WP Security Question

  • IT security keeps on asking me this question.

    Every time I do one of these scans I do some more reading and research about the issue and I’m still not completely convinced that WP is doing a good job of handling their session cookies and that they may be vulnerable to session hijacking.

    ….if WP can be made to set the cookies as secure; and failing that, what damage could or couldn’t be done by hijacking the user’s cookies? Knowing the answer to these questions will help us decide how to proceed.”

    An answer from the WP developer community would be ideal. Thank you.

    We have security measures like blocked IP, forced SSL login/session, table name changes, version changes etc… but I don’t know much about the session cookies and security. I’ve directed them to what I’ve done – Hardening WordPress etc..

Viewing 5 replies - 1 through 5 (of 5 total)
  • I have SSL installed and activated. All works fine. What plugins are you talking about?

    Apart from having SSL enabled and forcing SSL logins, what are other ways to avoid cookie hijacking or even securing cookies completely?

    In php.ini you’ll need to set the following:

    session.cookie_httponly = 1

    Attackers will often exploit Cross Site Scripting (XSS) flaws in web applications to inject JavaScript into pages, which could be used to steal session cookies. By setting this php.ini directive, you restrict JavaScript from accessing your cookies. This setting can effectively help to reduce identity theft through XSS attacks (although it is not supported by all browsers).

    session.cookie_secure = On

    session.cookie_secure specifies whether cookies should only be sent over secure connections. Defaults to off. This setting was added in PHP 4.0.4. See also session_get_cookie_params() and session_set_cookie_params().

    session.referer_check = your_url.tld

    Where your_url.tld could be:

    session.referer_check =

    Another small security feature is allowing PHP to check HTTP referer values so that session information is only passed internally while a user is viewing an application. This prevents users from accidentally publishing session information in a way that would allow external users to follow links and steal a session. This is especially useful if session information is being passed in a URL that could accidentally be published to a mailing list or web site.

    You may also be interested in Session Fixation.

    This is where an attacker explicitly sets the session identifier of a session for a user. Typically in PHP it’s done by giving them a url like…?session_name=sessionid. Once the attacker gives the url to the client, the attack is the same as a session hijacking attack.

    There are a few ways to prevent session fixation (do all of them):

    * Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not to include the identifier in the URL, and not to read the URL for identifiers. Defaults to 0 (disabled).

    * Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP to never use URLs with session identifiers. Defaults to 1 (enabled) since PHP 5.3.0.

    session.use_trans_sid = 0
    session.use_only_cookies = 1

    **NOTE** These are not just WordPress specific, but can be applied to other web apps written in PHP.
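
An added example, not part of the original replies and not WordPress or PHP project code: a small Python check that reads php.ini text and reports which of the session directives recommended above are still at a weak value. The function names and the sample ini text are constructed for illustration, and the "off" default assumed for session.cookie_httponly and the empty default for session.referer_check are assumptions taken from PHP's documented defaults, not from this thread.

```python
# name: (recommended value, PHP's built-in default when the directive is absent)
CHECKS = {
    "session.cookie_httponly": (True, False),   # default assumed from PHP docs
    "session.cookie_secure": (True, False),
    "session.use_trans_sid": (False, False),
    "session.use_only_cookies": (True, True),   # on by default since PHP 5.3.0
}
ON_OFF = {True: "On", False: "Off"}

def parse_ini(text):
    """Return {directive: raw value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                                # blank line or [Section] header
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def as_bool(raw):
    """php.ini booleans: On/True/Yes or a non-zero integer are true, the rest false."""
    raw = raw.lower()
    return raw in ("on", "true", "yes") or (raw.isdigit() and int(raw) != 0)

def audit(text):
    """Return a list of (directive, problem) for every setting that is still weak."""
    settings, findings = parse_ini(text), []
    for name, (want, default) in CHECKS.items():
        have = as_bool(settings[name]) if name in settings else default
        if have != want:
            state = "set" if name in settings else "unset, so PHP default"
            findings.append((name, f"{state} {ON_OFF[have]}, want {ON_OFF[want]}"))
    if not settings.get("session.referer_check"):   # empty means no check at all
        findings.append(("session.referer_check", "empty, so no referer check is done"))
    return findings

# Constructed sample, not taken from a real server.
SAMPLE_WEAK = """[Session]
session.cookie_httponly =
session.cookie_secure = Off   ; SSL login is forced but the cookie flag is not
session.use_trans_sid = 1
"""

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_WEAK):
        print(f"{name}: {problem}")
```

These directives apply to PHP's native session cookie; the check says nothing about cookies an application sets itself with setcookie().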

    Thank you @woocommerce and @mickeyroush for your help. @mickeyroush, but we’re talking WP specific security here.

    How does WP handle cookies when SSL is forced?

    Are they vulnerable to session hijacking even when SSL is forced?

    @mickeyroush, but we’re talking WP specific security here.

    I assumed that’s what you were implying. Thus my response.

    Great @MickeyRouch. I’ll see what my admins have in place and work on strengthening session security as you’ve directed. Thanks. Let me know if there’s more info out there.

  • The topic ‘WP Security Question’ is closed to new replies.