What is WordPress Cross-site Scripting (XSS) and How to prevent it?

WordPress has laid the foundation of about a quarter of sites on the web, from the most influential blogs to small or individual sites for more than a decade. Undoubtedly, this huge CMS is also a sitting target for hackers and malware due to its popularity.

Bad behavior users can attack your WordPress site in various ways. Your site gets hacked due to vulnerability plugin installation. Some bots simply guess and try your username and password many times until finding the right one. Web hosting companies are considered a vulnerability source as well.

Besides these security risks, you should also pay extra attention to cross-site scripting (XSS) which appears as the most common and serious source of vulnerabilities.

You may be surprised how easy it is for bad people to attack your site via XSS. Luckily, there are still ways to protect your WordPress website from this dangerous vulnerability. Here are ways to prevent it. Before getting into details, let’s understand clearly what cross-site scripting is, how it works, and types of XSS.

What is WordPress Cross-Site Scripting?

Cross-site scripting (XSS) refers to a type of attack found in poorly secured WordPress websites. Hackers will inject malicious JavaScript code in scripting language into your site without your knowledge or approval by posting comments in the comment field. And that malicious script is run when other users visit the page.

The rogue JavaScript will typically redirect users to a fraudulent website that will attempt to steal their password or other identifying data.

In 2017, hackers exploited eBay’s stored XSS vulnerabilities to steal customer account credentials. These fraudsters still remained on eBay’s websites for over a month before being removed.

Types of XSS attacks

There are 3 different types of XSS vulnerability, including Indirect or Reflected XSS, Stored XSS, and DOM-based XSS.

1. Indirect or Reflected XSS

An attacker sends out an evil email with a malicious URL. When a user clicks on that link, it will send back a request to the vulnerable website. The vulnerable website then takes the request and includes a valid web page in the URL to make the user’s browser trust it. As a consequence, attackers can steal the users’ browser information such as their cookies and accounts.

2. Stored or Persistent XSS

Considered as the worst case, stored XSS happens when a website or web application stores user input in the webserver. It will be released whenever a page is accessed from a browser.

Blogs and forums are persistent attackers’ favorites. To take one example, a user’s credential information is stored in a database. When he clicks on the link to the post with a harmful script, the script is activated and steals his information.

3. DOM-based XSS

The last type of cross-site scripting attack is a DOM-based one. Different from the other two types, DOM-based XSS doesn’t go through your server.

The DOM-based cross-site scripting requires the user to open an infected page. When this happens, a script on the web page selects the URL variable and executes the code it contains.

How to find and test for XSS vulnerabilities

You can use web vulnerability scanners to quickly find out XSS vulnerabilities. It’s possible for you to manually test for reflected and stored XSS as well. To do so, you need to submit some simple unique input into every entry point in your WordPress site. Then, identify the locations that are submitted to see if it’s returned in HTTP responses.

To find out DOM-based XSS, you can follow this process:

  • Place a unique input in the parameter
  • Use the browser’s developer tools to search the DOM
  • Test each location to check if it’s exploitable

3 ways to protect your WordPress site from XSS

You’re able to apply several methods to remove XSS from your WordPress site. In fact, this is much harder than what you think, depending on the types of XSS your site gets attacked.

Preventing cross-site scripting is trivial in some cases but it can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

1. Escaping data

The first method to prevent XSS vulnerabilities is to escape user input. The most likely explanation is that you take the data your WordPress site has received and make sure that it’s secure before executing it for the end-users.

Once escaping user input, you can fill out and disallow malicious characters in the data received such as “< and >” ones. These are the most suspicious characters that could harm your website or your users.

It would be easier if you don’t allow users to add their own code to your pages, the rich text in a forum or a comment on a post, for example. You can escape any HTML, URL, and JavaScript entities. However, in case you permit users to input entries like leaving a comment, you need to select which HTML to escape carefully.

2. Validating input

While you need to take out data you’ve already received when escaping data, validating data means ensuring any new data from the outside is checked and rendered before getting to your site. This helps prevent malicious and untrusted data from doing harm to the site, database, and users.

Input validation is likely more common in SQL injection, you can also use it to stop XSS effectively. This solution proves useful to prevent cross-site scripting in forms on your WordPress website, since it blocks users from entering special characters into fields.

3. Sanitizing data

Last but not least, you can protect users against cross-site scripting by sanitizing user input. Although this method is really effective, you shouldn’t use it as the only way to prevent XSS.

WordPress includes a range of sanitization functions that are designed for specific use cases. For example,





absint(‘-123ABC’) 123 Sanitizes positive integers. [docs]
sanitize_email(“!#$%^&*()__+=-{}|\][:\”\’;<>?/.,[email protected]”) !#$%^&*__+=-{}|’?/[email protected] Sanitize email addresses. [docs]
sanitize_file_name(‘.-_/path/to/file–name.txt’); pathtofile-name.txt Sanitize filenames. [docs]
sanitize_html_class(‘class!@#$%^&*()-name_here.’); class-name_here Sanitize CSS class names. [docs]


Save your WordPress site from XSS

XSS vulnerabilities have shown up quite often in a lot of WordPress sites. Once attacked, all important information and data on your site will be stolen, such as the user cookies or session tokens.

There are 3 ways you can apply to protect your site from the cross-site scripting, including escaping, validating, and sanitizing data. You can try all 3 methods to make sure your WordPress site is totally secure.

To be noticed, “prevention is always better than cure”. Before letting XSS attacks break your site then find ways to deal with it, you need to protect your site at the beginning. Always keep a WordPress security plugin active on your site. Make sure your WordPress website is frequently updated. Using an SSL certificate to ensure data transmitted from and to your website is always encrypted. And remember to back up your website regularly.

Still have a burning question about how to prevent cross-site scripting? Let us know in the comment section below.