SlideShare a Scribd company logo

Building secured wordpress themes and plugins

Download as PPTX, PDF
T
Tikaram Bhandari

1) WordPress themes and plugins are often vulnerable to security issues like SQL injection and XSS due to a lack of sanitization and escaping of user input. 2) Proper sanitization and output escaping is important - sanitize early and escape late. The WPDB class and esc_* functions help prevent SQL injection, while esc_html(), esc_attr(), esc_url() and related functions help prevent XSS. 3) Nonces should be used for authentication and verification of intentions for actions like form submissions to prevent CSRF attacks. Common mistakes like eval() and revealing server variables can also cause vulnerabilities.

Technology
1 of 22
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Building Secure WordPress Themes and Plugins
Tikaram Bhandari Happiness Engineer / Theme Developer Catch Themes
The State of WordPress Themes and Plugins security...
Problems Lack of Awareness Lack of Concern
Attack #1 SQL Injection $wpdb->query ( ''UPDATE $wpdb -> $posts SET post_title = '$newtitle' WHERE id= $my_id'' );
Disregard Queries: Use API $wpdb -> update() $wpdb -> update ( $wpdb -> $posts, array ( 'post_title' => '$newtitle' ), array ( 'id' => $my_id ) ); $wpdb -> insert( $table, $data ) $wpdb -> prepare( )
Sanitize Early ( Rule #1) Sanitizing in customizer $wp_customize->add_setting( 'prefix_email_address', array( … 'sanitize_callback' => 'is_email', ) ); $wp_customize->add_setting( 'prefix_twitter_url', array( 'default' => '', 'transport' => 'postMessage', 'sanitize_callback' => 'esc_url_raw', ) );
Attack #2 XSS Cross-Site Scripting <h1> <?php echo $title; ?> </h1> $title = '<script>some_function();</script>';
Escape Late ( Rule #2)
{ esc_attr_e Easy as 1 2 3 { { esc_html() <h1> <?php echo esc_html( $title ) ; ?> </h1>
<?php $title=' ''onmouseover=''fucn();'; ?> <a href =''#wordcamp'' title=''<?php echo $title; ?>''> Text </a> esc_attr() <?php $title=' '' onmouseover=''fucn();'; ?> <a href =''#wordcamp'' title=''<?php echo esc_attr( $title ) ; ?>''> Text </a>
<?php $url = 'javascript:func()'; ?> <a href= ''<?php echo $url; ?> ''> Text </a> esc_url() <?php $url = 'javascript:func()'; ?> <a href= ''<?php echo esc_url( $url ) ; ?> ''> Text </a>
esc_js() <script> var foo = ' <?php echo esc_js( $unsafe ); ?> '; </script> esc_textarea()
wp_kses family wp_kses() wp_kses_post() wp_kses_allowed_html
Not Hardcoded = Suspect ( Rule #3) Everything is suspect
Attack #3 CSRF : Cross-site Request Forgery Authorization vs Intention
Nonces action-, object- & user-specific time specific secret keys wp_nonce_field('theme-action_object') check_admin_referer('theme- action_object')
CSRF for Ajax/XHR requests  On front end $nonce = wp_create_nonce( 'your_action' )  Add &_ajax_nonce = $nonce to your post/get vars  On backend check_ajax_referer( 'your_action' ) ;
Some mistakes  eval()  <form action= '' <?php echo $_SERVER['REQURES_URI']; ?> '' >
Common Vulnerabilities Data Sanitization/Escaping Using Nonces Common Mistakes Summary
References Plugin Security https://developer.wordpress.org/plugins/security Theme Security https://developer.wordpress.org/themes/theme- security
Thanks, any questions? Email: tikaram@catchthemes.com

More Related Content

PDF
50 Laravel Tricks in 50 Minutes
Azim Kurt
 
PDF
WordCamp Montreal 2015: Combining Custom Post Types, Fields, and Meta Boxes t...
allilevine
 
PPTX
CakePHP workshop
Walther Lalk
 
PDF
WordPress Capabilities Magic
mannieschumpert
 
PDF
Be lazy, be ESI: HTTP caching and Symfony2 @ PHPDay 2011 05-13-2011
Alessandro Nadalin
 
PDF
WordPress as an application framework
Dustin Filippini
 
PPTX
Сергей Иващенко - Meet Magento Ukraine - Цены в Magento 2
Atwix
 
PDF
Gail villanueva add muscle to your wordpress site
references
 
50 Laravel Tricks in 50 Minutes
Azim Kurt
 
WordCamp Montreal 2015: Combining Custom Post Types, Fields, and Meta Boxes t...
allilevine
 
CakePHP workshop
Walther Lalk
 
WordPress Capabilities Magic
mannieschumpert
 
Be lazy, be ESI: HTTP caching and Symfony2 @ PHPDay 2011 05-13-2011
Alessandro Nadalin
 
WordPress as an application framework
Dustin Filippini
 
Сергей Иващенко - Meet Magento Ukraine - Цены в Magento 2
Atwix
 
Gail villanueva add muscle to your wordpress site
references
 

What's hot (20)

PDF
WordPress-Powered Portfolios
Tyler Sticka
 
PDF
Bag Of Tricks From Iusethis
Marcus Ramberg
 
PDF
Dig Deeper into WordPress - WD Meetup Cairo
Mohamed Mosaad
 
KEY
Data::FormValidator Simplified
Fred Moyer
 
PDF
How I started to love design patterns
Samuel ROZE
 
ZIP
First Steps in Drupal Code Driven Development
Nuvole
 
PDF
Introduction to CQRS and Event Sourcing
Samuel ROZE
 
PPTX
Анатолий Поляков - Drupal.ajax framework from a to z
LEDC 2016
 
KEY
Who Needs Ruby When You've Got CodeIgniter
ciconf
 
PDF
Symfony CoP: Form component
Samuel ROZE
 
PDF
購物車程式架構簡介
Jace Ju
 
PPTX
DrupalCamp Foz - Novas APIs Drupal 7
chuvainc
 
PPTX
11. CodeIgniter vederea unei singure inregistrari
Razvan Raducanu, PhD
 
PDF
WordPress Theme Workshop: Sidebars
David Bisset
 
PDF
Nickolay Shmalenuk.Render api eng.DrupalCamp Kyiv 2011
camp_drupal_ua
 
PPT
PHP cart
tumetr1
 
PDF
Flask 소수전공 강의자료 - 3차시
Junha Jang
 
PPTX
Migration to jQuery 3.5.x
StanislavIdolov
 
PPT
PHP webboard
tumetr1
 
PPT
Система рендеринга в Magento
Magecom Ukraine
 
WordPress-Powered Portfolios
Tyler Sticka
 
Bag Of Tricks From Iusethis
Marcus Ramberg
 
Dig Deeper into WordPress - WD Meetup Cairo
Mohamed Mosaad
 
Data::FormValidator Simplified
Fred Moyer
 
How I started to love design patterns
Samuel ROZE
 
First Steps in Drupal Code Driven Development
Nuvole
 
Introduction to CQRS and Event Sourcing
Samuel ROZE
 
Анатолий Поляков - Drupal.ajax framework from a to z
LEDC 2016
 
Who Needs Ruby When You've Got CodeIgniter
ciconf
 
Symfony CoP: Form component
Samuel ROZE
 
購物車程式架構簡介
Jace Ju
 
DrupalCamp Foz - Novas APIs Drupal 7
chuvainc
 
11. CodeIgniter vederea unei singure inregistrari
Razvan Raducanu, PhD
 
WordPress Theme Workshop: Sidebars
David Bisset
 
Nickolay Shmalenuk.Render api eng.DrupalCamp Kyiv 2011
camp_drupal_ua
 
PHP cart
tumetr1
 
Flask 소수전공 강의자료 - 3차시
Junha Jang
 
Migration to jQuery 3.5.x
StanislavIdolov
 
PHP webboard
tumetr1
 
Система рендеринга в Magento
Magecom Ukraine
 
Ad

Similar to Building secured wordpress themes and plugins (20)

PDF
WordPress Security - WordCamp Phoenix
Mark Jaquith
 
KEY
Unit testing zend framework apps
Michelangelo van Dam
 
PDF
Add edit delete in Codeigniter in PHP
Vineet Kumar Saini
 
PDF
You Don't Know Query (WordCamp Netherlands 2012)
andrewnacin
 
PDF
Unit testing with zend framework tek11
Michelangelo van Dam
 
KEY
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
PPTX
Coding for Scale and Sanity
JimKellerES
 
PDF
Secure Coding with WordPress - WordCamp SF 2008
Mark Jaquith
 
DOCX
logic321
logic321
 
PDF
PHP-UK 2025: Ending Injection Vulnerabilities
Craig Francis
 
TXT
Daily notes
meghendra168
 
PPTX
Wp query
Savita Soni
 
PDF
laravel tricks in 50minutes
Barang CK
 
PDF
Min-Maxing Software Costs
Konstantin Kudryashov
 
PDF
Separation of concerns - DPC12
Stephan Hochdörfer
 
PDF
Advanced php testing in action
Jace Ju
 
PDF
(PHPers Wrocław #5) How to write valuable unit test?
RST Software Masters
 
PPTX
[PHP] Zend_Db (Zend Framework)
Jun Shimizu
 
PPTX
Custom Database Queries in WordPress
topher1kenobe
 
PPTX
Using shortcode in plugin development
gskhanal
 
WordPress Security - WordCamp Phoenix
Mark Jaquith
 
Unit testing zend framework apps
Michelangelo van Dam
 
Add edit delete in Codeigniter in PHP
Vineet Kumar Saini
 
You Don't Know Query (WordCamp Netherlands 2012)
andrewnacin
 
Unit testing with zend framework tek11
Michelangelo van Dam
 
Unit testing with zend framework PHPBenelux
Michelangelo van Dam
 
Coding for Scale and Sanity
JimKellerES
 
Secure Coding with WordPress - WordCamp SF 2008
Mark Jaquith
 
logic321
logic321
 
PHP-UK 2025: Ending Injection Vulnerabilities
Craig Francis
 
Daily notes
meghendra168
 
Wp query
Savita Soni
 
laravel tricks in 50minutes
Barang CK
 
Min-Maxing Software Costs
Konstantin Kudryashov
 
Separation of concerns - DPC12
Stephan Hochdörfer
 
Advanced php testing in action
Jace Ju
 
(PHPers Wrocław #5) How to write valuable unit test?
RST Software Masters
 
[PHP] Zend_Db (Zend Framework)
Jun Shimizu
 
Custom Database Queries in WordPress
topher1kenobe
 
Using shortcode in plugin development
gskhanal
 
Ad

Recently uploaded (20)

PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Cloud computing and distributed systems.
kkkkkhan
 
Encapsulation theory and applications.pdf
gurumoop
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Approach and Philosophy of On baking technology
30anthuong17
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 

Building secured wordpress themes and plugins