What is CSRF?
Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to perform unwanted actions on a web application. Unlike XSS, which exploits user trust in a site, CSRF exploits a site's trust in the user's browser.
If a WordPress administrator visits a malicious page while logged in, a CSRF attack could silently create a new admin account, change site settings, install a plugin, or delete content — all without the admin's knowledge.
How CSRF Attacks Work
The Attack Flow
- The victim logs into their WordPress site (creating an authenticated session)
- The victim visits a malicious page (via email link, forum post, or compromised site)
- The malicious page contains a hidden form or JavaScript that sends a request to the WordPress site
- The browser automatically includes the victim's session cookies with the request
- WordPress processes the request as if the admin made it intentionally
Example: Creating an Admin Account via CSRF
<!-- Malicious page hosted on attacker's server -->
<form action="https://target-site.com/wp-admin/user-new.php" method="POST" id="csrf-form">
<input type="hidden" name="user_login" value="hacker" />
<input type="hidden" name="email" value="hacker@evil.com" />
<input type="hidden" name="pass1" value="SuperSecureP@ss" />
<input type="hidden" name="role" value="administrator" />
<input type="hidden" name="createuser" value="1" />
</form>
<script>document.getElementById('csrf-form').submit();</script>
If the WordPress site doesn't properly verify nonces, this request will succeed because the browser sends the admin's session cookie.
Common CSRF Targets in WordPress
- Plugin settings pages — Changing plugin configurations without nonce checks
- User management — Creating, deleting, or modifying user roles
- Content management — Publishing, deleting, or modifying posts and pages
- Theme/plugin installation — Installing backdoored themes or plugins
- AJAX handlers — admin-ajax.php endpoints without nonce verification
Preventing CSRF in WordPress
For Site Owners
- Keep WordPress and plugins updated — CSRF fixes are common in security patches
- Use a security plugin — Many add additional CSRF protections and SameSite cookie configuration
- Log out when done — Don't leave admin sessions active while browsing other sites
- Use separate browsers — Consider using one browser for admin tasks and another for general browsing
For Developers
- Always use nonces — Generate with wp_nonce_field() and verify with wp_verify_nonce() or check_admin_referer()
- Verify nonces on all state-changing requests — Every form submission and AJAX call that modifies data must include nonce verification
- Use check_ajax_referer() — For AJAX endpoints, this function verifies both the nonce and the referrer
- Set SameSite cookie attribute — Configure cookies with SameSite=Strict or SameSite=Lax to prevent cross-origin cookie sending
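As an added illustration (not code from the original post or from WordPress core), here is a minimal plugin settings handler in its vulnerable form beside its nonce-protected form, plus an AJAX handler guarded by check_ajax_referer(); every csrfdemo_* option, hook and field name is hypothetical.

```php
<?php
// Added example, not part of the original post. Option, hook and field names
// (csrfdemo_*) are hypothetical; the WordPress functions used are real.

// VULNERABLE: any POST that arrives with an admin session cookie is honoured,
// so the hidden form from the attack example above would succeed here.
function csrfdemo_save_settings_vulnerable() {
    if ( isset( $_POST['csrfdemo_api_url'] ) ) {
        update_option( 'csrfdemo_api_url', esc_url_raw( wp_unslash( $_POST['csrfdemo_api_url'] ) ) );
    }
}

// HARDENED: nonce verification plus a capability check before any state change.
function csrfdemo_save_settings() {
    if ( ! isset( $_POST['csrfdemo_api_url'] ) ) {
        return;
    }
    // Action and field name must match wp_nonce_field() below. A forged
    // cross-site form cannot supply a valid value, so the request dies here.
    check_admin_referer( 'csrfdemo_save_settings', 'csrfdemo_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    update_option( 'csrfdemo_api_url', esc_url_raw( wp_unslash( $_POST['csrfdemo_api_url'] ) ) );
}
add_action( 'admin_init', 'csrfdemo_save_settings' );

// The settings form embeds the nonce as a hidden field.
function csrfdemo_render_settings_page() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'csrfdemo_save_settings', 'csrfdemo_nonce' ); ?>
        <input type="url" name="csrfdemo_api_url"
               value="<?php echo esc_attr( get_option( 'csrfdemo_api_url', '' ) ); ?>" />
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// AJAX endpoint: the nonce arrives in the 'security' parameter, created with
// wp_create_nonce( 'csrfdemo_clear_cache' ) and passed to the admin script.
function csrfdemo_ajax_clear_cache() {
    check_ajax_referer( 'csrfdemo_clear_cache', 'security' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_transient( 'csrfdemo_cache' );
    wp_send_json_success();
}
add_action( 'wp_ajax_csrfdemo_clear_cache', 'csrfdemo_ajax_clear_cache' );
```

Note that the nonce check and the capability check are complementary: the nonce proves the request originated from a page WordPress rendered for this user, while current_user_can() proves the user is allowed to make the change.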
FAQ
Frequently Asked Questions
CSRF (Cross-Site Request Forgery) is an attack that forces an authenticated user to perform unwanted actions. If a WordPress administrator visits a malicious page while logged in, a CSRF attack could silently create admin accounts, change settings, install plugins, or delete content without the admin's knowledge.
XSS exploits user trust in a site by injecting malicious scripts into the site itself. CSRF exploits a site's trust in the user's browser — it tricks the browser into sending authenticated requests to the site on behalf of the attacker.
WordPress nonces are unique tokens generated with wp_nonce_field() and verified with wp_verify_nonce(). They ensure that form submissions and AJAX requests originate from the actual WordPress site rather than from malicious third-party pages.
Keep WordPress and plugins updated, use security plugins that add CSRF protections, log out of admin sessions when browsing other sites, and consider using separate browsers for admin tasks and general browsing.
Common CSRF targets include plugin settings pages, user management (creating/deleting users), content management (publishing/deleting posts), theme and plugin installation, and AJAX handlers (admin-ajax.php endpoints without nonce verification).