WordPress cookies missing Secure, HttpOnly or SameSite flags

WordPress session cookies (PHPSESSID, wordpress_logged_in, etc.) do not all have the recommended security attributes.

Why it matters

Without HttpOnly, script injected through an XSS flaw can read the session cookies. Without Secure, the browser will also send them over plain HTTP. Without SameSite, the browser attaches them to cross-site requests, which enables CSRF attacks.

How to fix

1. Configure WordPress cookies via wp-config.php

   ```php
   // wp-config.php: scope the WordPress cookies to your domain and paths.
   // These constants set the cookie domain and path only; they do not add
   // the Secure flag by themselves.
   define('COOKIE_DOMAIN', '.yourdomain.com');
   define('COOKIEPATH', '/');
   define('ADMIN_COOKIE_PATH', '/wp-admin');

   // In functions.php or a plugin: set the attributes of PHP's own session
   // cookie (PHPSESSID). This only takes effect if it runs before session_start().
   add_action('send_headers', function () {
       session_set_cookie_params([
           'secure'   => true,
           'httponly' => true,
           'samesite' => 'Lax',
       ]);
   });
   ```
2. Via .htaccess for all cookies

   ```apache
   # Requires mod_headers; appends the three flags to every Set-Cookie header
   # the server sends.
   <IfModule mod_headers.c>
     Header always edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=Lax
   </IfModule>
   ```
3. Via Nginx

   ```nginx
   # Applies to Set-Cookie headers returned by a proxy_pass upstream
   # (nginx 1.19.3 or later).
   proxy_cookie_flags ~ secure httponly samesite=lax;
   ```
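To confirm that one of the three fixes above actually took effect, here is an added Python check (not part of the original page) that parses Set-Cookie headers and reports, per cookie, which of Secure, HttpOnly and SameSite is missing; the sample headers are constructed, with WordPress-style cookie names and made-up values.

```python
"""Check Set-Cookie headers for the Secure, HttpOnly and SameSite attributes."""
from typing import Dict, List, Tuple

# Constructed sample headers modelled on a WordPress login response: names follow
# WordPress conventions, the values and attribute sets are made up.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=k3j4h5g6; path=/",
    "wordpress_logged_in_0123abcd=admin%7C1700000000%7Ctoken; path=/; HttpOnly",
    "wordpress_sec_0123abcd=admin%7C1700000000%7Ctoken; path=/wp-admin; secure; HttpOnly",
    "wordpress_test_cookie=WP+Cookie+check; expires=Sun, 01 Dec 2024 00:00:00 GMT; "
    "path=/; SameSite=None",
]
VALID_SAMESITE = ("lax", "strict", "none")

def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    # Returns (cookie name, {attribute: value}). Attribute names are lower-cased
    # because browsers match them case-insensitively; flags like Secure get "".
    # Splitting on ';' is safe: the comma in an Expires date stays in its segment.
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for segment in segments[1:]:
        if segment:
            key, _, value = segment.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def missing_flags(header: str) -> List[str]:
    # Lists the attributes a scanner would report as missing or invalid.
    _, attrs = parse_set_cookie(header)
    problems: List[str] = []
    if "secure" not in attrs:
        problems.append("Secure")
    if "httponly" not in attrs:
        problems.append("HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in VALID_SAMESITE:
        problems.append("SameSite")
    elif samesite == "none" and "secure" not in attrs:
        # Browsers reject a SameSite=None cookie that is not also Secure.
        problems.append("SameSite=None without Secure")
    return problems

def audit(headers: List[str]) -> Dict[str, List[str]]:
    # Maps each cookie name to its list of problems (empty list = compliant).
    return {parse_set_cookie(h)[0]: missing_flags(h) for h in headers}

if __name__ == "__main__":
    for cookie, problems in audit(SAMPLE_SET_COOKIE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems) or 'OK'}")
```

To audit a live site, pass it the real headers, for example `response.headers.get_all('Set-Cookie')` from a urllib response to the login page.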
