OWASP Top 10 & WordPress Security (Page 12)

Please note: this post is incomplete & pending review.

More Vulnerabilities & Considerations

The top 10 list is only the tip of the security ice burg, heres a few more that apply directly to WordPress. Don’t let the small size of these fool you, each of these are just as important.

Cross-Site Request Forgery (CSRF)

CSRF attacks happen when the source of a submission or request isn’t verified. This means an attacker can send the destination data, without having the correct origin. For example, submitting a form without actually filling out a form, just sending bad data for collection or processing. To counter this WordPress uses nonce’s to ensure theres nothing malicious occurring. Think of nonce’s as a authorization token from source to destination:

  • wp_nonce_field() adds token to forms
  • wp_nonce_url() adds token to URL
  • wp_verify_nonce() checks the token validity server side
  • check_admin_referer() checks the token validity server side and came from admin screen – however, this code does not exit if failed, only returns false. Use carefully.

SSL/TLS

Ensure all API you’re interacting with, all CURL’s made, and that your onsite or the sites you’re working on are https://. With LetsEncrypt and hosts like netlify making SSL a breeze, there’s no reason any service should not be SSL protected.

Open Redirect

  • wp_safe_redirect() should always be used in place of wp_redirect() as if the input is not sanitized or validated it could lead to vulnerabilities.

Executing Commands

When writing or auditing a plugin, the following functions are “red flags”, by default they will not break or open a door, but you have to be very very careful and aware of what they’re doing and why, and that they can run and execute code on the server, which if exploited could be given the attacker server access.

  • system()
  • exec()
  • eval()
  • assert()
  • passthru()
  • shell_exec()
  • preg_replace() (regex modifier will cause PHP to execute the replacement value as code)

Leave a Reply