Title: WP Security Question
Last modified: August 20, 2016

---

# WP Security Question

 *  [subigya](https://wordpress.org/support/users/subigya/)
 * (@subigya)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/)
 * IT security keeps on asking me this question.
 * “
    Every time I do one of these scans I do some more reading and research about
   the issue and I’m still not completely convinced that WP is doing a good job 
   of handling their session cookies and that they may be vulnerable to session 
   hi-jacking.
 * ….if WP can be made to set the cookies as secure; and failing that, what damage
   could or couldn’t be done by hijacking the user’s cookies? Knowing the answer
   to these questions will help us decide how to proceed.”
 * An answer from the WP developer community would be ideal. Thank you.
 * We have security measures like blocked IP, forced SSL login/session, table name
   changes, version changes etc… but I don’t know much about the session cookies
   and security. I’ve directed them to what I’ve done – Hardening WordPress
   etc..

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Thread Starter [subigya](https://wordpress.org/support/users/subigya/)
 * (@subigya)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/#post-2392599)
 * I have SSL installed and activated. All works fine. What plugins are you talking
   about?
 * Apart from having SSL enabled and forcing SSL logins, what are other ways to 
   avoid cookie hijacking or even securing cookies completely?
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/#post-2392630)
 * In php.ini you’ll need to set the following:
 * session.cookie_httponly = 1
 * > Attackers will often exploit Cross Site Scripting (XSS) flaws in web applications
   > to inject JavaScript into pages, which could be used to steal session cookies.
   > By setting the php.ini directive: you restrict JavaScript from accessing your
   > cookies. This setting can effectively help to reduce identity theft through
   > XSS attacks (although it is not supported by all browsers).
 * session.cookie_secure = On
 * > session.cookie_secure specifies whether cookies should only be sent over secure
   > connections. Defaults to off. This setting was added in PHP 4.0.4. See also
   > session_get_cookie_params() and session_set_cookie_params().
 * session.referer_check = your_url.tld
 * > Where your_url.tld could be:
   > example.com
   > session.referer_check = example.com
 * > Another small security feature is allowing PHP to check HTTP referer values
   > 
   > so that session information is only passed internally while a user is viewing
   > an application. This prevents users from accidentally publishing session information
   > in a way that would allow external users to follow links and steal a session.
   > This is especially useful if session information is being passed in a URL that
   > could accidentally be published to a mailing list or web site.
 * You may also be interested in Session Fixation.
 * > This is where an attacker explicitly sets the session identifier of a session
   > for a user. Typically in PHP it’s done by giving them a url like
   > http://www.example.com/index…?session_name=sessionid. Once the attacker gives the url to the client, the
   > attack is the same as a session hijacking attack.
   > There are a few ways to prevent session fixation (do all of them):
   >  * Set session.use_trans_sid = 0 in your php.ini file. This will tell PHP not
   > to include the identifier in the URL, and not to read the URL for identifiers.
   > Defaults to 0 (disabled).
   >  * Set session.use_only_cookies = 1 in your php.ini file. This will tell PHP
   > to never use URLs with session identifiers. Defaults to 1 (enabled) since PHP
   > 5.3.0.
 * session.use_trans_sid = 0
    session.use_only_cookies = 1
 * **NOTE** These are not just WordPress specific, but can be applied to
   other web apps written in PHP.
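One way to verify that the `cookie_secure` / `cookie_httponly` settings above are actually taking effect, and that no session id is being carried in URLs (the `use_trans_sid` / `use_only_cookies` case): audit the `Set-Cookie` headers the site returns. This is an added example, not code from the thread; the header lines below are constructed sample input, and the cookie names are only illustrative.

```python
import re

# Constructed sample response headers (not captured from any real site):
# one hardened cookie, one with no flags at all, one with only Secure.
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly; Secure",
    "Set-Cookie: wordpress_test_cookie=WP+Cookie+check; path=/",
    "Set-Cookie: wp-settings-time-1=1471651200; expires=Fri, 18 Aug 2017 00:00:00 GMT; path=/; Secure",
]


def parse_set_cookie(header):
    """Return (cookie_name, {attribute_lower: value_or_True}) for one Set-Cookie line."""
    body = header.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure / HttpOnly
    return name, attrs


def audit_cookies(headers):
    """Map each cookie name to the list of protections it is missing.

    'Secure' corresponds to session.cookie_secure = On (cookie only sent over TLS);
    'HttpOnly' corresponds to session.cookie_httponly = 1 (not readable by script).
    """
    findings = {}
    for header in headers:
        if not header.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(header)
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")
        if "httponly" not in attrs:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


def session_id_in_url(url, session_name="PHPSESSID"):
    """True if the session id travels in the query string, which the
    use_trans_sid = 0 / use_only_cookies = 1 settings are meant to prevent."""
    return re.search(r"[?&]" + re.escape(session_name) + r"=", url) is not None
```

Run `audit_cookies()` over the headers of a real login response and any cookie listed with missing flags is one the php.ini settings above are not covering.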
 *  Thread Starter [subigya](https://wordpress.org/support/users/subigya/)
 * (@subigya)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/#post-2392653)
 * Thank you [@woocommerce](https://wordpress.org/support/users/woocommerce/) and
   [@mickeyroush](https://wordpress.org/support/users/mickeyroush/) for your help.
   [@mickeyroush](https://wordpress.org/support/users/mickeyroush/), but we’re talking
   WP specific security here.
 * How does WP handle cookies when SSL is forced?
 * Are they vulnerable to session hi-jacking even when SSL is forced ?
 *  [MickeyRoush](https://wordpress.org/support/users/mickeyroush/)
 * (@mickeyroush)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/#post-2392681)
 * > [@mickeyroush](https://wordpress.org/support/users/mickeyroush/), but we’re
   > talking WP specific security here.
 * I assumed that’s what you were implying. Thus my response.
 *  Thread Starter [subigya](https://wordpress.org/support/users/subigya/)
 * (@subigya)
 * [14 years, 6 months ago](https://wordpress.org/support/topic/wp-security-question/#post-2392737)
 * Great @MickeyRoush. I’ll see what my admins have in place and work on strengthening
   session security as you’ve directed. Thanks. Let me know if there’s more info
   out there.
 *  Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * (@jdembowski)
 * Forum Moderator and Brute Squad
 * [7 years, 5 months ago](https://wordpress.org/support/topic/wp-security-question/#post-10941154)
 * [@mayank908](https://wordpress.org/support/users/mayank908/) Do not report topics
   unless they’re spam or abuse.

The topic ‘WP Security Question’ is closed to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 6 replies
 * 3 participants
 * Last reply from: [Jan Dembowski](https://wordpress.org/support/users/jdembowski/)
 * Last activity: [7 years, 5 months ago](https://wordpress.org/support/topic/wp-security-question/#post-10941154)
 * Status: not resolved
