How do I resolve these cookie and checkbox issues on the wordpress login page?
-
Hi everyone,
I was wondering if anyone can help us with a step-by-step breakdown on how to resolve these issues (our website is http://nscarchaeologyunit.wordpress.com)…
A security website scanned it and found the following issues: https://drive.google.com/folderview?id=0B6VMb51VVWTVTFFDdEM2ak5nNUU&usp=sharing
Autocomplete enabled for sensitive HTML form fields – Severe severity – Instances: 1
I think this is when the checkbox in the login window is automatically ticked. Can I switch this off from a user perspective?
Click Jacking – Severe severity – Instances: 66
I think I managed to resolve ClickJacking by disabling the RSS feed side bar, but is it enough?
Missing HttpOnly Flag from Cookie – Severe severity – Instances: 1
This is a cookie issue with the log-in page…how do I fix it?
Missing Secure Flag from SSL Cookie – Severe severity – Instances: 1
This is a cookie issue with the log-in page…how do I fix it?
I’ve enabled two-factor authentication in the meantime.
Many thanks for the help in advance.
–Shu
-
Hi there,
Autocomplete enabled for sensitive HTML form fields – Severe severity – Instances: 1
I think this is when the checkbox in the login window is automatically ticked. Can I switch this off from a user perspective?
The autocomplete issue is citing the wp-admin login page. Many browsers offer users the ability to save their username and passwords and this is only a security threat for your site if you choose to save that information and your machine becomes vulnerable to attack. To protect against such threats we advocate the use of two-factor authentication (which you’ve mentioned enabling) and password managers. We advise you not to save your password with a browser autocomplete feature.
http://en.support.wordpress.com/selecting-a-strong-password/
Explicitly eliminating that autocomplete availability cannot be turned off.
Click Jacking – Severe severity – Instances: 66
I think I managed to resolve ClickJacking by disabling the RSS feed side bar, but is it enough?
The reason that RSS feeds are vulnerable to click-jacking is because RSS feeds are designed to be easily fed into other applications’ frameworks.
X-Frame-Options is one popular option for protecting a site from click-jacking using a method called ‘frame breaking.’ Your security tool is sending up an error for every instance X-Frame-Options isn’t used. Adding a protocol like X-Frame-Options is not conducive to the core functionality of RSS feeds.
X-Frame-Options is in place across much of WordPress.com’s functionality, but not in RSS feeds.
Missing HttpOnly Flag from Cookie – Severe severity – Instances: 1
This is a cookie issue with the log-in page…how do I fix it?
Missing Secure Flag from SSL Cookie – Severe severity – Instances: 1
This is a cookie issue with the log-in page…how do I fix it?
Our internal documentation is showing that cookie to be marked secure, but let me run this by a developer just to double check why this test says otherwise.
Since you have two-factor authentication enabled and HTTPS required to navigate admin pages enabled, you’ll be fine for the time being.
Best,
-Alex G.
-
Hi again,
I had a developer take a look and they’ve pointed out that your Cookie-related errors are flagging the “wordpress_test_cookie”, not the actual login cookies.
That particular cookie is only used to test if cookies are enabled and contains no identifying or secret info. Marking it httponly or secure would not be necessary.
The cookies that are used for login are secured and httponly.
Best,
-Alex G.
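The distinction Alex draws above, that a scanner's "missing HttpOnly/Secure" finding only matters when the cookie actually carries session or identifying data, is easy to check for yourself. The following is an added example, not code from the thread or from WordPress.com: it parses Set-Cookie header values the way a scanner sees them and reports which cookies are missing flags and whether that matters. The header lines are constructed; only the name wordpress_test_cookie comes from the thread, and example_session is a hypothetical session cookie, not WordPress's real login cookie name.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not code from WordPress.com or the thread; the header lines
below are constructed to mirror the situation the thread describes.
"""
from dataclasses import dataclass, field

# Constructed sample: raw Set-Cookie header values as a scanner would see them
# on a login page. Only wordpress_test_cookie is taken from the thread; the
# other cookie name is a hypothetical session cookie, not WordPress's real name.
SAMPLE_SET_COOKIE_HEADERS = [
    "wordpress_test_cookie=WP+Cookie+check; path=/",
    "example_session=0123456789abcdef; path=/; Secure; HttpOnly",
]

# Cookies whose value carries no session or identifying data; missing flags on
# these are not a risk (the thread's point about wordpress_test_cookie).
NON_SENSITIVE_COOKIES = {"wordpress_test_cookie"}


@dataclass
class Cookie:
    name: str
    value: str
    attributes: dict = field(default_factory=dict)

    @property
    def http_only(self) -> bool:
        return "httponly" in self.attributes

    @property
    def secure(self) -> bool:
        return "secure" in self.attributes


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are case-insensitive per RFC 6265, so they are lowercased;
    flag attributes (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() or None
    return Cookie(name.strip(), value, attributes)


def audit_cookies(headers) -> list:
    """Return one finding per cookie: (name, missing_flags, matters).

    missing_flags lists absent flags; matters is False when the cookie is known
    to carry nothing secret, so a scanner's 'Severe' rating is a false positive.
    """
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        missing = []
        if not cookie.http_only:
            missing.append("HttpOnly")
        if not cookie.secure:
            missing.append("Secure")
        matters = bool(missing) and cookie.name not in NON_SENSITIVE_COOKIES
        findings.append((cookie.name, missing, matters))
    return findings


if __name__ == "__main__":
    for name, missing, matters in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        status = "needs fixing" if matters else "ok"
        print(f"{name}: missing {missing or 'nothing'} -> {status}")
```

Run against real traffic, you would feed in the Set-Cookie values captured from the login response; the allowlist of non-sensitive cookie names is the part to maintain, since any cookie that ends up holding a session token must carry both flags.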
-
Dear Alex,
Thanks for your help! I’ll forward this on to our IT department, hopefully they’ll think that sufficiently addresses their concerns.
Best regards,
Shu
-
Dear Alex,
Is it possible to remove / close this support page since it has been resolved?
Thanks.
–Shu
-
Dear Alex,
Sorry–IT just got back to me and said that there were no X-frame options found in any page of nscarchaeologyunit, even after RSS has been disabled. Is it possible to set it so that X-frame options or a frame breaking script is used to mitigate clickjacking somehow? I don’t have access to the server as it’s on the wordpress.com account.
Thanks!
–Shu
-
Hi Shu,
X-frame-options are built into the core WordPress software since version 3.1.3. The x-frame-options are implemented in the administration areas as this is the clickjacking that actually puts your website at risk.
Implementing further x-frame-options would indeed require access to all files of your site, which we cannot provide here on WordPress.com. If you feel you need more control over your site, I would recommend moving to a self-hosted site using the WordPress.org software.
We have instructions on how to export your content and import it to a self-hosted installation of WordPress here:
http://en.support.wordpress.com/moving-a-blog/#moving-to-wordpress-org
Best,
-Alex G.
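Alex's two replies on clickjacking turn on a simple rule: a page is protected only if the response carries X-Frame-Options (or the newer CSP frame-ancestors directive) and the value excludes the embedding origin. The following is an added example, not code from the thread or from WordPress; it implements the browser-side decision for DENY, SAMEORIGIN and frame-ancestors (CSP takes precedence when both are present) and then lists which of a set of responses a third-party origin could frame. The sample responses are constructed: the hostname is from the thread, but the header values are assumed, not captured from the real site, and third-party.example is a placeholder embedding origin. Host-source matching is simplified to exact origins, and the deprecated ALLOW-FROM value is treated as no protection.

```python
"""Decide whether a response may be rendered inside a frame by a given origin.

Added example, not code from WordPress or WordPress.com. It implements the
browser-side rules for X-Frame-Options (DENY, SAMEORIGIN) and the CSP
frame-ancestors directive, which takes precedence when both are present.
"""
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def _csp_frame_ancestors(csp: str):
    """Extract the frame-ancestors source list from a CSP header, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def can_be_framed(headers: dict, page_url: str, framing_origin: str) -> bool:
    """Return True if framing_origin may embed page_url, given response headers.

    headers maps response header names (case-insensitive) to values.
    Source matching is simplified to exact origins; wildcards and scheme-less
    hosts from the CSP spec are not handled here.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    page_origin = _origin(page_url)
    embedder = _origin(framing_origin)

    # CSP frame-ancestors wins over X-Frame-Options when both are set.
    csp = lowered.get("content-security-policy")
    if csp is not None:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            if "none" in ancestors:
                return False
            if "self" in ancestors and embedder == page_origin:
                return True
            return embedder in ancestors

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page_origin
    # Absent, unrecognised or deprecated (ALLOW-FROM) value: any site may frame
    # the page, which is exactly what the scanner in the thread reports.
    return True


# Constructed samples mirroring the thread: an admin page that sends the
# header and a feed URL that does not. The hostname is from the thread; the
# header values are assumed, not captured from the real site.
SAMPLE_RESPONSES = {
    "https://nscarchaeologyunit.wordpress.com/wp-admin/": {"X-Frame-Options": "SAMEORIGIN"},
    "https://nscarchaeologyunit.wordpress.com/feed/": {},
}


def unprotected_pages(responses: dict) -> list:
    """List URLs that a third-party origin (placeholder) could frame."""
    return [url for url, hdrs in responses.items()
            if can_be_framed(hdrs, url, "https://third-party.example")]


if __name__ == "__main__":
    for url in unprotected_pages(SAMPLE_RESPONSES):
        print(f"frameable by other origins: {url}")
```

This also shows why an IT scan can still report "no X-Frame-Options" after the RSS widget is removed: the check is per response, so any public URL that omits the header counts, whatever the admin pages send.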