WordPress Security: Preventing Stolen Session Cookies
When it comes to WordPress security, surprises can be lurking around every corner. A recent report from security firm We Watch Your Website reveals that 60% of hacked WordPress sites are a result of stolen session cookies. This unexpected finding highlights the need for increased vigilance in protecting our websites.
While we may already be familiar with using strong passwords, setting file permissions, and updating our WordPress installations, even the most security-conscious among us can overlook certain vulnerabilities. One oversight can lead to a hacked website, despite taking numerous security measures.
So, how can we prevent stolen session cookies from compromising our websites? Thomas J. Raef, the author of the report mentioned earlier, offers some advice.
Raef explains that session cookies are often stolen through cross-site scripting, although WordPress uses the HttpOnly option in its headers to prevent cookie theft via XSS. The main method of stealing session cookies is through info stealers, which are designed to evade detection from anti-malware programs. These info stealers can quickly steal everything possible, including WordPress session cookies, which bypasses Two-Factor Authentication and other security measures.
To secure our devices against this type of threat, Raef suggests a simple solution: remember to log out. By logging out, we expire the session cookie and prevent it from being used by unauthorized individuals. Additionally, using SolidWP’s Trusted Devices feature, which generates session cookies based on IP addresses, can further prevent stolen cookies from being used elsewhere.
When asked if there are any changes the WordPress project could make to enhance session cookie security, Raef suggests implementing a procedure that automatically logs out users after a period of inactivity. However, he acknowledges that this may involve complex JavaScript and believes that WordPress is already doing a lot to prevent cookie theft.
For web designers managing WordPress sites, Raef advises ensuring that all individuals with admin access follow proper sanitary procedures for their local devices. Malware on an admin’s device can steal usernames, passwords, and session cookies. While Two-Factor Authentication can prevent the use of usernames and passwords, logging out is the most effective way to protect against stolen session cookies.
Raef also warns about hackers attacking from local devices, piggybacking on legitimate admin sessions. This highlights the importance of maintaining the health and security of local devices.
It’s crucial to recognize that compromised computers or mobile devices can impact website security. While we often focus on securing the website itself, taking steps to secure our devices is equally important. Following best practices for device security and encouraging others to do the same can help prevent potential catastrophes.
In conclusion, preventing stolen session cookies requires a combination of logging out, using security features like Trusted Devices, and maintaining the health of our local devices. By implementing these measures, we can enhance WordPress security and protect our websites from unauthorized access.
(Note: This article is based on an interview with Thomas J. Raef, author of “The Real Attack Vector Responsible for 60% of Hacked WordPress Sites in 2023.” For more security advice from Raef, visit We Watch Your Website.)
