Content Security Policy and how to set it up in WordPress.


Content Security PolicyWhat is Content Security Policy (CSP)?

A Content Security Policy (CSP) is a set of rules that tells the browser whether or not Javascript, Iframes, and other elements contained in a page can be executed or embedded for security reasons.
The browser follows the CSP and executes the code on the page, so if there are illegal Javascripts or Iframes embedded in the page, it will block them according to the CSP. This may help to reduce the damage to the user if the site is tampered with.

The following items can be set by CSP.

The domain from which JAVASCRIPT and CSS are loaded and allowed to be loaded.
The domain from which frames (Iframes) are allowed to be loaded.
The domain from which images, videos, and font files are allowed to be loaded and the domains from which they are allowed to be loaded.

Do I need to set up a content security policy?

If set too strictly or misconfigured, content security policies can inhibit hacker activity as well as the loading of external advertisements and the execution of code on pages delivered via CDN, which can have a negative impact on site operation.
This technology is still new, so there is no need to rush into setting it up.

However, if you have a corporate site and want to prevent users from being redirected to execute malicious scripts due to cross-site scripting or hacker tampering, you may want to configure this setting.

How to set up a content security policy on your WordPress site

CSP can be configured with the Content Security Policy Manager plugin.

After installing the plugin, activate it and go to Settings > CSP Manager
and go to Settings > CSP Manager (CSP settings in the display section of the site) to activate it and configure each item.

Check the Enable checkbox for each item here, and enter the setting values in the text area below.

The setting items are as follows. The setting items must be enclosed in single quotation marks.

'self' → Allow only your domain
'none' → Allow none
'unsafe-inline' → Allow inline script execution
'unsafe-eval' → Allow script eval functions

If there is more than one, use line breaks to line up the above settings.

The meaning of each item is explained in detail below.
Content Security Policy (CSP) Directive Summary

Free WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].

Related Posts:

  1. Vulnerability in tagDiv Composer plugin bundled with WordPress Newspaper theme allows database rewriting
    A vulnerability in tagDiv Composer, a plugin included with the WordPress Newspaper theme, has been discovered that allows the database to be rewritten....
  2. 5 characteristics of malware files that infect WordPress
    Here are some characteristics of malware files that can infect WordPress. If such a file is found on the server, it is most likely malware....
  3. What to do when a WordPress site displays a red screen saying “This site may cause damage to your computer.
    This section explains how site operators can deal with a red screen on a WordPress site that says “This site may cause damage to your computer....
  4. 10 files in which malformed JAVASCRIPT code is embedded when WordPress is tampered with.
    This section describes a file in which redirect hack code is often embedded, which causes a WordPress-created site to jump to another site when accessed (redirect)....
  5. WordPress malware Redirect to fake login page
    Recently, there have been an increasing number of cases of malware that direct users to a new type of fake login page. We will explain this malware....
  6. What is the most common vulnerability cross-site scripting in WordPress?
    The most common vulnerability in WordPress is called Cross Site Scripting (XSS). We would like to explain about this vulnerability....