We may think we know WordPress security. But we can’t underestimate the task at hand. It seems that surprises lurk around every corner.
Consider a recent report from the security firm We Watch Your Website, for example. The report claims that 60% of hacked WordPress sites stem from stolen session cookies. I sure didn’t see that one coming.
We know about using strong passwords and setting file permissions. We understand the importance of updating our WordPress installs. We may even use a security plugin or two.
However, even the most security-conscious among us can miss things. That one oversight can lead to a hacked website. And that’s despite taking a bevy of security measures.
Stolen session cookies weren’t on the radar. So, what can we do to prevent this from happening? The author of this report has some advice.
How to Prevent Stolen Session Cookies
Thomas J. Raef is the author of “The Real Attack Vector Responsible for 60% of Hacked WordPress Sites in 2023.” His report demonstrates the threat of stolen session cookies in great detail. And a recent appearance on the WP Tavern Jukebox podcast shed more light on the subject.
But what about remedies? How do we stop these attacks from impacting our websites? I asked Raef for some preventative tips. The answer is as simple as logging out.
Our interview was lightly edited for clarity and brevity.
How do session cookies get stolen?
Thomas J. Raef: If it’s not WordPress, they’re frequently stolen via cross-site scripting. However, WordPress uses the HttpOnly option in the headers. So, that prevents cookie theft in WordPress via XSS.
The main way is by info stealers. If you Google the term, you’ll see it’s almost as popular as ransomware. Some ransomware hackers are starting to use info stealers more for their infections. Info stealers are designed to evade detection from most anti-malware programs. Some are dedicated to evading detection on Windows, others on Macs.
They typically steal everything possible in about 10 seconds. Some ask, why would they bother stealing WordPress session cookies if they’re also stealing bank logins, etc. But look at the cybercriminal industry. What do they need for the majority of their attacks? Oh, a legitimate website to infect unsuspecting visitors.
They steal the session cookies because it totally bypasses 2FA (Two-Factor Authentication), MFA, etc., because the user is still authenticated, as long as the cookie hasn’t expired.
How can we secure our devices against this type of threat?
TJR: The easiest way is to remember to log out. That’s it! When you log out you expire the cookie. If you just close your browser window, it leaves the cookie active. So, if it’s stolen, it can be used by anyone.
One simple prevention is using SolidWP (Solid Security). Their Trusted Devices feature uses the IP address to generate the session cookie. If it’s stolen, it can’t be used anywhere other than where it was originally created. Those two things are the best way to prevent session cookies from being used against your sites.
Are there any changes the WordPress project could take to increase the security of session cookies?
TJR: Possibly. If there was a procedure that checked for inactivity after 30 minutes, and then automatically logged out the user, that might help. But I believe that would involve JavaScript and that’s getting too complicated. They already include the HttpOnly option, so they’re doing a lot to prevent this from being even bigger.
Do you have any other advice for web designers managing WordPress sites?
TJR: Make sure that everyone with admin access to your site is also focused on sanitary procedures for all local devices. We’re seeing more and more sites being infected due to malware on the local device of an admin. It can steal usernames, passwords, and session cookies.
2FA can stop the usage of username and password, but not session cookies. Tell all devs to log out! It’s quite simple and 100% effective.
One thing we’re starting to see more of is hackers attacking from the local device. Not stealing session cookies or anything else, just piggybacking on a legitimate admin session.
We see the legit IP address of an admin, and they’re doing their work and then suddenly from the same IP address at the same time, the legit admin is working – BAM! – a bogus plugin is installed from the same IP address!
The hackers have control over the local device and they’re attacking from that device. This supports the fact that you MUST be concerned about the health and well-being of your local devices.
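The two remedies Raef describes above, a 30-minute inactivity logout and tying a session to the address that created it, plus a shorter absolute cookie lifetime, can be prototyped as a small must-use plugin. This is an added example written for this page; it is not code from the article, from Raef, or from SolidWP’s Trusted Devices feature. It relies only on WordPress’s public session API (WP_Session_Tokens, wp_get_session_token(), the auth_cookie_expiration, attach_session_information and determine_current_user filters). The constants, the sh_ prefix and the session keys bound_ip and last_activity are this example’s own assumptions.

```php
<?php
/**
 * Plugin Name: Session Hardening (illustrative example, not the page's code)
 *
 * Drop into wp-content/mu-plugins/ to activate. The names below are this
 * example's own; nothing here is SolidWP's or Raef's implementation.
 */

define( 'SH_IDLE_TIMEOUT', 30 * MINUTE_IN_SECONDS ); // inactivity limit (Raef's 30 minutes)
define( 'SH_MAX_LIFETIME', 12 * HOUR_IN_SECONDS );   // absolute lifetime, down from WP's 2 days
define( 'SH_BIND_TO_IP', true );                     // reject a token replayed from another address

// Address PHP sees for this request. Behind a reverse proxy this is the proxy,
// so IP binding is only meaningful if the real client address reaches PHP.
function sh_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '';
}

// 1. Shorten the server-side session lifetime. Core applies this filter in
//    wp_set_auth_cookie(); the default is 2 days (14 with "Remember Me").
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    return min( (int) $expiration, SH_MAX_LIFETIME );
}, 10, 3 );

// 2. Record the creating address and an activity stamp in the session record
//    that WP_Session_Tokens keeps in usermeta. The cookie carries only the
//    token; the server-side record is what logout destroys.
add_filter( 'attach_session_information', function ( array $session, $user_id ) {
    $session['bound_ip']      = sh_client_ip();
    $session['last_activity'] = time();
    return $session;
}, 10, 2 );

// 3. After core has validated the cookie (priorities 10 and 20), re-check the
//    session record and destroy it if it is idle too long or used from elsewhere.
add_filter( 'determine_current_user', function ( $user_id ) {
    if ( ! $user_id ) {
        return $user_id;
    }
    $token = wp_get_session_token();
    if ( '' === $token ) {
        return $user_id;
    }
    $manager = WP_Session_Tokens::get_instance( (int) $user_id );
    $session = $manager->get( $token );
    if ( null === $session ) {
        return $user_id; // no record: core has already rejected this cookie
    }

    $now      = time();
    $last     = (int) ( $session['last_activity'] ?? $session['login'] ?? $now );
    $idle_for = $now - $last;
    $ip_moved = SH_BIND_TO_IP
        && isset( $session['bound_ip'] )
        && $session['bound_ip'] !== sh_client_ip();

    if ( $idle_for > SH_IDLE_TIMEOUT || $ip_moved ) {
        // Same effect as wp_logout(): the token is gone from usermeta, so any
        // copy of the cookie, stolen or not, fails wp_validate_auth_cookie().
        $manager->destroy( $token );
        wp_clear_auth_cookie();
        return 0; // treat this request as anonymous
    }

    // Touch the record at most once a minute to avoid a usermeta write per hit.
    if ( $idle_for > MINUTE_IN_SECONDS ) {
        $session['last_activity'] = $now;
        $manager->update( $token, $session );
    }
    return $user_id;
}, 30 );
```

The mechanism this leans on is the same one that makes Raef’s “just log out” advice work: WordPress stores a hash of each session token in the user’s `session_tokens` usermeta, and wp_logout() removes that record, so a stolen cookie that still looks valid to the browser is rejected on its next request. Note also that without “Remember Me” the cookie itself is a browser session cookie but the server-side record lives for two days by default, which is why closing the browser does not help. Two caveats: if the site sits behind a CDN or reverse proxy, REMOTE_ADDR is the proxy and `SH_BIND_TO_IP` becomes useless (or, if you trust a forwarded header, spoofable); and mobile users on carrier NAT change addresses often, so IP binding trades some legitimate logouts for protection against replay from the attacker’s machine. The idle timeout does not have that problem and needs no JavaScript, since it is evaluated server-side on each authenticated request.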
Your Device Is Also a Factor in Website Security
A compromised computer or mobile device can directly compromise your website. On the surface this makes sense, yet it rarely gets much attention.
Website security usually means a focus on the site itself. We attempt to filter out malicious traffic. And we employ various methods to prevent direct attacks.
It’s past time to look at our devices as well. You know, the systems we use to log into our websites. Good security should start there.
An info stealer can do untold damage in mere seconds. We won’t know the consequences until it’s too late. Let’s do something about it.
Follow best practices to secure your device – and encourage your clients and colleagues to do the same. A few simple steps could prevent a catastrophe.
And to follow Raef’s advice: be sure to log out of your website! Logging out destroys the session record on the server, so a stolen copy of the cookie no longer validates and can’t do any harm.
Many thanks to Thomas J. Raef for chatting with us! Check out more of his security advice at We Watch Your Website.
Here’s Why You Should Always Log Out of WordPress (Medianic)