WordCamp Milwaukee 2012 - Aaron Saray - Secure WordPress Coding
DESCRIPTION
A description of common security issues that exist in PHP/MySQL and HTML/JavaScript based websites, how to mitigate them, and then how WordPress can help.
TRANSCRIPT
Secure Wordpress Coding
Aaron Saray
Why Trust This Guy?
● PHP programmer for more than a decade
● Nerd since 8 yrs old
● MKEPUG
● Author
● you paid? :)
Why at WordCamp?
● I use WordPress
  ○ even programmers do, yup
● I like WordPress
● WordPress is everywhere
  ○ I actually care about the world... you should too!
What is Security?
● Physical, mental, emotional, resources
● Secure programming?
  ○ protecting the user from...
    ■ themselves
    ■ the bad guys
    ■ glitches
Why should you care?
Yay - it's time for everyone's favorite game show!
Myth: ...
Fact: you should care - you're a nice person. Otherwise you wouldn't be here...
Myth: No one will attack me
● No one cares about my little website
● I'm not doing anything important
● They can have it all, I have nothing they want
Fact: Yes they will.
That's Wrong!
Examples:
● Testing Credit Cards
● Hosting bad stuff
● Stealing User Accounts (and passwords)
● installing trojans
  ○ google now hates you
● Who cares about Google ads?
  ○ They're only $0.02...
$132,994.97
Myth: PHP is so insecure that...
● Bank vault is insecure with the door open
● Haters be hatin'
● PHP users
  ○ Facebook
  ○ Yahoo
  ○ etc
    ■ if it were so bad, then why?
What Security Concerns in Web Projects Do We Have?
● HTML begat PHP begat WordPress
● SQL Injection
● XSS
● CSRF
*NOTE: examples are simple, and not necessarily indicative of real code.
SQL Injection
● An attack that injects unknown SQL commands
  ○ usually done through a form field
  ○ can be done in a query string
● Consequence?
  ○ read all data
  ○ write / update / delete
  ○ drop tables!
SQL Injection Example
```php
$sql = "select * from user where email='[email protected]' and password='monkey'";
```
What about a password of ... say... x' or userid=1; --
```php
$sql = "select * from user where email='[email protected]' and password='x' or userid=1; --'";
```
SQL Injection Solution
Filter user input!!
Cross Site Scripting (XSS)
● An attack that allows a third party to add and execute client side scripts into a web page
  ○ Client side scripting (such as javascript) is fine (and useful)
  ○ but not if the site creator didn't approve it
● Consequence?
  ○ form submission
  ○ steal cookie (login token)
  ○ Samy!
XSS Example
(the example code was shown only on the slide images)
Yup.
Is this really that bad?
XSS Solution
Filter user input!!
Cross Site Request Forgery (CSRF)
● An attack that sends a request from a malicious site masquerading as a legitimate request.
● Submission or action originating not on your website
● Consequence?
  ○ forms submitted
  ○ any user action done
    ■ potentially by authorized users, without their knowledge
CSRF Example
(the example was shown only on the slide images)
CSRF Solution
Multi pronged:
● Use POST for data changes (RFC 2616)
● Use $_POST, not $_REQUEST
● Use a token
  ○ in Wordpress, they're called "nonce"
CSRF Solution
(code shown only on the slide images)
CSRF Solution in Wordpress
(code shown only on the slide image)
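The three prongs above (POST only, `$_POST` only, a nonce) put together in one WordPress form handler, as an added example that is not from the slides. The action name `demo_update_tagline`, the option key `demo_tagline` and the `demo_` functions are assumed names.

```php
<?php
// Added example (not from the slides): the multi-pronged CSRF defence in WordPress.
// All demo_ names and the option key are hypothetical.

// 1. Render the form: POST method, plus a nonce tied to this specific action.
function demo_render_tagline_form() {
    $current = get_option( 'demo_tagline', '' );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'demo_update_tagline', 'demo_nonce' ); ?>
        <input type="hidden" name="demo_action" value="update_tagline">
        <input type="text" name="tagline" value="<?php echo esc_attr( $current ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// 2. Handle the submission. Each check is independent; a request that fails
//    any one of them is refused before anything is written.
function demo_handle_tagline_form() {
    // Read only $_POST (never $_REQUEST, which would also accept ?tagline=... in a URL).
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['demo_action'] ) ) {
        return; // nothing to do on a plain page view
    }
    if ( 'update_tagline' !== $_POST['demo_action'] ) {
        return;
    }
    // The nonce is only issued by this site, for this user and this action, so a
    // form hosted on another site cannot supply a valid one.
    $nonce = isset( $_POST['demo_nonce'] ) ? $_POST['demo_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_update_tagline' ) ) {
        wp_die( 'Security check failed (invalid or expired nonce).', 'Forbidden', array( 'response' => 403 ) );
    }
    // A valid nonce is not authorisation: still confirm the user may do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', 'Forbidden', array( 'response' => 403 ) );
    }
    // Finally, filter the value before storing it.
    $tagline = sanitize_text_field( wp_unslash( $_POST['tagline'] ) );
    update_option( 'demo_tagline', $tagline );
}
add_action( 'admin_init', 'demo_handle_tagline_form' );
```

Nonces in WordPress expire (they rotate on a 12-hour tick by default), so a stale form fails the check and the user must reload it; that is the intended behaviour, not a bug.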
... so, who cares?
Wordpress is a web project
● It's PHP
● It's HTML
● It's Javascript
● It's CSS
● It takes user input
● It displays user input
What can I do about it?
Thanks for asking!
● Security Scanning Plugin
● Theme Creation Security
● Practice safe plugin'
If you remember just one thing...
Use these Security Plugins:
● Secure Wordpress
  http://wordpress.org/extend/plugins/secure-wordpress/
● WP Security
  http://wordpress.org/extend/plugins/wp-security-scan/
Secure Themes
● This isn't just filler
  ○ people focus on plugins usually. *slap*
● Things to consider:
  ○ when using other themes or child themes
  ○ creating your own theme
Themes that you... borrow
● Everyone grabs a theme
  ○ be smart about it
  ○ if it's too good to be true...
● Things to remember:
  ○ update themes when they ask you to
    ■ Remember the TimThumb-amo!
  ○ take a look at them
    ■ cdn.google.com/jquery.js
    ■ myhotbride.ru/funfreemoney.js
Themes that you sorta borrow
● If you see a cool theme...
  ○ Child theme it!
  ○ Stay up to date with the parent security
and if you're in a rush...
● Theme Authenticity Checker
  ○ http://builtbackwards.com/projects/tac/
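A command-line version of "take a look at them" from the borrowed-themes slide, in the spirit of the Theme Authenticity Checker but written as an added example (it is not TAC's code and not from the slides). It lists every external script or stylesheet a theme directory pulls in and flags the constructs that hidden payloads in "free" themes usually depend on. The script name, the allow-list of hosts and the patterns are assumptions.

```php
<?php
// Added example (not from the slides, not TAC): look over a downloaded theme before activating it.
// Usage: php scan-theme.php /path/to/theme
$dir           = isset( $argv[1] ) ? $argv[1] : '.';
$trusted_hosts = array( 'ajax.googleapis.com', 'fonts.googleapis.com' ); // constructed allow-list

$patterns = array(
    'external resource' => '~<(?:script|link)[^>]+(?:src|href)=["\']?(https?:)?//([^/"\'\s>]+)~i',
    'eval()'            => '~\beval\s*\(~i',
    'base64_decode()'   => '~\bbase64_decode\s*\(~i',
    'remote fetch'      => '~\b(?:file_get_contents|curl_init)\s*\(\s*["\']https?://~i',
    'hidden link'       => '~display\s*:\s*none[^>]*>\s*<a\s~i',
);

$files = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
);
foreach ( $files as $file ) {
    if ( ! preg_match( '/\.(php|js|css|html?)$/i', $file->getFilename() ) ) {
        continue; // only code and markup; images and fonts are not scanned
    }
    foreach ( file( $file->getPathname() ) as $no => $line ) {
        foreach ( $patterns as $label => $re ) {
            if ( ! preg_match( $re, $line, $m ) ) {
                continue;
            }
            // Resources from hosts you already trust are listed, not flagged.
            if ( 'external resource' === $label && in_array( strtolower( $m[2] ), $trusted_hosts, true ) ) {
                printf( "  ok   %s:%d loads from %s\n", $file->getPathname(), $no + 1, $m[2] );
                continue;
            }
            printf( "  FLAG %s:%d %s: %s\n", $file->getPathname(), $no + 1, $label, trim( $line ) );
        }
    }
}
echo "Flags are leads, not verdicts: open each flagged line and read it before deciding.\n";
```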
so which security issues exist?
● All of them!
Let's check out some best practices
Use built in functions
● set_theme_mod()
● Settings API
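What "use the built in functions" buys you, shown with the Settings API as an added example (not from the slides): WordPress supplies the nonce, the capability check and the save, and your only job is the sanitize callback that decides what is allowed into the database. Every `demo_` name, the option group and the page slug are assumptions.

```php
<?php
// Added example (not from the slides): a theme/plugin option stored through the Settings API.
// All demo_ names are hypothetical.
function demo_register_settings() {
    // Third argument: sanitize callback run on every save, before the value reaches the DB.
    register_setting( 'demo_options_group', 'demo_options', 'demo_sanitize_options' );
    add_settings_section( 'demo_main', 'Demo settings', '__return_null', 'demo-settings' );
    add_settings_field( 'demo_link', 'Footer link', 'demo_link_field', 'demo-settings', 'demo_main' );
}
add_action( 'admin_init', 'demo_register_settings' );

function demo_sanitize_options( $input ) {
    $clean = array();
    // Whitelist each key and coerce it to the type you expect; anything else posted is dropped.
    $clean['link']  = isset( $input['link'] ) ? esc_url_raw( $input['link'] ) : '';
    $clean['label'] = isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '';
    $clean['count'] = isset( $input['count'] ) ? min( 50, absint( $input['count'] ) ) : 5;
    return $clean;
}

function demo_link_field() {
    $opts = get_option( 'demo_options', array( 'link' => '', 'label' => '', 'count' => 5 ) );
    // Escape on output too: sanitising on the way in does not replace escaping on the way out.
    printf( '<input type="url" name="demo_options[link]" value="%s">', esc_url( $opts['link'] ) );
    printf( '<input type="text" name="demo_options[label]" value="%s">', esc_attr( $opts['label'] ) );
}

function demo_settings_page() {
    ?>
    <form method="post" action="options.php">
        <?php settings_fields( 'demo_options_group' ); // emits the nonce and the hidden option_page field ?>
        <?php do_settings_sections( 'demo-settings' ); ?>
        <?php submit_button(); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    // Only users with manage_options ever see the page; options.php re-checks on save.
    add_options_page( 'Demo', 'Demo', 'manage_options', 'demo-settings', 'demo_settings_page' );
} );
```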
Use built in filters
● esc_attr()
● esc_html()
● esc_textarea()
● esc_url()
● esc_js()
● wp_filter_kses()
Filter example
(code shown only on the slide image)
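The XSS solution ("filter user input") and the filter slide together, as an added example that is not from the slides: one untrusted value rendered into each output context with the matching escaping function, because the right escape depends on where the value lands, not on the value. The sample strings are constructed attacker-style input; `demo_render_profile` is an assumed name.

```php
<?php
// Added example (not from the slides): the same untrusted value escaped per output context.
$bio  = '"><script>alert(1)</script>';          // constructed: tries to close the tag it lands in
$site = 'javascript:alert(1)';                   // constructed: a "URL" with a script scheme
$note = "Line one\n</textarea><b>x</b>";         // constructed: tries to close the textarea

function demo_render_profile( $bio, $site, $note ) {
    ?>
    <!-- HTML body: esc_html() turns < > & " ' into entities, so the tag is displayed, not run. -->
    <p><?php echo esc_html( $bio ); ?></p>

    <!-- Attribute value: esc_attr() escapes the quote that would otherwise end the attribute early. -->
    <input type="text" name="bio" value="<?php echo esc_attr( $bio ); ?>">

    <!-- href/src: esc_url() also rejects disallowed schemes; 'javascript:' comes back as ''. -->
    <a href="<?php echo esc_url( $site ); ?>">Website</a>

    <!-- Textarea content: esc_textarea() keeps the newline but encodes the closing tag. -->
    <textarea name="note"><?php echo esc_textarea( $note ); ?></textarea>

    <!-- Inline JS string literal: esc_js() backslash-escapes quotes and newlines and
         HTML-encodes < > so the value cannot break out of the script block. -->
    <script>var bio = '<?php echo esc_js( $bio ); ?>';</script>
    <?php
}

// When some HTML must be allowed (post-like content), whitelist instead of escaping everything:
// wp_kses_post() keeps the tags a post may contain and strips <script>, leaving only its text.
$rich = '<strong>Hi</strong><script>alert(1)</script>';
$safe = wp_kses_post( $rich ); // '<strong>Hi</strong>alert(1)'
```

Escape at the point of output rather than on the way into the database: the stored value may later be used in a context the original sanitising did not anticipate.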
Security through Obscurity
● Not always that bad...
  ○ automated tools - why give them a freebie?
● remove versions from your themes
Version examples...
(examples shown only on the slide image)
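The "remove versions" advice as working code, an added example that is not from the slides: it strips the WordPress version from the places core prints it by default. The `demo_` function name is an assumption.

```php
<?php
// Added example (not from the slides): stop advertising the WordPress version.
// The demo_ function name is hypothetical; the hooks and filters are core WordPress ones.

// 1. The <meta name="generator" content="WordPress x.y"> tag in <head>, and the
//    same string in RSS/Atom feeds (both come through the_generator()).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. The ?ver=x.y query string appended to enqueued scripts and styles. When an
//    asset is registered without its own version, core uses the WordPress version,
//    which is exactly the value we want to keep off the page.
function demo_strip_version_query_arg( $src ) {
    if ( false !== strpos( $src, 'ver=' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'demo_strip_version_query_arg' );
add_filter( 'script_loader_src', 'demo_strip_version_query_arg' );

// Caveats:
// - readme.html in the web root also prints the version and is not reachable from PHP:
//   delete it (or block it in the web server) after every update.
// - ?ver= doubles as a cache buster; give your own assets an explicit version in
//   wp_enqueue_script()/wp_enqueue_style() so browsers still pick up updates.
// - This only blunts automated fingerprinting. An out-of-date install is just as
//   vulnerable with the number hidden, so update first, hide second.
```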
O.P.P.
● Other People's Plugins!
General Security
● Security is really shared between plugins and themes
● These can be applied to all of your programming, or other people's programming.
  ○ For security's sake - be careful when you're hacking other people's plugins.
2 Parts Left:
First, and foremost
● Clean yo' house
Clean it up
● Update your Wordpress
● Delete old things:
  ○ plugins
  ○ themes
  ○ user uploads from that hot babe
● http://codex.wordpress.org/Hardening_WordPress
#2, Code Securely
● Use NONCE
● Don't let AJAX files sit around
● Watch your SQL
Use $wpdb
● It is a global variable
  ○ yup, I hate it too
● Use these methods instead of creating your new wheel
  http://codex.wordpress.org/Function_Reference/wpdb_Class
$wpdb example
(code shown only on the slide image)
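The login query from the SQL injection slides, first as the string-built version and then the way the "Use $wpdb" slide recommends, as an added example that is not the slide's code. `$wpdb` is WordPress's global database object; the `demo_user` table is an assumption.

```php
<?php
// Added example (not from the slides): the SQL injection lookup, vulnerable and then prepared.
// The demo_user table is hypothetical; $wpdb->prefix, prepare(), get_row() are core WordPress.
global $wpdb;

$login    = isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
$password = isset( $_POST['password'] ) ? wp_unslash( $_POST['password'] ) : '';

// VULNERABLE (never executed here): user input is pasted into the SQL text. A password of
//   x' or userid=1; --
// ends the string literal and the WHERE clause becomes "... or userid=1", as on the slide.
$sql_bad = "SELECT * FROM {$wpdb->prefix}demo_user WHERE email='$login' AND password='$password'";

// SAFE: placeholders. prepare() escapes each value and adds the quotes around %s itself,
// so the quote inside the password stays inside the literal and never reaches the parser.
$sql_ok = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}demo_user WHERE email = %s AND password = %s",
    $login,
    $password
);
$row = $wpdb->get_row( $sql_ok );
// Placeholders: %s for strings, %d for integers, %f for floats. Table and column names
// cannot be placeholders; build them from $wpdb->prefix or the $wpdb->users etc. properties.

// In real WordPress code do not compare passwords in SQL at all: they are stored hashed,
// so hand the check to core, which returns WP_User on success or WP_Error on failure.
$result = wp_authenticate( $login, $password );
if ( is_wp_error( $result ) ) {
    // failed login: log it, rate-limit it, do not echo $result back unescaped
}
```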
My Final Advice
It's Open Source Software for a reason
Questions?
● Questions about Secure Wordpress Coding?
Aaron Saray
Open Source Developer
Milwaukee, WI
http://aaronsaray.com
@aaronsaray
Milwaukee PHP Users Group
http://mkepug.org
@mkepug