50 Shades of WordPress
WordCamp Raleigh 2012
#wcraleigh #50shadesofwp
@theandystratton
The Stories.
The Naive
Designer/Developer
Tim Was Never Safe
 (His PHP Vulnerability)
The Stranger
Real Problems.
Shops Using
Found Code.
Breaking Shortcodes.
Authors admitted to
using code they never
      reviewed.
“And to be honest we
  did not know that we
have a function like this in
       our code[...]”
“Neither do we
understand what it does
    right now [...]”
“We got the backbone of
our WP themes [...] from
 some other [...] author”
“[...] and just [built] a
     theme on it.”
Unsecured Third-Party
   Code Libraries.
 (Bundled Without Protection)
 TimThumb without proper configuration
   Server permissions, setup, etc.
Missing Key
Security Practices.
 Sanitizing input, escaping output
   Attributes, URLs, HTML
  Nonces and form security
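A worked example of the practices listed above (sanitize on input, escape attributes, URLs and HTML on output, nonce every form), added here as an illustration; it is not code from the talk or from any theme it mentions. It shows a shortcode the way much "found code" writes it, then the same shortcode and a settings form written against the core API. The shortcode tag `wcr_card`, the option name `wcr_card_default`, the nonce action/field names and the form field names are assumed names for the example.

```php
<?php
// Added example (not from the talk). Assumed names: the shortcode tag
// `wcr_card`, the option `wcr_card_default`, the nonce action
// `wcr_card_save` and the form field names below.

// --- Shortcode: the "found code" version ---------------------------------
// Attributes are dropped straight into markup and the stored option is
// trusted, so title='" onmouseover="alert(1)' or url="javascript:alert(1)"
// ends up in the page unchanged.
function wcr_card_unsafe( $atts ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : get_option( 'wcr_card_default' );
    $url   = isset( $atts['url'] ) ? $atts['url'] : '#';
    return '<div class="card" title="' . $title . '"><a href="' . $url . '">' . $title . '</a></div>';
}

// --- Shortcode: hardened with the core API --------------------------------
function wcr_card_safe( $atts ) {
    // shortcode_atts() whitelists the attribute names and supplies defaults,
    // so unexpected keys never reach the template.
    $atts = shortcode_atts(
        array(
            'title' => get_option( 'wcr_card_default', '' ),
            'url'   => '',
        ),
        $atts,
        'wcr_card'
    );

    // Escape by context at output time: esc_attr() inside attribute values,
    // esc_url() for href/src (rejects javascript: and other non-allowed
    // schemes), esc_html() for text nodes.
    return sprintf(
        '<div class="card" title="%1$s"><a href="%2$s">%3$s</a></div>',
        esc_attr( $atts['title'] ),
        esc_url( $atts['url'] ),
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'wcr_card', 'wcr_card_safe' );

// --- Settings form: nonce on the way out, verification on the way in -----
function wcr_card_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wcr_card_save', 'wcr_card_nonce' ); ?>
        <input type="hidden" name="action" value="wcr_card_save">
        <label>Default card title
            <input type="text" name="wcr_card_default"
                   value="<?php echo esc_attr( get_option( 'wcr_card_default', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

function wcr_card_save() {
    // Capability check first: a valid nonce only proves the request came
    // from a form this site rendered for this user, not that the user is
    // allowed to change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // wp_verify_nonce() returns false for a missing, forged or expired
    // nonce; this is what stops a third-party page that POSTs the same
    // fields on the logged-in user's behalf (CSRF).
    $nonce = isset( $_POST['wcr_card_nonce'] ) ? $_POST['wcr_card_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'wcr_card_save' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // Sanitize on input (strip tags, normalise whitespace), escape on output.
    $value = isset( $_POST['wcr_card_default'] )
        ? sanitize_text_field( wp_unslash( $_POST['wcr_card_default'] ) )
        : '';
    update_option( 'wcr_card_default', $value );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_wcr_card_save', 'wcr_card_save' );
```

The two halves divide the work the way core does: `sanitize_text_field()` runs once when data enters the database, and `esc_attr()`/`esc_url()`/`esc_html()` run at the moment of output, chosen by where in the markup the value lands. The capability check precedes the nonce check on purpose; a nonce is not an authorization token.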
GPL Non-Adherence.
  Obfuscated code: base64-encoded, ionCube-encrypted
Requiring footer links (site shutdowns,
         database injections)
 Use of malware tactics to advertise!
Poor Support.
   Freelancers
Commercial Products
(Some) Freelancers.
Taking money without providing value.
     Extremely late or never finish.
   Can’t do what they say they can.
(Some)
Commercial Products.
1000 downloads, 4000 support requests.
  Users publicly dissatisfied on boards.
 Minimal enforcement by marketplaces.
Code Compatibility.
     Not using Core APIs.
 Turning off core actions/filters.
 Breaking shortcodes/plugins.
Show Me Yours.
Have you experienced any shadiness?
How Do We Balance
   This Stuff?
Report Bugs.
To WordPress Core (Trac).
To products and themes.
To be fair:
If they don’t know,
   they can’t fix it.
Demand Support.
Based on what you paid/what’s offered.
    Follow their normal channels.
       No response? Escalate.
No Support? Be Loud.
     Call out on Twitter/Blog
   Recommend that others not use it
     Tell your friends/clients
Referrals.
       For Products.
      For Freelancers.
Look at real-world examples.
Ask People. Don’t feel weird.
Do You Build Products?
Are You a Freelancer?
Do Awesome Work.
Provide
Awesome Support.
Be an
Awesome Experience.
You’re a
User/Client/Customer?
Support Quality
   Products.
Support GPL
Adherent Products.
Support Quality,
GPL Adherent Products.
:*