wp-admin Β» What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks

What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks

Cross-Site Request Forgery (CSRF) is an attack that forces logged-in users to submit a request to a WordPress website where they are currently authenticated. CSRF attacks exploit the trust a WordPress website has in an authenticated user.

wp csrf example 1024x431 - What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks

CSRF attacks are aimed at your WordPress website users to make them do various actions on your website:

  • Submit or delete information from the database
  • Purchase a product or submit a transaction
  • Change user email address or password
  • Send message to the user or other visitors

CSRF attacks are linked with phishing: on social media or via phishing emails

Phishing emails, iframes, or fake social media ads are sent to your website users that contain malicious links. This tricks the user into clicking a URL that contains a maliciously crafted, unauthorized request for your WordPress website.


🔴 CVE-2019-9787 is CSRF vulnerability in WordPress prior to version 5.1.1 that can lead to Remote Code Execution by authenticated users.

/wp-includes/comment.php file is used to create comments on WordPress, so a logged-in user that clicks such a link with additional parameters will unknowingly post a comment on your website.

As a security measure to prevent this from happening, WordPress uses “nonces” that are validating if the user is active on the website, if its not, the comment is sanitized – stripped from any code.

image 6 - What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks
/wp-includes/comment.php

The fact that users can unknowingly add HTML code to your website can be further exploited to launch XSS or Remote Code Execution attacks when the administrator views the comment, for example, hovers the comment (that has an iframe with onmouseover event handler) from the frontend which is not protected by the X-Frame-Options header by WordPress itself.


For an attacker to carry out a successful CSRF attack, the following is needed:

See also  What is ℹ️ Data breach (information disclosure) and How to prevent WordPress information disclosure
user is logged inThe attack will only be successful if the user is in an active session with the vulnerable WordPress website.
right URLA valid URL to the vulnerable script is needed that has a state-changing effect on the target application.
right valuesAn attacker has to find the right values for the URL parameters.

WordPress CSRF attacks happen due to vulnerabilities in WordPress core, plugins or theme, so the best way for any WordPress website owner to protect from CSRF attacks is to regularly update software.

For WordPress theme/plugin developers the recommended method to prevent CSRF exploits is to use WordPress nonces (Number used ONCE).


Regular updates ensure that all code is part of a secure development lifecycle (SDLC). Meaning that if there are known vulnerabilities inside earlier versions, they are fixed in newer versions and your website is safe from attacks that exploit those vulnerabilities.

When a new version of a plugin or theme is available, an alert bubble is displayed in your WordPress Admin Menu and the corresponding theme or plugin is highlighted on Themes and Plugins Screens.

helphub updates bubbles - What is 🔀💻 Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks

Since WordPress 5.5, automatic updates are available and you can enable/disable auto-updates on a plugin-by-plugin and theme-by-theme basis.

helphub update theme enable - What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks
helphub update plugins enable 1 1024x368 - What is πŸ”€πŸ’» Cross-Site Request Forgery (CSRF) and How to prevent WordPress CSRF attacks

By default, WordPress runs auto-updates twice per day and sends email notifications when updates happen.


The recommended method is to include a WordPress nonce in your forms, then verify the nonce every time you process the POST request.

at the beginning of the form:

<form id="test-form" method="POST">
    <input name="form_nonce" type="hidden" value="<?=wp_create_nonce('test-nonce')?>" />
    ....

then check the nonce on POST requests:

if (isset($_POST['form_nonce']) && wp_verify_nonce($_POST['form_nonce'],'test-nonce') && isset($_POST['new_email']) && is_user_logged_in()) {

Note: nonces (Number used ONCE) have a limited lifetime but are not used only once, meaning that if an attacker gets the user nonce he can still bypass this check until the nonce is regenerated.

Was this post helpful?

Leave a Comment

I enjoy constructive responses and professional comments to my posts, and invite anyone to comment or link to my site.

Recommended