How to protect WP from XSS or cross site scripting

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • lakerslive
    Confirmed User
    • Aug 2012
    • 929

    #1

    How to protect WP from XSS or cross site scripting

    Should i just remove all plugins and just go with default wp theme and thats it?

    (yes, i always update but it still not enough) tnx

    ive tried alot of the plugins,ex wordpence = junk

    but they are still about to insert these effing files into my wordpress folders with encoded crap and turn my vps into a spam bot. I'm really desperate now.
  • lakerslive
    Confirmed User
    • Aug 2012
    • 929

    #2
    Originally posted by lakerslive
    Should i just remove all plugins and just go with default wp theme and thats it?

    (yes, i always update but it still not enough) tnx

    ive tried alot of the plugins,ex wordpence = junk

    but they are still about to insert these effing files into my wordpress folders with encoded crap and turn my vps into a spam bot. I'm really desperate now.
    Has anyone tried using wordpress without any plugins? how did that turn out for u guys

    Comment

    • Sarn
      WW3
      • Sep 2015
      • 12405

      #3
      noscript plugin + firefox good work for XSS detection.
      make backups, read logs, fix problem
      ----

      Comment

      • Barry-xlovecam
        It's 42
        • Jun 2010
        • 18083

        #4
        Keep the server's MySQL version patched and up to date. If you cannot do it yourself -- find a shared host that keeps their servers up to date.

        That is the first line of defense.

        Comment

        • gnawledge
          confirmed loser
          • Jul 2012
          • 1092

          #5
          What are the permissions set on those folders?

          I use a lot of WordPress sites and never have those issues. I don't know if your host has permissions set differently. Because I have a server that's SUPHP and one is DSOHANLDER and I have to mess around with permissions to get things working right.

          I googled your conundrum... take a look at this. Maybe you saw it maybe not.

          https://hackertarget.com/xss-tutorial/
          Wikifap Cams
          Eporn List
          Is Chaturbate Still Number 1?

          Comment

          • just a punk
            So fuckin' bored
            • Jun 2003
            • 32393

            #6
            Originally posted by lakerslive
            How to protect WP from XSS or cross site scripting
            The only 100% solution is to stop using all the vulnerable plugins. Unfortunately there is no universal solution which will give you a 100% guaranty. Also you can hire a coder who will check your plugins/themes for the XSS vulnerability and fix it if needed.

            Originally posted by Sarn
            noscript plugin + firefox good work for XSS detection.
            make backups, read logs, fix problem
            Obey the Cowgod

            Comment

            • Colmike9
              (>^_^)b
              • Dec 2011
              • 7230

              #7
              You could put this in php.ini to stop it (But if the site relies on any of these functions then you'll have to find an alternate or allow individually if necessary)
              Code:
              allow_url_fopen = off
              allow_url_include = off
              disable_functions = "apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd, eval, exec, fp, fput, ftp_connect, ftp_exec, ftp_get, ftp_login, ftp_nb_fput, ftp_put, ftp_raw, ftp_rawlist, highlight_file, ini_alter, ini_get_all, ini_restore, inject_code, mysql_pconnect, openlog, passthru, php_uname, phpAds_remoteInfo, phpAds_XmlRpc, phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid, posix_setuid, posix_uname, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode"
              Then remove the base64 code that you see, de-encode it if you want to see what it's doing.
              Then update things, remove plugins that you don't need or use, set your permissions to a safe level, etc.
              Join the BEST cam affiliate program on the internet!
              I've referred over $1.7mil in spending this past year, you should join in.
              I make a lot more money in the medical field in a lab now, fuck you guys. Don't ask me to come back, but do join Chaturbate in my sig, it still makes bank without me touching shit for years..

              Comment

              • Sarn
                WW3
                • Sep 2015
                • 12405

                #8
                Originally posted by CyberSEO
                The only 100% solution is to stop using all the vulnerable plugins. Unfortunately there is no universal solution which will give you a 100% guaranty. Also you can hire a coder who will check your plugins/themes for the XSS vulnerability and fix it if needed.
                Что тебе не нравится клоун? ты уже посоветовал не использовать твой плагин и еще фейспалмишь мне?
                ----

                Comment

                • PornDiscounts-V
                  Confirmed User
                  • Oct 2003
                  • 5744

                  #9
                  It sounds like your server has dozens of backdoor scripts added to it. Your best bet is to export your posts via export tool, then delete everything. All of it. Then recreate it and import the posts. Then stop using themes from crappy sources and only use plugins you actually need.
                  Blog Posts - Contextual Links - Hardlinks on 600+ Blog Network
                  * Handwritten * 180 C Class IPs * Permanent! * Many Niches! * Bulk Discounts! GFYPosts /at/ J2Media.net

                  Comment

                  • just a punk
                    So fuckin' bored
                    • Jun 2003
                    • 32393

                    #10
                    Originally posted by sarn
                    Что тебе не нравится клоун? ты уже посоветовал не использовать твой плагин и еще фейспалмишь мне?
                    Клоун это ты. Читай посты людей выше и учи английский уже, дебил блять.

                    P.s. Или дело не в английском? Ты может вообще ущербный и даже по-русски не понимаешь, что такое "защитить wp сайт от xss"? Так хрена ли ты вообще делаешь на этом форуме?
                    Obey the Cowgod

                    Comment

                    • lordaRaG0n
                      Confirmed User
                      • Nov 2013
                      • 93

                      #11
                      If you're on an Apache 2 server try using the recommendations from securityheaders.io.
                      You should be able to implement the following without tweaks:
                      X-XSS-Protection
                      X-Frame-Options
                      X-Content-Type-Options

                      But for Content-Security-Policy you must whitelist in the headers every host/script that's allowed to use src= queries in your code. This is a bit tricky because you really need to review your code and you'll end up with a very long header if you got code from third parties and not internal, but it's doable.

                      The basic code without Content-Security-Policy can look like this in your .htaccess:

                      <IfModule mod_headers.c>
                      Header set X-XSS-Protection "1; mode=block"
                      Header set X-Frame-Options SAMEORIGIN
                      Header set X-Content-Type-Options nosniff
                      Header set Strict-Transport-Security "max-age=31536000; includeSubdomains"
                      </IfModule>

                      Also using mod_rewrite you can set additional restrictions on very specific strings which will help if you don't set a Content-Security-Policy:

                      RewriteEngine On
                      RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
                      RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
                      RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
                      RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
                      RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
                      RewriteRule ^(.*)$ index_error.php [F,L]
                      RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
                      RewriteRule .* - [F]

                      You can replace index_error.php to whatever error page you wish the use.

                      Hope it helps :D

                      Comment

                      • PornDiscounts-V
                        Confirmed User
                        • Oct 2003
                        • 5744

                        #12
                        His problem isn't xss. It is that he got hacked and they dropped shells all over his server.
                        Blog Posts - Contextual Links - Hardlinks on 600+ Blog Network
                        * Handwritten * 180 C Class IPs * Permanent! * Many Niches! * Bulk Discounts! GFYPosts /at/ J2Media.net

                        Comment

                        • lakerslive
                          Confirmed User
                          • Aug 2012
                          • 929

                          #13
                          not just 1 server, 2 different servers.. they not even linked to each other. I am not a server literate type guy.

                          I know some whm things... installing wp, customizing it, i knowledge here and there. But i have server knowledge of a 10 year old

                          Comment

                          • just a punk
                            So fuckin' bored
                            • Jun 2003
                            • 32393

                            #14
                            Originally posted by vvvvv
                            His problem isn't xss. It is that he got hacked and they dropped shells all over his server.
                            In this case the suggestion is as simply as this: don't download any themes/plugins from the unknown sources. According to the recent reports, over 90% of all that nulled/hacked shit floating online is stuffed with built-in backdoors.
                            Obey the Cowgod

                            Comment

                            • lakerslive
                              Confirmed User
                              • Aug 2012
                              • 929

                              #15
                              just found out my server software is not upto date since i moved with liquidweb a month ago, when i first started them , there wasnt many xss injections, but a month later, they all started showing up,

                              Comment

                              • lakerslive
                                Confirmed User
                                • Aug 2012
                                • 929

                                #16
                                i only use plugins from wordpress admin.. =(

                                Comment

                                • just a punk
                                  So fuckin' bored
                                  • Jun 2003
                                  • 32393

                                  #17
                                  Originally posted by lakerslive
                                  i only use plugins from wordpress admin.. =(
                                  From what? You have to download them from wordpress.org (not every plugin is seriously tested even there) and from the trusted 3rd-party sources only.
                                  Obey the Cowgod

                                  Comment

                                  • Sarn
                                    WW3
                                    • Sep 2015
                                    • 12405

                                    #18
                                    Originally posted by CyberSEO
                                    Клоун это ты. Читай посты людей выше и учи английский уже, дебил блять.

                                    P.s. Или дело не в английском? Ты может вообще ущербный и даже по-русски не понимаешь, что такое "защитить wp сайт от xss"? Так хрена ли ты вообще делаешь на этом форуме?
                                    а ты еще и буйный дурачек И проблема не в языке а в твоей тупости.
                                    что я делаю на форуме тебя вообще не должно ебать, понимаешь?
                                    Любое решение проблем с безопастностью начинается с диагностики и чтения логов, чтобы из за пары идиотов не переделывать работу дважды а то и больше. Поэтому вешаешь плагин носкрипт лазишь по сайту и смотришь откуда у тя xss - далее читаешь логи и смотришь куда что залили. Далее фильтруешь в коде баги.
                                    ----

                                    Comment

                                    • just a punk
                                      So fuckin' bored
                                      • Jun 2003
                                      • 32393

                                      #19
                                      Originally posted by Sarn
                                      что я делаю на форуме тебя вообще не должно ебать, понимаешь?
                                      Да мне насрать. Тут и без тебя дураков хватет. Одним - больше, одним - меньше.

                                      Originally posted by Sarn
                                      Любое решение проблем с безопастностью начинается с диагностики и чтения логов, чтобы из за пары идиотов не переделывать работу дважды а то и больше.
                                      А, ну да, ну да... Стандартный анализ на XSS уязвимость это ж ни о чем, да? ;)

                                      Originally posted by Sarn
                                      вешаешь плагин носкрипт
                                      Obey the Cowgod

                                      Comment

                                      • hdbuilder
                                        Confirmed User
                                        • Jun 2012
                                        • 1338

                                        #20
                                        If both of your servers are hacked your home PC is probably the source, run ComboFix on it, then change all servers panel, FTP, root... passwords, then you can clean your servers

                                        ROBO SCRIPTS | WP CAM PLUGIN - Scripts To Promote Cam Sites - Chaturbate, BongaCams, Streamate, LiveJasmin, Stripchat...

                                        The Cam Site Builder, The Cam Multi Site Builder -> MULTIPLE CAM SITES IN ONE

                                        Comment

                                        • Venum
                                          Confirmed User
                                          • Nov 2014
                                          • 182

                                          #21
                                          Serve cached pages. Use nginx as a proxy cache to the front of the web, and keep infra behind proxy.

                                          Comment

                                          • The Porn Nerd
                                            Living The Dream
                                            • Jun 2009
                                            • 19787

                                            #22
                                            This thread is filled with nerds. LOL
                                            My Affiliate Programs:
                                            Porn Nerd Cash | Porn Showcase | Aggressive Gold

                                            Over 90 paysites to promote!
                                            Now on Teams: peabodymedia

                                            Comment

                                            • EvgenUA
                                              Confirmed User
                                              • Dec 2009
                                              • 110

                                              #23
                                              and russian hackers

                                              Comment

                                              • Coup
                                                🚨 PBBC International 🚨
                                                • Apr 2010
                                                • 9931

                                                #24
                                                OP I would suggest that you search for the names of the plugins and themes that you use here:

                                                https://wpvulndb.com/plugins
                                                https://wpvulndb.com/themes

                                                Remove any that you find listed. You're likely using one or more that is a security vulnerability.

                                                Comment

                                                • xXXtesy10
                                                  Fakecoin Investor
                                                  • Jul 2012
                                                  • 7127

                                                  #25
                                                  cyberseo trash garbage junk shit
                                                  WARNING: Stay Away From Marlboroack aka aka Brandon Ackerman
                                                  http://gfy.com/21169705-post8.html
                                                  Donny Long is Felon, Stalker, Scammer & Coward
                                                  http://www.ripoffreport.com/reports/...lon-int-761244

                                                  Comment

                                                  • just a punk
                                                    So fuckin' bored
                                                    • Jun 2003
                                                    • 32393

                                                    #26
                                                    Originally posted by xXXtesy10
                                                    cyberseo trash garbage junk shit
                                                    Put that slogan into your signature and link it to my site. I will give you $10, which is enough to feed up all your village
                                                    Obey the Cowgod

                                                    Comment

                                                    • Sarn
                                                      WW3
                                                      • Sep 2015
                                                      • 12405

                                                      #27
                                                      Originally posted by EvgenUA
                                                      and russian hackers
                                                      white hat. because who has not cracked the can not protect.
                                                      but if Putin asked


                                                      PS:restrict access to the admin panel wordpress only with your ip, even if you lose all your password all be safe. but it is better to detect and Fix xss in php code

                                                      .htaccess
                                                      <Files "wp-login.php">
                                                      Order deny,allow
                                                      Deny from All
                                                      Allow from 8.8.8.8
                                                      </Files>

                                                      8.8.8.8 - you static ip
                                                      ----

                                                      Comment

                                                      Working...