It is Never Too Soon to be Fitted for a Tinfoil Hat
What are we going to learn today?
- About Jim
- Security in Code
- Security on Server
- Security Plugins
- Questions
About Jim
- Web developer for STAT
- Co-Organize:
- BostonWP
- WordCamp Boston
- New England GiveCamp
- In the technology realm for over 20 years.
- Web developer for 7 years
- Studying Taekwondo
Sanitize Input / Escape Output
- Never trust the data
- Even your own
Security in Code / Sanitization & Escaping
Within PHP
- is_array();
- is_string();
- is_int();
- filter_var();
// Without FILTER_NULL_ON_FAILURE a legitimate "no"/"0"/"off" also returns false, so test for null instead.
if ( null === filter_var( $stuff, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE ) ) { /* Magic Happens */ }
- filter_input();
// Strips characters that cannot appear in an email address; use FILTER_VALIDATE_EMAIL to reject bad input outright.
$email = filter_input( INPUT_GET, 'email', FILTER_SANITIZE_EMAIL );
- Types of Filters
Security in Code / Sanitization & Escaping
Within WordPress - Sanitization
Mostly used with form fields.
- sanitize_email();
- sanitize_text_field();
- sanitize_title();
- esc_url_raw();
Security in Code / Sanitization & Escaping
Within WordPress - Escaping
Used when outputting data.
- esc_html();
- esc_url();
- esc_attr();
- esc_js();
- wp_kses_post();
Security in Code / Sanitization & Escaping
Within WordPress - Escaping
<h3>Hello <?php echo esc_html( $audience ); ?></h3>
<p>This is an example of where you would escape output.</p>
<p>
<a href="<?php echo esc_url( $funky_url ); ?>" title="<?php echo esc_attr( $funky_title ); ?>">
<?php echo esc_html( $funky_text ); ?></a>
</p>
<p>
<?php echo wp_kses_post( $some_content ); ?>
</p>
Security in Code / Sanitization & Escaping
Within WordPress - Escaping
Escape late.
Security in Code / SQL Injections
Prevent SQL Injections
- Always try to use the built in WordPress functions
- *That's what they are there for.
- WP_Query;
- wp_update_post();
- wp_delete_post();
- update_option();
- wp_list_pluck(); is your friend
Security in Code / SQL Injections
But, if you must...
Take advantage of the $wpdb global
global $wpdb;
if ( 'category' === $column ) {
    // prepare() quotes and escapes the placeholder itself, so %d is left bare;
    // comment_ID is an integer column, which makes %d the right placeholder.
    $term_ids = $wpdb->get_col( $wpdb->prepare(
        "SELECT term.term_taxonomy_id FROM {$wpdb->term_relationships} AS term "
        . "JOIN {$wpdb->term_taxonomy} AS tax "
        // term_relationships links to term_taxonomy through term_taxonomy_id, not term_id.
        . "ON term.term_taxonomy_id = tax.term_taxonomy_id "
        . "JOIN {$wpdb->posts} AS post "
        . "ON term.object_id = post.ID "
        . "JOIN {$wpdb->comments} AS comments "
        . "ON post.ID = comments.comment_post_ID "
        . "WHERE tax.taxonomy = 'category' "
        . "AND comments.comment_ID = %d",
        $comment_id
    ) );
}
Nonces
Nonces are single-use tokens ("numbers used once") that verify who submitted a field and when it was modified.
- Always include a nonce field when adding meta box fields.
- Used to validate data in the admin.
- Can be used on the front end, but not really meant for that.
Security in Code / Nonces
$content .= '<p><label for="jr_caption"><strong>Caption</strong></label>
<textarea id="jr_caption" name="jr_caption" class="fm-element" rows="3" style="width: 100%;">'
. esc_html( $caption_data ) .
'</textarea></p>';
// third argument: also add the referer field; fourth: return the markup instead of echoing it.
$content .= wp_nonce_field( 'jr_caption', 'jr_caption_nonce', true, false );

function save_field( $post_id, $field_name ) {
    $nonce_name = $field_name . '_nonce';
    if ( isset( $_POST[ $nonce_name ] ) && wp_verify_nonce( sanitize_key( $_POST[ $nonce_name ] ), $field_name ) ) {
        // The nonce checks out: sanitize the submitted value before storing it.
        $value = isset( $_POST[ $field_name ] ) ? sanitize_text_field( wp_unslash( $_POST[ $field_name ] ) ) : '';
        update_post_meta( $post_id, $field_name, $value );
    }
}
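Putting the escaping and nonce slides together, here is an added example (not from the deck or any plugin) of a meta box whose field is rendered with escaping and saved only after the nonce, the capability and sanitization checks pass; the tfh_ names and the _tfh_caption meta key are assumptions.

```php
<?php
// Added example, not from the slides. All tfh_* names and the meta key are assumed.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'tfh_caption_box', 'Caption', 'tfh_render_caption_box', 'post' );
} );

// Render: escape late, at the exact point the value reaches the page.
function tfh_render_caption_box( $post ) {
    $caption = get_post_meta( $post->ID, '_tfh_caption', true );
    wp_nonce_field( 'tfh_save_caption', 'tfh_caption_nonce' ); // echoes the hidden nonce input
    ?>
    <label for="tfh_caption"><strong>Caption</strong></label>
    <textarea id="tfh_caption" name="tfh_caption" rows="3" style="width:100%;"><?php echo esc_textarea( $caption ); ?></textarea>
    <?php
}

// Save: verify the nonce, skip autosaves, check the capability, then sanitize before storing.
function tfh_save_caption( $post_id ) {
    if ( ! isset( $_POST['tfh_caption_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['tfh_caption_nonce'] ), 'tfh_save_caption' ) ) {
        return; // missing or stale nonce: ignore the request
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return; // autosaves do not carry this field
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return; // a valid nonce proves intent, not permission
    }
    if ( ! isset( $_POST['tfh_caption'] ) ) {
        return;
    }
    // Never trust the data: strip slashes WordPress added, then sanitize for a textarea.
    $clean = sanitize_textarea_field( wp_unslash( $_POST['tfh_caption'] ) );
    update_post_meta( $post_id, '_tfh_caption', $clean );
}
add_action( 'save_post', 'tfh_save_caption' );
```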
Hosting Choices
WordPress Managed Hosting
- Handles server security
- WordPress core updates
- Tuned for WordPress
- More expensive than shared hosting
Security on Server / Hosting
Shared Hosting
- Cheaper than WP Managed
- Some hosts will scan for malware in the html directory
- Handles server security
- Some will have WP "pre-packaged"
Roll Your Own
- Maintenance and security updates are your responsibility
- Not for the faint of heart
Other suggestions
- Move wp-config.php
- Change permissions for core files
- Turn off editing
Add to wp-config.php: define( 'DISALLOW_FILE_EDIT', true );