It is Never Too Soon to be Fitted for a Tinfoil Hat

What are we going to learn today?

• About Jim
• Security in Code
• Security on Server
• Security Plugins
• Questions

About Jim

• Web developer for STAT
• Co-Organize:
• BostonWP
• WordCamp Boston
• New England GiveCamp
• In the technolgy realm for over 20 years.
• Web developer for 7 years
• Studying Taekwondo

Also....

Security in Code

Sanitize Input / Escape Output

• Never trust the data
• Even your own

Within PHP

• is_array();
• is_string();
• is_int();
• filter_var();
  if ( false === filter_var( $stuff, FILTER_VALIDATE_BOOLEAN ) ) { // Magic Happens }
• filter_input();
  $email = filter_input( INPUT_GET, 'email', FILTER_SANITIZE_EMAIL );
• Types of Filters

Within WordPress - Sanitization

Mostly used with form fields.

• sanitize_email();
• sanitize_text_field();
• sanitize_title();
• esc_url_raw();

Within WordPress - Escaping

Used when outputting data.

• esc_html();
• esc_url();
• esc_attr();
• esc_js();
• wp_kses_post();

Within WordPress - Escaping

				
Hello <?php echo esc_html( $audience ); ?>
This is an example of where you would escape output.

	
		<?php echo esc_html( $funky_text ); ?>


	<?php echo wp_kses_post( $some_content ); ?>

				
			

Within WordPress - Escaping

Escape late.

Prevent SQL Injections

• Always try to use the built in WordPress functions
• ^*That's what they are there for.
• WP_Query;
• wp_update_post();
• wp_delete_post();
• update_option();
• wp_list_pluck(); is your friend

But, if you must...

Take advantage of the $wpdb global

				
global $wpdb;
if ( 'category' === $column ) {
	// @codingStandardsIgnoreStart
	$term_ids = $wpdb->get_col( $wpdb->prepare(
		"SELECT term.term_taxonomy_id FROM {$wpdb->term_relationships} as term "
		. "JOIN {$wpdb->term_taxonomy} as tax "
		. "ON term.term_taxonomy_id = tax.term_id "
		. "JOIN {$wpdb->posts} as post "
		. "ON term.object_id = post.ID "
		. "JOIN {$wpdb->comments} as comments "
		. "ON post.ID = comments.comment_post_ID "
		. "WHERE tax.taxonomy = 'category' "
		. "AND comments.comment_ID = '%s'",
		$comment_id
) );
				
			

Nonces

Nonces are single used numbers that can verify the user and time a field was modified.

• Always include a nonce field when adding meta box fields.
• Used to validate data in the admin.
• Can be used on the front end, but not really meant for that.

				
$content .= '
Caption
	'
		 . esc_html( $caption_data ) .
		 '
';
$content .= wp_nonce_field( 'jr_caption', 'jr_caption_nonce', true, false );
				
				
function save_field( $post_id, $field_name ) {
	if ( isset( $_POST[ $field_name . '_nonce' ] ) && wp_verify_nonce( $_POST[ $field_name . '_nonce' ], $field_name ) ) {
		// Do a bunch of stuff if the nonce checks out.
	}
}
				
			

Security on Server

Hosting Choices

WordPress Managed Hosting

• Handles server security
• WordPress core updates
• Tuned for WordPress
• More expensive than shared hosting

Shared Hosting

• Cheaper than WP Managed
• Some hosts will scan for malware in the html directory
• Handles server security
• Some will have WP "pre-packged"

Roll Your Own

• Maintenance and security updates
  are your responsibility
• Not for the faint of heart

Other suggestions

• Move wp-config.php
• Change permissions for core files
• Turn off editing
  Add to wp-config.php: define( 'DISALLOW_FILE_EDIT', true );

Security Plugins

• Wordfence
• iThemes Security
• Jetpack
• Login Lockdown
• 2 Factor Authentication

Resources

• Mark Jaquith's WC Phoenix 2011 talk
• Hardening WordPress
• Plugin Security
• Theme Security
• Aluminum Foil Hat

Questions

Jim Reevior

@hirozed
jim@jimreevior.com