« Back to Glossary Index

XSS, Cross-Site Scripting, is a common security vulnerability where an attacker injects malicious JavaScript code into a webpage, which then runs directly in other visitors' browsers when they load that page. It's one of the more common attack vectors against WordPress sites.

  • An attacker finds a way to inject malicious script into a page — often through an unprotected comment field or form input
  • That injected script gets stored, or reflected directly back, within the page's own content
  • Other visitors' browsers then unknowingly execute that malicious script when the page loads
  • The script can steal cookies, hijack a session, or redirect a visitor entirely elsewhere
  • Stored XSS — the malicious script is permanently saved on the actual server (e.g., in a comment)
  • Reflected XSS — the malicious script is embedded directly in a URL, and executes when that specific link is clicked
  • Keep WordPress core, themes, and plugins consistently updated
  • Use a security plugin with genuine XSS protection built in — Wordfence, for instance
  • Properly sanitize and validate any user input accepted on the site
  • Implement a Content Security Policy (CSP) to help restrict which scripts are allowed to run
« Back to Index
Share This