Content Security Policy (CSP) is a computer security standard introduced to prevent cross-site scripting (XSS), clickjacking and other code injection attacks resulting from execution of malicious content in the trusted web page context.
Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications.
XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.
A cross-site scripting vulnerability may be used by attackers to bypass access controls like the same-origin policy.
Looking at the National Vulnerability Database run by US NIST, more than 900 vulnerabilities (as of March 2024) are reported as XSS in WordPress plugins and themes.
Keeping your site up to date with the latest versions of plugins and themes is the first line of defense for your site's security.
The second is to deploy a strict Content Security Policy, one that does not rely on 'unsafe-inline' to let page scripts run.
Automatic installation
- Go to the Plugins admin panel and select the Add New option.
- Type No unsafe-inline in the search box.
- Locate this plugin in the results and select Install.
- Activate the plugin from the WordPress admin panel.
Manual installation of ZIP file
- Download the .ZIP file from this screen.
- Select the Add Plugin option from the admin panel.
- Select the Upload option at the top and choose the file you downloaded.
- Confirm installation and activation of the plugin from the administration panel.
Manual FTP installation
- Download the .ZIP file from this screen and unzip it.
- Connect via FTP to your folder on the web server.
- Copy the whole no-unsafe-inline folder to the /wp-content/plugins/ directory.
- Activate the plugin from the WordPress admin panel.