Please add a sane default CSP
I’ve just spent 2 days recovering a hacked WordPress site. WordPress makes up about 40% of the internet and is infamous for its security vulnerabilities. Why has CSP still not been added? CSP is a basic protection. I’ve implemented it on my own server through Apache, but plugins, themes, and maybe even WordPress itself use unsafe-inline JS everywhere. You need to push for plugin/theme developers to update their projects to be compliant with at least a very basic, non-disruptive CSP policy like:
default-src 'self' https: data:;
Here’s what I suggest:
1. Create an opt-in CSP option under Settings > General
2. Warn users on the dashboard that this will become default in a later version
3. Turn it on by default, with a configurable text box

Please take this seriously and do not ignore it. I understand that you don’t want to break things, but things break when sites get hacked. It’s up to you to pass good security hygiene onto developers.
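An added example (not code from the post's author or from WordPress core) of what the opt-in step above could look like as a small mu-plugin: it sends the post's baseline policy from the `send_headers` action, stays off until an admin flips an option, and supports a report-only mode so site owners can see what inline scripts a theme or plugin would break before enforcing. The option name `example_csp_mode`, the constant names and the notice text are assumptions made for this example; `send_headers`, `admin_notices`, `get_option`, `esc_html` and `headers_sent` are real WordPress/PHP functions.

```php
<?php
/**
 * Plugin Name: Opt-in CSP header (illustrative example)
 * Description: Sends the baseline policy "default-src 'self' https: data:"
 *              as a CSP header, opt-in, with a report-only mode first.
 *              Drop into wp-content/mu-plugins/ to try it.
 */

// Assumed option name; values: 'off' (default) | 'report' | 'enforce'.
const EXAMPLE_CSP_OPTION = 'example_csp_mode';
// The policy quoted in the forum post.
const EXAMPLE_CSP_POLICY = "default-src 'self' https: data:";

/**
 * Map the configured mode to the response header to send, or null when off.
 * Report-Only lets browsers log violations to the console without blocking,
 * which surfaces unsafe-inline usage by plugins/themes before enforcement.
 */
function example_csp_header_name( string $mode ): ?string {
    switch ( $mode ) {
        case 'report':
            return 'Content-Security-Policy-Report-Only';
        case 'enforce':
            return 'Content-Security-Policy';
        default:
            return null;
    }
}

// Step 1 from the post: opt-in, nothing changes until the option is set.
add_action( 'send_headers', function () {
    $mode = get_option( EXAMPLE_CSP_OPTION, 'off' );
    $name = example_csp_header_name( (string) $mode );
    if ( null === $name || headers_sent() ) {
        return; // off, or output already started (cannot add headers now)
    }
    header( $name . ': ' . EXAMPLE_CSP_POLICY );
} );

// Step 2 from the post: tell admins on the dashboard what is coming.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $mode = get_option( EXAMPLE_CSP_OPTION, 'off' );
    if ( 'report' === $mode ) {
        $msg = 'CSP is in report-only mode: check the browser console for '
             . 'violations before switching to enforce.';
        echo '<div class="notice notice-warning"><p>' . esc_html( $msg ) . '</p></div>';
    }
} );
```

Switch the option with WP-CLI (`wp option update example_csp_mode report`) or via `update_option()`, load a few front-end pages, and read the console: every "Refused to execute inline script" line is a plugin or theme that would break under the enforced policy, which is exactly the inventory a site owner needs before flipping to `enforce`.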