XSS Protection For WordPress 4.2


Hello everyone,

It has been a while since we updated this quickly, but whenever we get the time we will try to give you our best. We will soon be moving the content we provide to higher-quality, more focused material, but for now we want to let you know about this new update and the changes to WordPress.

WordPress 4.2 XSS Vulnerabilities:

WordPress has been updated to a brand-new version to bring in major changes, better security and new features. The project tries to keep WordPress as secure and fast as possible, but this time, with the pre-releases and general updates of WordPress 4.2.x and later that affected themes, some internal code was left un-updated, which has allowed attackers to execute XSS payloads against WordPress sites.

More than 10 million sites have been affected by this vulnerability, and people have started searching for how to solve it, so we decided to take the initiative and help people fix this small but critical bug.

You will have to make some changes to your theme and scripts, and you should take security seriously while doing so. If you don't know what you are doing, don't follow this guide, or you will break your WordPress website/blog yourself before the hackers do.

How to Check If Your WordPress Site Is Vulnerable:

  • Go to your website or blog running WordPress 4.2 or later.
  • Now, add the following query string to the search URL of your WordPress site:
http://www.MyWordpressSite.com/?s=<svg onload="prompt(document.cookie);"><style>body  {background-image: url("http://cs317325.vk.me/v317325776/1361/3EeIxU9YC0k.jpg");}</style>
  • If you see the prompt appear and the background image change, then your website is vulnerable.


Note: to run this check, use a browser like Firefox, since Chrome has built-in security features that stop the injected code from executing.



How to Secure WordPress 4.2 for XSS:

  • First, we recommend taking a backup of your whole database and all your files before you make any changes.
  • After you have taken the backups, let's begin with the XSS protection for your blog or WordPress website.
  • Open your FTP client and log in to the server where you host your WordPress site.
  • Browse to your public_html or www folder and go to wp-content/themes/Your-Chosen-Theme/
  • Now look for a file named search.php, open it in your favorite editor, and use the editor's find/search function.
  • What you have to look for is the variable $s, which WordPress uses by default to carry the search string from the GET request (http://somewebsite.com/?s=My+Search+String).
  • Find the exact match for $s; the first $s is usually near line 70, but we cannot be sure in your case since you might be using a different theme.
  • Here is the main point, so be careful: add the line below at the end of the PHP block that precedes the block containing that first $s, i.e. just before that earlier block's closing PHP tag.
$s = htmlentities($s, ENT_QUOTES, "UTF-8");
  • Save the file and you are done!
  • Now check whether the XSS issue is solved or not!
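To see what that one line changes, here is an added stand-alone PHP example (not code from this post or from any WordPress theme) that renders a constructed search string the way an unescaped search.php would, and then the way the htmlentities() line above does. It runs without WordPress; the template functions are hypothetical stand-ins for the echo in search.php.

```php
<?php
// Constructed sample input: a shortened form of the test string used in this post.
$payload = '<svg onload="prompt(document.cookie);">';

// VULNERABLE (hypothetical theme snippet): the raw search term is echoed into the
// page, so the browser parses the <svg> tag and runs its onload handler.
function render_search_title_vulnerable(string $s): string {
    return "<h1>Search results for: $s</h1>";
}

// FIXED: the line from this post. htmlentities() with ENT_QUOTES turns <, >, "
// and ' into entities, so the browser displays the text instead of parsing a tag.
function render_search_title_fixed(string $s): string {
    $s = htmlentities($s, ENT_QUOTES, "UTF-8");
    return "<h1>Search results for: $s</h1>";
}

// Quick check a theme author can run after editing search.php: does the rendered
// HTML still contain the input verbatim (i.e. unescaped markup)?
function output_contains_raw_markup(string $html, string $input): bool {
    return strpos($html, $input) !== false;
}

$vuln = render_search_title_vulnerable($payload);
$safe = render_search_title_fixed($payload);

echo "Vulnerable: $vuln\n";
echo "Fixed:      $safe\n";
echo "Raw markup in vulnerable output: " . (output_contains_raw_markup($vuln, $payload) ? "yes" : "no") . "\n";
echo "Raw markup in fixed output:      " . (output_contains_raw_markup($safe, $payload) ? "yes" : "no") . "\n";
```

Inside a real theme, WordPress's own get_search_query() already returns the term escaped; the problem only appears when a template echoes the raw $s (or calls get_search_query(false)) without escaping it itself.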

Leave your feedback and ideas, or any help you need, as a comment below and we will reply as soon as we are online.

#Wordpress #XSS #Hackers #Security