What is Cross-site Scripting?

Cross-site Scripting, also referred to as “XSS”, are are the most common attacks on the web where malicious scripts are injected into a website. These malicious scripts could be injected into normally trusted websites via a number of different methods. Because the browser expects the script to be part of the trusted website, it is hard to identify as a malicious script. Once a malicious script has been injected into a WordPress website, the attacker can perform all kinds of attacks:

  • The information on your website in may be changed in the users browser. For example, the attacker could change the bank account number displayed on your site
  • Your websites visitors could be show advertisements or redirected to different  websites (often gambling, porn or crypto scam related)
  • Your website visitors browsers could be used to mine crypto currencies or make them participating in attacks on other websites
  • The attacker could steal sensitive user information from your website
  • The attacker could steal authentication cookies, hijack the user’s session and take over the account

Cross-site scripting attacks and WordPress

The cause of Cross-site Scripting vulnerabilities in your website is almost always due to insecure code in WordPress or installed plugins & themes. No longer supported versions of WordPress, plugins & themes and nulled / pirated plugins & themes are a high risk. But even WordPress and many plugins & themes developed by experienced and trusted developers have had known vulnerabilities in the past. A good developer will usually fix a known vulnerability fast, mostly before it is even known to the public.

Thus, the most important thing you can do to protect against Cross-site scripting is to keep your WordPress version and all plugins & themes up-to-date.  There will be times when there are unfixed vulnerabilities in WordPress, plugins & themes though. In this case many Cross-site Scripting attacks can still be prevented by setting a good Content Security Policy for your site.


Lightweight plugin, Heavyweight Security features. Get Pro and leverage your SSL certificate for WordPress security standards.