WordPress CSRF Attacks: Vulnerability and Prevention
Cross-Site Request Forgery (known as CSRF or XSRF) is one of the most severe hacks faced by WordPress websites. This hack takes place because of vulnerabilities present in WordPress plugins installed on the site.
Here, hackers trick website users into carrying out malicious actions that are harmful to both the website owner and the user. CSRF attacks can have devastating repercussions for both parties and need to be prevented from the get-go!
Using CSRF, a hacker can gain full control of your website and use it to run any kind of malicious activity they want. They could redirect your visitors to other malicious sites or dupe them into downloading malware. They can also go to the extent of stealing funds from you and your customers!
If you’re a victim of this hack or wish to prevent it, we’ve got you covered. In this article, we’ll show you how to fix a CSRF attack and how to prevent it.
TL;DR: If your website has been hacked, you need to fix it immediately. We’d suggest downloading and installing the CSRF Attack Removal Plugin on your website to run a deep scan of your website & cleaning it instantly. Once your website is clean, the plugin will protect your site from future hack attempts.
Table of Content
What Is a CSRF Attack (Cross-Site Request Forgery)?
The CSRF WordPress attack is slightly complicated to understand but we’re going to break it down as much as we can.
On a website that has user subscriptions, members, or logins, each user has privileged access into their own account on the site. For example, an Amazon account, Gmail account or even an online banking account.
Such a website gives its users login credentials – usernames and passwords. This is done to authenticate the user. So, when a user wants to log in, they enter the username and password to verify themselves. This way, the website can establish trust with the user and their browser.
In a CSRF attack, a hacker tricks this authenticated user into performing malicious actions.
1. Understanding ‘Cross Site’
To explain how this happens, let’s use an example. Say, the user has logged in to Site A and has left it open on a tab in the browser. (Remember that this Site A is logged into – it’s important.)
Now, let’s assume the hacker has the user’s email address. They send an email to the user about incredible discounts that are going to expire in the next few hours. The user is duped into clicking on the link in the email. This opens up a website called Site B (which is run by the hacker).
On Site B, they are required to fill out a form or enter their email address to claim the discount. The user clicks on a seemingly normal button to ‘submit’ the form.
But behind the scenes of this ‘submit’ button on Site B, a hacker has inserted their malicious scripts.
Now remember Site A that’s open on another tab. This script sends a request to Site A and runs malicious actions on it. This is why it is known as ‘cross-site’.
2. Understanding Request
The hackers script sends a request from Site B to Site A on behalf of the user. The unwanted malicious action could be anything from changing admin passwords to even transferring funds out of bank accounts!
3. Understanding ‘Forgery’
Lastly, because the hacker uses the authentication of the user to fool Site A, it’s a ‘forgery’. Thus the name ‘Cross-site Request Forgery’.
In a nutshell, the hacker makes Site A think that their malicious instruction is a legitimate request sent from the authenticated user. But how is it possible for Site B to send a request to Site A? We’ll go deeper into how this happens in the next section.
Note: This section is technical and caters to seasoned WordPress users or developers. If you want to skip it and go directly to preventing CSRF attacks on your site, jump ahead to CSRF Preventive Measures for WordPress Site Owners.
How Did The WordPress CSRF Vulnerability Occur on Your Site?
To explain how the vulnerability takes place, we need to understand how the user’s browser and a website communicate.
1. Understanding Browser Requests
Here, we’ll discuss two kinds of HTTP requests and browser cookies:
i. HTTP GET Request
When you visit a website, you send an HTTP GET request to the server of that website. This request will ask for the data that is needed to display the front-end of the site. The web server will respond and send the data requested. Then, the contents of the website will load on your browser.
When a person is not logged into a site, they are an unauthenticated user. So when GET and POST requests are sent, no cookies are used. There are no security issues in this scenario. But when the user has logged in, they are now an authenticated user.
ii. The CSRF Process
We’ll explain this with an example. Here, we’ll show you how a hacker can take control of a user’s account and then use it to hack your website using a CSRF vulnerability.
→ What Happens On The User Side?
- A user is logged into targetwebsite.com on their browser.
- Next, the hacker lures this user into clicking on trickwebsite.com by sending them an email that tells them to visit this site and sign up to receive $50 in their account. (These links can also be inserted on the targetwebsite.com itself using other vulnerabilities)
- We’re going to assume that the victim thinks this trick website is legitimate and falls for the scam. Here, they fill up a form with their details and click on ‘Submit’.
- On trickwebsite.com, the hacker has already placed HTML code behind this ‘Submit’ button. When clicked upon, it will send a POST request to targetwebsite.com (where the user is already logged in) on behalf of this user.
→ What Happens On The Website Side?
- Using cookies, targetwebsite.com verifies the user (and the browser) and allows the request. This request will look legitimate as it’s coming from the authenticated user.
- But the POST request sent contains malicious script that could do harm to the website. For instance, the script could contain a command to change the current account password to “newpassword123”.
- When the request is accepted by targetwebsite.com, the code will run and change the password. Then, the hacker will be able to login to the account using the new password and take full control.
- Next, the hacker can now run further attacks on the website. Depending on the privileges granted to this user, they might be able to access targetwebsite.com’s database and take control of functionality as well.
This is just one example of what a hacker can do using CSRF attacks. There are plenty of other scenarios that can take place. But both the user and the website will be affected by this hack.
How To Prevent a CSRF Attack on a WordPress Website?
WordPress websites become exposed to CSRF attacks because plugins have vulnerabilities that allow it to happen.
According to a full disclosure report by PluginVulnerabilities.com, many of the popular plugins they checked had security issues that made websites vulnerable to CSRF attacks. To prevent CSRF hacks, developers of plugins need to implement certain security measures. We’ll touch upon these measures briefly and then tell you what you, as a WordPress site owner, can do to stop CSRF attacks.
i. CSRF Preventive Measures for Plugin Developers
If you are a plugin developer, here are a few measures you can take to help prevent CSRF attacks:
1. Anti-CSRF Tokens
An anti-CSRF token is a hidden value that is sent with the particular user’s cookies and request. This is how it works:
- The web server generates this token and is placed as a hidden field on the form.
- When the user fills and submits the form, the token is included in the POST request.
- The server will compare the token generated and the token sent by the user.
If it matches, the request will be valid. If it doesn’t match, the request is deemed invalid. This prevents CSRF attacks from taking place.
A developer can add these tokens while creating or updating their plugin.
2. Using Nonces
Although used interchangeably, Anti-CSRF Tokens and Nonces are different. A nonce value (numbers used once) is like a one-time password that is generated for the request.
When an HTTP request is submitted, the nonce is generated to verify the request. But once used, the nonce is invalidated and the user cannot submit the form again using the same nonce value.
3. Same-Site Cookies
CSRF attacks are possible because of cross-site requests made using the same cookies. A same-site cookie means a cookie can be sent only if the request is made from the same website the cookie was created.
The problem with this method is that expect Chrome and Firefox and a few other browsers, not all browsers support same-site cookies.
This can be used as an additional defense layer but shouldn’t be used alone to prevent CSRF attacks.
We won’t go into further details of these preventive measures because almost all of them can be bypassed by hackers nowadays. Hackers are only getting smart by the day and developing new techniques to overcome the preventive measures we take.
We’ll move on to what proactive and reactive measures you can take as a WordPress site owner to protect yourself against these CSRF attacks.
ii. CSRF Preventive Measures For WordPress Site Owners
As we mentioned above, creators of plugins should take measures to make their application safe. But what if they don’t? How do you know which plugins have implemented anti-CSRF measures?
WordPress rarely stands on its own. Plugins play an important role in the functionality and design of a website. So while WordPress sites need plugins, do you just blindly trust that these plugins have taken appropriate security measures?
No! Website owners need to be on guard and take their own security measures even if plugin developers don’t.
Here’s what you can do to protect yourself from CSRF attacks:
1. Use Anti-CSRF Plugins
There aren’t many plugins available in the WordPress repository that are dedicated to CSRF attacks. Here are two that we found:
(A) Comment Form CSRF Protection – This WordPress plugin adds an anti-CSRF token to your comment forms. The token has a unique value that is kept secret and is impractical to guess. So if a user submits a form, the secret token will be submitted along with it. Only if it matches, the form submission request will be accepted.
(B) Same-site cookies – This plugin works on supported browsers that include Chrome, Firefox, IE and Edge. It ensures that when HTTP requests are submitted, the cookies that are sent are from the same site. This blocks any cross-site requests and therefore, blocks all CSRF attacks.
2. Install an All-round WordPress Security Plugin
There are plenty of security plugins available for WordPress websites. These plugins can keep your site safe from all kinds of hackers including the CSRF kind. But not all security plugins provide you with the same level of security.
Plus, the CSRF attack is tricky to find. Hackers disguise it well from the site owner and the user, so it goes unnoticed. You need a plugin that will be able to detect such disguised malware.
While choosing a security plugin, you need to ensure it does the following in order to stay protected against CSRF attacks:
- Regularly scans your website for any malicious scripts.
- Combs through all files and databases of your website.
- Has the ability to spot any kind of malware – including new, hidden or disguised. (Some plugins only search for already-discovered malware.)
- Alerts you if there is any suspicious activity on your website.
- Gives you an independent dashboard so that you can clean up your website even if a hacker locks you out of your own admin account.
A plugin that gives you such protection and features is MalCare. Once you install the plugin on your WordPress website, it will enable you to get rid of any CSRF attack. It will also get rid of WordPress malware a hacker might’ve added to your site during the hack.
Your website will be protected with a proactive firewall that will block malicious IP addresses and bad bots from visiting your website.
If a hacker manages to hack your site using a malicious cross-site request, this WordPress security plugin will alert you immediately. You can then take action immediately using the same plugin.
3. Harden Your Website
WordPress recommends that you take certain measures to harden your website. This will make it extremely difficult for hackers to break in. We’ve covered a few measures in brief but we recommend reading our extensive guide of WordPress Hardening.
As many of these points are a bit technical, the detailed guide will help you get a better understanding of it. Here are a few hardening measures to prevent or reduce the damage caused by CSRF attacks include:
a. Use Two-Factor Authentication
Having two-factor authentication adds an extra layer of verification of users. A user will have to enter their login credentials, after which a second password will be required. This could be a one-time password sent to the registered email or phone number of the user. It could also be an authentication number generated by an app like Google Authenticator.
b. Block PHP Execution in Untrusted Folders
If a CSRF attack enables a hacker to get access to the files of your website, they can execute PHP functions to perform malicious tasks. (PHP function is a block of code written in a program). You can also disable the PHP executions in places where it doesn’t need to happen.
c. Disable File Editor
If a hacker gets access to your WordPress Administrator account, they can take full control of your website. On the dashboard, they can access “Editor” under your plugins or themes. Here, they can edit or upload their own scripts to display their content, deface your site, SEO spam your users, etc.
d. Change Security Keys
You might’ve noticed you don’t have to enter your login credentials every single time you want to access your WordPress account. It’s already populated in the designated fields. To ensure this information is safe from hackers, WordPress uses security keys that encrypts and stores this data.If a hacker breaks into your site using a CSRF attack, they might get access to this information. They can then change it to something else and use it to keep logging into the admin account of your website when they want.
- You can apply these hardening measures manually as explained in the guide we recommended. Or you can use MalCare to implement them in just a few clicks.
4. Delete All Unused Themes & Plugins
The more plugins and themes you have installed on your website, the more opportunities the hackers have to exploit. It’s best to delete any unused plugins and themes and keep only the ones you use.
CSRF attacks have serious repercussions for both the user and the website.
If a hacker is successful in running their scripts through the HTTP request, they can take over your website. After this, there’s no telling what they can do. They could deface your website to display their own propaganda or sell illegal products or drugs. They could also redirect your website’s visitors to their own websites.
These sites will usually be adult sites, ones that sell illegal products, or ones that dupe visitors into downloading malware.
- As a website owner, you need to take measures to ensure you stay safe against these attacks. We advise you to keep a security plugin such as MalCare active on your WordPress site as it will provide you with all-round protection.
- We recommend implementing website hardening measures to make it difficult for hackers to break in.
- Lastly, take precautions while using plugins and themes. Install trusted themes and plugins from the WordPress repository or marketplaces like ThemeForest and CodeCanyon.
We are confident that once you implement these measures on your WordPress website, you will be safe against hackers!
Protect Your WordPress Site With MalCare!
Melinda is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Melinda distils the wisdom gained from building plugins to solve security issues that admins face.