[wp-hackers] XSRF - announcement ! / Plugin WP
wp-hackers at thecodecave.com
Thu Dec 23 17:10:44 UTC 2010
On 12/23/2010 11:50 AM, Andrew Nacin wrote:
> Correct. security at wordpress.org or plugins at wordpress.org is the proper
> The patch you suggest on your site is NOT secure. It does nothing at all to
> make the plugin more secure.
> You should use wp_nonce_field() with check_admin_referer() (and other
> related functions) to properly secure forms from CSRF.
The GeoLocation plugin is great to look at for security ideas. It
actually has working examples of a majority of the standard WordPress
plugin security techniques. I was so impressed I wrote a review of it here:
Among other techniques it shows an example of wp_nonce_field()'s brutish
older brother wp_create_nonce() and their OCD companion wp_verify_nonce().
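The pairing the thread recommends, shown end to end as an added example (this is not code from the thread, from WordPress core, or from the GeoLocation plugin): a settings form emitted with wp_nonce_field() and checked with check_admin_referer(), plus a nonce-protected link built with wp_create_nonce() (via wp_nonce_url()) and checked by hand with wp_verify_nonce(). All myplugin_* names, the option key and the admin page slug are hypothetical; the capability checks are there because a nonce proves the request came from the user's own session, not that the user is allowed to do the action.

```php
<?php
// Added example: CSRF protection for a WordPress plugin form and action link.
// All "myplugin_*" names, the option key and the page slug are hypothetical.

// Render the settings form. wp_nonce_field() emits a hidden input holding a
// nonce bound to the action string and the logged-in user's session.
function myplugin_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $current = get_option( 'myplugin_greeting', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save" />
        <label>Greeting:
            <input type="text" name="greeting" value="<?php echo esc_attr( $current ); ?>" />
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handle the POST. check_admin_referer() verifies the nonce field named in
// its second argument against the same action string and calls wp_die() on
// failure, so nothing below it runs for a forged cross-site request.
function myplugin_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    $greeting = isset( $_POST['greeting'] )
        ? sanitize_text_field( wp_unslash( $_POST['greeting'] ) )
        : '';
    update_option( 'myplugin_greeting', $greeting );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=myplugin' ) ) );
    exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

// The lower-level pair: wp_nonce_url() calls wp_create_nonce() to append a
// nonce to a GET link, and wp_verify_nonce() checks it. wp_verify_nonce()
// returns 1 or 2 while the nonce is valid and false otherwise.
function myplugin_reset_link() {
    $url = admin_url( 'admin-post.php?action=myplugin_reset' );
    return wp_nonce_url( $url, 'myplugin_reset_greeting', 'myplugin_reset_nonce' );
}

function myplugin_handle_reset() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    $nonce = isset( $_GET['myplugin_reset_nonce'] )
        ? sanitize_text_field( wp_unslash( $_GET['myplugin_reset_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'myplugin_reset_greeting' ) ) {
        wp_die( 'Nonce check failed.', 'Forbidden', array( 'response' => 403 ) );
    }
    delete_option( 'myplugin_greeting' );
    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_reset', 'myplugin_handle_reset' );

// Register the settings page under Settings.
add_action( 'admin_menu', function () {
    add_options_page( 'MyPlugin', 'MyPlugin', 'manage_options', 'myplugin', 'myplugin_render_settings_page' );
} );
```

The action string passed to wp_nonce_field() must match the one passed to check_admin_referer() exactly, and likewise for the wp_nonce_url()/wp_verify_nonce() pair; a plugin that uses a generic action for every form gives up most of the protection, since a nonce minted for one form would then be accepted by another.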