It is Never Too Soon to be Fitted for a Tinfoil Hat

What are we going to learn today?

About Jim

Also....

@cleo_patchra

Security in Code


Sanitize Input / Escape Output

Security in Code / Sanitization & Escaping

Within PHP

Security in Code / Sanitization & Escaping

Within WordPress - Sanitization

Sanitization cleans data on the way in. Mostly used with form fields and other request data, before the value is stored or acted on: sanitize_text_field(), sanitize_email(), absint(), wp_kses_post() and friends, each picked for what the field is supposed to contain.

Security in Code / Sanitization & Escaping

Within WordPress - Escaping

Used when outputting data, with the function that matches the context the value lands in: esc_html() for HTML text, esc_attr() for attribute values, esc_url() for URLs, esc_js() for inline JavaScript, wp_kses_post() when some HTML is allowed.

Security in Code / Sanitization & Escaping

Within WordPress - Escaping


Hello <?php echo esc_html( $audience ); ?>

This is an example of where you would escape output.

<?php echo esc_html( $funky_text ); ?>

<?php echo wp_kses_post( $some_content ); ?>

Security in Code / Sanitization & Escaping

Within WordPress - Escaping

Escape late: at the point of output, not when the data is stored or passed around, so the escaping matches the context the value finally lands in and nothing gets double-escaped or missed. Sanitized data still gets escaped on output.
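Sanitize-in / escape-out in one place, as an added example (not code from the slides). It assumes PHP 7+ and a hypothetical settings form with the fields shown; the option name and function names are made up. The comments show what each sanitizer does to a constructed hostile input, and the renderer picks the escaping function by output context.

```php
<?php
/**
 * Added example: sanitize on the way in, escape on the way out.
 * Option name, field names and function names are hypothetical.
 */

// INPUT: a hypothetical settings form handler. Each field gets the sanitizer
// that matches what the field is supposed to contain.
function jr_save_widget_settings() {
	$raw = wp_unslash( $_POST ); // WordPress adds slashes to superglobals; remove them first.

	$settings = array(
		// "Hello <script>alert(1)</script>" -> "Hello alert(1)" (tags stripped, one line)
		'title'   => sanitize_text_field( $raw['title'] ?? '' ),
		// keeps the tags/attributes allowed in post content, drops <script>, on*= handlers etc.
		'blurb'   => wp_kses_post( $raw['blurb'] ?? '' ),
		// "javascript:alert(1)" -> "" (disallowed protocol); _raw variant is for storage, not output
		'link'    => esc_url_raw( $raw['link'] ?? '' ),
		// "12abc" -> 12, "-3" -> 3: a non-negative integer or nothing
		'count'   => absint( $raw['count'] ?? 0 ),
		// "not-an-email" -> "" so a bad value cannot be stored
		'contact' => sanitize_email( $raw['contact'] ?? '' ),
	);

	update_option( 'jr_widget_settings', $settings );
	return $settings;
}

// OUTPUT: escape late, at the echo, with the function for the context.
function jr_render_widget( array $s ) {
	// HTML body text: esc_html()
	$html  = '<h2>' . esc_html( $s['title'] ) . '</h2>';

	// Attribute values: esc_attr(); URLs in href/src: esc_url()
	$html .= '<a class="widget-link" href="' . esc_url( $s['link'] ) . '" title="' . esc_attr( $s['title'] ) . '">';
	$html .= esc_html( $s['title'] ) . '</a>';

	// Content that may carry markup: wp_kses_post() (esc_html() would display the tags as text)
	$html .= '<div class="blurb">' . wp_kses_post( $s['blurb'] ) . '</div>';

	// Values dropped into inline JavaScript: wp_json_encode() for a whole value,
	// esc_js() only inside an already-quoted JS string literal.
	$html .= '<script>var jrCount = ' . wp_json_encode( $s['count'] ) . ';';
	$html .= 'var jrTitle = "' . esc_js( $s['title'] ) . '";</script>';

	return $html;
}
```

The title is escaped three different ways in the renderer (esc_html in text, esc_attr in the title attribute, esc_js in the script) even though it was already sanitized on save: the sanitizer decides what the value may contain, the escaper makes it safe for the exact place it is printed.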

Security in Code / SQL Injections

Prevent SQL Injections

Security in Code / SQL Injections

But, if you must write your own SQL (prefer WP_Query, get_posts(), get_comments() and the taxonomy API, which build the query for you)...

Take advantage of the $wpdb global: its table-name properties and $wpdb->prepare(), which binds values through %s / %d / %f placeholders instead of string interpolation.

global $wpdb;
if ( 'category' === $column ) {
	// Table names come from $wpdb properties; the only variable value, the
	// comment ID, goes in as a %d placeholder. No quotes around the placeholder:
	// prepare() adds them itself (and the ID is an integer, so %d, not %s).
	$term_ids = $wpdb->get_col( $wpdb->prepare(
		"SELECT term.term_taxonomy_id FROM {$wpdb->term_relationships} as term "
		. "JOIN {$wpdb->term_taxonomy} as tax "
		// term_relationships joins term_taxonomy on term_taxonomy_id, not term_id.
		. "ON term.term_taxonomy_id = tax.term_taxonomy_id "
		. "JOIN {$wpdb->posts} as post "
		. "ON term.object_id = post.ID "
		. "JOIN {$wpdb->comments} as comments "
		. "ON post.ID = comments.comment_post_ID "
		. "WHERE tax.taxonomy = 'category' "
		. "AND comments.comment_ID = %d",
		$comment_id
	) );
}
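The unsafe shape beside the safe one, plus the two cases that trip people up with prepare() (LIKE and IN). This is an added example, not code from the slides; the function names and the idea of a request parameter feeding them are hypothetical.

```php
<?php
/**
 * Added example: $wpdb with and without prepare(). Function names are hypothetical.
 */

// VULNERABLE: the value is interpolated straight into the SQL string.
// An author value of   x' OR '1'='1   rewrites the WHERE clause.
function jr_posts_by_author_unsafe( $author_login ) {
	global $wpdb;
	return $wpdb->get_results(
		"SELECT p.ID, p.post_title FROM {$wpdb->posts} p
		 JOIN {$wpdb->users} u ON u.ID = p.post_author
		 WHERE u.user_login = '$author_login' AND p.post_status = 'publish'"
	);
}

// SAFE: the value goes through prepare() as a %s placeholder, which quotes and
// escapes it; table names come from $wpdb properties, never from the request.
function jr_posts_by_author( $author_login ) {
	global $wpdb;
	return $wpdb->get_results( $wpdb->prepare(
		"SELECT p.ID, p.post_title FROM {$wpdb->posts} p
		 JOIN {$wpdb->users} u ON u.ID = p.post_author
		 WHERE u.user_login = %s AND p.post_status = 'publish'",
		$author_login
	) );
}

// LIKE is two steps: $wpdb->esc_like() neutralises % and _ inside the user's
// term, the wildcards you actually want are added around it, then prepare()
// quotes the whole thing like any other %s.
function jr_search_titles( $term ) {
	global $wpdb;
	$like = '%' . $wpdb->esc_like( $term ) . '%';
	return $wpdb->get_results( $wpdb->prepare(
		"SELECT ID, post_title FROM {$wpdb->posts}
		 WHERE post_title LIKE %s AND post_status = 'publish'",
		$like
	) );
}

// IN ( ... ) takes a variable number of values: cast each one, build one %d per
// value, and hand prepare() the array. A request value such as
// "1, 2) OR (1=1" then cannot escape the list.
function jr_posts_in( array $ids ) {
	global $wpdb;
	$ids = array_map( 'absint', $ids );
	if ( empty( $ids ) ) {
		return array();
	}
	$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
	return $wpdb->get_results( $wpdb->prepare(
		"SELECT ID, post_title FROM {$wpdb->posts} WHERE ID IN ( $placeholders )",
		$ids
	) );
}
```

The first two functions could be replaced by new WP_Query( array( 'author_name' => $author_login ) ), which is the point of the "prevent" slide: reach for the API first, and keep prepare() for the queries the API cannot express.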
Security in Code

Nonces

Nonces ("numbers used once") are WordPress's CSRF protection. A WordPress nonce is not strictly single-use: it is a hash tied to an action name, the current user's session and a time window (valid for up to 24 hours), so a nonce that verifies shows the request came from a form or link WordPress generated for that user and that action, recently. It proves intent, not permission: still check capabilities.

Security in Code / Nonces
$content .= wp_nonce_field( 'jr_caption', 'jr_caption_nonce', true, false );

function save_field( $post_id, $field_name ) {
	// Unslash before verifying (WordPress slashes $_POST); the nonce field is
	// named after the action it protects.
	$nonce = isset( $_POST[ $field_name . '_nonce' ] )
		? sanitize_text_field( wp_unslash( $_POST[ $field_name . '_nonce' ] ) )
		: '';

	if ( wp_verify_nonce( $nonce, $field_name ) && current_user_can( 'edit_post', $post_id ) ) {
		// Do a bunch of stuff if the nonce checks out and the user may edit this post.
	}
}
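A complete meta box with the save handler ordered nonce, capability, autosave, sanitize, as an added example (not the slides' code). It assumes PHP 7+, a post type of post, and hypothetical keys and function names; the AJAX handler at the end shows the same check via check_ajax_referer() for a nonce the page emitted with wp_create_nonce().

```php
<?php
/**
 * Added example: meta box + save handler guarded by a nonce.
 * Meta key, action names, slugs and function names are hypothetical.
 */
add_action( 'add_meta_boxes', function () {
	add_meta_box( 'jr_caption_box', 'Caption', 'jr_caption_box_html', 'post' );
} );

function jr_caption_box_html( $post ) {
	// The nonce is bound to this action string (which includes the post ID),
	// the current user's session and a time window.
	$caption = get_post_meta( $post->ID, '_jr_caption', true );
	wp_nonce_field( 'jr_caption_save_' . $post->ID, 'jr_caption_nonce' );
	echo '<input type="text" name="jr_caption" value="' . esc_attr( $caption ) . '" />';
}

add_action( 'save_post', 'jr_caption_save' );
function jr_caption_save( $post_id ) {
	// 1. Nonce: did this request come from our form, for this post, for this user?
	//    wp_verify_nonce() returns 1 (first 12h), 2 (second 12h) or false.
	$nonce = isset( $_POST['jr_caption_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['jr_caption_nonce'] ) )
		: '';
	if ( ! wp_verify_nonce( $nonce, 'jr_caption_save_' . $post_id ) ) {
		return; // save_post also fires for revisions, REST and cron with no nonce present
	}

	// 2. Capability: a valid nonce proves intent, not permission.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// 3. Autosaves carry only partial data; do not let one wipe the field.
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}

	// 4. Sanitize, then store.
	$caption = sanitize_text_field( wp_unslash( $_POST['jr_caption'] ?? '' ) );
	if ( '' === $caption ) {
		delete_post_meta( $post_id, '_jr_caption' );
	} else {
		update_post_meta( $post_id, '_jr_caption', $caption );
	}
}

// Same protection for an admin-ajax endpoint. The page is assumed to have
// emitted wp_create_nonce( 'jr_caption_ajax' ) and the JS to post it as 'nonce'.
add_action( 'wp_ajax_jr_caption_get', function () {
	check_ajax_referer( 'jr_caption_ajax', 'nonce' ); // dies with -1 if the nonce fails
	$post_id = absint( $_POST['post_id'] ?? 0 );
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	wp_send_json_success( array( 'caption' => get_post_meta( $post_id, '_jr_caption', true ) ) );
} );
```

The order matters: the nonce check comes first because it is cheap and rejects cross-site forgeries outright, but it says nothing about whether the user may edit this post, which is why the capability check follows it rather than replacing it.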

Security on Server


Hosting Choices

WordPress Managed Hosting

Security on Server / Hosting

Shared Hosting

Security on Server

Roll Your Own

Security on Server

Other suggestions

Security Plugins

Resources

Questions

Thank You

Jim Reevior

@hirozed
jim@jimreevior.com