This section explains how to exclude the WordPress admin screen from the site's CSP settings.

How to deal with the WordPress admin screen breaking or malfunctioning under CSP (Content Security Policy).
CSP (Content Security Policy) specifies which resources, such as JavaScript and CSS, a website's pages are allowed to load into the browser. It prevents unauthorized scripts from being loaded in the browsers of users visiting the site, and is a mechanism for mitigating cross-site scripting.
However, if CSP is set too strictly, it often causes problems such as a broken WordPress administration screen layout or partially disabled functions. If the CSP is too lax, on the other hand, security is weakened.
For this reason, it is best to treat the WordPress administration screen separately from the public part of the site: this keeps a high level of security for visitors while reducing the chance of problems in the administration screen.
Apply the CSP settings only to the public part of the site and exclude the administration screen.
1 When CSP is output with add_action
For example, suppose you are outputting the CSP header with the following code:
add_action('send_headers', function () {
    header(
        "Content-Security-Policy: default-src 'self';"
    );
});
To exclude the WordPress admin screen, add an if statement so that the CSP header is sent only for the public part of the site.
↓ Modified example
add_action('send_headers', function () {
    if (is_admin()) {
        return; // WordPress admin screen: do nothing and return without sending the CSP header.
    }
    header(
        "Content-Security-Policy: default-src 'self';"
    );
});
2 If you are outputting CSP with htaccess
If you are using .htaccess, use SetEnvIf to exclude the admin screen from the CSP:
<IfModule mod_setenvif.c>
    SetEnvIf Request_URI "wp-admin" no_csp
</IfModule>
<IfModule mod_headers.c>
    Header set Content-Security-Policy "default-src 'self'" env=!no_csp
</IfModule>
The second line makes Apache set the environment variable no_csp when the request URI contains wp-admin.
The env=!no_csp at the end of the Header line then makes Apache send the CSP header only when the environment variable no_csp is not set.
* SetEnvIf appears to work on Xserver and Sakura, but it may not work on some servers. In that case, it may be better to use the add_action method to exclude the admin screen from the CSP settings. Note, however, that the add_action method may not work correctly in combination with cache plugins. Please keep this in mind.
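The following is an added example, not part of the original page: a small Python model of the decision the .htaccess rules above make, so you can check which request paths will and will not receive the CSP header before deploying. SetEnvIf matches its pattern anywhere in Request_URI (the path, without the query string), so the pattern "wp-admin" as written on the page also matches a public post whose slug contains "wp-admin"; the anchored pattern ^/wp-admin/ is a suggested tighter variant and is not from the page.

```python
import re

# Model of the two .htaccess directives (added example, not the page's code):
#   SetEnvIf Request_URI "wp-admin" no_csp            -> regex search on the path
#   Header set Content-Security-Policy "..." env=!no_csp -> send only if unset

PAGE_PATTERN = r"wp-admin"          # pattern exactly as written on the page
ANCHORED_PATTERN = r"^/wp-admin/"   # suggested tighter variant (assumption)


def no_csp_is_set(request_uri: str, pattern: str = PAGE_PATTERN) -> bool:
    """SetEnvIf sets the variable when the regex matches anywhere in Request_URI."""
    return re.search(pattern, request_uri) is not None


def csp_header_sent(request_uri: str, pattern: str = PAGE_PATTERN) -> bool:
    """'Header ... env=!no_csp' emits the header only when no_csp is NOT set."""
    return not no_csp_is_set(request_uri, pattern)


def compare(uris, patterns=(PAGE_PATTERN, ANCHORED_PATTERN)):
    """Return {uri: {pattern: header_sent}} so both patterns can be compared."""
    return {uri: {p: csp_header_sent(uri, p) for p in patterns} for uri in uris}


if __name__ == "__main__":
    # Constructed sample request paths (not taken from the page).
    sample = [
        "/",
        "/wp-admin/",
        "/wp-admin/post.php",
        "/2021/05/wp-admin-tips/",   # public post whose slug contains "wp-admin"
        "/wp-login.php",             # not excluded by either pattern
    ]
    for uri, result in compare(sample).items():
        print(f"{uri:28} page pattern sends CSP: {result[PAGE_PATTERN]!s:5} "
              f"anchored sends CSP: {result[ANCHORED_PATTERN]}")
```

Running it shows that, with the page's pattern, the public post path above is silently left without a CSP header, while the anchored pattern keeps it protected and still excludes everything under /wp-admin/.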
CSP settings that exclude the administration screen, as described above, can be configured easily with the security plugin we have developed.
Please use it if you wish.
Free WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal]