Enhance WordPress Security by Expiring Session Cookies Automatically

If your WordPress site has ever been hacked, the cause is often stolen login information stored in a cookie. Fortunately, there is an effective way to reduce this risk and enhance WordPress security.

Understanding the Risk

According to YourWebsite.com, around 60% of WordPress sites hacked in 2023 were due to stolen cookie sessions, not plugin or theme vulnerabilities. When you log into your WordPress website, a cookie is created on your computer, keeping you logged in across pages. If a hacker gains access to this cookie, they can access your site without needing a password or having to log in.

By default, these cookies expire after two days. However, if you check the “Remember Me” option during login, the cookie’s lifespan extends to two weeks. Hackers can steal these cookies through various methods, including cross-site scripting (XSS) or phishing attacks.

Mitigating the Risk and Enhancing WordPress Security

One simple way to protect your site is to log out after each session. This invalidates the session cookie, so even if it’s stolen, it becomes useless. However, remembering to log out every time can be inconvenient. High-security systems often automate this process by expiring cookies or logging users out after a period of inactivity.

Weighing the pros and cons, you must decide whether you can handle logging in again after inactivity or risk your site being hacked for the convenience of staying logged in.

Automating Cookie Expiration

To help you enhance your WordPress site’s security, I’ve created a function that automatically expires your session cookie after a defined period of inactivity. Here’s how it works:

Step-by-Step Implementation

  1. Create a Filter Hook

   First, hook a callback to the auth_cookie_expiration filter:

   // Override the lifetime WordPress gives the authentication cookie.
   add_filter('auth_cookie_expiration', 'custom_cookie_expiration', 10, 3);

   function custom_cookie_expiration($expire, $user_id, $remember) {
       return 300; // Set to 5 minutes (300 seconds)
   }

This function ensures that cookies expire after 5 minutes, regardless of the “Remember Me” setting.

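  2. Add an Action to the Init Hook

   Next, add an action to the init hook:

   add_action('init', 'reset_auth_cookie');

   function reset_auth_cookie() {
       // Skip AJAX requests such as the heartbeat.
       if (defined('DOING_AJAX') && DOING_AJAX) return;
       // Skip the login page shown right after logging out.
       if (isset($_GET['loggedout']) && $_GET['loggedout'] == 'true') return;

       if (is_user_logged_in()) {
           // Reissue the cookie with a fresh 5-minute expiration. $secure is
           // left at its default so WordPress sets the Secure flag on HTTPS
           // sites; passing false would issue a non-secure cookie.
           wp_set_auth_cookie(get_current_user_id(), false);
       }
   }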

This function prevents resetting the cookie during WordPress heartbeat actions (like auto-saving drafts) and ensures that cookies are only reset for logged-in users, extending their expiration by an additional 5 minutes.
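To confirm the two hooks took effect, check the expiration that WordPress embeds in the cookie value itself (username|expiration|token|hmac), since that is what the server enforces. The Python check below is an added example, not part of the original post or its repository; the function names are my own, and the sample headers (site hash, tokens, HMACs, clock) are constructed.

```python
import re
from urllib.parse import unquote

# Auth cookie names WordPress sets: wordpress_<md5>, wordpress_sec_<md5>,
# wordpress_logged_in_<md5>. The value is username|expiration|token|hmac.
AUTH_NAME = re.compile(r"^wordpress_(sec_|logged_in_)?[0-9a-f]{32}$")
MAX_LIFETIME = 300  # seconds, matching custom_cookie_expiration() above

def audit_set_cookie(header_value, now, https=True):
    """Audit one Set-Cookie value; return None if it is not an auth cookie."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, raw = parts[0].partition("=")
    if not AUTH_NAME.match(name):
        return None
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    fields = unquote(raw).split("|")
    if len(fields) != 4 or not fields[1].isdigit():
        return {"name": name, "lifetime": None, "problems": ["unparseable value"]}
    # The server enforces the expiration embedded in the value, not the
    # browser-side Expires attribute, so that is the number to check.
    lifetime = int(fields[1]) - now
    problems = []
    if lifetime > MAX_LIFETIME:
        problems.append("lifetime exceeds limit")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if https and "secure" not in attrs:
        problems.append("missing Secure")
    return {"name": name, "lifetime": lifetime, "problems": problems}

# Constructed sample data: fixed clock, made-up site hash, token and HMAC.
NOW = 1_700_000_000
SITE = "0123456789abcdef0123456789abcdef"
SAMPLE_HEADERS = [
    f"wordpress_sec_{SITE}=admin%7C{NOW + 300}%7CtokenA%7Cabc123; path=/wp-admin; secure; HttpOnly",
    f"wordpress_logged_in_{SITE}=admin%7C{NOW + 14 * 86400}%7CtokenB%7Cdef456; path=/; HttpOnly",
    "wordpress_test_cookie=WP%20Cookie%20check; path=/; secure",
]

def audit_all(headers, now):
    """Return findings for every auth cookie in a list of Set-Cookie values."""
    return [r for r in (audit_set_cookie(h, now) for h in headers) if r]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_HEADERS, NOW):
        print(finding)
```

In the samples, the first cookie passes, while the second still carries the two-week "Remember Me" lifetime and lacks the Secure flag, which is what a site without the filter, or with `$secure` forced to false, would send.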

Benefits and Performance

The impact on performance is minimal because the conditional checks prevent unnecessary processing. These checks also prevent users from getting stuck in a loop of continuously resetting their authentication cookie.

Conclusion

With this setup, if you stop using your site for more than 5 minutes, you’ll be logged out automatically. This greatly reduces the risk of having a dormant cookie on your computer stolen by a hacker, thus enhancing your WordPress site’s security.

Feel free to use this function in your projects. You can find the complete code in my GitHub repository.

By implementing these changes, you can significantly reduce the risk of your WordPress site being compromised due to stolen session cookies. Stay secure and happy developing!

