Lesson 6

Understanding WordPress Security

Two Areas of Security

  • User Security
  • Developer Security

User Security

Keep Core, Themes, & Plugins Up to Date

Never create an "admin" account

Can offer a small layer of protection against brute-force attacks, which routinely try the username "admin" first.

But be aware: Security through obscurity is no security at all. Usernames can be discovered anyway (author archives, the REST API users endpoint), so strong passwords and login throttling still do the real work.

Clean Out Old Accounts

Never go with the "default" options

  • Change your table prefix (wp_)
  • Caveat: a different prefix only defeats scripts that hard-code wp_. It does not stop SQL injection, since an attacker with an injection point can read the real table names from information_schema.

Always Change Your Salts

  • AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their *_SALT counterparts live in wp-config.php
  • Generate unique values at https://api.wordpress.org/secret-key/1.1/salt/
  • Changing them invalidates every existing login cookie, so also rotate them after a suspected compromise

Know Where Your Code Comes From

  • Plugins
  • Themes
  • Other Code

Disable File Editing

define( 'DISALLOW_FILE_EDIT', true );

Goes in wp-config.php. It removes the theme and plugin editors from the dashboard, so a hijacked administrator account cannot write PHP to disk through the UI.

Choose Secure Passwords

Use a password manager like 1Password or LastPass.

Security Plugins

Sucuri Security Scanner

Limit Login Attempts

Clef (two-factor login; the Clef service shut down in 2017, so use a maintained two-factor plugin instead)

Simple Login Log

Coding Security

Validation

Checks that input has the type, format and range your code expects, and rejects anything that does not, before the value is used.

Whitelisting

When only a handful of values are valid, compare the input against that list and reject everything else.

function ga_validate_yes_no( $some_input ) {
    // Third argument true: strict comparison, so 0, true and null never match.
    if ( in_array( $some_input, array( 'yes', 'no' ), true ) ) {
        return $some_input;
    }
    // Invalid input: return a known-safe default instead of silently returning null.
    return 'no';
}

Whitelisting

Be sure to use strict type checking: === for comparisons and the true flag on in_array(). Loose comparison lets attacker-controlled strings pass as numbers or booleans.

// PHP 7 and earlier convert a leading-numeric string to a number for loose
// comparison, so this equals integer 1 there; PHP 8 no longer does.
$untrusted_input = '1 malicious string';

// == would have evaluated to true (on PHP <= 7), but === evaluates to false
// on every version because the types differ: integer versus string.
if ( 1 === $untrusted_input ) {
    echo '<p>Valid data</p>';
} else {
    wp_die( 'Invalid data' );
}

PHP Validation Functions

  • is_bool()
  • is_float()
  • is_int()
  • is_numeric()
  • is_string()

Caveat: is_numeric() also accepts floats, exponent notation ('1e3') and leading whitespace, so it is not an integer check. Use is_int() (or ctype_digit() for digit strings) plus a range check. Remember that everything in $_GET and $_POST arrives as a string or an array, never as an int.
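As an added example (not code from the original slides), the whitelist and strict-type ideas above carried through in plain PHP, with a second validator that shows why is_numeric() is the wrong tool for integers. The ga_ prefix, the setting names and the test inputs are constructed for illustration:

```php
<?php
// Added example, not from the original slides: strict whitelist and integer
// validation in plain PHP (7.4+), no WordPress required. The "ga_" prefix and
// the setting names are hypothetical.

declare(strict_types=1);

// Every value the "mode" setting may legally take.
const GA_ALLOWED_MODES = array( 'yes', 'no' );

/**
 * Whitelist check. Returns the input only if it is exactly one of the
 * allowed strings, otherwise a known-safe default. The `true` passed to
 * in_array() forces strict comparison, so 0, true, null and '0' never match.
 */
function ga_validate_mode( $input, string $default = 'no' ): string {
    if ( is_string( $input ) && in_array( $input, GA_ALLOWED_MODES, true ) ) {
        return $input;
    }
    return $default;
}

/**
 * Integer in [1, 100]. Accepts real ints and strings of ASCII digits only.
 * is_numeric() is deliberately avoided: it also accepts '1e3', ' 42' and
 * '4.2', all of which is_int() plus ctype_digit() reject.
 */
function ga_validate_page_size( $input ): ?int {
    if ( is_int( $input ) ) {
        $n = $input;
    } elseif ( is_string( $input ) && ctype_digit( $input ) ) {
        $n = (int) $input;
    } else {
        return null;               // wrong type or non-digit characters
    }
    return ( $n >= 1 && $n <= 100 ) ? $n : null;
}

// Constructed inputs paired with the result the validator must produce.
$mode_cases = array(
    array( 'yes',          'yes' ),
    array( 'YES',          'no' ),    // case differs: not on the whitelist
    array( 0,              'no' ),    // loose in_array() matches 'yes' on PHP 7
    array( true,           'no' ),    // loose comparison: true == 'yes'
    array( null,           'no' ),
    array( array( 'yes' ), 'no' ),    // arrays from ?mode[]=yes are not strings
);
$size_cases = array(
    array( 50,      50 ),
    array( '7',     7 ),
    array( '1e3',   null ),   // is_numeric() would have said yes
    array( ' 42',   null ),   // leading whitespace: is_numeric() accepts it
    array( '0',     null ),   // digits, but out of range
    array( 101,     null ),
    array( 4.0,     null ),   // a float, even a whole one, is rejected
    array( '42abc', null ),
);

$failures = 0;
foreach ( $mode_cases as array( $in, $want ) ) {
    $got = ga_validate_mode( $in );
    printf( "mode %-16s -> %-5s %s\n", json_encode( $in ), $got, $got === $want ? 'ok' : 'FAIL' );
    $failures += (int) ( $got !== $want );
}
foreach ( $size_cases as array( $in, $want ) ) {
    $got = ga_validate_page_size( $in );
    printf( "size %-16s -> %-5s %s\n", json_encode( $in ), var_export( $got, true ), $got === $want ? 'ok' : 'FAIL' );
    $failures += (int) ( $got !== $want );
}
exit( $failures === 0 ? 0 : 1 );
```

Run it with `php ga_validate.php`; every line should end in "ok". The point of the size cases is that a validator answers "is this exactly what I expect?", so anything is_numeric() would wave through but an integer column would not store as-is is rejected rather than coerced.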

Sanitization

Removes or transforms the parts of input we don't want (tags, stray bytes, disallowed characters) so the data is in the shape we expect before it is stored or used.

XKCD: Exploits of a Mom ("Little Bobby Tables": a name field is dropped straight into a query and executed as SQL). For database queries in WordPress the fix is parameterization with $wpdb->prepare(), not sanitization alone.

WordPress Sanitization Functions

  • sanitize_text_field(): strips tags and invalid UTF-8, removes line breaks and extra whitespace
  • absint(): casts to a non-negative integer
  • esc_url_raw(): URL for storage in the database (unencoded; drops disallowed schemes)
  • sanitize_email(): strips characters not allowed in an address (pair with is_email() to validate)
  • sanitize_file_name(): removes path separators and other characters that are illegal in filenames
  • sanitize_key(): lowercase letters, digits, underscores and dashes only
  • sanitize_title(): turns text into a URL-safe slug

Escaping

Escape on output, as late as possible, with the function that matches the context the value lands in:

  • esc_html(): text between tags
  • esc_url(): inside href/src; also rejects disallowed schemes such as javascript:
  • esc_js(): a string inside inline JavaScript in an attribute (e.g. onclick); the string must be single-quoted
  • esc_attr(): inside an HTML attribute value
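The three steps (validate, sanitize, escape) in one place, as an added example rather than code from the original slides: a small WordPress plugin fragment that sanitizes an options array on save and escapes each field with the function for its output context. It assumes WordPress 4.7+ is loaded; the option name ga_demo, the settings group and the field names are hypothetical.

```php
<?php
/**
 * Plugin Name: GA Sanitize-Escape Demo
 *
 * Added example, not from the original slides or any real plugin: one option
 * round-trip that sanitizes on the way into the database and escapes on the
 * way out, with the function that matches each output context. Assumes it is
 * loaded as a WordPress plugin (4.7+); the option name 'ga_demo', the
 * settings group and the field names are hypothetical.
 */

// Sanitize on input. register_setting() runs this callback on every save of
// the option, whether from the settings screen or from update_option().
function ga_demo_sanitize( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Free text: strips tags and invalid UTF-8, removes line breaks.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // URL headed for the database: esc_url_raw() keeps it unencoded (esc_url()
    // is the display variant) and drops disallowed schemes such as javascript:.
    $clean['link'] = esc_url_raw( $input['link'] ?? '' );

    // Email: sanitize, then validate. A sanitized-but-invalid address is rejected.
    $email          = sanitize_email( $input['email'] ?? '' );
    $clean['email'] = is_email( $email ) ? $email : '';

    // Fixed choice: whitelist with strict comparison, default otherwise.
    $mode          = $input['mode'] ?? '';
    $clean['mode'] = in_array( $mode, array( 'yes', 'no' ), true ) ? $mode : 'no';

    // Count: absint() turns '-5abc' into 5, so it is a sanitizer, not a
    // validator; the range check is still needed.
    $clean['count'] = min( absint( $input['count'] ?? 0 ), 100 );

    return $clean;
}

function ga_demo_register_setting() {
    register_setting(
        'ga_demo_group',
        'ga_demo',
        array(
            'type'              => 'array',
            'sanitize_callback' => 'ga_demo_sanitize',
            'default'           => ga_demo_sanitize( array() ),
        )
    );
}
add_action( 'admin_init', 'ga_demo_register_setting' );

// Escape on output, as late as possible, per context. Other code may have
// written the option directly, so it is passed through the sanitizer again.
function ga_demo_shortcode() {
    $opt = ga_demo_sanitize( get_option( 'ga_demo', array() ) );

    $html = sprintf(
        '<a class="ga-demo" data-mode="%1$s" href="%2$s">%3$s</a>',
        esc_attr( $opt['mode'] ),   // HTML attribute context
        esc_url( $opt['link'] ),    // href context: re-checks the scheme and encodes
        esc_html( $opt['title'] )   // text node context
    );

    if ( '' !== $opt['email'] ) {
        // mailto: links still go through esc_url(); the visible text through esc_html().
        $html .= sprintf(
            ' <a href="%1$s">%2$s</a>',
            esc_url( 'mailto:' . $opt['email'] ),
            esc_html( $opt['email'] )
        );
    }

    // Inline JS inside an attribute is the one place esc_js() belongs; the
    // JS string literal must be single-quoted.
    $html .= sprintf(
        ' <button type="button" onclick="alert(\'%1$s\')">%2$d</button>',
        esc_js( $opt['title'] ),
        (int) $opt['count']
    );

    return $html;
}
add_shortcode( 'ga_demo', 'ga_demo_shortcode' );
```

Load it as a plugin, save the option from a settings form (or with update_option( 'ga_demo', array( ... ) )), then put [ga_demo] in a post. Each field is escaped once, at the point of output, by the function for that context; escaping earlier (for example at save time) would double-encode when the same value is later rendered somewhere else.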