Are Our Sites At Risk Of XSS Attacks?


Yes, I know that look...

You are thinking... Stanley, what the heck is this XSS thing you are talking about?

I was reading an article about XSS or Cross-Site Scripting and that the number of XSS hacking attacks on WordPress sites has increased in 2019.

So, I naturally thought about our WordPress websites at WA.

What Is XSS?

Cross-Site Scripting (XSS) is an injection attack. An attacker uses a web application to deliver a malicious script, usually a browser-side script, to a different end user.

Flaws that allow this are widespread: the attack can occur anywhere a web application takes input from a user and uses it in the output it generates without validating or encoding it.

The following describes a possible scenario:

  • The attacker uses XSS to send a malicious script to an unsuspecting user
  • The end user’s browser has no way to know that the script should not be trusted
  • It executes the script because it thinks the script came from a trusted source (the malicious script can then access any cookies, session tokens or other sensitive information the browser retains and uses with that site)
  • The script can inject itself into, or rewrite the content of, the HTML page
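As an added example that is not from this post or from any WordPress plug-in, here is a small JavaScript review renderer that shows the flaw described above (user input reused in the output without encoding) next to a hardened version that validates the rating and encodes the review text before it reaches the page. The review data and helper names are constructed for the example.

```javascript
// Added example: a tiny review widget that renders stored reviews into HTML.
// renderReviewUnsafe() reuses user input verbatim in its output, which is the
// flaw the post describes; renderReviewSafe() validates and encodes it.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Structured fields get validation: only whole-number star ratings from 1 to 5.
function validateRating(rating) {
  const n = Number(rating);
  if (!Number.isInteger(n) || n < 1 || n > 5) {
    throw new Error("invalid rating");
  }
  return n;
}

// Vulnerable: stored review text and rating are placed straight into the markup,
// so a review containing a <script> tag becomes executable code in every visitor's browser.
function renderReviewUnsafe(review) {
  return `<div class="review" data-stars="${review.rating}">` +
         `<p>${review.text}</p></div>`;
}

// Hardened: validate the rating, HTML-encode the free text, never concatenate raw input.
function renderReviewSafe(review) {
  const stars = validateRating(review.rating);
  return `<div class="review" data-stars="${stars}">` +
         `<p>${escapeHtml(review.text)}</p></div>`;
}

// Constructed sample review (not real data) containing a script tag in the text field.
const SAMPLE_REVIEW = {
  rating: 5,
  text: "Great site! <script>alert(1)</script>",
};
```

The encoded output still displays the reviewer's text exactly as typed; it simply can no longer be interpreted as markup.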

Can You Trust Your Plug-in?

A plug-in called "Rich Reviews", used on about 16,000 sites, is exposed to the risk of stored XSS attacks.

Rich Reviews is a plug-in that enables a simple way to collect user reviews and star ratings, to improve SEO. Websites let visitors review specific products, categories or the entire website.

According to Wordfence, these attacks are already happening and sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver malware payloads.

Attackers are currently abusing this exploit chain to inject malvertising code into target websites.

Now you know where all those unwanted pop-up ads come from...

What Should You Do?

We just want to run our business... let Site Support worry about that.

Yes, I am sure the technical guys at WA are already working on security but we have a role in prevention.

  • Make sure your computer and browser are clean, because you access your website most
  • Make sure your plug-ins can be trusted; Google them and check before using
  • Check your website using your browser's incognito mode to see if there is any unexpected behavior
  • Site Support is available should you get attacked

Prevention is best but we never know what will happen in this connected world.

Lastly, back-up habits may save a lot of the work you have put in. You can practice the generational approach: grandfather, father and son.

  • Grandfather back-up - Monthly
  • Father back-up - Weekly
  • Son back-up - Daily

You can also change it to your own frequency of updates, such as weekly/bi-weekly/monthly. The idea is that you can roll back three generations of back-ups, because the malicious code may be in a back-up as well.

Now that your website is a business to you, you have to protect your asset.

"To Be Prepared Is Half The Victory"

- Miguel de Cervantes


Recent Comments


It's great that we have such a fantastic team at site support that help keep our websites safe. But, like you said, prevention is best. I like to back up my sites after every change I make. This includes before updating plugins. One never knows what an update might bring. Jim

Great practice, Jim. Got to do our part too.

hey hi Stanley --- very helpful research and findings by you .... would you happen to know about DNS hijacking? .... just came across this past days and haven't had a chance to do anything with it ... if you have the time and inclination -- would you do a post on it, if you think it might be helpful for the community ....

thanks tons .... :)

Yes, I do. Let me look into that...

ok -- wonderful! ... kindly let me know when you're posting ... :)

Thank you Stanley for all this information...I'm not tech minded at all. So I do hope and trust that site support has it covered but I do try to check that I am as secure as possible but admit I wouldn't always recognise the signs of hacking.
I will be more vigilant in future and now I intend to do more research and learning in this area.

Louise

Yes, support is always there. Just something we all need to live with. Cheers.

The good, the bad and the ugly...

Yes, indeed.

Thank you for sharing this news...

You are welcome. Cheers!
