Securing Your WordPress Site Against Real Threats

Do you run a WordPress website? As a fellow site owner, I want to have an important conversation about properly securing your online presence.

Website attacks are growing more dangerous than ever. Just last year, over 1.3 million WordPress sites were hacked according to Jetpack data. The aftermath dealt staggering losses, with victims reporting up to $300,000 worth of damages.

From account takeovers to data destruction, the implications can truly be devastating.

However, by understanding key threats like clickjacking and cross-site scripting (XSS), we can better defend against them. I'll explain effective techniques to implement, like X-Frame-Options and HTTPOnly cookies.

If you actively secure your site, you can save yourself endless headaches down the road. Let's get started!

Clickjacking – The Hidden Hijacker

Imagine you run an online polling website built in WordPress. A journalist embeds your latest survey about local politics into their article. Seems harmless, right?

But unknowingly, they overlay transparent buttons linking to dodgy casinos atop your site's actual voting options. Without realizing it, visitors trying to participate get redirected to unwanted links instead!

This shady tactic is known as clickjacking – secretly hijacking clicks meant for one site to perform actions on another. Also called a UI redress attack, it relies on tricky overlays and iframes to fool users.

And hidden clickjacking attempts are growing out of control.

Infamous group Anonymous used similar tactics in early clickjacking campaigns. By uploading YouTube videos overlaying links, they hijacked viewer clicks to perform unwanted actions like sharing questionable posts.

Later, more malicious hackers adopted clickjacking to spread scams and steal data. Targeting popular platforms like WordPress only expanded its dangerous reach further.

How Clickjacking Works

The common clickjacking flow looks like this:

  1. Attacker iframes the victim WordPress site
  2. They overlay transparent buttons linking elsewhere
  3. Position these hidden buttons atop key site buttons
  4. Redirect victim clicks to perform unintended actions

This relies on tricking users into clicking one thing but actually performing a hidden action elsewhere.

Advanced clickjacking can even directly compromise site owner accounts! Rather than overlays, attackers design hidden iframes in which keystrokes leak data.

For example, an invisible login form injected over the page can capture WordPress login credentials. Once victims submit it unknowingly, their accounts are compromised.

Stopping Clickjackers With X-Frame-Options

So how do ethical site owners prevent clickjacking?

Introducing X-Frame-Options – an HTTP header that controls if other sites can frame your content in iframes.

We can configure X-Frame-Options in various modes:

  • DENY – Blocks your page from being iframed entirely
  • SAMEORIGIN – Only allows framing by pages on the same origin
  • ALLOW-FROM – Permits framing by specific external sites

For securing WordPress sites, the SAMEORIGIN policy offers the right balance:

X-Frame-Options: SAMEORIGIN

With this set, any page on another origin that tries to load our site in an iframe will be blocked!

Let's implement it:

  1. Access wp-config.php in cPanel file manager
  2. Add this header line:
header('X-Frame-Options: SAMEORIGIN'); // must run before any output is sent
  3. Save changes

Now your site has clickjacking protection enabled!

Alternatively for simpler management, plugins like Simple Firewall can inject security headers too.

With X-Frame-Options set properly, you can rest easy knowing clickjackers won't be hijacking your site anytime soon.

HTTPOnly Cookies – Defeating XSS Attacks

Beyond clickjacking, another rampant threat facing WordPress sites is cross-site scripting, better known as XSS.

But before we dive in, I wanted to say:

If you've been hacked before by attackers injecting scripts... it wasn't your fault.

Too often, site owners get unfairly blamed for security incidents out of their direct control. The responsibility lies with malicious actors, not well-meaning site runners like yourself.

Now back to understanding and conquering XSS attacks together!

These attacks work by injecting malicious scripts into vulnerable website input fields. If WordPress fails to sanitize entries properly, hackers can execute damaging JavaScript code on visitor browsers.

Common XSS consequences include:

  • Stealing or manipulating visitor cookies
  • Extracting sensitive information via scripts
  • Redirecting the browser or hijacking tabs
  • Keylogging and phishing users

Top WordPress vulnerabilities that enable XSS stem from insufficient user-supplied input filtering across features like comments, contact forms and more.

And once again, XSS attacks have become widespread.

With so much at stake, what can conscientious site owners do?

Guarding Against XSS With HTTPOnly

HTTPOnly cookies provide protection against stealing or manipulation by JavaScript code.

They work by setting a special flag when the web server issues cookies:

Set-Cookie: sessionID=abcde; HttpOnly

With HttpOnly set, browsers will not allow client-side JavaScript to access protected cookies. This restricts XSS attacks from directly stealing or tampering with them.

We can enable HTTPOnly cookies in WordPress like so:

  1. Open wp-config.php in cPanel file editor
  2. Add the following directives:
@ini_set('session.cookie_httponly', true);  // hide the PHP session cookie from JavaScript
@ini_set('session.cookie_secure', true);    // send it over HTTPS only
@ini_set('session.use_only_cookies', true); // never accept session IDs from the URL
  3. Save changes

This flags all WordPress session cookies with HTTPOnly, blocking JavaScript access.

For enhanced security, it's paired with the Secure flag to restrict transmission to HTTPS channels only.

After setup, verify your WordPress cookies have HTTPOnly enabled against XSS threats.
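As an added check that is not part of the original post, the script below covers both the X-Frame-Options step above and this cookie verification: it audits a set of response headers and reports cookies lacking HttpOnly or Secure, pages with neither X-Frame-Options nor a CSP frame-ancestors directive, and the ALLOW-FROM form, which current browsers ignore. WordPress core issues its auth cookies with setcookie() rather than PHP sessions, so inspecting the real response is the reliable test. SAMPLE_HEADERS is constructed, with a placeholder in place of the cookie-name hash.

```python
import urllib.request

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, {attribute: value}); attribute names are lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:  # skip empty segments from a trailing ';'
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs

def audit_headers(headers):
    """Check a list of (name, value) response headers; return human-readable findings (empty list = clean)."""
    findings = []
    xfo = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]
    csp = " ".join(v for n, v in headers if n.lower() == "content-security-policy")
    if not xfo and "frame-ancestors" not in csp.lower():
        findings.append("no X-Frame-Options or CSP frame-ancestors: any origin may frame this page")
    for value in xfo:
        if value.startswith("ALLOW-FROM"):
            findings.append(f"X-Frame-Options '{value}' is ignored by current browsers; use CSP frame-ancestors")
        elif value not in ("DENY", "SAMEORIGIN"):
            findings.append(f"X-Frame-Options '{value}' is not a valid value and will be ignored")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly, readable by injected JavaScript")
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure, may be sent over plain HTTP")
    return findings

def fetch_headers(url):
    """Return the headers of a live response as (name, value) pairs; urllib follows redirects, so pass the final URL."""
    with urllib.request.urlopen(url) as resp:
        return resp.getheaders()

# Constructed sample (not a real capture); HASH stands in for the per-site cookie-name suffix
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("X-Frame-Options", "ALLOW-FROM https://example.com"),
    ("Set-Cookie", "wordpress_logged_in_HASH=admin%7C1; Path=/; HttpOnly; Secure; SameSite=Lax"),
    ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; Path=/"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; HttpOnly"),
]
```

Run audit_headers(fetch_headers("https://your-site.example/wp-login.php")) against your own site; an empty list means every check here passes.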

So in summary, remember:

HTTPOnly Cookies = XSS Attacks Stopped!

Bonus: More Security Headers

Alongside X-Frame-Options for clickjacking protection and HTTPOnly against XSS attacks, additional HTTP headers can further harden WordPress:

Content Security Policy (CSP) – Whitelists approved JavaScript/CSS sources to trust

Referrer Policy – Masks referrer data to prevent info leaks

Feature Policy – Selectively disables browser features as needed

Their implementation varies based on context and threats. But broadly, OWASP guidelines recommend adopting these headers.

I suggest reviewing whether they apply to securing your own WordPress site!

Let's Stay Secure Together

I hope this piece has shed light on immediately actionable steps you can take to protect your online presence. While threats evolve rapidly, having the right fundamental knowledge empowers us to counter them.

Remember, by keeping your WordPress site securely configured with:

  • X-Frame-Options against clickjacking
  • HTTPOnly cookies to mitigate XSS attacks
  • Additional security headers as required

you can stop malicious actors in their tracks!

Here's to your continued safety and security online! Let me know in the comments below if you have any other questions.