How to Fix Cross-Site Scripting (XSS) in WordPress
Cross-Site Scripting (XSS) lets an attacker inject malicious JavaScript into pages your visitors see — stealing sessions, defacing content, or redirecting users. On WordPress it almost always comes from an outdated plugin or theme, or from custom code that outputs unsanitized data.
- 1
Update the vulnerable plugin or theme
Most WordPress XSS flaws are already patched in a newer release. Update every plugin, theme, and WordPress core to the latest version. If a plugin has an unpatched XSS and no fix is available, deactivate and remove it.
- 2
Escape all output in custom code
Never echo raw data. Use WordPress escaping functions on every dynamic value depending on context — esc_html(), esc_attr(), esc_url(), and wp_kses_post() for allowed HTML.
echo esc_html( $user_supplied ); printf( '<a href="%s">%s</a>', esc_url( $link ), esc_html( $text ) ); - 3
Sanitize input on the way in
Validate and sanitize data before saving it with sanitize_text_field(), sanitize_email(), or absint() as appropriate, and verify nonces on form submissions.
- 4
Add a Content-Security-Policy header
A CSP limits which scripts can run, blocking most injected payloads even if one slips through. Add it via your theme, a security plugin, or your server config.
Content-Security-Policy: default-src 'self'; script-src 'self'
Related concept: Cross-Site Scripting (XSS)
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Block ?author= scans, restrict the users REST endpoint, and use generic login errors.