Log out
Get PRO

WordCamp Europe

Porto 2022

Really Simple Plugins’ Rogier Lankhorst presented the most overlooked Security Features for WordPress at WordCamp Europe in Porto. Although protecting your website’s back-end is no less important. Protecting your website visitors from malicious attacks and data breaches should be a number 1 priority. You will find our presentation and a quick walkthrough of Really Simple SSL Pro’s most important features below.

Play Video
Rogier Lankhorst

Rogier Lankhorst

Presenter & Co-Owner Really Simple Plugins

Ask a Question

The Short Walkthrough on Security Headers

Protect your Website Visitors
with Really Simple SSL Pro

1

A website visitor is hijacked trying to access your website.

2

The hacker serves a look-a-like website with the purpose to steal e.g. personal data.

HSTS & HSTS Preload

Leveraging your SSL certificate with HSTS is a staple for every website. Force your website over SSL, mitigating risks of malicious counterfeit websites in your name.

Why you need HSTS

  • Prevents stealing login credentials on the front-end
  • Prevents manipulation of data originating from or send to your website
  • Removes unnecessary redirects

X-Frame-Options

Loading another HTML document to your webpage can have its benefits but also opens an array of misuses. Even if you’re not using the iFrame element, you still need to control the options for others.

Why you need X-Frame Options

  • Protecting against Cross Site Request Forgery (CSRF) attacks
  • Clickjacking is mitigated to prevent e.g. Ad Fraud etc.
1

The website visitor expects to enter their payment information or personal data on website A, which seems secure.

2

Website B, controlled by a malicious party, loads an 'invisible' iFrame/Layer in the website to pose as the correct form to enter.

2

The website visitor expects to view an image file, but is downloading a script (Bomb) file.

1

The server does not define the scripts that are allowed for the browser to render a website.

X-Content-Type-Options

Everybody knows about emails that contain malicious malware when you click on a link, but this also happens on websites and pop-ups.

Why you need X-Content-Type-Options

  • Protects against downloads of malware, spyware and other executables.
  • Refrains code from being uploaded or executed that are executed directly and manipulates the website's content without the user knowning.

Referrer Policy

Referrers are websites that send website visitors to your website. Your website can be a referrer to other websites as well. An example can be an affiliate link or a Google Ad campaign.

Why you need a Referrer Policy

  • Another example is personal data in parameters. If a user clicks on an external link when these parameters are present. Your website, including all parameters will show up as referrer.
  • The above example can be misused when login credentials are included in the URL (which is a very common occurence). This will be then available in a third party's statistics tool like Google Analytics
  • For privacy concerns, this also leads to issues with usernames, full-name and region etc.
1

You're logged in to Facebook, and in the URL your login credentials are present. You stumble upon an advert from Amazon and you click it!

2

You visit the Amazon product page, and an Amazon marketeer finds your credentials in their Analytics tool. 

2

Making use of browser settings that might allow browser features, all browser data, even from a camera is collected by a third party. 

1

You visit a webshop to browse the latest sneakers. Suddenly, your webcam turns on. What's happening?

Permission Policy

Browser features are plentiful, but most are not needed on your website. But they might be misused if you don’t actively tell the browser to disable these features.

Why you need a Permissions Policy

  • Use reporting mode to see which features your website needs. Block every feature that is not relevant.
  • Blocks third parties to misuse data collected by microphone, camera or GEO Location for example.

Cross Origin Isolation

One of the most powerful features, and therefore the most complex are the Cross-Origin headers that can isolate your website so any data leaks are minimized.

Why you need Cross Origin Isolation

  • Cross-Origin enables advanced features that are currently disabled, due to known, but not yet overcome vulnerabilities, like 'Spectre'
  • Isolate information exchange between other websites. Fully control in- and outbound of data
  • This header is live, but still in development due to its complexity. Only recommended for advanced users.
2

During the visit, and during the payment, Google's API request is blocked and no data is shared, 'isolating' your website.

1

A PayPal pop-up shows up on top of the Amazon website, used to collect payment information and process the order.

2

The website visitor expects to view an image file, but is downloading a script (Bomb) file.

1

The server does not define the scripts that are allowed for the browser to render a website.

Content Security Policy

The content security policy has many options, so we always recommend starting in ‘report-mode’ to see what’s going on your website, and which files and scripts are loaded. By then, you know what should stay and what is unnecessary or can be misused.

Why you need a Content Security Policy

  • Decide which files from third parties are safe to include
  • Prevent loading of 'unknown' files & scripts and therefore mitigate risks of manipulating your website and tricking visitors.
  • Exclude files from loading when the server communicates with the browser

"Protecting your website visitors from mailicious attacks and data breaches should be your #1 priority"

Improve security with Really Simple SSL Pro

Buy Now

Join our mailing list - 6 Tips & Tricks in your inbox over the next days!

Plugins

© Really Simple Plugins
CoC 70461155
Kalmarweg 14-5
9723 JG, Groningen (NL)

Wordpress Linkedin Github

Get Started

About

Popular articles

Really Simple Plugins