WordPress Plugin Security Verification

The beginnings of a list of WordPress theme- and plugin-specific security verification checks.

Verify that plugin “uninstall” works correctly

The plugin will have either an "uninstall" hook or an uninstall.php file; see http://codex.wordpress.org/Function_Reference/register_uninstall_hook for more details on how they work.
1. Make sure that uninstall deletes all database tables, stored procedures, and theme files that were installed.
2. When using uninstall.php, the plugin should always check for the WP_UNINSTALL_PLUGIN constant before executing. WordPress defines WP_UNINSTALL_PLUGIN at runtime during a plugin uninstall; it will not be present if uninstall.php is requested directly.
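An added example of what those two checks look like in practice (this is illustrative code, not from the page or any real plugin): an uninstall.php for a hypothetical plugin called "example-plugin". Every option, user-meta key, cron hook, table and directory name in it is an assumption.

```php
<?php
/**
 * uninstall.php for a hypothetical plugin "example-plugin" (added example, not from the page).
 * Every option, meta key, hook, table and directory name below is an assumption.
 */

// WordPress defines WP_UNINSTALL_PLUGIN only while it is itself including this file
// during an uninstall. A direct request to /wp-content/plugins/example-plugin/uninstall.php
// never has it, so bail out before touching anything.
if ( ! defined( 'WP_UNINSTALL_PLUGIN' ) ) {
    exit;
}

global $wpdb;

// Options written by the plugin, plus their network-wide copies on multisite.
$example_plugin_options = array(
    'example_plugin_settings',
    'example_plugin_db_version',
);
foreach ( $example_plugin_options as $option ) {
    delete_option( $option );
    delete_site_option( $option );
}

// Transients live in the options table under a different name; delete them explicitly.
delete_transient( 'example_plugin_remote_data' );

// Per-user preferences stored as user meta: object id 0 with $delete_all = true removes
// the key for every user.
delete_metadata( 'user', 0, 'example_plugin_dismissed_notice', '', true );

// Scheduled (WP-Cron) events the plugin registered on activation.
wp_clear_scheduled_hook( 'example_plugin_daily_cleanup' );

// Custom table created on activation. The identifier is built from $wpdb->prefix, not from
// request input, which is why it is interpolated here; prepare() has no placeholder for it.
$example_plugin_table = $wpdb->prefix . 'example_plugin_log';
$wpdb->query( "DROP TABLE IF EXISTS `{$example_plugin_table}`" );

// Files the plugin wrote under the uploads directory.
$example_plugin_upload = wp_upload_dir();
$example_plugin_dir    = trailingslashit( $example_plugin_upload['basedir'] ) . 'example-plugin';
if ( is_dir( $example_plugin_dir ) ) {
    foreach ( (array) glob( $example_plugin_dir . '/*' ) as $file ) {
        if ( is_file( $file ) ) {
            unlink( $file );
        }
    }
    rmdir( $example_plugin_dir );
}
```

To verify the first check on a test site, run the uninstall and then look for leftovers: a query such as `SELECT option_name FROM wp_options WHERE option_name LIKE 'example\_plugin%'` should return nothing, and `SHOW TABLES LIKE 'wp_example_plugin%'` should be empty (prefix and names adjusted to the plugin under review).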

CSRF Protection

Make sure that sensitive requests are protected from CSRF using the native WordPress nonce functions. See: http://codex.wordpress.org/WordPress_Nonces

Authentication/Authorization Issues

When a form is submitted, verify that the submitter has authority and intention to perform the requested function.
In a nutshell, the app should check for is_admin() or current_user_can() to make sure unauthorized users can’t submit the form.
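Putting the CSRF check and the authorization check together, here is an added example (not code from the page or any real plugin) of a settings form and its handler for a hypothetical plugin "example-plugin"; the hook, option, nonce-action and capability names are assumptions. One caveat worth knowing when reviewing: is_admin() only reports whether the request is for an admin-area URL, not whether the user is an administrator, so the authorization decision has to come from current_user_can().

```php
<?php
/**
 * Added example for a hypothetical plugin "example-plugin" (not code from the page).
 * Hook, option, nonce-action and capability names are assumptions.
 */

// The settings form. wp_nonce_field() emits a hidden input whose value is tied to the
// action name, the current user and a time window (24 hours by default), so a page on
// another site cannot produce a valid one.
function example_plugin_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_plugin_save" />
        <?php wp_nonce_field( 'example_plugin_save', 'example_plugin_nonce' ); ?>
        <label>Title
            <input type="text" name="example_title"
                   value="<?php echo esc_attr( get_option( 'example_plugin_title', '' ) ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Runs for POSTs to admin-post.php with action=example_plugin_save (logged-in users only;
// the admin_post_nopriv_* hook is the one that would expose it to anonymous visitors).
function example_plugin_handle_save() {
    // Authority: is this user allowed to change settings? current_user_can() is the
    // authorization check; is_admin() would only say the request is for an admin URL.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to do that.', '', array( 'response' => 403 ) );
    }

    // Intention: was this submission produced by our own form? check_admin_referer()
    // validates the nonce for the given action and dies if it is missing or stale.
    check_admin_referer( 'example_plugin_save', 'example_plugin_nonce' );

    $title = isset( $_POST['example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) )
        : '';
    update_option( 'example_plugin_title', $title );

    // Redirect back so a reload does not resubmit; wp_safe_redirect() refuses off-site targets.
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-plugin' ) ) );
    exit;
}
add_action( 'admin_post_example_plugin_save', 'example_plugin_handle_save' );

// AJAX variant: wp_verify_nonce() returns false instead of dying, so the handler can
// answer with a proper error (check_ajax_referer() is the die-on-failure equivalent).
function example_plugin_ajax_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $nonce = isset( $_POST['nonce'] ) ? $_POST['nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_plugin_save' ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }
    $title = isset( $_POST['example_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) )
        : '';
    update_option( 'example_plugin_title', $title );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_plugin_save', 'example_plugin_ajax_save' );
```

When reviewing a handler, look for both checks on every state-changing path: a nonce without a capability check still lets any logged-in subscriber submit the form, and a capability check without a nonce still lets an attacker's page submit it on an administrator's behalf.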

Check for Correct Data Validation

Check the WP docs for expected usage, defaults, etc., to verify whether the call is going to perform the way the developer intended. It is usually worth digging into the WordPress sources to see how these functions are actually implemented, and giving that a sanity check.
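The following added example (illustrative code, not from the page or any real plugin) shows the kind of distinction that reading the docs and source turns up: sanitize_text_field() strips tags for storage but is not output escaping, esc_url_raw() is for storing a URL while esc_url() is for printing one, absint() coerces to a non-negative integer but enforces no range, and $wpdb->prepare() takes placeholders for values but not for table names. The plugin, option, table, shortcode and settings-group names are assumptions.

```php
<?php
/**
 * Added example for a hypothetical plugin "example-plugin" (not code from the page).
 * Option, table, shortcode and settings-group names are assumptions.
 */

// --- 1. Validate and sanitize input on the way in, per field type. -----------------------
function example_plugin_sanitize_settings( $input ) {
    $clean = array();

    // Integer: absint() yields a non-negative int but says nothing about range; enforce that.
    $per_page          = isset( $input['per_page'] ) ? absint( $input['per_page'] ) : 10;
    $clean['per_page'] = ( $per_page >= 1 && $per_page <= 100 ) ? $per_page : 10;

    // Email: sanitize_email() strips illegal characters; is_email() validates the result.
    $email          = isset( $input['email'] ) ? sanitize_email( $input['email'] ) : '';
    $clean['email'] = is_email( $email ) ? $email : '';

    // URL for storage: esc_url_raw() keeps & unencoded and drops schemes outside the list.
    $clean['link'] = isset( $input['link'] )
        ? esc_url_raw( $input['link'], array( 'http', 'https' ) )
        : '';

    // Free text: sanitize_text_field() strips tags and line breaks for storage. It is NOT
    // escaping; the value still has to be escaped for the context it is printed into.
    $clean['label'] = isset( $input['label'] ) ? sanitize_text_field( $input['label'] ) : '';

    // Fixed choices: compare against the allowed set instead of trying to sanitize.
    $layouts         = array( 'list', 'grid' );
    $clean['layout'] = ( isset( $input['layout'] ) && in_array( $input['layout'], $layouts, true ) )
        ? $input['layout']
        : 'list';

    return $clean;
}

function example_plugin_register_settings() {
    // Third argument is the sanitize callback; it runs on every save of this option.
    register_setting( 'example_plugin', 'example_plugin_settings', 'example_plugin_sanitize_settings' );
}
add_action( 'admin_init', 'example_plugin_register_settings' );

// --- 2. Escape output for the exact context the value lands in. --------------------------
function example_plugin_shortcode() {
    $defaults = array( 'layout' => 'list', 'link' => '', 'label' => '' );
    $opts     = wp_parse_args( get_option( 'example_plugin_settings', array() ), $defaults );

    return sprintf(
        '<a class="example-%1$s" href="%2$s" title="%3$s">%4$s</a>',
        esc_attr( $opts['layout'] ), // attribute value
        esc_url( $opts['link'] ),    // href: rejects unsafe schemes again at output time
        esc_attr( $opts['label'] ),  // attribute value
        esc_html( $opts['label'] )   // element text
    );
}
add_shortcode( 'example_link', 'example_plugin_shortcode' );

// --- 3. Database access: placeholders via $wpdb->prepare(), never string concatenation. ---
function example_plugin_recent_log( $per_page ) {
    global $wpdb;

    // The table name comes from $wpdb->prefix (not request input); prepare() has no
    // placeholder for identifiers, so it is interpolated, while values use %s / %d.
    $table = $wpdb->prefix . 'example_plugin_log';
    $since = gmdate( 'Y-m-d H:i:s', time() - DAY_IN_SECONDS );

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, message FROM {$table} WHERE created_at > %s ORDER BY id DESC LIMIT %d",
            $since,
            absint( $per_page )
        )
    );
}
```

The review question for each call is the one the paragraph above poses: does the function actually do what the developer assumed? A common finding is a value that was sanitized on input and then echoed raw into an attribute, which the sanitize step never protected against.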

The WordPress Core Source Browser is at: http://core.trac.wordpress.org/browser

Links to PHP sanitization/validation function docs are below:
