Friday, September 9, 2011
Few safety tips to all WordPress plugin writers (from attacker's perspective)
For all of you worried plugin writers who stumbled upon this site searching for 'how-tos' on defending against SQL/XSS/... attacks, here is a small, compact list of tips on how to write more secure plugins:
- use the $wpdb->prepare() mechanism everywhere you directly access the underlying DBMS (please use it properly, by passing the parameter values explicitly)
- use the wp_create_nonce()/wp_verify_nonce() protection mechanism (especially in AJAX support scripts)
- apply the "principle of least privilege" by using mechanisms like check_admin_referer()/current_user_can()/...
- all SQL statements are vulnerable to SQL injection attacks, not just SELECT-based queries (a common misconception)
- use htmlentities()/htmlspecialchars() on every output that is directly or indirectly derived from user input, or that is otherwise untrusted, to effectively prevent potential XSS-like attacks
- prevent direct calls to scripts with a mechanism like wpframe_stop_direct_call()
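As an added example (not code from the original post), here is one admin-ajax handler that applies every tip above in a single place; the table name, the nonce action name, the capability and the `plugin_notes_*` function names are assumptions:

```php
<?php
// Added example (not from the original post). Assumes a hypothetical plugin table
// {$wpdb->prefix}plugin_notes with an integer id column, and that WordPress loads this file.

// Stop direct calls: ABSPATH is only defined once WordPress has bootstrapped.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Nonce: hand a fresh token to the page's JS so every AJAX request can carry it.
function plugin_notes_enqueue_nonce() {
    wp_localize_script( 'plugin-notes-js', 'pluginNotes', array(
        'nonce' => wp_create_nonce( 'plugin_notes_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'plugin_notes_enqueue_nonce' );

function plugin_notes_ajax_delete() {
    global $wpdb;

    // Nonce check first; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'plugin_notes_delete', 'nonce' );

    // Least privilege: a valid nonce proves intent, not authority, so check a capability too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Cast the id; the %d placeholder below makes the expected type explicit as well.
    $id = isset( $_POST['id'] ) ? (int) $_POST['id'] : 0;

    // DELETE is just as injectable as SELECT: the value is passed to prepare()
    // as an argument and never concatenated into the SQL string.
    $deleted = $wpdb->query( $wpdb->prepare(
        "DELETE FROM {$wpdb->prefix}plugin_notes WHERE id = %d",
        $id
    ) );
    if ( false === $deleted ) {
        wp_send_json_error( 'db error', 500 );
    }

    // Escape anything echoed back to the browser, even when it looks harmless.
    $title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
    wp_send_json_success( array(
        'message' => htmlspecialchars( "Deleted note: {$title}", ENT_QUOTES, 'UTF-8' ),
        'rows'    => (int) $deleted,
    ) );
}
add_action( 'wp_ajax_plugin_notes_delete', 'plugin_notes_ajax_delete' );
```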