XSS attacks are particularly devious, and especially popular with hackers. We show how you can protect yourself against the hijacking of your site, both as a website operator and as a user.
The security provider Wordfence analysed 1,599 WordPress plugins over 14 months, and the most common weakness of all was so-called XSS vulnerabilities. Almost 47 percent of the gaps found were related to cross-site scripting, XSS for short. Reason enough to take a closer look at this type of attack, in which hackers infiltrate your site with malicious code and virtually hijack it. The attackers use your blog, your shop or your company website as a vehicle for their illegal activities.
XSS vulnerabilities become dangerous whenever user input is passed on to the web server without verification, for example in contact forms or comment fields. Once successful, hackers can steal data, integrate your site into a botnet or infect your visitors' computers. Fortunately, there are some very simple protective measures against XSS attacks.
XSS is equally relevant for visitors and site operators
It is important to understand that XSS vulnerabilities on WordPress sites are equally relevant for site operators and visitors. Site operators' sites are exploited to serve the hackers' base aims, and site visitors are often the victims, for example through data theft or the spread of malicious code.
In principle, XSS attacks start where users send data to the site operator's web server. Code is smuggled in at these critical points, and if the user input is not checked critically, e.g. by a firewall, it can infect the site. The different types of XSS attacks are described in our article on WooCommerce.
Most important: regular WordPress updates
The vulnerabilities hackers use to introduce malicious code are found either in the WordPress core, in plugins or in themes. This is exactly why regularly updating all of these components is so important: these updates correct the weaknesses that have been found to date.
It also makes sense to read the update notes of the respective manufacturers regularly, to get a feeling for the security holes that the updates routinely close. For the maintenance and security updates of the WordPress core, this information is documented in the WordPress blog, for example. The best example is the latest security update, WordPress 4.7.5.
Firewalls and whitelists against simple XSS attacks
Another simple protective measure against XSS attacks is the so-called web application firewall, or WAF. These firewalls are the heart of the major security plugins and are fed with the latest vulnerabilities by the manufacturer's research team. In general, a WAF is a mechanism that protects web applications from attacks carried out over the Hypertext Transfer Protocol (HTTP).
But even these protective mechanisms have their limits, because in some XSS attacks the attack takes place via the database. Checking user input for malicious code is therefore one of the central security mechanisms in the fight against XSS attacks. For example, the content of comments is scanned for suspicious character strings and rejected if necessary.
The data output should also be secured
Securing the output means that stored content is escaped when it is rendered, so the browser treats it as text rather than as markup. Programming knowledge is required to implement this; a developer or CTO, for example, can implement this data output protection easily.
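The following is an added example, not code from the article or from WordPress itself, that puts both of the measures above into practice for a comment field: an allowlist check on the way in, and escaping for each output context on the way out. The WordPress helpers esc_html(), esc_attr(), esc_url(), esc_url_raw(), sanitize_text_field() and wp_kses() are real and require the code to run inside WordPress (for instance from a plugin); the store_comment() and render_comment_*() functions and the sample data are hypothetical.

```php
<?php
// Added example, not code from the original article or from WordPress itself.
// esc_html(), esc_attr(), esc_url(), esc_url_raw(), sanitize_text_field() and
// wp_kses() are real WordPress helpers, so this runs inside WordPress (e.g. from
// a plugin); the store_* and render_* functions and the sample data are hypothetical.

// Constructed sample input, as a visitor could submit it through a comment form.
$submitted = [
    'author' => 'alice" onmouseover="alert(1)',
    'url'    => 'javascript:alert(1)',
    'text'   => 'Nice <strong>post</strong> <script>alert(1)</script>',
];

// Allowlist of tags a commenter may use; wp_kses() strips every other tag.
const COMMENT_ALLOWED_HTML = [
    'strong' => [],
    'em'     => [],
    'a'      => [ 'href' => true ],
];

// Input side: check and normalise before anything reaches the database.
function store_comment(array $in): array {
    return [
        'author' => sanitize_text_field($in['author']), // strips tags and line breaks
        'url'    => esc_url_raw($in['url']),             // '' for javascript: and other disallowed schemes
        'text'   => wp_kses($in['text'], COMMENT_ALLOWED_HTML), // removes the <script> tags, keeps <strong>
    ];
}

// Vulnerable output: values are concatenated into the HTML unchanged. The author value
// above survives store_comment() with its quote intact, so here it still breaks out of
// the data-author attribute and adds an event handler.
function render_comment_unsafe(array $c): string {
    return '<div data-author="' . $c['author'] . '"><a href="' . $c['url'] . '">'
         . $c['author'] . '</a>: ' . $c['text'] . '</div>';
}

// Hardened output: every value is escaped for the exact context it is printed into.
// Text that may legitimately contain allowlisted tags goes through wp_kses() again
// instead of esc_html(), which would show the tags literally.
function render_comment_safe(array $c): string {
    return '<div data-author="' . esc_attr($c['author']) . '">'
         . '<a href="' . esc_url($c['url']) . '">' . esc_html($c['author']) . '</a>: '
         . wp_kses($c['text'], COMMENT_ALLOWED_HTML) . '</div>';
}

echo render_comment_safe(store_comment($submitted));
```

The input check alone is not enough, as the author field shows: sanitize_text_field() leaves the quote in place, and only the context-specific escaping in render_comment_safe() keeps it harmless.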
A healthy degree of scepticism: How users protect themselves
Not only site operators but also site visitors are affected by XSS attacks. Many XSS attacks can be prevented simply by handling "foreign" links critically and carefully. Users can, for example, use add-ons such as NoScript, which prevent the execution of scripts, i.e. the malicious lines of code that, for example, steal data.
Conclusion: XSS attacks are in some cases very complex, but the protection is in some cases quite simple
XSS poses a danger for you as a website operator as well as for your visitors and customers. Time and again, vulnerabilities in plugins or themes become known: for example in the plugin WP Statistics, with more than 400,000 active installations, or in WooCommerce and Jetpack, with more than three million active installations each.
But if you keep your plugins and themes up to date and use a WAF, you have already taken a big step in the right direction. If you also use whitelists for incoming and outgoing code, you have already secured your site. However, the last two measures in particular are not easy to implement without programming skills.
Compared with rather primitive brute-force attacks, the more complex XSS attacks are unfortunately still relatively often successful. However, there are significantly fewer of these complex attacks than there are brute-force attacks on WordPress sites. Nevertheless, you should make it as difficult as possible for attackers, because a successful hack not only costs time and money to remove the scripts, but can also endanger your position in search engines.
Maybe you have already had experience with XSS attacks? What are you doing to protect yourself from this?