What are session cookie hacks and why should WordPress users care?

by | Mar 8, 2024 | Website Security | 0 comments

Session cookie hacks are one of the latest techniques hackers use to gain unauthorized access to WordPress websites.

Session cookies are small files stored on a user’s computer that remember login state and preferences.

While convenient, session cookies can be stolen by hackers to hijack a logged-in session and gain access to restricted areas of a WordPress site, like the admin dashboard.

As a WordPress site owner, you should be aware of this threat and take steps to protect your site.

How does HTTPS encryption help protect against session cookie hacks?

Using HTTPS instead of plain HTTP is an important step in protecting your WordPress site from session cookie hacks. HTTPS encrypts all data transmitted between a user’s browser and your web server, including session cookies. This makes it much harder for hackers to intercept and steal cookies.

Can you explain HTTPS encryption in layman’s terms?

Imagine you have a confidential document that contains sensitive information, and you need to send it to your colleague who works in another office. To get the document to your colleague, you have to send it through a delivery service that transports packages between different offices.

Now, think of the internet as a vast network of delivery routes connecting various offices (representing computers). When you send something, like an email or a file, through these routes, it’s like sending your confidential document to your colleague.

HTTPS is like a secure, tamper-proof envelope that keeps everything in it safe and confidential during transit. When you send your document (which represents your data) using HTTPS, it’s like sealing the document inside a sturdy, opaque envelope that nobody else can open or look inside while it’s being delivered to your colleague’s office.

This way, only your colleague can open the envelope and view the document inside when it reaches them.

Similarly, when you use HTTPS to send information on the internet, only the intended recipient computer can see what’s inside, and nobody else can intercept, steal, or alter the information along the way.

What are session cookies in simple language?

Session cookie concept image with a chocolate chip cookie superimposed on a padlock displayed in a browser window

Session cookies are not physical and tasty baked goods. Session cookies are small pieces of data that websites use to remember information about your visit, like your login status or preferences. They’re like sticky notes that the website attaches to your browser, so it can recognize you when you come back or move between different pages on the site.

When you use HTTPS to connect to a website, the secure connection protects the main content you see. It also protects any session cookies sent between your browser and the website. It’s like putting a sticky note inside the secure, tamper-proof envelope with your confidential document.

However, if a website uses regular HTTP instead of HTTPS, the session cookies are sent in plain text. That’s like sending a sticky note without an envelope to protect it. Or, it’s like sending the envelope with the sticky note attached to the outside. This makes it possible for hackers or other malicious actors to intercept and read the information in the session cookie.

Hackers find session cookies tempting because they often contain valuable information, such as:

  1. Login status: If a hacker gets hold of a session cookie that proves you’re logged in, they might be able to use it to access your account without needing your password.
  2. Personal data: Some session cookies contain personal information, like your name or email address, which hackers can use for identity theft or targeted phishing attacks.
  3. Preferences: Session cookies may store your preferences or settings on a website, giving hackers insights into your behavior or interests.

By stealing session cookies, hackers can potentially impersonate you, gain unauthorized access to your accounts, or gather sensitive information about you. That’s why it’s crucial for websites to use HTTPS and for users to be cautious when connecting to websites over unsecured networks, like public Wi-Fi hotspots.

How do I secure my browser session cookies?

Here’s where we get into just a little bit of coding. But it’s pretty simple.

Add (or ask your web developer to add) the following two short lines to your WordPress site’s wp-config.php file:

@ini_set('session.cookie_httponly', true);
@ini_set('session.cookie_secure', true);

What are these lines about? WordPress allows you to enable two important security features on cookies:

  • The httponly flag tells browsers that cookies should only be accessed through HTTP/HTTPS protocols, not client-side (browser-based) scripts. This helps prevent cross-site scripting (XSS) attacks.
  • The secure flag instructs browsers to only send cookies over an HTTPS connection, never unsecured HTTP.

Wait! What is a cross-site scripting (XSS) attack?

Everyone online has had the experience of visiting a popular website that allows users to post comments. You usually trust this website and assume that all the comments you see are legitimate and safe. However, a malicious user can post a comment that contains some dangerous code.

This code is like a hidden message that your web browser can’t distinguish from regular text. When you load the page with the malicious comment, your browser reads the hidden message and unknowingly executes the code.

This type of attack is called a cross-site scripting (XSS) attack. It’s like someone sneaking a harmful note into a pile of legitimate messages, hoping that an unsuspecting person will read it and follow its instructions.

The dangerous code is called a cross-site scripting (XSS) attack. It can do various things, such as:

  1. Steal your session cookies: The code can send your session cookies to the attacker, allowing them to impersonate you and access your account on the website.
  2. Redirect you to a fake website: The code might redirect your browser to a malicious website that looks identical to the real one, tricking you into entering your login credentials or sensitive information.
  3. Alter the website’s appearance: The code can change how the website looks or behaves, potentially tricking you into clicking on dangerous links or buttons.

Can stolen session cookies give hackers access to my WordPress admin dashboard?

Yes! Getting access to your WordPress website’s back-end is the hacker’s main goal when using session cookies from WordPress websites.

Limiting access to your WordPress admin area to only trusted users and admins is another way to prevent session cookie hacks. Review your user permissions regularly and remove accounts that no longer need access.

You can also change your default admin login URL from /wp-admin to something harder to guess. Plugins like WPS Hide Login let you easily customize your admin login URL.

TIP: Be sure to make the new URL really hard to guess by using a series of random characters and numbers to replace the /wp-admin portion of the URL.

Why is keeping plugins and themes updated important for session cookie security?

Plugin and theme vulnerabilities are a common way for hackers to launch XSS attacks and steal cookies. Always keep your WordPress version, plugins, and themes up-to-date with the latest security patches. Remove any plugins or themes you’re no longer using to reduce your attack surface.

WordPress maintenance cycle

Gone are the days of clicking “Update” and hoping for the best. Let Webidextrous manage your maintenance. We’ll give you back your time and peace of mind.

What is a web application firewall and how can it help prevent session cookie hacks?

A web application firewall (WAF) provides an added layer of security by monitoring traffic and blocking suspicious requests. A WAF can help filter out XSS attacks, SQL injection, and other threats before they reach your WordPress site. WAF plugins for WordPress include Wordfence, Sucuri, and Cloudflare.

By using a WAF in combination with other security measures like HTTPS, cookie flags, and restricted admin access, you can greatly reduce the risk of session cookie hacks on your WordPress website.

What can I do to protect myself from hackers stealing my session cookies?

To avoid having your session cookies stolen from your own browser, you can take several precautions:

  1. Use Strong and Unique Passwords: Make a habit of using strong, unique passwords and change them regularly to prevent unauthorized access. Use a password manager like LastPass or 1Password to manage this often difficult task.
  2. Log Out and Clear Cache: Log out of websites when done and clear your browser cache regularly to remove stored cookies.
  3. Avoid Suspicious Links: Avoid clicking on suspicious links or attachments that could lead to cookie theft.
  4. Check URLs and SSL Certificates: Verify the URL and SSL certificate of websites before entering credentials to ensure you are on legitimate sites.
  5. Secure Networks and Devices: Use secure and trusted networks, avoid public or shared computers or Wi-Fi, and keep your devices secure to prevent cookie theft.
  6. Use a Secure Browser: I use the Brave.com browser to shield my computer from all cookies and the massive amounts of ads that tend to follow me all over the web. It allows me to selectively enable cookies if I need them for specific websites.


Securing your WordPress site against session cookie hacks requires a multi-layered approach. Enabling HTTPS, setting cookie security flags, restricting admin access, keeping software updated, and using a web application firewall are all important steps.

Further, taking precautions when browsing websites will help reduce the risk of hackers stealing your session cookies that websites you visit generate on your computer.

If you need help implementing these security measures on your WordPress site, consider partnering with a professional website management service like Webidextrous. Webidextrous offers expert WordPress management and security services to keep your site safe and secure. With Webidextrous handling the technical details, you can focus on growing your business with peace of mind that your WordPress site is in good hands.

The following two tabs change content below.
Rob Watson is the CEO of Webidextrous, a web consultant, and a developer. Beginning in 1996 as a self-taught web designer, he has created websites for everyone from small business owners to multi-national companies. He is the co-organizer of the West Orlando WordPress Meetup and a WordCamp speaker.


Submit a Comment

Your email address will not be published. Required fields are marked *



  • Web Design (10)
  • WordPress (10)
  • Hosting (7)
  • Search Engine Optimization (7)
  • Social Media (7)
  • Customer Service (6)
  • Digital Advertising (4)
  • Website Performance (4)
  • Website Security (4)
  • Accessibility (3)
  • Reset


  • wordpress (17)
  • web design (10)
  • SEO (7)
  • customer service (6)
  • security (6)
  • social media (6)
  • digital advertising (4)
  • hosting (4)
  • pricing (4)
  • reputation management (4)
  • Reset

post author

  • Rob Watson (102)
  • Matt Lee (1)
  • Reset

post type

  • post (73)
  • page (30)
  • Reset