WordPress CSRF Attacks: Vulnerability and Prevention


One of the most critical hacks that WordPress websites face is Cross-Site Request Forgery (also known as CSRF or XSRF). This hack occurs because of vulnerabilities in WordPress plugins installed on the site.

Hackers use this technique to trick website users into doing malicious acts that damage both the website owner and the user. CSRF attacks can have catastrophic consequences for all parties and should be avoided at all costs!

A hacker may use CSRF to gain complete control of your website and use it to carry out any malicious operation they want. They could take your visitors to malicious websites or trick them into downloading malware. They can even go so far as to steal money from you and your clients!

That’s not all. Things could get even worse, with Google blacklisting your domain and your hosting company suspending it.

We’ve got you covered whether you’ve been a victim of this hack or want to stop it. We’ll show you how to patch and avoid a CSRF attack in this post.

TL;DR version

If your website has been hacked, you must immediately rectify the situation. To run a deep scan of your website and clean it instantly, we recommend downloading and installing the CSRF Attack Removal Plugin. The plugin will shield your website from potential hacking attempts once it is clean.

What Is a CSRF Attack (Cross-Site Request Forgery)?

The CSRF WordPress attack is a little difficult to comprehend, but we’ll try to simplify it as much as possible.

On a website with subscriptions, memberships, or logins, each user has privileged access to their own account: an Amazon account, a Gmail account, or even an online banking account, for example.

Such a website issues users login credentials, a username and a password, which it needs to check the user’s identity. When a user tries to log in, they must first prove their identity by entering their username and password. This is how the website establishes trust in the user and their browser.

A hacker uses a CSRF attack to trick an authenticated user into performing malicious acts.

Understanding ‘Cross Site’

Let’s look at an example and see how this works. Let’s say the user has logged in to Site A and left it open in a browser tab. (It’s important to note that the user is logged in to Site A.)

Assume the hacker has access to the user’s email address. They send the user an email with amazing deals that will expire in the next few hours. The user is fooled into clicking on the link in the email, which takes them to a website called Site B (run by the hacker).

To claim the discount on Site B, they must fill out a form or enter their email address. To ‘submit’ the form, the user clicks on a seemingly normal button.

However, the hacker has hidden a malicious script behind Site B’s “Submit” button.

Now recall Site A, which is open in a separate tab. The script sends a request to Site A and uses that request to carry out malicious acts. This is why it’s called a ‘cross-site’ attack.

Understanding Request

The hacker’s script sends a request from Site B to Site A on behalf of the user. The unwelcome malicious action could be anything from changing an admin password to moving funds out of a bank account!

Understanding ‘Forgery’

Finally, it’s a ‘forgery’ because the hacker uses the user’s authentication to deceive Site A. As a result, the term “Cross-site Request Forgery” was coined.

In a nutshell, the hacker deceives Site A into believing that their malicious instruction is a legitimate request submitted by a trusted user. But how is Site B able to submit a request to Site A? In the following part, we’ll go further into how this occurs.

This section is technical in nature and is intended for experienced WordPress users or developers. If you would rather go straight to preventing CSRF attacks on your site, skip ahead to CSRF Preventive Measures for WordPress Site Owners.

How Did The WordPress CSRF Vulnerability Occur on Your Site?

To grasp how the vulnerability happens, we must first comprehend how a user’s browser and a website interact.

Understanding Browser Requests

We’ll talk about the two main forms of HTTP request (GET and POST) and about browser cookies in this section:

HTTP GET Request

When you visit a website, your browser sends an HTTP GET request to the site’s server. This request asks for the data needed to display the site’s front end. The web server responds by sending the requested information, and the website’s contents then load in your browser.

Unauthenticated users are those who are not logged into a website. No session cookies are used when their GET and POST requests are sent, so in this case there are no security risks. When a user logs in, however, they become an authenticated user.

The website uses cookies to identify and serve this user. These cookies can be used to generate data specific to that unique ID. They allow the site to keep the user logged in, display advertisements tailored to the user’s tastes, or show items the user likes, among other things.

The CSRF Process

Now let’s return to how a CSRF vulnerability occurs. For this attack to succeed, the hacker needs an authenticated user whose browser holds the site’s cookies.

We’ll use an example to demonstrate this. We’ll show you how a hacker can take control of a user’s account and then use it to hack your website by exploiting a CSRF flaw.

What Happens On The User Side?

  1. In their browser, a user is logged into targetwebsite.com.
  2. The hacker then sends this user an email instructing them to go to trickwebsite.com and sign up to earn $50 in their account. (Other vulnerabilities may also be used to insert these links on targetwebsite.com.)
  3. We’ll say the victim believes the fake website is real and falls for the con. They fill out a form with their information and submit it.
  4. The hacker has already put HTML code behind this ‘Submit’ button on trickwebsite.com. It will submit a POST request on behalf of this user to targetwebsite.com (where the user is already logged in).

What Happens On The Website Side?

  1. Targetwebsite.com verifies the user (and the browser) using cookies and accepts the request. Since it comes from an authenticated user, this request appears to be valid.
  2. However, the POST request that was sent contained malicious instructions that could damage the website. The request could, for example, include a command to change the current account password to “newpassword123.”
  3. When targetwebsite.com accepts the request, the command runs and changes the password. The hacker can then log in to the account with the new password and take complete control.
  4. The hacker can now carry out further attacks on the website. Depending on the privileges given to this user, the hacker may be able to access targetwebsite.com’s database and administrative features.

This is only one example of what CSRF attacks can accomplish. There are several other situations that may occur. However, this hack would have an effect on both the user and the website.

How To Prevent a CSRF Attack on a WordPress Website?

WordPress websites become vulnerable because plugins have vulnerabilities that allow CSRF attacks.

Many of the common plugins reviewed by PluginVulnerabilities.com had security problems that made websites vulnerable to CSRF attacks, according to a full disclosure study. Plugin developers must enforce such security measures to avoid CSRF hacks. We’ll go through these steps briefly before telling you what you should do as a WordPress site owner to prevent CSRF attacks.

CSRF Preventive Measures for Plugin Developers

Here are some steps you should take as a plugin creator to help avoid CSRF attacks:

Anti-CSRF Tokens

An anti-CSRF token is a secret value that is sent along with the cookies and requests of a specific user. The following is how it works:

  • This token is generated by the web server and stored as a hidden field on the form.
  • The token is included in the POST request when the user fills out and submits the form.
  • The token created by the server will be compared to the token sent by the user.

If the two tokens match, the request is accepted. If they do not match, the request is considered invalid. This removes the risk of CSRF attacks.

These tokens can be added by a developer when building or upgrading a plugin.

Using Nonces

Anti-CSRF Tokens and Nonces are not the same thing, despite the fact that they are often used interchangeably. A nonce value (single-use number) is similar to a one-time password created for the request.

The nonce is created when the form is served and is checked when the HTTP request arrives, in order to validate that request. Once used, the nonce is invalidated, and the user cannot resubmit the form with the same nonce value.
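The token-and-nonce pattern described in the two sections above, written as an added example in the WordPress plugin API (it is not code from the post or from any plugin it names). The plugin prefix `acme_`, the action name `acme_update_email`, the option name and the capability required are assumptions for illustration; `wp_nonce_field()`, `wp_verify_nonce()`, `current_user_can()` and the `admin_post_{action}` hook are real WordPress functions.

```php
<?php
// Added example, not from the post or any named plugin. Hypothetical prefix
// "acme_" and action "acme_update_email" are assumptions for illustration.

// 1. Render the form. wp_nonce_field() emits a hidden input carrying a nonce
//    bound to this action and the current user's session.
function acme_render_email_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acme_update_email">
        <?php wp_nonce_field( 'acme_update_email', 'acme_nonce' ); ?>
        <label>New contact e-mail
            <input type="email" name="acme_email" required>
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. Handle the POST. A forged cross-site request arrives with the victim's
//    cookies but cannot contain a valid nonce, so it is rejected before any change.
function acme_handle_email_update() {
    // Authorization first: only users allowed to manage options may get here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check: false when the field is missing, expired or for another action.
    $nonce = isset( $_POST['acme_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['acme_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'acme_update_email' ) ) {
        wp_die( 'Security check failed.', '', array( 'response' => 403 ) );
    }
    // Input validation of the actual payload.
    $email = isset( $_POST['acme_email'] ) ? sanitize_email( wp_unslash( $_POST['acme_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address.', '', array( 'response' => 400 ) );
    }
    update_option( 'acme_contact_email', $email );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
// admin-post.php dispatches action=acme_update_email to this handler for logged-in users.
add_action( 'admin_post_acme_update_email', 'acme_handle_email_update' );
```

Note that WordPress nonces are valid for a limited time window (up to 24 hours by default) rather than strictly once, so the capability check in the handler is not optional: the nonce proves the request came from your own form, and `current_user_can()` proves the user is allowed to make the change.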

Same-Site Cookies

CSRF attacks are possible because cross-site requests are sent with the same cookies as same-site requests. A same-site cookie is only sent when the request comes from the same website that created the cookie.

The issue with this approach is that not all browsers support same-site cookies; Chrome and Firefox do.

This can be used as a secondary layer of security, but it should not be relied on alone to prevent CSRF attacks.

We won’t go into great detail about these safeguards because hackers can now circumvent almost all of them. Hackers are becoming more sophisticated by the day, creating new strategies to circumvent the safeguards we put in place.

Next, we’ll discuss what proactive and reactive steps you should take as a WordPress site owner to defend yourself from CSRF attacks.

CSRF Preventive Measures For WordPress Site Owners

As previously stated, plugin developers should take care to ensure that their applications are safe. What happens if they don’t? How do you know which plugins have anti-CSRF steps in place?

WordPress is rarely self-contained. Plugins play an important role in a website’s functionality and design. So, while WordPress sites need plugins, do you simply trust that these plugins have taken the requisite security precautions?

No way! Even if plugin developers don’t take security precautions, website owners must be vigilant and take precautions of their own.

Here’s how you can defend yourself from CSRF attacks:

Use Anti-CSRF Plugins

There aren’t many plugins dedicated to CSRF attacks available in the WordPress repository. Here are two examples of what we discovered:

(A) Message Form CSRF Security – This WordPress plugin protects your comment forms by adding an anti-CSRF token. The token is a unique value that is kept hidden and is impossible to guess. When a user submits a form, the secret token is submitted with it, and the form submission is accepted only if the token matches.

(B) Same-site cookies – This plugin is compatible with Chrome, Firefox, Internet Explorer, and Edge. It ensures that when HTTP requests are sent, the cookies sent are from the same domain. This prevents all cross-site requests and, as a result, all CSRF attacks.

Install an All-round WordPress Security Plugin

For WordPress websites, there are a plethora of security plugins. These plugins will secure your site from all forms of hackers, including CSRF attacks. However, not all security plugins provide the same degree of protection.

Furthermore, the CSRF assault is difficult to detect. Hackers effectively conceal it from both the site owner and the user, allowing it to go unnoticed. You’ll need a plugin that can detect malware that has been disguised.

In order to stay safe against CSRF attacks, make sure the protection plugin you select does the following:

  • Scans your website for malicious scripts on a regular basis.
  • Examines all of the website’s archives and databases.
  • Is capable of detecting any form of malware, including new, hidden, or obfuscated threats. (Some plugins only look for malware that has already been identified.)
  • Alerts you if there is unusual activity on your website.
  • Provides you with your own dashboard, allowing you to clean up your website even if a hacker locks you out of your own admin account.

MalCare is a plugin that provides this security and functionality. Once you’ve installed the plugin on your WordPress site, you’ll be able to protect yourself from CSRF attacks. It will also remove any WordPress malware that a hacker might have installed on your site during the break-in.

Your website will be safeguarded by a proactive firewall that will prevent malicious IP addresses and bad bots from accessing it.

This WordPress security plugin will warn you immediately if a hacker tries to access your site using a malicious cross-site request. The same plugin can then be used to take urgent action.

Harden Your Website

WordPress suggests that you take a few precautions to make your website more secure. Hackers would find it incredibly difficult to obtain access as a result of this. We’ve only touched on a few steps here, but we suggest reading our in-depth WordPress Hardening guide.

Since many of these points are a little more technical, the comprehensive guide will help you understand them better. The following are several hardening steps to avoid or mitigate the harm caused by CSRF attacks:

a. Use Two-Factor Authentication

Two-factor authentication provides an additional layer of protection to users’ accounts. A user will be asked to enter their login credentials, followed by a second password. A one-time password could be sent to the user’s registered email or phone number. It may also be a code created by a third-party app such as Google Authenticator.

b. Block PHP Execution in Untrusted Folders

If a hacker gains access to your website’s files via a CSRF attack, they can use PHP functions to perform malicious tasks. (A PHP function is a section of code in a program.) You can turn off PHP execution in folders where it isn’t needed.

c. Disable File Editor

A hacker who gains access to your WordPress Administrator account has total control over your website. They can find the “Editor” in the plugins or themes section of your dashboard and use it to edit or upload their own scripts in order to display their content, deface your site, fill your pages with SEO spam, and so on.

d. Change Security Keys

You may have noticed that you do not need to enter your login credentials every time you access your WordPress account; the fields are already filled in. WordPress uses security keys to encrypt and store this data in order to keep it safe from hackers. If a hacker uses a CSRF attack to gain access to your site, they can gain access to this information. They can then change it and use it to log in to your website’s admin account whenever they want.

These hardening steps can be applied manually, as discussed in the guide we recommended. You may also use MalCare to quickly put them in place.

Delete All Unused Themes & Plugins

The more plugins and themes you have installed on your website, the more opportunities hackers have to break in. It’s best to get rid of any plugins and themes you don’t need and keep only the ones you use.

Aside from these, you can take additional security steps such as switching your site to HTTPS, installing a security plugin, and securing the login page.

Last Thoughts

Both the user and the website are at risk when a CSRF attack occurs.

A hacker will take control of your website if they succeed in running their scripts via the forged HTTP request. There’s no knowing what they’ll be capable of after that. They can deface your website in order to spread their own propaganda or sell illegal goods or drugs. They can also redirect your website’s visitors to their own sites.

Adult sites, sites that sell illicit goods, and sites that trick visitors into installing malware are the most popular examples.

  • As a website owner, you must take care to protect your site from these attacks.
  • We recommend that you keep a security plugin like MalCare active on your WordPress site because it provides all-around support.
  • To make it more difficult for hackers to break in, we suggest putting in place website hardening steps.
  • Finally, use caution when downloading plugins and themes. Download trustworthy WordPress themes and plugins from the WordPress repository or marketplaces such as ThemeForest and CodeCanyon.

We are sure that if you put these protections in place on your WordPress website, you will be protected from hackers!