How to resolve these findings from security audit

by Rajneesh Rana   Last Updated October 12, 2018 05:08 AM

I am working on a corporate project and they are running a security audit by consultants, and they found the following issues regarding WordPress. I managed to get a lot of issues resolved using headers in .htaccess, but some seem to be part of the WordPress core and I am not sure how to proceed with them.

  • Try using a secure method to prevent session hijacking attacks. The session ID should change/be refreshed every time a user logs in and logs out.
  • Login credentials should be encrypted at code level.
  • Whenever a URL manipulation is done at the user end, it should automatically redirect to an application-developed error page.
  • Upgrade to the latest version of jQuery (3.3.1). (WP uses 1.12.4 and it is secure, but is it possible to upgrade without breaking the admin and other features relying on jQuery?)
  • Anti-forgery tokens (also known as request verification tokens) must be utilised.

Is there any way to fix these issues without making changes to core files, and is there any document on hardening such things in WordPress for high-security environments?



Answers 1


Try using a secure method to prevent session hijacking attacks. The session ID should change/be refreshed every time a user logs in and logs out.

WordPress doesn't use PHP sessions, and doesn't have a static session ID. You must be using a plugin or theme that does.

Login credentials should be encrypted at code level.

WordPress' login credentials are encrypted. If you're using some sort of custom system then that's something its author will need to address.

Whenever a URL manipulation is done at the user end, it should automatically redirect to an application-developed error page.

WordPress does redirect to a standard 404 page.

Upgrade to the latest version of jQuery (3.3.1). (WP uses 1.12.4 and it is secure, but is it possible to upgrade without breaking the admin and other features relying on jQuery?)

It probably will break stuff. Don't make any attempt to replace WordPress' jQuery.

Honestly, those first three issues sound like problems introduced by third-party code you've developed or included (alongside WordPress, or in themes/plugins), and not issues with WordPress itself.

Jacob Peattie
October 12, 2018 05:01 AM
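The two findings that fall on plugin/theme code rather than on core, anti-forgery tokens and session-ID rotation, in concrete form. This is an added example and is not part of the original question or answer, nor WordPress project code. It uses real WordPress APIs (wp_nonce_field, check_admin_referer, current_user_can, add_options_page, the admin_post_{action}, wp_login and wp_logout hooks); the audit_example_ function names, option key, page slug and action name are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Audit Hardening Example
 * Description: Added example (not from the original post). Drop into wp-content/mu-plugins/.
 *
 * All names prefixed audit_example_ are assumptions for this example;
 * the WordPress functions and hooks called are real core APIs.
 */

// ---- 1. Anti-forgery (nonce) tokens on a custom settings form ----------------

// Register a Settings > Audit Example page whose form carries a nonce.
add_action( 'admin_menu', function () {
    add_options_page( 'Audit Example', 'Audit Example', 'manage_options',
        'audit-example', 'audit_example_render_form' );
} );

function audit_example_render_form() {
    $value = get_option( 'audit_example_setting', '' );
    echo '<div class="wrap"><h1>Audit Example</h1>';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    // Emits hidden fields _wpnonce and _wp_http_referer bound to the action name.
    wp_nonce_field( 'audit_example_save', '_wpnonce' );
    echo '<input type="hidden" name="action" value="audit_example_save">';
    echo '<input type="text" name="audit_example_setting" value="' . esc_attr( $value ) . '">';
    submit_button( 'Save' );
    echo '</form></div>';
}

// admin_post_{action} runs only for logged-in users. The nonce is tied to the
// current user, the action name and a 12-24 hour window, so a forged cross-site
// POST cannot carry a valid one.
function audit_example_handle_save() {
    // Calls wp_verify_nonce() and aborts with a "link has expired" page on failure.
    check_admin_referer( 'audit_example_save', '_wpnonce' );

    // A valid nonce proves intent, not authorization: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    $raw = isset( $_POST['audit_example_setting'] ) ? wp_unslash( $_POST['audit_example_setting'] ) : '';
    update_option( 'audit_example_setting', sanitize_text_field( $raw ) );

    // wp_safe_redirect() refuses off-site targets, unlike a raw header() call.
    wp_safe_redirect( admin_url( 'options-general.php?page=audit-example&updated=1' ) );
    exit;
}
add_action( 'admin_post_audit_example_save', 'audit_example_handle_save' );

// ---- 2. Session-ID rotation for plugins that start PHP sessions --------------
// Core authenticates with signed cookies and never calls session_start(); these
// hooks only matter when some plugin or theme has opened a PHP session.

function audit_example_rotate_session() {
    if ( session_status() === PHP_SESSION_ACTIVE ) {
        // New ID, old one deleted: an ID captured before login is now worthless.
        session_regenerate_id( true );
    }
}
add_action( 'wp_login', 'audit_example_rotate_session' );

function audit_example_destroy_session() {
    if ( session_status() === PHP_SESSION_ACTIVE ) {
        $_SESSION = array();
        session_destroy();
    }
}
add_action( 'wp_logout', 'audit_example_destroy_session' );
```

For AJAX handlers the equivalent of check_admin_referer() is check_ajax_referer( 'audit_example_save', 'security' ), and REST routes expect the nonce in the X-WP-Nonce header. Core's own login already issues a fresh session token (WP_Session_Tokens, WordPress 4.0 and later) on each login and destroys it on logout, which is why the answer above points the session finding at plugin or theme code; the wp_login/wp_logout hooks here cover exactly that third-party case.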
