This course is designed to provide an overview of the concepts and techniques necessary to build secure web applications in WordPress. It is designed for intermediate-level WordPress developers interested in acquiring these tools, but is also appropriate for experienced engineers new to the WordPress API. For those seeking an introduction to the WordPress API, or an overview of how to write basic themes and plugins for WordPress, there are myriad resources available at learn.wordpress.org.
The OWASP Top 10
The course is framed around the Open Worldwide Application Security Project's (OWASP) top 10 list of the world's most critical web application vulnerabilities, popularly known as the OWASP Top 10. We'll focus particularly on the five of these vulnerabilities that most affect the work of those building secure applications in WordPress.
Our first, and perhaps most important, focus is on injection vulnerabilities and the various tools WordPress provides to mitigate them. We then turn to access control issues in WordPress, including a deep dive into the WordPress role and capability system and the checks built on it. We then take up three other OWASP Top 10 categories: security misconfiguration, vulnerable and outdated components, and server-side request forgery.