[wp-hackers] XSRF - announcement ! / Plugin WP

Brian Layman wp-hackers at thecodecave.com
Thu Dec 23 17:10:44 UTC 2010

On 12/23/2010 11:50 AM, Andrew Nacin wrote:
> Correct. security at wordpress.org or plugins at wordpress.org is the proper 
> venue
> The patch you suggest on your site is NOT secure. It does nothing at all to
> make the plugin more secure.
> You should use wp_nonce_field() with check_admin_referrer() (and other
> related functions) to properly secure forms from CSRF.
> Nacin

The GeoLocation plugin is great to look at for security ideas. It 
actually has working examples of a majority of the standard WordPress 
plugin security techniques.  I was so impressed I wrote a review of it here:

Among other techniques it shows an example of wp_nonce_field()'s brutish 
older brother wp_create_nonce() and their OCD companion wp_verify_nonce().

-Brian Layman

More information about the wp-hackers mailing list