Prevent WordPress XSS

I’ll show you how to prevent and fix the WordPress XSS (cross site scripting) vulnerability that seems to make the news a few times a year.

There’s a free plugin for this and I’m seeing someone else sell a plugin for $17 that does this exact same thing. It’s better to not have more plugins running than you need to, so if you can follow a few, simple steps, you’ll be better protected and save some money.

Method #1: Free WordPress Plugin

Here’s a free plugin (Prevent XSS Vulnerability) that does what I explain below and it seems to do a few more things as well:

Prevent XSS Vulnerability plugin

Method #2: Make the Edits Manually (No Plugin Required)

There’s a file in your website hosting called:


It sits in the root (at the beginning) of your hosting, which is the main folder. It’s often called one of the following:

  • public_html
  • www
  • httpsdocs
  • (your domain name)

You can use an FTP program to look at your site’s files, or in the control panel or cPanel, there’s a File Manager usually in the “Files” group:

cPanel File Manager

Once you’re in there, click once on the “.htaccess” file and then click the Edit link at the top:

Edit the .htaccess file

You may see a popup window appear, just click the “Edit” button at the bottom.

The next screen might look like gibberish to you but just pretend it’s a regular document. What you need to do is copy a few lines below and then paste them into the file. It doesn’t matter too much where but a good place is usually at the end. Just hit enter/return to create a new line and then paste this text (code) there (7 lines):

# Extra Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set referrer-policy: no-referrer-when-downgrade

new code in place

Save the file and you’re just about done.

Before closing down the editor window you’re in, open a new tab in your browser and check that your website is working fine. Go to a few pages and make sure you’re not seeing an error screen. If you do see an error screen, then either you did something wrong (remove that code and start over) or this code doesn’t work for your server.

And as long as you’re editing this file, why not make WordPress faster?

More Notes

Here are some good security tips:

  • Keep the core WordPress software, all plugins, and themes up to date.
  • Install a security plugin to help monitor for issues.
  • Install WordFence to detect issues and even block countries that don’t need to see your website.
  • Make sure you have backups running where you can always get to a backup from the night before if needed. Before doing upgrade/updates, make sure you take a backup of the files and the database.
  • If you have been hacked, make sure you change all passwords (all admin passwords and the database password) and then scan the website for hacks. You can then clean them up. You could also try restoring from backup.

My website company develops, hosts, and maintains lots of websites. We really never see websites that are up to date get hacked. It rarely happens. Make sure you do that. If you’re very far behind on updates, you may run into trouble. We have a Website Care service where we do this for you weekly.


Please enter your comment!
Please enter your name here