How to protect WP from XSS or cross site scripting

[lakerslive]

Should i just remove all plugins and just go with default wp theme and thats it?

(yes, i always update but it still not enough) tnx

ive tried alot of the plugins,ex wordpence = junk

but they are still about to insert these effing files into my wordpress folders with encoded crap and turn my vps into a spam bot. I'm really desperate now.

[lakerslive]

Quote:

Originally Posted by lakerslive

Should i just remove all plugins and just go with default wp theme and thats it?

(yes, i always update but it still not enough) tnx

ive tried alot of the plugins,ex wordpence = junk

but they are still about to insert these effing files into my wordpress folders with encoded crap and turn my vps into a spam bot. I'm really desperate now.

Has anyone tried using wordpress without any plugins? how did that turn out for u guys

[Sarn]

noscript plugin + firefox good work for XSS detection.
make backups, read logs, fix problem

[Barry-xlovecam]

Keep the server's MySQL version patched and up to date. If you cannot do it yourself -- find a shared host that keeps their servers up to date.

That is the first line of defense.

[gnawledge]

What are the permissions set on those folders?

I use a lot of WordPress sites and never have those issues. I don't know if your host has permissions set differently. Because I have a server that's SUPHP and one is DSOHANLDER and I have to mess around with permissions to get things working right.

I googled your conundrum... take a look at this. Maybe you saw it maybe not.

https://hackertarget.com/xss-tutorial/

[just a punk]

Quote:

Originally Posted by lakerslive

How to protect WP from XSS or cross site scripting

The only 100% solution is to stop using all the vulnerable plugins. Unfortunately there is no universal solution which will give you a 100% guaranty. Also you can hire a coder who will check your plugins/themes for the XSS vulnerability and fix it if needed.

Quote:

Originally Posted by Sarn

noscript plugin + firefox good work for XSS detection.
make backups, read logs, fix problem

[Colmike9]

You could put this in php.ini to stop it (But if the site relies on any of these functions then you'll have to find an alternate or allow individually if necessary)

Code:

allow_url_fopen = off
allow_url_include = off
disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"

Then remove the base64 code that you see, de-encode it if you want to see what it's doing.
Then update things, remove plugins that you don't need or use, set your permissions to a safe level, etc.

[Sarn]

Quote:

Originally Posted by CyberSEO

The only 100% solution is to stop using all the vulnerable plugins. Unfortunately there is no universal solution which will give you a 100% guaranty. Also you can hire a coder who will check your plugins/themes for the XSS vulnerability and fix it if needed.

Что тебе не нравится клоун? ты уже посоветовал не использовать твой плагин и еще фейспалмишь мне?

[PornDiscounts-V]

It sounds like your server has dozens of backdoor scripts added to it. Your best bet is to export your posts via export tool, then delete everything. All of it. Then recreate it and import the posts. Then stop using themes from crappy sources and only use plugins you actually need.

[just a punk]

Quote:

Originally Posted by sarn

Что тебе не нравится клоун? ты уже посоветовал не использовать твой плагин и еще фейспалмишь мне?

Клоун это ты. Читай посты людей выше и учи английский уже, дебил блять.

P.s. Или дело не в английском? Ты может вообще ущербный и даже по-русски не понимаешь, что такое "защитить wp сайт от xss"? Так хрена ли ты вообще делаешь на этом форуме?

[lordaRaG0n]

If you're on an Apache 2 server try using the recommendations from securityheaders.io.
You should be able to implement the following without tweaks:
X-XSS-Protection
X-Frame-Options
X-Content-Type-Options

But for Content-Security-Policy you must whitelist in the headers every host/script that's allowed to use src= queries in your code. This is a bit tricky because you really need to review your code and you'll end up with a very long header if you got code from third parties and not internal, but it's doable.

The basic code without Content-Security-Policy can look like this in your .htaccess:

<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
</IfModule>

Also using mod_rewrite you can set additional restrictions on very specific strings which will help if you don't set a Content-Security-Policy:

RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

You can replace index_error.php to whatever error page you wish the use.

Hope it helps :D

[PornDiscounts-V]

His problem isn't xss. It is that he got hacked and they dropped shells all over his server.

[lakerslive]

not just 1 server, 2 different servers.. they not even linked to each other. I am not a server literate type guy.

I know some whm things... installing wp, customizing it, i knowledge here and there. But i have server knowledge of a 10 year old

[just a punk]

Quote:

Originally Posted by vvvvv

His problem isn't xss. It is that he got hacked and they dropped shells all over his server.

In this case the suggestion is as simply as this: don't download any themes/plugins from the unknown sources. According to the recent reports, over 90% of all that nulled/hacked shit floating online is stuffed with built-in backdoors.

[lakerslive]

just found out my server software is not upto date since i moved with liquidweb a month ago, when i first started them , there wasnt many xss injections, but a month later, they all started showing up,

[lakerslive]

i only use plugins from wordpress admin.. =(

[just a punk]

Quote:

Originally Posted by lakerslive

i only use plugins from wordpress admin.. =(

From what? You have to download them from wordpress.org (not every plugin is seriously tested even there) and from the trusted 3rd-party sources only.

[Sarn]

Quote:

Originally Posted by CyberSEO

Клоун это ты. Читай посты людей выше и учи английский уже, дебил блять.

P.s. Или дело не в английском? Ты может вообще ущербный и даже по-русски не понимаешь, что такое "защитить wp сайт от xss"? Так хрена ли ты вообще делаешь на этом форуме?

а ты еще и буйный дурачек И проблема не в языке а в твоей тупости.
что я делаю на форуме тебя вообще не должно ебать, понимаешь?
Любое решение проблем с безопастностью начинается с диагностики и чтения логов, чтобы из за пары идиотов не переделывать работу дважды а то и больше. Поэтому вешаешь плагин носкрипт лазишь по сайту и смотришь откуда у тя xss - далее читаешь логи и смотришь куда что залили. Далее фильтруешь в коде баги.

[just a punk]

Quote:

Originally Posted by Sarn

что я делаю на форуме тебя вообще не должно ебать, понимаешь?

Да мне насрать. Тут и без тебя дураков хватет. Одним - больше, одним - меньше.

Quote:

Originally Posted by Sarn

Любое решение проблем с безопастностью начинается с диагностики и чтения логов, чтобы из за пары идиотов не переделывать работу дважды а то и больше.

А, ну да, ну да... Стандартный анализ на XSS уязвимость это ж ни о чем, да? ;)

Quote:

Originally Posted by Sarn

вешаешь плагин носкрипт

[hdbuilder]

If both of your servers are hacked your home PC is probably the source, run ComboFix on it, then change all servers panel, FTP, root... passwords, then you can clean your servers

[Venum]

Serve cached pages. Use nginx as a proxy cache to the front of the web, and keep infra behind proxy.

[The Porn Nerd]

This thread is filled with nerds. LOL

[EvgenUA]

and russian hackers

[Coup]

OP I would suggest that you search for the names of the plugins and themes that you use here:

https://wpvulndb.com/plugins
https://wpvulndb.com/themes

Remove any that you find listed. You're likely using one or more that is a security vulnerability.

[xXXtesy10]

cyberseo trash garbage junk shit

[just a punk]

Quote:

Originally Posted by xXXtesy10

cyberseo trash garbage junk shit

Put that slogan into your signature and link it to my site. I will give you $10, which is enough to feed up all your village

[Sarn]

Quote:

Originally Posted by EvgenUA

and russian hackers

white hat. because who has not cracked the can not protect.
but if Putin asked


PS:restrict access to the admin panel wordpress only with your ip, even if you lose all your password all be safe. but it is better to detect and Fix xss in php code

.htaccess
<Files "wp-login.php">
Order deny,allow
Deny from All
Allow from 8.8.8.8
</Files>

8.8.8.8 - you static ip