“VIP Scanner” Plugin Updated with Exports and a Brand New Design

WordPress.com VIP themes and plugins represent over 5 million lines of code, with thousands more committed every day. Since we manually review all of this code, we try to make it as easy as possible for developers to double-check their code against the standards that we look for, streamlining the process for everyone.

Version 0.4 of the VIP Scanner is another step in that direction. We’ve refreshed the interface to make it easier to use: instead of choosing the theme and the type of review you want to run, we’ll automatically show you the results for the current theme. Issues are broken down by severity, with the most pressing issues at the top. And we’ve moved Notes (these are issues that you should be aware of, but are not strictly necessary to fix) to another tab to help reduce clutter.

We’ve also added the ability to export your VIP Scanner results, so you can submit them alongside your theme to our team for review. We’ll be polishing this a bit more in future iterations, but for now it simply downloads a Markdown-formatted text file with the details of your review. If you’re using the VIP Theme Review scan, you’ll also be asked a set of standard questions before you run the export, which will help us understand the thought process that went into building the theme. The answers to these questions are included in the export as well.

As always, pull requests are welcome over on GitHub.

Andrew Nacin: Scaling WordPress & Optimizing Security

Andrew Nacin, WordPress Lead Developer and Tech Ninja at Audrey Capital, presented two topics at the WordPress in Government Workshop: “A Crash Course in Scaling WordPress” and “WordPress.org & Optimizing Security for your WordPress sites.”

A crash course in scaling WordPress

In this talk Andrew explains how WordPress can scale (spoiler: it’s easy!) by delving into the multiple roles nginx can play, along with tips on tweaks at the PHP and WordPress software levels, as well as at the hardware level.

WordPress.org & Optimizing Security for your WordPress sites

In this presentation Andrew walks through the differences between major and minor WordPress releases, the philosophy on backwards compatibility, and a basic crash course in WordPress security. Click through his slides to learn more.

Want more information about WordPress for government or enterprise sites? Contact WordPress.com VIP Services.

Key Differences Between Validation and Sanitization

VIP Services developer Daniel Bachhuber shares some tips on writing better code for your WordPress site:

Your code works, but is it safe? When writing code for a high-profile environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. This commonly comes up when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.

There’s a distinction between how input and output are managed, however.

Validation: Checking User Input

To validate is to ensure the data you’ve requested of the user matches what they’ve submitted. There are several core methods you can use for input validation; usage obviously depends on the type of fields you’d like to validate. Let’s take a look at an example.

Say we have an input area in our form like this:

<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />

Just like that, we’ve limited our user to five characters of input, but there’s no limitation on what they can input. They could enter “11221” or “eval(”. If we’re saving to the database, there’s no way we want to give the user unrestricted write access.

This is where validation plays a role. When processing the form, we’ll write code to check each field for its proper data type. If it’s not of the proper data type, we’ll discard it. For instance, to check “my-zipcode” field, we might do something like this:

$safe_zipcode = intval( $_POST['my-zipcode'] ); // non-numeric input becomes 0
if ( ! $safe_zipcode ) {
    $safe_zipcode = ''; // discard anything that did not validate
}
update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );

The intval() function casts user input as an integer, and defaults to zero if the input was a non-numeric value. We then check to see if the value ended up as zero. If it did, we’ll save an empty value to the database. Otherwise, we’ll save the properly validated zipcode.

This style of validation most closely follows WordPress’ whitelist philosophy: only allow the user to input what you’re expecting. Luckily, there are a number of handy helper functions you can use for almost every data type.
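The same whitelist approach applied to a whole settings form, as an added example rather than code from the original post. It is plain PHP with no WordPress dependency; the field names, the defaults and the sample submission are constructed for the demo. It goes a little beyond the zipcode case above by also covering a select box, a bounded integer and a checkbox, and it keeps the ZIP code as a validated five-digit string so a leading zero survives.

```php
<?php
// Added example (not from the original post): whitelist validation of a
// small settings form before anything is saved. Field names, defaults and
// the $submitted array are constructed for the demo.

/**
 * Validate submitted settings against an explicit whitelist.
 * Anything that does not match the expected type is discarded
 * (replaced by the field's safe default), never "fixed up".
 */
function validate_settings( array $submitted ): array {
    $clean = array(
        'my_zipcode'     => '',
        'layout'         => 'single-column',
        'posts_per_page' => 10,
        'show_author'    => false,
    );

    // ZIP code: exactly five ASCII digits. Kept as a string so a leading
    // zero (e.g. 02134) survives; intval() as used above would drop it.
    if ( isset( $submitted['my_zipcode'] )
        && is_string( $submitted['my_zipcode'] )
        && preg_match( '/^[0-9]{5}\z/', $submitted['my_zipcode'] ) ) {
        $clean['my_zipcode'] = $submitted['my_zipcode'];
    }

    // Select box: only values from a fixed list are accepted. Strict
    // comparison so "0", an array or a loosely-equal value cannot match.
    $allowed_layouts = array( 'single-column', 'two-column', 'sidebar-left' );
    if ( isset( $submitted['layout'] )
        && in_array( $submitted['layout'], $allowed_layouts, true ) ) {
        $clean['layout'] = $submitted['layout'];
    }

    // Integer within a range: FILTER_VALIDATE_INT rejects "25abc" and
    // floats instead of silently casting them the way intval() does.
    if ( isset( $submitted['posts_per_page'] ) ) {
        $n = filter_var(
            $submitted['posts_per_page'],
            FILTER_VALIDATE_INT,
            array( 'options' => array( 'min_range' => 1, 'max_range' => 100 ) )
        );
        if ( false !== $n ) {
            $clean['posts_per_page'] = $n;
        }
    }

    // Checkbox: the only accepted "true" is the literal value the form sends.
    $clean['show_author'] = isset( $submitted['show_author'] )
        && '1' === $submitted['show_author'];

    return $clean;
}

// Constructed input standing in for $_POST: two fields pass, two do not.
$submitted = array(
    'my_zipcode'     => '02134',
    'layout'         => 'three-column', // not in the whitelist, falls back to default
    'posts_per_page' => '25abc',        // not an integer, falls back to default
    'show_author'    => '1',
);

$clean = validate_settings( $submitted );
// Only now would a theme hand $clean to update_post_meta() or update_option().
print_r( $clean );
```

Each field has exactly one accepted shape and one safe fallback, so a reviewer can read the whitelist straight off the function without tracing where the data goes afterwards.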

Sanitization: Escaping Output

For security on the other end of the spectrum, we have sanitization. To sanitize is to take the data you may already have and help secure it prior to rendering it for the end user. WordPress thankfully has a few helper functions we can use for most of what we’ll commonly need to do:

esc_html() should be used any time an HTML element encloses a section of data we’re outputting.

<h4><?php echo esc_html( $title ); ?></h4>

esc_url() should be used on all URLs, including those in the ‘src’ and ‘href’ attributes of an HTML element.

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

esc_js() is intended for inline JavaScript.

<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>

esc_attr() can be used on everything else that’s printed into an HTML element’s attribute.

<ul class="<?php echo esc_attr( $stored_class ); ?>">

It’s important to note that most WordPress functions already prepare their data for output, so you don’t need to escape it again.

<h4><?php the_title(); ?></h4>

Also, as there are always exceptions to the rule, there is a selection of user-submitted data that needs to be both validated and sanitized. Freeform text areas fall into this category. For these, you can run the user data through sanitize_text_field() or one of the wp_kses_*() functions.
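A before/after rendering of one stored record, added here as an example and not code from the original post. The esc_html(), esc_attr() and esc_url() fallbacks are simplified stand-ins defined only so the script runs outside WordPress; inside a theme the real functions already exist and the fallbacks are skipped, and the esc_url() stand-in is far narrower than WordPress’s. The card record is constructed.

```php
<?php
// Added example (not from the original post): the same record rendered
// without and with context-appropriate escaping. The function_exists()
// guards let the script run outside WordPress; they are stand-ins only.

if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_url' ) ) {
    // Simplified stand-in: allow only http/https, then escape for an attribute.
    function esc_url( $url ) {
        $url = trim( (string) $url );
        if ( ! preg_match( '#^https?://#i', $url ) ) {
            return '';
        }
        return esc_attr( $url );
    }
}

// Vulnerable: stored values dropped straight into markup. Any quote, angle
// bracket or non-http scheme in the data changes the structure of the page.
function render_card_unsafe( array $card ): string {
    return '<div class="' . $card['css_class'] . '">'
         . '<h4>' . $card['title'] . '</h4>'
         . '<a href="' . $card['link'] . '">more</a></div>';
}

// Hardened: every value escaped for the context it lands in
// (text node, attribute value, URL attribute).
function render_card_safe( array $card ): string {
    return '<div class="' . esc_attr( $card['css_class'] ) . '">'
         . '<h4>' . esc_html( $card['title'] ) . '</h4>'
         . '<a href="' . esc_url( $card['link'] ) . '">more</a></div>';
}

// Constructed record with the kinds of values that break unescaped markup:
// markup in a title, a quote that closes the attribute early, a non-http URL.
$card = array(
    'title'     => 'Sales & Marketing <b>Q4</b>',
    'css_class' => 'card" title="injected',
    'link'      => 'javascript:void(0)',
);

echo render_card_unsafe( $card ), PHP_EOL;
echo render_card_safe( $card ), PHP_EOL;
```

Run both lines through any HTML parser and the difference is visible immediately: the unsafe version gains an extra attribute and a non-http link, while the safe version renders the title as literal text, keeps the class attribute intact and drops the link entirely.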

To recap: follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. If it’s not the proper type, discard it. Sanitize data as much as possible on output, and sanitize the subset that needs it on input too.

Hit us with your questions or tips in the comments.

Naked Security Joins WordPress.com VIP

The wildly popular and informative Naked Security blog from the leading IT security firm Sophos recently launched in our WordPress.com VIP program:
http://nakedsecurity.sophos.com/

The mission of the blog is to highlight “various news, opinion, advice and research on computer security issues and the latest internet threats.”

Just this past November, the Naked Security team was bestowed with a very prestigious award — crowning them the “Best IT Security Blog” from the Computer Weekly Blog Awards.

[ Visit Naked Security ]

Ready to become a VIP Services Client? Some of the world’s biggest brands rely on WordPress.com VIP Services.

VaultPress: First Golden Tickets

Very exciting news: invites to VaultPress — a subscription-based protection, security and backup service for WordPress blogs and sites — are now starting to go out.

Over the weekend we started to trickle out the first Golden Ticket invites to VaultPress. This means that if you’re on the list you now have a semi-random chance of being one of the first people who can sleep more soundly at night because of VaultPress.

If you didn’t receive your invite yet, there is a way to possibly get one more quickly:

If you’d like to move ahead in the line, write a blog post about why you want to use VaultPress and link it here, or tweet why you need your site protected by VaultPress and use the hashtag #vaultpress.

[ Visit VaultPress.com ]

Tips for Updating Your WordPress and Keeping it Secure

Keeping your WordPress setup up-to-date is a critical component of your overall security strategy, along with strong passwords and a secure hosting environment.

As Matt points out in a recent post, with each new version of WordPress it has become easier to be notified of updates and of new plugin versions, and WordPress 2.5 even adds a one-click auto-update feature for plugins.

In addition, one-click updating of the core WordPress software is something that’s being actively tackled for future versions of WordPress.

So what’s the best way to update your WordPress? Matt has a good summary:

  1. Upgrade your blog to the latest WP. This shouldn’t be hard. There are plugins for it; if you’re techy, use Subversion; there is the standard FTP method; and finally Media Temple, Dreamhost, and Bluehost (through SimpleScripts) all have been pretty good about having their one-click upgrade systems ready with new versions within a day or two of a release. If your host is chronically behind, vote with your wallet and switch.
    • If you need someone to help you upgrade, consider hiring help on the wp-pro mailing list. (It has close to a thousand subscribers and consultants on it.) Or you could always ply a geeky friend with caffeine, libations, food, or gadgets. Just get them to set up a system like the above so you can do it yourself next time.
  2. Change your passwords, for yourself and any other users you have on the system. If the attacker grabbed your password when you were on an old version, they can still log in after you’ve upgraded if you don’t change it. There’s a new password strength meter in 2.5 that helps you pick a good password.
  3. Search through your posts for any that might have been modified, and comb through the directories on your web server looking for anything out of the ordinary. Your host may be able to help you with the latter.
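One way to make step 3 repeatable, added here as an example and not part of Matt’s post or of any WordPress tooling: a small PHP command-line script that records a SHA-256 manifest of the web root right after a clean upgrade and later reports any added, removed or changed files. The script name, the paths and the manifest file name are assumptions.

```php
<?php
// Added example (not from the original post): a PHP CLI helper for
// "comb through the directories on your web server". It snapshots a clean
// WordPress tree into a manifest and later diffs the live tree against it.
// Script name, paths and manifest file name are assumptions for the demo.

/** Walk $root and return [relative path => sha256] for every regular file. */
function build_manifest( string $root ): array {
    $root     = rtrim( $root, '/' );
    $manifest = array();
    $iter     = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel              = substr( $file->getPathname(), strlen( $root ) + 1 );
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

/** Compare two manifests and list what appeared, vanished or changed. */
function compare_manifests( array $baseline, array $current ): array {
    $report = array( 'added' => array(), 'removed' => array(), 'changed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['changed'][] = $path;
        }
    }
    foreach ( $baseline as $path => $hash ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// Usage (assumed paths):
//   php wp-integrity.php snapshot /var/www/html > wp-manifest.json   (right after a clean upgrade)
//   php wp-integrity.php check /var/www/html wp-manifest.json        (later, during a review)
$mode = $argv[1] ?? '';
$root = $argv[2] ?? '';
if ( 'snapshot' === $mode && is_dir( $root ) ) {
    echo json_encode( build_manifest( $root ), JSON_PRETTY_PRINT ), PHP_EOL;
} elseif ( 'check' === $mode && is_dir( $root ) && isset( $argv[3] ) ) {
    $baseline = json_decode( (string) file_get_contents( $argv[3] ), true ) ?: array();
    $report   = compare_manifests( $baseline, build_manifest( $root ) );
    foreach ( $report as $kind => $paths ) {
        foreach ( $paths as $path ) {
            echo strtoupper( $kind ), "\t", $path, PHP_EOL;
        }
    }
    // Non-zero exit when anything differs, so a cron job or CI step can flag it.
    exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
} else {
    fwrite( STDERR, "usage: php wp-integrity.php snapshot|check <wordpress-root> [manifest.json]\n" );
    exit( 2 );
}
```

Take the snapshot immediately after an upgrade you trust and keep the manifest somewhere the web server cannot write. Expect legitimate churn under wp-content/uploads and any cache directories; an unexplained change to a PHP file, or a new PHP file anywhere in the tree, is what deserves a closer look, and it pairs naturally with the post search in step 3.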

And, big picture, if maintaining and upgrading doesn’t sound like something your organization wants to tackle and you are hosting your blogs on your own infrastructure, consider hosting with a provider that offers one-click upgrades (we list a few here) or hosting on WordPress.com VIP.

[ via Photomatt ]