This page explains how to set a Content-Security-Policy (CSP) header in WordPress so that externally loaded JavaScript cannot run without authorization.

What is Content-Security-Policy?

Content-Security-Policy is an HTTP response header sent with the page data that specifies the conditions under which JavaScript, fonts, iframes, and other resources may be loaded or executed.

The browser reads this specification and loads or executes external JavaScript and other resources only as the policy allows, so it acts as a bulwark that keeps users from running JavaScript served by a malware-infected site.

If WordPress sends appropriate Content-Security-Policy values, malicious JavaScript can be stopped from running on the page even when the site has been infected with malware or compromised through a vulnerability, which minimizes the damage to users.

In this article, we explain how to configure Content-Security-Policy so that scripts loaded from unauthorized external sources are not executed.

How to embed Content-Security-Policy in the WordPress header

The code below outputs the Content-Security-Policy JavaScript execution settings in the WordPress response header. It takes effect when placed in your theme’s functions.php or a similar file.

function my_add_security_headers($headers) {
    // Allow scripts only from this site's own origin.
    $headers['Content-Security-Policy'] = "script-src 'self';";
    return $headers;
}
add_filter('wp_headers', 'my_add_security_headers', 1, 1);

The 'wp_headers' filter lets you add Content-Security-Policy to the headers WordPress sends with the page.

"script-src 'self';" is the strictest setting: it allows only .js files served from the site’s own domain (origin) to load.

With this setting, the JavaScript that many sites depend on will be blocked, which can break site display and functionality, so the setting can be relaxed where necessary.
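As an added example (not the article’s own code), the following version of the filter builds the script-src value from an allowlist array and sends it as Content-Security-Policy-Report-Only until you opt in to enforcement, so any host you forgot shows up as a violation in the browser console before anything is actually blocked. The function names and the MY_CSP_ENFORCE constant are assumptions for this example, not part of WordPress; the hosts in the array are the ones named later in this article.

```php
<?php
// Added example, not the article's code. Builds the script-src policy from an
// allowlist and deploys it in report-only mode first. Function names and the
// MY_CSP_ENFORCE constant are invented for this example.

// Hosts named in the article; add your own affiliate/analytics hosts here.
function my_csp_script_sources() {
    return array(
        "'self'",
        '*.googletagmanager.com',
        '*.google-analytics.com',
        '*.googlesyndication.com',
        '*.gstatic.com',
        '*.google.com',
        'wordpress.com',
        '*.wp.com',
    );
}

// Assemble the directive. 'unsafe-inline' and 'unsafe-eval' are opt-in because
// each one weakens the protection: only enable them if the site needs them.
function my_csp_build_policy(array $sources, $allow_inline = false, $allow_eval = false) {
    $parts = $sources;
    if ($allow_inline) {
        $parts[] = "'unsafe-inline'";
    }
    if ($allow_eval) {
        $parts[] = "'unsafe-eval'";
    }
    return 'script-src ' . implode(' ', $parts) . ';';
}

function my_csp_headers($headers) {
    $policy = my_csp_build_policy(my_csp_script_sources(), true, true);

    // Report-Only: the browser logs violations but blocks nothing, so you can
    // discover missing hosts safely. Define MY_CSP_ENFORCE as true in
    // wp-config.php once the console is clean to switch to the enforcing header.
    $enforce = defined('MY_CSP_ENFORCE') && MY_CSP_ENFORCE;
    $header  = $enforce ? 'Content-Security-Policy' : 'Content-Security-Policy-Report-Only';

    $headers[$header] = $policy;
    return $headers;
}
add_filter('wp_headers', 'my_csp_headers', 1, 1);
```

Usage: drop the block into functions.php, browse the site with the developer console open, add every host that appears in a "Refused to load the script" message to my_csp_script_sources(), and only then define MY_CSP_ENFORCE.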

script-src 'self' 'unsafe-inline' 'unsafe-eval';

also allows inline JavaScript and eval-style functions.

script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.google-analytics.com *.googlesyndication.com *.gstatic.com *.google.com wordpress.com *.wp.com;

also allows Google Tag Manager, Google Analytics, other Google ads, and Jetpack-related wordpress.com JavaScript to be embedded.

In most cases, this setting causes no problems with the JavaScript-related parts of the site once Content-Security-Policy is applied.

(The * is a wildcard: any subdomain of the listed domain matches the condition.)

If you use other external affiliate or access-analysis scripts

In this case, add the domain of the site that serves that external JavaScript to the end of the script-src setting in Content-Security-Policy.

Example: *.example.com

script-src 'self' 'unsafe-inline' 'unsafe-eval' *.googletagmanager.com *.google-analytics.com *.googlesyndication.com *.gstatic.com *.google.com wordpress.com *.wp.com *.example.com;
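To check how the browser will read such a list before you deploy it, here is an added example (not from the article) that evaluates whether a given script URL is permitted by a script-src source list. It implements the three kinds of source the article uses: an exact host, a *.host wildcard, and 'self'. It also shows the detail that trips people up most often: *.google.com matches www.google.com but not google.com itself, so a script on the bare domain needs its own entry. The matching is simplified (port and path are ignored, and a host source without a scheme is accepted for both http and https); the function name, the site origin, and the sample URLs are assumptions constructed for this example.

```php
<?php
// Added example, not the article's code. Decides whether a script URL would be
// permitted by a script-src source list using the CSP host-source rules that
// matter here: exact host, *.host wildcard (subdomains only, never the bare
// domain) and 'self' (the site's own scheme and host). Simplified: port and
// path matching are ignored.

function my_csp_script_allowed($script_url, array $sources, $site_origin) {
    $u = parse_url($script_url);
    if ($u === false || empty($u['host'])) {
        return false; // relative URLs are resolved by the page itself; not an external source
    }
    $host   = strtolower($u['host']);
    $scheme = isset($u['scheme']) ? strtolower($u['scheme']) : '';
    $site   = parse_url($site_origin);

    foreach ($sources as $src) {
        $src = strtolower(trim($src));
        if ($src === "'self'") {
            if ($scheme === strtolower($site['scheme']) && $host === strtolower($site['host'])) {
                return true;
            }
            continue;
        }
        if ($src === '' || $src[0] === "'") {
            continue; // 'unsafe-inline', 'unsafe-eval', nonces and hashes are not host sources
        }
        if (substr($src, 0, 2) === '*.') {
            $suffix = substr($src, 1); // '*.google.com' -> '.google.com'
            if (strlen($host) > strlen($suffix) && substr($host, -strlen($suffix)) === $suffix) {
                return true;
            }
            continue; // the bare domain (google.com) is NOT covered by *.google.com
        }
        if ($host === $src) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: the article's source list and an assumed site origin.
$sources = array("'self'", "'unsafe-inline'", '*.googletagmanager.com', '*.google-analytics.com',
                 '*.googlesyndication.com', '*.gstatic.com', '*.google.com', 'wordpress.com', '*.wp.com');
$site_origin = 'https://example.com';

// Constructed script URLs with the result the policy should produce.
$checks = array(
    'https://example.com/wp-includes/js/jquery/jquery.min.js' => true,  // 'self'
    'https://www.googletagmanager.com/gtm.js'                  => true,  // wildcard subdomain
    'https://stats.wp.com/w.js'                                => true,  // wildcard subdomain
    'https://wordpress.com/remote-login.php'                   => true,  // exact host
    'https://google.com/recaptcha.js'                          => false, // apex is not matched by *.google.com
    'https://cdn.unlisted.example/tracker.js'                  => false, // not in the allowlist
);

foreach ($checks as $url => $expected) {
    $allowed = my_csp_script_allowed($url, $sources, $site_origin);
    printf("%-60s %s%s\n", $url, $allowed ? 'allowed' : 'blocked',
           $allowed === $expected ? '' : '  <-- unexpected');
}
```

Run it with the PHP CLI; every line should print without an "unexpected" marker. If a host you rely on prints "blocked", that is the entry to add at the end of script-src, as described above.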

Prevent your site from being infected with malware or exploited through vulnerabilities

Content-Security-Policy is only a bulwark on the user’s side; on the operational side it is just as important to prevent malware infection, to remove the malware if the site does get infected, and to keep vulnerabilities from arising on the site.

We also recommend using security plug-ins that provide malware scanning and removal, vulnerability scanning, and security-hardening functions.
Free WordPress: Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]
