Handling WordPress-Specific Challenges

Handling WordPress-Specific Challenges

WordPress's unique architecture requires specific solutions for common CSP implementation challenges.

Managing Inline Scripts:

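/**
 * Returns the CSP nonce for the current request, generating it on first use.
 *
 * A CSP nonce has to be unpredictable and different for every response, so it
 * is built from random_bytes(). wp_create_nonce() is not suitable for this: it
 * is an action nonce derived from the user/session and a time tick, so it stays
 * the same across requests for hours and can be replayed by anyone who has
 * seen one page.
 *
 * The Content-Security-Policy header must list this exact value as
 * 'nonce-<value>' in script-src (the header-emitting code is not on this
 * page); a tag whose nonce does not match the header is blocked.
 *
 * @return string Base64-encoded 128-bit nonce, identical for every call within
 *                one request.
 * @throws \Exception If no secure randomness source is available.
 */
function wp_csp_request_nonce() {
    static $nonce = null;

    if ($nonce === null) {
        // 16 random bytes = 128 bits of entropy; base64 is attribute- and header-safe.
        $nonce = base64_encode(random_bytes(16));
    }

    return $nonce;
}

/**
 * Makes WordPress inline script tags CSP-compliant by stamping the per-request
 * nonce onto each inline <script> tag that passes through the filter.
 *
 * Only the opening tag is rewritten (first match, case-insensitive): a plain
 * str_replace() would also rewrite any "<script" text inside the script body
 * and corrupt the script. Tags that already carry a nonce are left alone.
 *
 * NOTE(review): confirm that the target WordPress version applies a
 * wp_inline_script_tag filter with (tag, handle, script) arguments; core's
 * documented hook for this purpose since 5.7 is wp_inline_script_attributes,
 * which receives the attribute array and would let the nonce be added without
 * string surgery.
 */
function wp_csp_inline_script_handler() {
    add_filter('wp_inline_script_tag', function($tag, $handle, $script) {
        if (strpos($tag, 'nonce=') === false) {
            $tag = preg_replace(
                '/<script\b/i',
                '<script nonce="' . esc_attr(wp_csp_request_nonce()) . '"',
                $tag,
                1
            );
        }

        return $tag;
    }, 10, 3);
}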

/**
 * Prints a nonce-carrying <script> into the admin footer that rewrites any
 * remaining inline onclick="" attributes into addEventListener() calls.
 *
 * NOTE(review): the nonce comes from wp_create_nonce(), a WordPress action
 * nonce derived from the user and a time tick, so it is predictable and reused
 * across requests; a CSP nonce is expected to be fresh random bytes per
 * response, and it must also match the 'nonce-...' source in the
 * Content-Security-Policy header (the header code is not on this page).
 *
 * NOTE(review): new Function(handler) below is a form of eval and is blocked
 * unless script-src carries 'unsafe-eval'; with 'unsafe-eval' allowed, much of
 * what the policy exists to prevent is permitted again for every script on the
 * page. Either way the original handler string is still executed verbatim, so
 * this does not reduce exposure, it only moves the execution point. The
 * durable fix is to remove the inline handlers at their source (or allow
 * specific handlers via hash sources) — confirm which admin screens still emit
 * them before relying on this shim.
 */
function wp_admin_csp_compatibility() {
    ?>
    <script nonce="<?php echo esc_attr(wp_create_nonce('admin_inline')); ?>">
        // Move inline event handlers to addEventListener
        document.addEventListener('DOMContentLoaded', function() {
            // Replace inline onclick handlers
            // NOTE(review): markup inserted after DOMContentLoaded (e.g. via AJAX) is
            // not covered, and a function built with new Function() does not receive
            // the event as an argument the way an onclick attribute body does — verify
            // against the handlers actually present in the admin.
            document.querySelectorAll('[onclick]').forEach(function(element) {
                const handler = element.getAttribute('onclick');
                element.removeAttribute('onclick');
                element.addEventListener('click', new Function(handler));
            });
        });
    </script>
    <?php
}
// Hooked to admin_footer so the shim is printed at the end of admin pages.
add_action('admin_footer', 'wp_admin_csp_compatibility');

Plugin Compatibility Layer:

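/**
 * Extends the site's CSP directives with the sources that known plugins need.
 *
 * Each entry in $plugin_configs is keyed by the plugin's directory name (the
 * first path segment of the plugin file stored in the active_plugins option)
 * and maps CSP directive names to lists of source expressions. The class
 * registers itself on the wp_csp_directives filter, which the header-emitting
 * code (not on this page) is expected to apply.
 */
class WP_CSP_Plugin_Compatibility {
    /** @var array<string, array<string, list<string>>> Directive sources per plugin directory. */
    private $plugin_configs = [];

    public function __construct() {
        $this->load_plugin_configs();
        add_filter('wp_csp_directives', [$this, 'apply_plugin_configs']);
    }

    /**
     * Fills $plugin_configs with the per-plugin allowlists.
     *
     * Security notes on the entries below:
     *  - 'unsafe-inline' in script-src/style-src is ignored by browsers once the
     *    same directive carries a nonce or hash source (CSP Level 2), and on
     *    older browsers it switches inline protection off entirely. Adding it
     *    for one plugin affects the whole policy, not just that plugin.
     *  - 'unsafe-eval' permits eval()/new Function() for every script on the
     *    page, which removes a large part of the policy's value.
     *  Treat both as tracked, temporary exceptions and prefer plugin-specific
     *  fixes (hashes, nonces, vendor updates) where they exist.
     */
    private function load_plugin_configs() {
        // WooCommerce: hosted payment scripts, checkout frames and API calls.
        $this->plugin_configs['woocommerce'] = [
            'script-src' => [
                'https://checkout.stripe.com',
                'https://js.stripe.com',
                'https://www.paypal.com'
            ],
            'frame-src' => [
                'https://checkout.stripe.com',
                'https://www.paypal.com'
            ],
            'connect-src' => [
                'https://api.stripe.com'
            ]
        ];

        // Yoast SEO
        // NOTE(review): JSON-LD schema is emitted in <script type="application/ld+json">
        // data blocks, which the browser does not execute, so 'unsafe-inline' may not
        // be needed for schema markup at all — verify against a real page before
        // keeping this entry, given the policy-wide effect described above.
        $this->plugin_configs['wordpress-seo'] = [
            'script-src' => ["'unsafe-inline'"], // Required for schema markup
            'style-src' => ["'unsafe-inline'"]
        ];

        // Elementor
        // Google Fonts serves the stylesheet from fonts.googleapis.com (style-src)
        // and the font files themselves from fonts.gstatic.com (font-src); listing
        // only googleapis.com under font-src leaves the actual font files blocked.
        $this->plugin_configs['elementor'] = [
            'script-src' => ["'unsafe-eval'"],
            'style-src' => ["'unsafe-inline'", 'https://fonts.googleapis.com'],
            'font-src' => ['https://fonts.googleapis.com', 'https://fonts.gstatic.com']
        ];

        // Contact Form 7 with reCAPTCHA
        $this->plugin_configs['contact-form-7'] = [
            'script-src' => [
                'https://www.google.com/recaptcha/',
                'https://www.gstatic.com/recaptcha/'
            ],
            'frame-src' => [
                'https://www.google.com/recaptcha/'
            ]
        ];
    }

    /**
     * Filter callback: appends each active plugin's sources to $directives.
     *
     * @param array<string, list<string>> $directives Directive name => source list.
     *        A non-array value is treated as an empty policy.
     * @return array<string, list<string>> Same shape, with each active plugin's
     *         sources appended in order and duplicates dropped (first occurrence
     *         wins, so the site's own ordering is preserved).
     */
    public function apply_plugin_configs($directives) {
        $directives = is_array($directives) ? $directives : [];

        foreach ($this->active_plugin_dirs() as $plugin_dir) {
            if (!isset($this->plugin_configs[$plugin_dir])) {
                continue;
            }

            foreach ($this->plugin_configs[$plugin_dir] as $directive => $sources) {
                $existing = isset($directives[$directive]) ? (array) $directives[$directive] : [];
                $directives[$directive] = array_values(array_unique(array_merge($existing, $sources)));
            }
        }

        return $directives;
    }

    /**
     * Directory names of the plugins active on this site.
     *
     * get_option() returns false when the option is missing, so the value is
     * normalised to an array before iteration. On multisite, network-activated
     * plugins also run on every site, so those are included as well.
     *
     * @return list<string> Unique directory names; single-file plugins yield '.'.
     */
    private function active_plugin_dirs() {
        $plugin_files = (array) get_option('active_plugins', []);

        if (function_exists('is_multisite') && is_multisite()) {
            // active_sitewide_plugins is stored as plugin file => activation time.
            $sitewide = (array) get_site_option('active_sitewide_plugins', []);
            $plugin_files = array_merge($plugin_files, array_keys($sitewide));
        }

        $dirs = [];
        foreach ($plugin_files as $plugin_file) {
            if (is_string($plugin_file) && $plugin_file !== '') {
                $dirs[] = dirname($plugin_file);
            }
        }

        return array_values(array_unique($dirs));
    }
}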