[wp-hackers] XSRF - announcement ! / Plugin WP
Brian Layman
wp-hackers at thecodecave.com
Thu Dec 23 17:10:44 UTC 2010
On 12/23/2010 11:50 AM, Andrew Nacin wrote:
> Correct. security at wordpress.org or plugins at wordpress.org is the proper venue.
> The patch you suggest on your site is NOT secure. It does nothing at all to
> make the plugin more secure.
>
> You should use wp_nonce_field() with check_admin_referrer() (and other
> related functions) to properly secure forms from CSRF.
>
> Nacin
The GeoLocation plugin is great to look at for security ideas. It
actually has working examples of a majority of the standard WordPress
plugin security techniques. I was so impressed I wrote a review of it here:
http://thecodecave.com/2010/06/22/wordpress-security-a-plugin-done-right/
Among other techniques it shows an example of wp_nonce_field()'s brutish
older brother wp_create_nonce() and their OCD companion wp_verify_nonce().
-Brian Layman
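The two nonce pairs named in this thread, shown together in a small settings page. This is an added example, not code from the thread, from the GeoLocation plugin, or from WordPress core; the option name, menu slug, action strings and field names are made up for illustration. The core functions used (wp_nonce_field, check_admin_referer, wp_create_nonce via wp_nonce_url, wp_verify_nonce, the admin_post_* hook) are real WordPress APIs; note the spelling is check_admin_referer, with one "r" before the final "er".

```php
<?php
// Added example: CSRF protection for a plugin settings form and for an
// action link. Assumes it runs inside WordPress as part of a plugin.
// "example_*" names, the option key and the menu slug are hypothetical.

add_action('admin_menu', function () {
    add_options_page('Example Settings', 'Example Settings', 'manage_options',
        'example-settings', 'example_render_settings_page');
});

function example_render_settings_page() {
    // Capability check first: a nonce proves intent, not authorization.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.');
    }

    if (isset($_POST['example_value'])) {
        // check_admin_referer() looks for the field written by wp_nonce_field()
        // (same action string and field name) and dies if it is missing,
        // invalid or expired. Only after that do we touch the request data.
        check_admin_referer('example_save_settings', 'example_nonce');
        $clean = sanitize_text_field(stripslashes($_POST['example_value']));
        update_option('example_value', $clean);
        echo '<div class="updated"><p>Saved.</p></div>';
    }

    $value = get_option('example_value', '');
    ?>
    <form method="post">
        <?php wp_nonce_field('example_save_settings', 'example_nonce'); ?>
        <input type="text" name="example_value"
               value="<?php echo esc_attr($value); ?>">
        <input type="submit" class="button-primary" value="Save">
    </form>
    <p><a href="<?php echo esc_url(example_delete_link(7)); ?>">Delete item 7</a></p>
    <?php
}

// The lower-level pair: wp_create_nonce() builds the token (here through
// wp_nonce_url(), which appends it as _wpnonce) and wp_verify_nonce()
// checks it. The item id is folded into the action string so a token
// minted for one item cannot be replayed against another.
function example_delete_link($id) {
    $url = add_query_arg(
        array('action' => 'example_delete_item', 'item' => absint($id)),
        admin_url('admin-post.php')
    );
    return wp_nonce_url($url, 'example_delete_item_' . absint($id));
}

add_action('admin_post_example_delete_item', function () {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions.');
    }
    $id    = isset($_GET['item']) ? absint($_GET['item']) : 0;
    $nonce = isset($_GET['_wpnonce']) ? $_GET['_wpnonce'] : '';

    // wp_verify_nonce() returns false on failure, 1 or 2 on success
    // (depending on the token's age), so test for falsiness.
    if (!wp_verify_nonce($nonce, 'example_delete_item_' . $id)) {
        wp_die('Invalid or expired request.');
    }

    delete_option('example_item_' . $id);
    wp_safe_redirect(admin_url('options-general.php?page=example-settings'));
    exit;
});
```

The point Nacin makes holds in both halves: the nonce is checked before any state changes, and it is tied to a specific action (and, for the link, a specific item), which is what a hand-rolled referer or hidden-field check does not give you.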