How to protect WP from XSS or cross-site scripting
Should I just remove all plugins and just go with the default WP theme and that's it?
(Yes, I always update, but it's still not enough.) Thanks, I've tried a lot of the plugins, e.g. Wordfence = junk, but they are still able to insert these effing files into my WordPress folders with encoded crap and turn my VPS into a spam bot. I'm really desperate now.
The NoScript plugin + Firefox work well for XSS detection.
Make backups, read logs, fix the problem.
Keep the server's MySQL version patched and up to date. If you cannot do it yourself, find a shared host that keeps their servers up to date.
That is the first line of defense.
What are the permissions set on those folders?
I use a lot of WordPress sites and never have those issues. I don't know if your host has permissions set differently, because I have a server that's suPHP and one that is DSO handler, and I have to mess around with permissions to get things working right. I googled your conundrum... take a look at this. Maybe you saw it, maybe not. https://hackertarget.com/xss-tutorial/
You could put this in php.ini to stop it (but if the site relies on any of these functions then you'll have to find an alternative or allow individually if necessary):
Code:
allow_url_fopen = off

Then update things, remove plugins that you don't need or use, set your permissions to a safe level, etc.
It sounds like your server has dozens of backdoor scripts added to it. Your best bet is to export your posts via the export tool, then delete everything. All of it. Then recreate it and import the posts. Then stop using themes from crappy sources and only use plugins you actually need.
P.S. Or is the problem not the English? Maybe you're just defective and don't even understand in Russian what "protect a WP site from XSS" means? So what the hell are you even doing on this forum?
If you're on an Apache 2 server try using the recommendations from securityheaders.io.
You should be able to implement the following without tweaks: X-XSS-Protection, X-Frame-Options, X-Content-Type-Options. But for Content-Security-Policy you must whitelist in the headers every host/script that's allowed to use src= queries in your code. This is a bit tricky because you really need to review your code, and you'll end up with a very long header if you got code from third parties and not internal, but it's doable.
The basic code without Content-Security-Policy can look like this in your .htaccess:
Code:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
</IfModule>

Also using mod_rewrite you can set additional restrictions on very specific strings, which will help if you don't set a Content-Security-Policy:
Code:
RewriteEngine On
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index_error.php [F,L]
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

You can replace index_error.php with whatever error page you wish to use. Hope it helps :D
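To see whether requests like the ones those RewriteCond lines target are already sitting in your access log, here is an added Python example (not from the post above) that replays the same five query-string patterns and the TRACE/TRACK method rule over a few constructed Combined Log Format lines; the log lines, client IPs and rule names are made up for illustration.

```python
import re

# The post's five RewriteCond patterns as Python regexes, applied like Apache to the raw (still percent-encoded) query string.
QUERY_RULES = [
    ("base64_encode call", re.compile(r"base64_encode.*\(.*\)")),
    ("script tag", re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE)),  # [NC]
    ("iframe tag", re.compile(r"(<|%3C).*iframe.*(>|%3E)", re.IGNORECASE)),  # [NC]
    ("GLOBALS override", re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})")),
    ("_REQUEST override", re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})")),
]
BLOCKED_METHODS = {"TRACE", "TRACK"}  # the REQUEST_METHOD rule

# Combined Log Format: client ident user [time] "method target protocol" status size ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def matching_rules(method: str, target: str) -> list[str]:
    """Names of the rules that would fire for one request (empty list = allowed)."""
    hits = []
    if method.upper() in BLOCKED_METHODS:
        hits.append("method " + method.upper())
    query = target.partition("?")[2]  # everything after '?', like %{QUERY_STRING}
    for name, pattern in QUERY_RULES:
        if pattern.search(query):
            hits.append(name)
    return hits

def scan_access_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Replay each log line through the rules; return (client, target, rules) per hit."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        client, method, target, _status = m.groups()
        hits = matching_rules(method, target)
        if hits:
            findings.append((client, target, hits))
    return findings

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:13:55:36 -0700] "GET /?s=%3CScRiPt%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:01 -0700] "GET /index.php?GLOBALS[a]=1 HTTP/1.1" 200 1024 "-" "curl/8.0"
192.0.2.9 - - [10/Oct/2024:13:56:20 -0700] "GET /?s=javascript+basics HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:57:02 -0700] "TRACE / HTTP/1.1" 200 0 "-" "curl/8.0"
"""

if __name__ == "__main__":
    for client, target, rules in scan_access_log(SAMPLE_LOG):
        print(f"{client} {target} -> {', '.join(rules)}")
```

A 200 status on a line that trips a rule means the request was served before the rules were in place, so treat such hits as the place to start reading the rest of the log, not as proof that a blacklist alone is enough.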
His problem isn't XSS. It is that he got hacked and they dropped shells all over his server.
Not just 1 server, 2 different servers.. they're not even linked to each other. I am not a server-literate type of guy.
I know some WHM things... installing WP, customizing it, knowledge here and there. But I have the server knowledge of a 10-year-old.
Just found out my server software is not up to date since I moved to Liquid Web a month ago. When I first started with them, there weren't many XSS injections, but a month later, they all started showing up.
I only use plugins from WordPress admin.. =(
What I'm doing on this forum is none of your fucking business, understand? Any fix for security problems starts with diagnostics and reading the logs, so that you don't end up redoing the work twice or more because of a couple of idiots. So you install the NoScript plugin, browse around the site and see where your XSS is coming from; then you read the logs and see where they uploaded what. Then you filter the bugs in the code.
If both of your servers are hacked, your home PC is probably the source. Run ComboFix on it, then change all server panel, FTP, root... passwords; then you can clean your servers.
Serve cached pages. Use nginx as a proxy cache in front of the web, and keep the infra behind the proxy.
This thread is filled with nerds. LOL
and Russian hackers
OP, I would suggest that you search for the names of the plugins and themes that you use here:
https://wpvulndb.com/plugins
https://wpvulndb.com/themes
Remove any that you find listed. You're likely using one or more that is a security vulnerability.
cyberseo trash garbage junk shit
But if Putin asked...
PS: restrict access to the WordPress admin panel to your IP only; even if you lose all your passwords, everything will be safe. But it is better to detect and fix the XSS in the PHP code.
.htaccess:
Code:
<Files "wp-login.php">
Order deny,allow
Deny from All
Allow from 8.8.8.8
</Files>

8.8.8.8 - your static IP