Security researcher Scott Helme discovered a new type of attack that could affect most of the world’s websites. The cryptomining supply chain attack affected the UK Information Commissioner’s office, UK National Health Service websites, an Australian provincial government website, and many others.
Since the exploit was discovered there has been a steep rise in such attacks. The exploit potentially affects any site that loads external scripts. If you have administrator access to your WordPress site, here’s how you can prevent it.
This is an advanced tutorial that assumes you have a basic understanding of PHP, the WordPress file structure, and WordPress filters and hooks. Back up all files before making any changes. You should only implement this fix for scripts that you know will not be auto-updated by the script provider; otherwise, the update may break your site. Please read the entire WordFence article before beginning.
Create a file called hash.php. You have two choices about where to put it: create a dedicated plugin and include it with the plugin assets, or include it in your child theme’s assets. Don’t try this with a parent theme, because it will be overwritten the first time the theme is updated. Add the following code to the new file.
<?php
/*
 * Hash external javascripts
 * ($hash is a placeholder; the steps below explain how to fill it in)
 */
function myprefix_hash_js( $tag, $handle ) {
    if ( 'my_script_handle' === $handle ) {
        return str_replace( ' src', ' integrity="$hash" crossorigin="anonymous" src', $tag );
    } elseif ( 'my_other_script_handle' === $handle ) {
        return str_replace( ' src', ' integrity="$hash" crossorigin="anonymous" src', $tag );
    } // Add more elseif rules as needed
    return $tag;
}
add_filter( 'script_loader_tag', 'myprefix_hash_js', 9, 2 );
?>
- Use Chrome developer tools to find all externally loaded scripts on your web site.
- Replace my_script_handle and my_other_script_handle with the actual handles used to load the scripts.
- For each script:
  - Copy the URL of the script.
  - Visit https://report-uri.com/home/sri_hash
  - Paste the URL of the loaded script into the form and click “HASH”.
  - Copy the resulting hash (between double-quotation marks after integrity=, e.g., sha256-MxBycAbJaZ […] 4YCfL/tHgTc+EQ==).
  - Replace $hash with the copied hash.
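The value that the report-uri.com tool returns can also be computed, or re-verified before pasting it into hash.php, from a local copy of the script with openssl. The following script is an added example and not part of the original article; it assumes openssl is installed and uses a constructed sample file.

```shell
#!/bin/sh
# Added example: produce Subresource Integrity (SRI) values in the same
# "algo-base64digest" form as the report-uri.com SRI Hash tool, and check an
# existing value against a file. Requires openssl. Sample input is constructed.
set -e

# sri_hash FILE ALGO -> prints e.g. "sha384-QhyIsV4c..."; ALGO is sha256|sha384|sha512.
# The digest is base64 encoded on a single line (-A), exactly as the integrity attribute needs it.
sri_hash() {
    file=$1
    algo=$2
    printf '%s-%s\n' "$algo" "$(openssl dgst "-$algo" -binary "$file" | openssl base64 -A)"
}

# sri_integrity FILE -> all three digests separated by spaces, matching the
# multi-hash integrity values shown in the article; browsers use the strongest one they support.
sri_integrity() {
    printf '%s %s %s\n' "$(sri_hash "$1" sha256)" "$(sri_hash "$1" sha384)" "$(sri_hash "$1" sha512)"
}

# sri_check FILE EXPECTED -> succeeds only if EXPECTED (e.g. "sha256-...") matches FILE.
# Useful after a third-party script changes: a mismatch means the browser would refuse to run it.
sri_check() {
    algo=${2%%-*}
    [ "$(sri_hash "$1" "$algo")" = "$2" ]
}

# Constructed sample script, stands in for a downloaded copy of the external script.
sample=$(mktemp)
printf 'console.log("hello");\n' > "$sample"
sri_integrity "$sample"
rm -f "$sample"
```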
The result should look something like this:
<?php
/*
 * Hash external javascripts
 */
function myprefix_hash_js( $tag, $handle ) {
    if ( 'my_script_handle' === $handle ) {
        return str_replace( ' src', ' integrity="sha256-MxBycAbJaZYkVUCna8pQ6wfU77HziLeBohh5jnr1ttI= sha384-QhyIsV4cMbD/J98vDzsBwRu1nfO161k77O0WzpGUZRTFwnYL+2lEtFyy3MWDwpbq sha512-sV15SgKJmAotz/5w617K9C4qN4Wj3YMk9Xf65+jzgQmPqfjwSPbwwQKdWE1hj/WjDGESqbqh4YCfL/tHgTc+EQ==" crossorigin="anonymous" src', $tag );
    } elseif ( 'my_other_script_handle' === $handle ) {
        return str_replace( ' src', ' integrity="sha256-mWjIE4FAMgUEB4FhgndyTGeQoEULqnYtlaIU8x697zs= sha384-SlaS10JGlLAGVWg0ubLxkhJrt8djAGrU2WsggQXZ7XqIuEX+TowLSnkgbT475t4s sha512-IB7NSySDRedVEsYsOVuzN5O5jwRjV2ewVVmkDFIgE0yNu11GreBCOMv07i7hlQck41T+sTXSL05/cG+De4cZDw==" crossorigin="anonymous" src', $tag );
    } // Add more elseif rules as needed
    return $tag;
}
add_filter( 'script_loader_tag', 'myprefix_hash_js', 9, 2 );
?>
In your plugin file or theme functions.php, register the new file via an include declaration.
For a plugin, put this in your main plugin file:
include( plugin_dir_path( __FILE__ ) . 'path/to/hash.php' );
For a child theme, add this to your functions.php:
include_once( trailingslashit( get_stylesheet_directory() ) . 'path/to/hash.php' );
Replace path/to/hash.php with the appropriate relative path. Visit your website and ensure that you didn’t break anything, then inspect the page source to see if the hashes were added to the correct script links.
Good luck!