_email()
Strip out all characters not allowed in an email address
http://codex.wordpress.org/Function_Reference/sanitiz
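A settings-form handler that applies the sanitizers from these slides together with absint() from the Integers slides, as an added example that is not from the talk: every raw field is cleaned on the way in and only the clean copy is stored. It assumes WordPress is loaded; the wcnyc_ function, option name, field names and sample values are made up.

```php
<?php
// Added example, not from the slides. Assumes WordPress is loaded; the
// function name, option name, field names and sample values are made up.

// Takes raw form input (normally $_POST) and returns only sanitized values.
function wcnyc_sanitize_profile( $raw ) {
    $clean = array();

    // Strips tags, removes line breaks and extra whitespace, trims the ends.
    $clean['display_name'] = isset( $raw['display_name'] )
        ? sanitize_text_field( $raw['display_name'] ) : '';

    // sanitize_email() drops characters not allowed in an address;
    // is_email() then decides whether what is left is actually well-formed.
    $email = isset( $raw['contact'] ) ? sanitize_email( $raw['contact'] ) : '';
    $clean['contact'] = is_email( $email ) ? $email : '';

    // absint() forces a non-negative integer (a leading minus sign is
    // dropped, where intval() would keep it). Fall back to a default on 0.
    $per_page = isset( $raw['posts_per_page'] ) ? absint( $raw['posts_per_page'] ) : 0;
    $clean['posts_per_page'] = $per_page > 0 ? $per_page : 10;

    return $clean;
}

// Constructed sample input: stray markup, padding whitespace and a negative
// number, the kinds of values a form can deliver.
$sample = array(
    'display_name'   => "  Brad <b>Williams</b>\n ",
    'contact'        => ' brad@example.com ',
    'posts_per_page' => '-7',
);
$settings = wcnyc_sanitize_profile( $sample );
update_option( 'wcnyc_profile', $settings );   // store only the clean copy
```

Sanitizing on input does not replace escaping on output: the stored display_name still goes through esc_attr() or esc_html() when it is rendered.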