Hello @bigbob22,
Thank you for contacting me regarding the “Unauthenticated Blind Server-Side Request Forgery (SSRF)” vulnerability on WordPress Core. I understand your concern about the security of your site.
I am pleased to inform you that the “Headers Security Advanced & HSTS WP” plugin is updated and automatically implements a number of advanced security features that can help mitigate various threats, including the risk of SSRF. Here are some of the security features offered by our plugin:
- X-XSS-Protection (non-standard)
- Expect-CT
- Access-Control-Allow-Origin
- Access-Control-Allow-Methods
- Access-Control-Allow-Headers
- X-Content-Security-Policy
- X-Content-Type-Options
- X-Frame-Options
- X-Permitted-Cross-Domain-Policies
- X-Powered-By
- Content-Security-Policy
- Referrer-Policy
- HTTP Strict Transport Security (HSTS)
- Clear-Site-Data
- Cross-Origin-Embedder-Policy-Report-Only
- Cross-Origin-Opener-Policy-Report-Only
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Permissions-Policy
- Strict-dynamic
- Strict-Transport-Security
- FLoC (Federated Learning of Cohorts)
The plugin covers a wide range of security headers to protect your site from various vulnerabilities. However, it’s important to note that the specific SSRF vulnerability affects the WordPress core.
What it can do:
- Keep the WordPress Core Updated: Even if there isn’t currently an update available, it’s important to monitor updates to the WordPress core and apply them as they become available.
- Implement Additional Security Measures: Consider implementing additional security measures such as web application firewalls (WAF) and abnormal traffic monitoring to further protect your site.
- Configure the Plugin Correctly: Make sure that our plugin is updated with the latest versions.
If you need further clarification or assistance to configure the plugin optimally, do not hesitate to write to me. I’m here to help you.
