If you’re concerned about cross-site scripting and how it impacts your WordPress website, you’re definitely not being paranoid. While the vulnerability of cross-site scripting (also known as XSS), is not exclusive to WordPress site owners, its potential negative impacts on WordPress sites are incredibly important to understand.
In this guide, we’ll break down the cross-site scripting (XSS) vulnerabilities you need to keep an eye on. Some of this is going to get a bit technical, but at the end of the guide, you’ll be able to make an informed decision about your overall WordPress site security as it relates to cross-site scripting. In addition, you’ll know exactly what to do to avoid an attack.
Now, let’s dive in.
What is Cross-Site Scripting (XSS)?Cross-site scripting (XSS) is a type of malware attack that’s executed by exploiting cross-site vulnerabilities on any WordPress site. In fact, it’s the most common way for WordPress sites to be hacked because there are so many WordPress plugins that have XSS vulnerabilities.
Cross-Site Scripting Explained
What is cross site scripting in even more technical terms?
This is even more true if you’re running a very large or complex WordPress site with a lot of plugins that work in unison.
The many different types of XSS attacks can be summarized into two distinct categories:
- Malicious script that’s executed in the browser on the client’s side
- Malicious script that’s stored and executed on your server, then served up by a browser
In either of these cases, the hack uses a cross site scripting attack to manipulate the way your site works, or even steal critical site data.
What Makes XSS Attacks Common For WordPress Websites?
As a WordPress user, you may already know how complex some WordPress plugins are. In fact, some plugins that you’re using are even more complex than WordPress core itself.
Unfortunately, the more complex the WordPress plugin, the higher the possibility that you’ll face security issues. Plugin authors know how difficult it is to protect against XSS attacks, and it really does make their job quite a challenge.
Some of the most-esteemed tech giants, such as Facebook, Apple and Google have suffered from XSS attacks in the past. In fact, they employ entire dedicated security teams to minimize the risks of these attacks.
That should help put things in more of a perspective as to how easily an attack can sneak into a WordPress plugin, with far fewer security resources than the tech giants have.
You’re probably wondering how vulnerable your site is to cross site scripting attacks.
First, it’s important to note that if you’re keeping all of your themes and plugins fully updated, you’ve already significantly lowered your risk. However, there is no one guaranteed way to fully protect against an XSS attack.
Most WordPress sites have vulnerabilities that are non-public and hackers can exploit. Because of this, regular scans of your site are vitally important. More on that later.
While the damage that hackers can do with a cross site scripting attack depends on the exact details of their end goal, in the worst cases your entire site can be taken over.
In other cases, hackers will make minor changes to a website, or even redirect a site to a malicious site they’ve set up.
To put it another way, hackers exploiting WordPress cross-site scripting vulnerabilities know how to:
- Hijack your users’ sessions by detecting Session ID’s
- Place redirects and popups that you didn’t authorize
- Spearhead malicious phishing attacks
- Record every keystroke of their victim by installing keyloggers
- Steal your financial information, or the financial information of a site user
What Are the Types of Cross-Site Scripting?
Not all XSS attacks are equally dangerous. In fact, some are a lot more dangerous than others.In some attacks, the hackers will have full access to your WordPress site. At that point, they can basically do anything they want with it.
In other cases, the attack will allow a hacker to modify a portion of your site. While not as dangerous as a full-site XSS hack, this can also be very dangerous because it will serve malware to all of your visitors.
Different cross site scripting attacks require a hacker to be a contributing site member. In cases such as these, the danger posed is significantly lower.
How Does Cross Site Scripting Work?
Seasoned hackers find site vulnerabilities by using automated tools. After they discover the vulnerabilities, it becomes a simple matter of executing the desired hack.
Unfortunately, the entire hacking process can be performed by bots.
There are five different ways that hackers use XSS to carry out their goals.
1. Hijack a User Session
An XSS attack can help hackers gain access to cookies. The most dangerous aspect of this is that this type of attack revealed the session ID of a user.
The majority of websites utilize sessions for each site user to set a unique identifier. Sessions are then stored within session cookies by using a script.
Hackers are able to send a session cookie to the specific site, for example, http://198.178.260.468/ and the request is logged into the server’s access.log file.
When the hacker uses the session information, they can log into any of the accounts you’ve logged into without the need for a password.
2. Unauthorized Activity Execution
For example, they may engage a script that causes a message to pop up in your comments section, and continues to be posted repeatedly.
This type of cross scripting attack typically takes the form of a malicious script that spreads like a virus to your users. It can also be used to deface your site.
3. Phishing Attacks
Often, WordPress cross site scripting vulnerabilities lead hackers into a much larger scheme than a simple XSS attack.
Cross site scripts can lead to phishing attacks on your site.
Typically, a malicious script begins to push a phishing scam on your WordPress site that’ll trick users into providing highly sensitive information.
This is a very dangerous attack.
4. Keylogger Installation
This type of attack involves a hacker implementing a script that will install a keylogger onto a vulnerable WordPress site.
Each time your user types something, this keylogger stores the information and transmits it to the hacker. It’s a quick and easy way to steal credit card info, passwords, medical information, and a lot more.
5. Theft of Sensitive Info
We’ve discussed cookies and how they’re stolen. But this particular attack takes this principle to a different level.
Imagine a scenario where your credit union’s “internet banking” page is under an XSS attack. If a hacker uses a particular script, a hacker could log directly into your checking account without validation.
While this isn’t a new concept, it’s an extension of what hackers are capable of performing by using session cookies.
How Do I Protect My WordPress Site From Cross-Site Scripting Attacks?
The real problem is that professional hackers continue to come up with wiser variations of malicious text that can now bypass even the best cross-site scripting prevention.
It really is a sort of cat and mouse game.
The best way to detect XSS attacks is to use a plugin such as iThemes Security Pro iThemes Security Pro has several website security features to build your frontline of defense against cross-site scripting attacks. (more on that in a bit).
It’s also incredibly important couple your defense with a WordPress backup plugin like BackupBudy that can restore an earlier point in your site’s history, if the worst should happen.
Obviously, in a perfect world, hacks like this would never happen. But XSS attacks are incredibly difficult to protect against, which makes hardened WordPress security your highest priority.
- Information forms
- Search bars
Keep in mind that the data entry field doesn’t necessarily have to be visual. In some cases, it can be a faulty variable within your site code that calls up unsanitized data from a database or any other file.
Persistent Or Stored XSS Attacks
Assume for a moment that your site is a blog that has an open comments section. If one of your users leaves a comment for you, that data is shipped off to the database and stored.
It’s important that your site is configured to sanitize that data prior to being stored in your database. In other words, it should check to see if the user entered a comment that legitimate or if it’s a malicious script.
Without this check in place, it can open an XSS flaw in WordPress.
This is how it works:
1. Hacker Locates and Exploits the Vulnerability
Hackers employ scanners that search the internet and locate sites that have vulnerabilities to cross site scripting attacks. Once a site is found, malicious scripts are planted into the site’s comments section.
Without any checks in place, your site takes the malicious script and ships it to the database.
2. Visitors View Your Infected Page
For an average site visitor, a hacker’s data looks like a standard comment. What this visitor doesn’t know is that a simple comment is an executable code that will steal cookies.
Anyone visiting the page will be negatively impacted.
3. Browser Cookie Theft
Most users typically have several tabs open on their browsers at all times, for things like social media, email, Amazon, YouTube, and their employer’s website.
When a user visits an infected site and views the page that contains a hacker’s comment, the code gets immediately executed and enables a hacker to steal browser cookies.
The attack is called a cross site attack because they’re able to steal the cookies from every website that’s open on any tab.
4. Exploiting the Stolen Cookies
Using the stolen cookies, a hacker poses as an authenticated site user on, for example, shopping sites to make illegal purchases.
Attackers are also able to steal account information, such as passwords and usernames, and hack into emails to send phishing emails to an entire contact list.
The malicious possibilities are seemingly endless.
Non-Persistent Or Reflective XSS Attacks
This is not an attack on site visitors, but an attack on the website.
If you’re a WordPress site owner, you probably have a lot of browser tabs open, yourself.
Often, the WordPress admin dashboard is just one of many different tabs that your routinely leave open. And this is exactly what makes reflective XSS attacks possible.
Here’s how it happens:
1. Site Owner Is Drawn To a Malicious Link
In some cases, a hacker will send a malicious link through to your email in hopes that you’ll fall for their little trick.
In other cases, hackers will place malicious links on other sites.
If you click one of these links, a script loads onto your WordPress site from an external site.
2. Grabbing Session Cookies
When you click on the malicious link, you execute the code they’ve employed. This will enable the hacker to steal your cookies and gain access to the administrator account of your WordPress website.
After they’ve gained full administrative access to the site, they could easily steal sensitive data and login credentials. They could even lock you out of your site or use it to run any number of different hacks.
What’s scary is that they’ll be done in your name.
A properly-executed XSS attack will have major consequences to your business and website, and could irreparably damage your credibility. Recovering from these attacks can take a lot of your precious time and hard-earned money.
That’s why it’s so important to take every possible precaution against it.
WordPress Cross-Site Scripting Prevention: 5 Steps
There’s no easy way to say this, but a foolproof plan for avoiding cybercrime doesn’t exist. The best thing to do is to have a solid plan in place for routine WordPress security audits. Your first step to avoiding XSS attacks is to start preparing right now with these steps.
1. Download and Install the iThemes Security Pro Plugin
To get started securing and protecting your site, download and install the iThemes Security Pro plugin.
2. Secure Your Users from Session HijackingSimply put: you should have session hijacking protection in place for your Admins and Editors on your WordPress website.
Why? As we mentioned before, ordPress generates a session cookie every time you log into your website. And let’s say that you have a browser extension that has been abandoned by the developer and is no longer releasing security updates. Unfortunately for you, the neglected browser extension has a vulnerability. The vulnerability allows bad actors to hijack your browser cookies, including the earlier-mentioned WordPress session cookie. Again, this type of hack is known as Session Hijacking. So, an attacker can exploit the extension vulnerability to piggyback off your login and start making malicious changes with your WordPress user.
The iThemes Security Pro Trusted Devices feature makes Session Hijacking a thing of the past. If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
The Trusted Devices feature in iThemes Security Pro works to identify the devices that you and other users use to login to your WordPress site. After your devices are identified, we can stop session hijackers and other bad actors from doing any damage on your website.
When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that if an attacker were able to break into the backend of your WordPress site, they wouldn’t have the ability to make any malicious changes to your website.
In this scenario, you will receive an email that lets you know that someone logged into your site from an unrecognized device. The email includes an option to block the hacker’s device. Then you can just laugh and laugh, knowing that you ruined a bad guy’s day.
Another benefit of Trusted Devices is that it makes Session Hijacking a thing of the past. If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
To start using Trusted Devices, enable them on the main page of the security settings, and then click the Configure Settings button.
In the Trusted Devices settings, decide which users you want to use the feature, and enable then Restrict Capabilities and Session Hijacking Protection features.
After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. If your current device hasn’t been added to the trusted devices list, click the Confirm This Device link to send the authorization email.
Click the Confirm Device button in the Unrecognized Login email to add your current devices to the Trusted Devices list.
Once Trusted Devices is enabled, users can manage devices from their WordPress User Profile page. From this screen, you can approve or deny devices from the Trusted Devices list.
Additionally, you have the option to signup for some third-part APIs to improve the accuracy of the Trusted Devices identification and to use static image maps to display the approximate location of an unrecognized login. Check out the Trusted Devices setting to see what integrations are available,
3. Activate Version Management to Keep Your Themes and Plugins Updated
It is hard to keep track of every disclosed WordPress vulnerability—we keep track and share them in our WordPress Vulnerability Roundups—and compare that list to the versions of plugins and themes you have installed on your website. However, this doesn’t stop WordPress hackers from targeting plugins and themes with known vulnerabilities. Having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your website.
The Version Management feature in iThemes Security Pro allows you to auto-update WordPress, plugins, and themes. Beyond that, Version Management also has options to harden your website when you are running outdated software and scan for old websites.
To get started using Version Management, enable the module on the main page of the security settings.
Now click the Configure Settings button to take a closer look at the settings.
4. Turn on the iThemes Security Site Scan
The iThemes Security Pro Site Scan checks your website for known WordPress, plugin, and theme vulnerabilities and applies a patch when one is available.
To enable the Site Scan on new installs, navigate to the iThemes Security Pro settings and click the Enable button on the Site Scan settings module.
To trigger a manual Site Scan, click the Scan Now button on the Site Scan Widget located on the right side-bar of the security settings.
The Site Scan results will display in the widget.
If the Site Scan detects a vulnerability, click the vulnerability link to view the details page.
On the Site Scan vulnerability page, you will see if there is a fix available for the vulnerability. If there is a patch available, you can click the Update Plugin button to apply the fix on your website.
There can be a delay between when a patch is available and the iThemes Security Vulnerability Database getting updated to reflect the fix. In this case, you can mute the notification to not receive any more alerts related to the vulnerability.
Important: You should not mute a vulnerability notification until you have confirmed your current version includes a security fix, or the vulnerability doesn’t affect your site.
5. Turn on File Change Detection
To start monitoring file changes, enable File Change Detection on the main page of the security settings.
Once File Change Detection is enabled, iThemes Security Pro will start scanning all of your website’s files in chunks. Scanning your files in chunks will help to reduce the resources required to monitor file changes.
The initial file change scan will create an index of your website’s files and their file hashes. A file hash is a shortened, nonhuman readable version of the content of the file.
After the initial scan completes, iThemes Security Pro will continue to scan your file in chunks. If a file hash changes on one of the subsequent scans, that means the contents of the file have changed.
You can also run a manual file change by clicking the Scan Files Now button in the File Change Detection settings
Wrapping Up: Cross-Site Scripting and Protecting Your WordPress Site
We hope this guide helped you understand the risk of cross-site scripting on your WordPress site. By implementing a few WordPress security best practices, along with the 5 steps above, you’ll have a better line of defense.
Kristen has been writing tutorials to help WordPress users since 2011. You can usually find her working on new articles for the iThemes blog or developing resources for #WPprosper. Outside of work, Kristen enjoys journaling (she’s written two books!), hiking and camping, cooking, and daily adventures with her family, hoping to live a more present life.