CSRF Protection

[Darwin]

After submitting my website to a vulnerability scanning service, they came back and said that we have a “HTML form without CSRF protection.” After doing a little research a few websites mentioned using BPS, however I have not seen anything mentioned about CSRF on any support forms. The only mention of CSRF is in the plugin description. How do I know if CSRF protection is enabled? Do I have to sort of activate it by adding custom code? Any help on how to enable CSRF protection within the plugin would be very helpful. Thank you.

[AITpro Admin]

CSRF protection is included in the standard BPS .htaccess code/files and WordPress itself.  Is the HTML form outside of WordPress?  Is it part of another website? WordPress has these Form checking conditions available that should be used in all plugins and theme Forms:

if (isset($_POST['blah']) && current_user_can('manage_options')) {
check_admin_referer( 'blah' );

and then in the Form a nonce is used to check the Referer:  wp_nonce_field('blah');

[Darwin]

Thank you AITpro_Admin for the quick response. No the form we are using is Contact Form 7, a WordPress plugin.

Where would I put the code you just gave me at? Within the page the form is on itself?

[AITpro Admin]

I doubt very seriously that Contact Form 7 has a CSRF vulnerability (give that about a 1 in 10,000 chance).  What is much more likely is the vulnerability scanner is wrong (give that about a 98% chance).  Scanners have a high failure/false flag ratio.  What you should do is use 2 other scanners that have the capability to check for CSRF vulnerabilities or just assume the scanner is wrong because it is wrong.

[Darwin]

Thank you very much for your help. I can’t believe you guys responded so fast. Thank you again!

[Author]

Posts