WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
3 likes2,376 views
Secure Wordpress Coding The document provides an overview of secure coding practices for Wordpress websites. It discusses common security vulnerabilities like SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). It emphasizes the importance of filtering user input to prevent exploits. The document also covers secure theme development practices, such as using built-in Wordpress functions and filters. Maintaining and updating Wordpress core, plugins, and themes is key to keeping sites secure.
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
- 1. Secure Wordpress Coding Aaron Saray
- 2. Why Trust This Guy? ● PHP programmer > than a decade ● Nerd since 8 yrs old ● MKEPUG ● Author ● you paid? :)
- 3. Why at WordCamp? ● I use WordPress ○ even programmers do, yup ● I like WordPress ● WordPress is everywhere ○ I actually care about the world... you should too!
- 4. What is Security? ● Physical, mental, emotional, resources ● Secure programming? ○ protecting the user from... ■ themselves ■ the bad guys ■ glitches
- 5. Why you should care? Yay - it's time for everyone's favorite game show!
- 6. Myth: ... Fact: you should care - you're a nice person. Otherwise you wouldn't be here...
- 7. Myth: No one will attack me Fact: Yes they will. ● No one cares about my little website ● I'm not doing anything important ● They can have it all, I have nothing they want
- 9. Examples: ● Testing Credit Cards ● Hosting bad stuff ● Stealing User Accounts (and passwords) ● installing trojans ○ google now hates you ● Who cares about Google ads? ○ They're only $0.02...
- 10. $132,994.97
- 11. Myth: PHP is so insecure that... ● Bank vault is insecure with the door open ● Haters be hatin' ● PHP users ○ Facebook ○ Yahoo ○ etc ■ if it were so bad, then why?
- 12. What Security Concerns in Web Projects Do We Have? ● HTML begat PHP begat WordPress ● SQL Injection ● XSS ● CSRF *NOTE: examples are simple, and not necessarily indicative of real code.
- 13. SQL Injection ● An attack that injects unknown SQL commands ○ usually done through a form filed ○ can be done in a query string ● Consequence? ○ read all data ○ write / update / delete ○ drop tables!
- 15. SQL Injection Example $sql = "select * from user where email='me@aaronsaray.com' and password='monkey'
- 16. SQL Injection Example What about password of ... say... x' or userid=1; -- $sql = "select * from user where email='me@aaronsaray. com' and password='x' or userid=1; --'";
- 17. SQL Injection Solution Filter user input!!
- 18. Cross Site Scripting (XSS) ● An attack that allows a third party to add and execute client side scripts into a web page ○ Client side scripting (such as javascript) is fine (and useful) ○ but not if the site creator didn't approve it ● Consequence? ○ form submission ○ steal cookie (login token) ○ Sammy!
- 19. XSS Example
- 20. XSS Example
- 21. Is this really that bad? Yup.
- 22. XSS Solution Filter user input!!
- 23. Cross Site Request Forgery (CSRF) ● An attack that sends a request from a malicious site masquerading as a legitimate request. ● Submission or action originating not on your website ● Consequence? ○ forms submitted ○ any user action done ■ potentially authorized users without knowledge
- 24. CSRF Example
- 25. CSRF Example
- 26. CSRF Solution Multi pronged: ● Use POST for data changes (RFC 2616) ● Use $_POST, not $_REQUEST ● Use a token ○ in Wordpress, they're called "nonce"
- 27. CSRF Solution
- 28. CSRF Solution
- 29. CSRF Solution in Wordpress
- 30. ... so, who cares? Wordpress is a web project ● It's PHP ● It's HTML ● It's Javascript ● It's CSS ● It takes user input ● It displays user input
- 31. What can I do about it? Thanks for asking! ● Security Scanning Plugin ● Theme Creation Security ● Practice safe plugin'
- 32. If you remember just one thing... Use these Security Plugins: ● Secure Wordpress http://wordpress.org/extend/plugins/secure-wordpress/ ● WP Security http://wordpress.org/extend/plugins/wp-security-scan/
- 33. Secure Themes ● This isn't just filler ○ people focus on plugins usually. *slap* ● Things to consider: ○ when using other themes or child themes ○ creating your own theme
- 34. Themes that you... borrow ● Everyone grabs a theme ○ be smart about it ○ if it's too good to be true... ● Things to remember: ○ update themes when they ask you to ■ Remember the TimThumb-amo! ○ take a look at them ■ cdn.google.com/jquery.js ■ myhotbride.ru/funfreemoney.js
- 35. Themes that you sorta borrow ● If you see a cool theme... ○ Child theme it! ○ Stay up to date with the parent security
- 36. and if you're in a rush... ● Theme Authenticity Checker ○ http://builtbackwards.com/projects/tac/
- 37. so which security issues exist? ● All of them!
- 38. Let's check out some best practices
- 39. Use built in functions ● set_theme_mod() ● Settings API
- 40. Use built in filters ● esc_attr() ● esc_html() ● esc_textarea() ● esc_url() ● esc_js() ● wp_filter_kses()
- 41. Filter example
- 42. Security through Obscurity ● Not always that bad... ○ automated tools - why give them a freebie? ● remove versions from your themes
- 44. O.P.P. ● Other People's Plugins!
- 45. General Security ● Security is really shared between plugins and themes ● These can be applied to all of your programming, or other people's programming. ○ For security's sake - be careful when you're hacking other people's plugins.
- 46. 2 Parts Left:
- 47. First, and foremost ● Clean yo' house
- 48. Clean it up ● Update your Wordpress ● Delete old things: ○ plugins ○ themes ○ user uploads from that hot babe ● http://codex.wordpress.org/Hardening_WordPress
- 49. #2, Code Securely ● Use NONCE ● Don't let AJAX files sit around ● Watch your SQL
- 50. Use $wpdb ● It is a global variable ○ yup, I hate it too ● Use these methods instead of creating your new wheel http://codex.wordpress.org/Function_Reference/wpdb_Class
- 51. $wpdb example
- 52. My Final Advice It's Open Source Software for a reason
- 53. Aaron Saray Open Source Developer Milwaukee, WI Questions? http://aaronsaray.com ● Questions about @aaronsaray Secure Wordpress Coding? Milwaukee PHP Users Group http://mkepug.org @mkepug