Secure Cookies

Enforcing Secure Cookies in WordPress

Enforcing all cookies are set as secure adds a layer of protection against cross-site scripting (XSS) attacks and is an easy measure to protect your website. By ensuring that cookies are only sent over HTTPS connections, you significantly reduce the risk of sensitive information being intercepted by attackers.

Secure Cookies - Enable or disable

Why Secure Cookies Matter

Secure cookies ensure that cookies are only sent over secure, encrypted connections. This prevents attackers from stealing session cookies or other sensitive data via man-in-the-middle (MITM) attacks. When you set the secure flag on a cookie, it tells the browser to only send that cookie over HTTPS, not HTTP.

Implementing Secure Cookies in WordPress

To implement secure cookies in WordPress, you need to modify your wp-config.php file. This configuration file is essential for your WordPress installation, as it contains your database settings and other critical configuration options.

Add the following lines to your wp-config.php file:

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);
@ini_set('session.use_only_cookies', true);
  • @ini_set('session.cookie_httponly', true); – This setting ensures that cookies are accessible only through the HTTP protocol, making them inaccessible via JavaScript. This mitigates the risk of XSS attacks.
  • @ini_set('session.cookie_secure', true); – This setting forces cookies to be sent only over HTTPS connections, enhancing security by encrypting data in transit.
  • @ini_set('session.use_only_cookies', true); – This setting ensures that only cookies are used for session management, eliminating the use of URL-based session identifiers which can be more easily intercepted.

Testing Your Configuration

After making these changes, it’s important to test your configuration to ensure everything is working correctly:

  1. Clear Browser Cache: Clear your browser’s cache and cookies to ensure you’re testing with the latest settings.
  2. Inspect Cookies: Use browser developer tools to inspect the cookies set by your site. Ensure that the Secure and HttpOnly flags are set on your cookies.
  3. Security Scans: Run security scans using tools like WP Security Ninja or online services like Qualys SSL Labs to verify that your site is properly configured and secure.

By taking these steps, you can significantly enhance the security of your WordPress site, protecting it from various threats and ensuring a safe experience for your users.

Was this helpful?

Previous Article

Security Headers