XSS vulnerabilities in WordPress

The trouble with XSS vulnerabilities in WordPress is that even many so-called security plugins have shortcomings of their own and end up adding risk instead of providing effective protection or prevention. It is a good illustration of the fact that plugins in WordPress are always a risk, whatever purpose they serve. Recently the Sucuri WordPress firewall was itself hit by a cross-site scripting weakness that allowed it to be bypassed. That is not what users expect from a firewall, since blocking and preventing exactly such attacks is its whole point. Still, no firewall offers one hundred percent protection, as experts have repeatedly pointed out.

Sucuri Firewall simply tricked

The gap was discovered by Rafay Baloch, a leading Pakistani security expert, who tested and experimented, found a weakness, and reported on it in detail on his blog. His interest was that web application firewalls either do not work properly or generate vast numbers of false positives, that is, they lock out normal users. So he took the Sucuri Security Website Firewall (CloudProxy) and tested a few things, with the result that the firewall can be bypassed with a simple ". A very interesting article, although very technical and quite long.

There is no ultimate protection

In general the method shows how easy it is to circumvent firewalls and security plugins. Such tools do offer additional protection, but there is no ultimate armored door for WordPress. No matter how much security you think you have, if someone is really interested in hacking your blog, they will probably succeed: perhaps because a plugin introduces the vulnerability, perhaps because your theme uses outdated functions and calls, perhaps because basic security precautions have not been taken.

More important than any security plugin are continuous backups, so that the correct state can be restored quickly after a hack and the corresponding vulnerabilities can then be fixed. That does not mean a firewall is always a bad idea. I personally am a bit of a fan of NinjaFirewall, but Sucuri and Co. also do their job, even if not always perfectly, as the example above shows.

Security has many faces

Finally, as mentioned above, there is no one hundred percent protection for WordPress. If you really want more security, some plugins can provide it, but they may bring new gaps and problems of their own, or lock out normal users by blocking them accidentally. Security starts with programming, proper operation, monitoring your own websites, strong firewalls and blocking rules; in the end it is a lot of manual work and nothing a small blogger can really afford.
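"Security starts with programming" is the part a firewall cannot do for you: a WAF guesses at malicious input, while the theme or plugin that prints the value knows exactly which HTML context it lands in. The following is an added example written for this article, not code from fastWP, Sucuri or NinjaFirewall. It assumes it runs inside WordPress (a theme template or plugin), so the core escaping functions esc_html(), esc_attr(), esc_url() and wp_kses_post() are available; the request parameters q and next are constructed names for illustration.

```php
<?php
// Added example (not from the fastWP article): the same user-supplied value
// printed unsafely versus with WordPress's context-specific escaping.
// Assumes a WordPress runtime; 'q' and 'next' are made-up parameter names.

// Sanitize on input: strip slashes added by WP and drop tags/control chars.
$search_term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

// Vulnerable pattern (kept commented out): the raw value lands in the page,
// so any markup inside it is rendered by the browser. This is reflected XSS.
// echo '<h2>Results for ' . $_GET['q'] . '</h2>';

// Hardened: escape at output time, choosing the function for the context.

// HTML body context.
echo '<h2>Results for ' . esc_html( $search_term ) . '</h2>';

// Quoted attribute context.
echo '<input type="text" name="q" value="' . esc_attr( $search_term ) . '">';

// URL context: esc_url() also rejects schemes such as javascript:, so a
// crafted "next" parameter cannot turn the link into script execution.
$redirect = isset( $_GET['next'] ) ? wp_unslash( $_GET['next'] ) : home_url( '/' );
echo '<a href="' . esc_url( $redirect ) . '">Continue</a>';

// Content that legitimately contains HTML (e.g. a post excerpt): allow only
// the post-safe tag whitelist instead of echoing it verbatim.
$excerpt = get_the_excerpt();
echo wp_kses_post( $excerpt );

// Translated strings with placeholders: escape the final string, not the template.
printf(
    '<p>%s</p>',
    esc_html( sprintf( __( 'No results for "%s"', 'example-textdomain' ), $search_term ) )
);
```

The point of the split between sanitizing on input and escaping on output is that the same value may end up in several contexts; only the line that prints it knows whether it sits in text, an attribute or a URL, which is why the escaping call belongs next to the echo rather than somewhere upstream in a filter or firewall.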

After all, there are experts in this field for a reason, and as great as it may sound, they cannot simply be replaced by an automatic and often even free plugin. Security on the web remains a very elastic term, and nobody should feel too secure. The standards for security in WordPress should be followed, and security plugins are not a bad idea per se, despite the occasional vulnerabilities.


About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics, but I also like to write about SEO, which has been my passion for over 10 years now.
