So one of our clients has been running security audits of a WordPress site, and has come back with some questions. To give some background, the site is running in SSL mode (entire site), admin tool is IP blocked, and every plugin is up to date. It's also a site where users can sign-up and have a profile as a subscriber.
There are a few items that I do not really want to address as they are part of the core of WordPress (something I've explicitly said we will not modify under any circumstances), so I was wondering if anyone had any easy fixes for these, or if they need to be added to the WordPress roadmap:
- _wpnonce token passed in URL. I have tracked this down to be solely in the admin tool, and related primarily to deleting items. I have circumvented this issue by IP-restricting the admin tool so it is minor, but maybe this is something that should look at using jQuery to turn them into POST requests.
- Session Cookie not set with secure flag. As the site is running completely in SSL mode, cookies need to be set as secure. It is setting the wordpress_sec_XXXXX cookie as secure, but not the wordpress_logged_in_XXXX cookie. Any way to force this to be secure too? I have tried using session_set_cookie_params() and setting that as ssl, but that didn't do the trick.
- Logout link does not destroy the session. When a user clicks the logout, the cookie is deleted, but it does not invalidate the old session making it possible for an attacker to potentially hijack a user's session using the stolen ID even after logging out.
There were some other items like sessions not timing out, but I have highlighted that this is by design as users want to stay logged in.
If anyone has any feedback or tips on how to address those, please let me know.
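As an added example (not code from the original post or from WordPress itself), the following must-use plugin addresses the second item, the `wordpress_logged_in_XXXX` cookie missing the Secure flag. WordPress sets Secure on `wordpress_sec_*` whenever the request is HTTPS, but `wp_set_auth_cookie()` decides separately for the logged-in cookie and passes that decision through the `secure_logged_in_cookie` filter; this plugin hooks that filter and forces `true`. The function name `example_force_secure_logged_in_cookie` is an assumption chosen for illustration.

```php
<?php
/**
 * Plugin Name: Force Secure Logged-In Cookie
 * Description: Added example (not part of the original post): force the
 *              Secure flag on the wordpress_logged_in_* cookie for a site
 *              that is served entirely over TLS.
 *
 * Place this file in wp-content/mu-plugins/ so it loads before any login.
 *
 * wp_set_auth_cookie() computes a separate "secure" decision for the
 * wordpress_logged_in_* cookie and runs it through the
 * 'secure_logged_in_cookie' filter before calling setcookie(). Returning
 * true from that filter makes the cookie Secure regardless of the default.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse to run when loaded outside of WordPress.
}

add_filter( 'secure_logged_in_cookie', 'example_force_secure_logged_in_cookie', 10, 3 );

/**
 * Force the Secure flag on the logged-in cookie when the login request
 * itself arrived over TLS.
 *
 * @param bool $secure_logged_in_cookie WordPress's default decision.
 * @param int  $user_id                 ID of the user being logged in.
 * @param bool $secure                  Whether the wordpress_sec_* cookie is Secure.
 * @return bool
 */
function example_force_secure_logged_in_cookie( $secure_logged_in_cookie, $user_id, $secure ) {
    // Guard against a non-TLS request (e.g. a misconfigured proxy): a Secure
    // cookie set over plain HTTP is never returned by the browser, so the
    // user would log in and immediately appear logged out again.
    if ( is_ssl() ) {
        return true;
    }

    // Otherwise leave WordPress's own decision untouched.
    return $secure_logged_in_cookie;
}
```

Two practical notes. First, the hook only influences cookies set from now on; users who already hold a non-Secure `wordpress_logged_in_*` cookie keep it until they log in again, so verify with a fresh login and inspect the `Set-Cookie` response headers. Second, `is_ssl()` inspects `$_SERVER['HTTPS']` and the port, so behind a TLS-terminating load balancer it can return false unless the forwarded-protocol header is mapped into `$_SERVER['HTTPS']` in wp-config.php; check that before relying on the guard above.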