Cross-Site Request Forgery (known as CSRF or XSRF) is one of the most severe hacks faced by WordPress websites. This hack takes place because of vulnerabilities present in WordPress plugins installed on the site.

Here, hackers trick website users into carrying out malicious actions that are harmful to both the website owner and the user. CSRF attacks can have devastating repercussions for both parties and need to be prevented from the get-go!

Using CSRF, a hacker can gain full control of your website and use it to run any kind of malicious activity they want. They could redirect your visitors to other malicious sites or dupe them into downloading malware. They can also go to the extent of stealing funds from you and your customers!

If you’re a victim of this hack or wish to prevent it, we’ve got you covered. In this article, we’ll show you how to fix a CSRF attack and how to prevent it.

What Is a CSRF Attack (Cross-Site Request Forgery)?

The CSRF WordPress attack is slightly complicated to understand but we’re going to break it down as much as we can.

On a website that has user subscriptions, members, or logins, each user has privileged access into their own account on the site. For example, an Amazon account, Gmail account or even an online banking account.

Such a website gives its users login credentials – usernames and passwords. This is done to authenticate the user. So, when a user wants to log in, they enter the username and password to verify themselves. This way, the website can establish trust with the user and their browser.

WordPress form login

In a CSRF attack, a hacker tricks this authenticated user into performing malicious actions.

1. Understanding ‘Cross Site’

To explain how this happens, let’s use an example. Say, the user has logged in to Site A and has left it open on a tab in the browser. (Remember that this Site A is logged into – it’s important.)

Now, let’s assume the hacker has the user’s email address. They send an email to the user about incredible discounts that are going to expire in the next few hours. The user is duped into clicking on the link in the email. This opens up a website called Site B (which is run by the hacker).

On Site B, they are required to fill out a form or enter their email address to claim the discount. The user clicks on a seemingly normal button to ‘submit’ the form.

Contact form

But behind the scenes of this ‘submit’ button on Site B, a hacker has inserted their malicious scripts.

Now remember Site A that’s open on another tab. This script sends a request to Site A and runs malicious actions on it. This is why it is known as ‘cross-site’.

2. Understanding Request

The hackers script sends a request from Site B to Site A on behalf of the user. The unwanted malicious action could be anything from changing admin passwords to even transferring funds out of bank accounts!

3. Understanding ‘Forgery’

Lastly, because the hacker uses the authentication of the user to fool Site A, it’s a ‘forgery’. Thus the name ‘Cross-site Request Forgery’.

In a nutshell, the hacker makes Site A think that their malicious instruction is a legitimate request sent from the authenticated user. But how is it possible for Site B to send a request to Site A? We’ll go deeper into how this happens in the next section.