• I’ve just spent 2 days recovering a hacked WordPress site. WordPress makes up about 40% of the internet and is infamous for its security vulnerabilities. Why has CSP still not been added? CSP is a basic protection. I’ve implemented it on my own server through Apache, but plugins, themes, and maybe even WordPress itself use unsafe-inline JS everywhere. You need to push for plugin/theme developers to update their projects to be compliant with at least a very basic non-disruptive CSP policy like:

    default-src 'self' https: data:;

    Here’s what I suggest:

    1. Create an opt-in CSP option under Settings > General
    2. Warn users on the dashboard that this will become default in a later version
    3. Turn it on by default, with a configurable text box

    Please take this seriously and do not ignore it. I understand that you don’t want to break things, but things break when sites get hacked. It’s up to you to pass good security hygiene onto developers.
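The policy proposed in the post blocks exactly the patterns the poster complains about: inline `<script>` blocks, `onclick`-style handlers and `javascript:` URLs, plus any external script that is not same-origin or served over HTTPS. The following auditor, added here as an illustration and not taken from the forum thread or from WordPress, parses a CSP string and walks a page's HTML to list what the policy would refuse, which is the check a theme or plugin developer would run before shipping a CSP-compatible release. The sample HTML, the `https://blog.example.org` origin and the hostnames in it are constructed; host-sources are matched on hostname only, and nonces and hashes are not evaluated (both are simplifications of the real CSP algorithm).

```python
"""Report scripts in an HTML page that a Content-Security-Policy would block.

Added example (not code from the forum post or from WordPress). Assumptions:
host-sources match on hostname only (no port/path), nonces/hashes are ignored.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def parse_csp(policy):
    """Split "a b c; d e" into {"a": ["b", "c"], "d": ["e"]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def script_sources(directives):
    """script-src falls back to default-src; None means unrestricted."""
    return directives.get("script-src", directives.get("default-src"))


def allows_inline(directives):
    """Inline scripts and event handlers require 'unsafe-inline' here."""
    srcs = script_sources(directives)
    return srcs is None or "'unsafe-inline'" in srcs


def allows_url(directives, url, page_origin):
    """Check an external script URL against 'self', scheme- and host-sources."""
    srcs = script_sources(directives)
    if srcs is None:
        return True
    target = urlparse(urljoin(page_origin, url))  # resolve relative paths
    page = urlparse(page_origin)
    for src in srcs:
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.netloc) == (page.scheme, page.netloc):
                return True
        elif src.endswith(":") and "/" not in src:  # scheme-source, e.g. https:
            if target.scheme == src[:-1].lower():
                return True
        elif not src.startswith("'"):  # host-source, e.g. cdn.example.com, *.example.com
            host = src.split("://", 1)[-1].split("/", 1)[0].lower()
            if host.startswith("*.") and (target.hostname or "").endswith(host[1:]):
                return True
            if target.hostname == host:
                return True
    return False


class CspAuditor(HTMLParser):
    """Collect (line, reason) for every script the policy would block."""

    def __init__(self, directives, page_origin):
        super().__init__()
        self.directives, self.page_origin = directives, page_origin
        self.findings = []
        self._inline_line = None  # line of an open <script> without src

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        inline_ok = allows_inline(self.directives)
        for name, value in attrs:
            if not inline_ok and name.startswith("on"):
                self.findings.append((line, f"inline event handler {name}"))
            if (not inline_ok and name in ("href", "src", "action") and value
                    and value.strip().lower().startswith("javascript:")):
                self.findings.append((line, f"javascript: URL in {name}"))
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None:
                self._inline_line = line
            elif not allows_url(self.directives, src, self.page_origin):
                self.findings.append((line, f"external script from disallowed origin: {src}"))

    def handle_data(self, data):
        # Script bodies arrive here as raw text; report a non-empty body once.
        if self._inline_line is not None and data.strip():
            if not allows_inline(self.directives):
                self.findings.append((self._inline_line, "inline <script> block"))
            self._inline_line = None

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline_line = None


def audit(html, policy, page_origin):
    auditor = CspAuditor(parse_csp(policy), page_origin)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample: WordPress-style includes mixed with the inline patterns
# that break under a CSP lacking 'unsafe-inline'.
SAMPLE_HTML = (
    "<!doctype html>\n"
    "<html><head>\n"
    '<script src="/wp-includes/js/jquery/jquery.min.js"></script>\n'
    '<script src="https://cdn.example.com/widget.js"></script>\n'
    '<script>var ajaxurl = "/wp-admin/admin-ajax.php";</script>\n'
    "</head><body>\n"
    '<a href="javascript:void(0)" onclick="toggleMenu()">Menu</a>\n'
    '<script src="http://tracker.example.net/t.js"></script>\n'
    "</body></html>\n"
)
PROPOSED_POLICY = "default-src 'self' https: data:;"
PAGE_ORIGIN = "https://blog.example.org"  # constructed origin for 'self'

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_HTML, PROPOSED_POLICY, PAGE_ORIGIN):
        print(f"line {line}: {reason}")
```

Run against the sample, the proposed policy flags the inline `<script>` on line 5, the `javascript:` link and `onclick` handler on line 7, and the plain-HTTP tracker on line 8, while the same-origin jQuery include and the HTTPS CDN script pass. Adding `'unsafe-inline'` silences everything but the HTTP tracker, which is why the poster's "non-disruptive" policy still depends on developers removing inline JS rather than on site owners loosening the header.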

Viewing 1 replies (of 1 total)
  • The topic ‘Please add a sane default CSP’ is closed to new replies.