It is Never Too Soon to be Fitted for a Tinfoil Hat

What are we going to learn today?

About Jim

Also....

@cleo_patchra

Security in Code

Security in Code

Sanitize Input / Escape Output

Security in Code / Sanitization & Escaping

Within PHP

Security in Code / Sanitization & Escaping

Within WordPress - Sanitization

Mostly used with form fields.

Security in Code / Sanitization & Escaping

Within WordPress - Escaping

Used when outputting data.

Security in Code / Sanitization & Escaping

Within WordPress - Escaping


<h3>Hello <?php echo esc_html( $audience ); ?></h3>
<p>This is an example of where you would escape output.</p>
<p>
	<!-- esc_attr() only returns the escaped string; it still has to be echoed. -->
	<a href="<?php echo esc_url( $funky_url ); ?>" title="<?php echo esc_attr( $funky_title ); ?>">
		<?php echo esc_html( $funky_text ); ?></a>
</p>
<p>
	<!-- wp_kses_post() keeps the HTML allowed in post content and strips everything else. -->
	<?php echo wp_kses_post( $some_content ); ?>
</p>
Security in Code / Sanitization & Escaping

Within WordPress - Escaping

Escape late.

Security in Code / SQL Injections

Prevent SQL Injections

Security in Code

Security in Code / SQL Injections

But, if you must...

Take advantage of the $wpdb global


global $wpdb;
// $column and $comment_id come from the caller; prepare() does the quoting for us.
if ( 'category' === $column ) {
	// @codingStandardsIgnoreStart
	$term_ids = $wpdb->get_col( $wpdb->prepare(
		"SELECT term.term_taxonomy_id FROM {$wpdb->term_relationships} AS term "
		. "JOIN {$wpdb->term_taxonomy} AS tax "
		// term_relationships.term_taxonomy_id references term_taxonomy.term_taxonomy_id, not term_id.
		. "ON term.term_taxonomy_id = tax.term_taxonomy_id "
		. "JOIN {$wpdb->posts} AS post "
		. "ON term.object_id = post.ID "
		. "JOIN {$wpdb->comments} AS comments "
		. "ON post.ID = comments.comment_post_ID "
		. "WHERE tax.taxonomy = 'category' "
		// %d because comment_ID is an integer; never wrap placeholders in quotes, prepare() adds them for %s.
		. "AND comments.comment_ID = %d",
		$comment_id
	) );
	// @codingStandardsIgnoreEnd
}
Security in Code

Nonces

Nonces are single-use numbers that verify which user submitted a field and the time window in which it was modified.

Security in Code / Nonces

$content .= '<p><label for="jr_caption"><strong>Caption</strong></label>
	<textarea id="jr_caption" name="jr_caption" class="fm-element" rows="3" style="width: 100%;">'
		 . esc_html( $caption_data ) .
		 '</textarea></p>';
// Arguments: action, field name, include referer field, echo. echo = false returns the
// hidden input so it can be appended to $content instead of being printed immediately.
$content .= wp_nonce_field( 'jr_caption', 'jr_caption_nonce', true, false );
function save_field( $post_id, $field_name ) {
	$nonce_name = $field_name . '_nonce';
	// The action passed to wp_verify_nonce() must match the one given to wp_nonce_field().
	// wp_unslash() removes the slashes WordPress adds to $_POST values.
	if ( isset( $_POST[ $nonce_name ] ) && wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST[ $nonce_name ] ) ), $field_name ) ) {
		// Do a bunch of stuff if the nonce checks out.
	}
}
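The pieces above (sanitize input, escape late, nonces) come together in a full save handler. This is an added example, not code from the talk; it assumes the slide's field name jr_caption and nonce name jr_caption_nonce, the WordPress save_post hook, and a hypothetical meta key _jr_caption.

```php
<?php
/**
 * Added example: complete save handler for the "jr_caption" field.
 * Order of checks: nonce, capability, autosave guard, sanitize, store.
 * Escaping happens only when the value is printed, in jr_render_caption().
 */
function jr_save_caption( $post_id ) {
	// 1. Nonce ties the request to this user, this action and a time window.
	//    wp_unslash() undoes the slashing WordPress applies to $_POST.
	$nonce = isset( $_POST['jr_caption_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['jr_caption_nonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'jr_caption' ) ) {
		return; // Bail quietly; do not explain why the save was refused.
	}

	// 2. A valid nonce is not an authorization check; confirm the capability too.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// 3. Autosaves and revisions must not overwrite the real value.
	if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
		return;
	}

	// 4. Sanitize input: sanitize_textarea_field() keeps newlines, strips tags.
	$caption = isset( $_POST['jr_caption'] )
		? sanitize_textarea_field( wp_unslash( $_POST['jr_caption'] ) )
		: '';

	// 5. Store the sanitized (not escaped) value. '_jr_caption' is an assumed meta key.
	update_post_meta( $post_id, '_jr_caption', $caption );
}
add_action( 'save_post', 'jr_save_caption' );

/**
 * Escape late: the stored value is escaped for the context it is printed in.
 */
function jr_render_caption( $post_id ) {
	$caption = get_post_meta( $post_id, '_jr_caption', true );
	echo '<figcaption>' . esc_html( $caption ) . '</figcaption>';
}
```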

Security on Server

Security on Server

Hosting Choices

WordPress Managed Hosting

Security on Server / Hosting

Shared Hosting

Security on Server

Roll Your Own

Security on Server

Other suggestions

Security Plugins

Resources

Questions

Thank You

Jim Reevior

@hirozed
jim@jimreevior.com