Title: Prevent XSS Vulnerability
Author: Sami Ahmed Siddiqui
Published: August 23, 2017
Last modified: July 22, 2025

---


![](https://ps.w.org/prevent-xss-vulnerability/assets/banner-772x250.png?rev=1795795)

![](https://ps.w.org/prevent-xss-vulnerability/assets/icon.svg?rev=1785920)

# Prevent XSS Vulnerability

 By [Sami Ahmed Siddiqui](https://profiles.wordpress.org/sasiddiqui/)

[Download](https://downloads.wordpress.org/plugin/prevent-xss-vulnerability.2.1.0.zip)


## Description

This plugin helps safeguard your website against two common types of Cross-Site 
Scripting (XSS) vulnerabilities:

 * **Reflected XSS:** This happens when harmful scripts are hidden in a website’s
   URL. If a user clicks a link with such a script, it can run in their browser,
   potentially stealing their data or taking control of their system.
 * **Self-XSS:** This occurs when a user’s own input on your website is displayed
   back to them in an unsafe way, allowing malicious scripts to run in their browser.

This plugin provides several layers of protection:

**Blocking:** When active, the plugin checks URLs for specific characters. If it
finds any of these characters in the URL, it removes the parameters that contain them
and redirects the user, preventing a potential XSS attack. You can customize which
characters to block or allow.

 * Opening Round Bracket `(`
 * Closing Round Bracket `)`
 * Less than Sign `<`
 * Greater than Sign `>`
 * Opening Square Bracket `[`
 * Closing Square Bracket `]`
 * Opening Curly Bracket `{`
 * Pipe or Vertical Bar `|`
 * Closing Curly Bracket `}`

**Encoding:** For an extra layer of security, the plugin encodes certain characters
found in URL parameters. This stops harmful code from running, even if it’s present
in the URL. You can also choose to exclude specific parameters from being encoded.

 * Exclamation Mark `!`
 * Double Quotation `"`
 * Single Quotation `'`
 * Opening Round Bracket `(`
 * Closing Round Bracket `)`
 * Asterisk Sign `*`
 * Less than Sign `<`
 * Greater than Sign `>`
 * Grave Accent `` ` ``
 * Cap Sign `^`
 * Opening Square Bracket `[`
 * Closing Square Bracket `]`
 * Opening Curly Bracket `{`
 * Pipe or Vertical Bar `|`
 * Closing Curly Bracket `}`

**Escaping HTML in `$_GET`:** This plugin automatically makes HTML characters safe
within the `$_GET` variable. This is vital if your website pulls data from URLs 
and displays it as part of your web page. It helps prevent malicious scripts from
being injected through user-provided input.
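As an illustration of the three layers described above (added here; this is not the plugin's own code), the following standalone PHP sketch scans the decoded query string for blocked characters, percent-encodes the listed characters in parameter values with an exclusion list, and HTML-escapes a `$_GET`-style array recursively. The query string is constructed, the character lists are the defaults given above, and the plugin's real redirect and settings handling are not reproduced.

```php
<?php
// Standalone sketch of the three layers (not the plugin's own code); lists mirror the defaults above.
const BLOCKED_CHARS = ['(', ')', '<', '>', '[', ']', '{', '|', '}'];
const ENCODED_CHARS = ['!', '"', "'", '(', ')', '*', '<', '>', '`', '^', '[', ']', '{', '|', '}'];

// Layer 1 (Blocking): return the first blocked character in the decoded query string, or null.
function find_blocked_char($query, array $blocked = BLOCKED_CHARS) {
    $decoded = rawurldecode($query); // %3C and friends must be checked after decoding
    foreach ($blocked as $ch) {
        if (strpos($decoded, $ch) !== false) {
            return $ch;
        }
    }
    return null;
}

// Layer 2 (Encoding): percent-encode the listed characters in each parameter value,
// skipping parameters named in $exclude.
function encode_params(array $params, array $exclude = [], array $chars = ENCODED_CHARS) {
    $map = [];
    foreach ($chars as $ch) {
        $map[$ch] = rawurlencode($ch); // e.g. '<' => '%3C', '*' => '%2A'
    }
    foreach ($params as $name => $value) {
        if (is_string($value) && !in_array($name, $exclude, true)) {
            $params[$name] = strtr($value, $map);
        }
    }
    return $params;
}

// Layer 3 (Escaping): HTML-escape every value of a $_GET-style array, recursing into nested arrays.
function escape_get(array $get) {
    foreach ($get as $key => $value) {
        $get[$key] = is_array($value)
            ? escape_get($value)
            : htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    return $get;
}

// Constructed request: ?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2
$query = 's=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2';
parse_str($query, $get);
if (($bad = find_blocked_char($query)) !== null) {
    echo "Blocking layer: found '$bad'; the plugin would redirect at this point\n";
}
print_r(encode_params($get, ['page'])); // s => %3Cscript%3Ealert%281%29%3C/script%3E
print_r(escape_get($get));              // s => &lt;script&gt;alert(1)&lt;/script&gt;
```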

### Important Notes:

 * After activating the plugin, **thoroughly test your website forms**, especially
   if you use WooCommerce. Make sure the plugin doesn’t interfere with your shopping
   cart and checkout processes.
 * We welcome bug reports for this plugin on GitHub: [https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues](https://github.com/samiahmedsiddiqui/prevent-xss-vulnerability/issues).
   Please remember that GitHub is for bug reports only, not general support.

By using this plugin and following these recommendations, you can significantly 
improve your website’s defense against XSS attacks.

## Screenshots

 1. It removes the parameters from the URL which are used in an XSS attack and redirects the user (Recommended).
 2. It encodes the parameters from the URL which are used in an XSS attack.
 3. It escapes the HTML from the `$_GET` PHP variable, which is mostly used to read data from the URL (Recommended).
 4. Adds a message in the developer console to alert the user about the XSS attack.
 5. Shows a message in the developer console to alert the user about the Self-XSS attack. This message can be customized from the settings page.

## Installation

You can install this plugin either through your WordPress dashboard or manually 
via FTP.

**From within WordPress**

 1. Go to ‘Plugins > Add New’.
 2. Search for `Prevent XSS Vulnerability`.
 3. Click “Activate” for `Prevent XSS Vulnerability` on your Plugins page.
 4. Then, follow the **After activation** steps below.

**Manually**

 1. Upload the `prevent-xss-vulnerability` folder to the `/wp-content/plugins/` directory.
 2. Activate Prevent XSS Vulnerability through the ‘Plugins’ menu in WordPress.
 3. Then, follow the **After activation** steps below.

**After activation**

 1. Go to the `Prevent XSS Vulnerability` page in your WordPress Admin Dashboard.
 2. Adjust the settings to fit your website’s needs.
 3. That’s it! You’re done.

## FAQ

### Q. Why should I install this plugin?

A. Installing this plugin is the easiest way to protect your site from XSS Vulnerabilities.

### Q. Does this plugin escape HTML when printing search results?

A. Yes, this plugin escapes HTML in the `$_GET` variable, which is often used to
display data from the URL in HTML. However, if your site heavily relies on `$_GET`
for other functions, you might need to do thorough testing to ensure everything 
works correctly.

### Q. Does this plugin conflict with any other plugins?

A. While we haven’t received reports of major conflicts, it’s always a good idea
to thoroughly test your website after installing any new plugin.

## Reviews

### [simple but effective](https://wordpress.org/support/topic/simple-buy-effective/)

 [roadlink](https://profiles.wordpress.org/roadlink/) January 1, 2024

I got positive on scan websites

### [Awesome plugin for security issues.](https://wordpress.org/support/topic/awesome-plugin-for-security-issues/)

 [Sakthivel](https://profiles.wordpress.org/saravanankanagaraj/) June 22, 2021, 1 reply

Thanks for the awesome plugin. It helps to fix the XSS attacks. But we need to add
more special characters to include manually, like an exclude list. This helps
everyone -> feature request. Keep rocking!!!… Regards, Saravanan

### [Excellent](https://wordpress.org/support/topic/excellent-10267/)

 [randystepanek](https://profiles.wordpress.org/randystepanek/) January 22, 2021

We were being harassed by our ISOs because the Acunetix scans kept coming back with
HIGHs. Always XSS. We tried everything the report recommended as a remediation…nothing
worked. This plugin should come bundled with WP. Or at the very least be added to
the list of recommendations Acunetix suggests. Thank you for creating and sharing
it.

### [Very useful plugin.](https://wordpress.org/support/topic/very-useful-plugin-895/)

 [Mohamed Abd Elhalim](https://profiles.wordpress.org/mandooox/) December 27, 2019

Very useful plugin, thank you!

### [Seems to work well!](https://wordpress.org/support/topic/seems-to-work-well-30/)

 [adamwking](https://profiles.wordpress.org/adamwking/) December 4, 2019

We were directed by a security researcher to an XSS vulnerability on our site, and
this plugin seems to have solved the issue. Only plugin with this functionality 
I was able to find. Fairly straightforward and flexible.

### [Superb Plugin. Saved my site](https://wordpress.org/support/topic/superb-plugin-saved-my-site/)

 [BiLaL](https://profiles.wordpress.org/bilaliqbal9525331/) May 10, 2019

Superb Plugin. Saved my site

 [ Read all 7 reviews ](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/)

## Contributors & Developers

“Prevent XSS Vulnerability” is open source software. The following people have contributed
to this plugin.

Contributors

 *   [ Sami Ahmed Siddiqui ](https://profiles.wordpress.org/sasiddiqui/)

“Prevent XSS Vulnerability” has been translated into 1 locale. Thank you to [the translators](https://translate.wordpress.org/projects/wp-plugins/prevent-xss-vulnerability/contributors)
for their contributions.

[Translate “Prevent XSS Vulnerability” into your language.](https://translate.wordpress.org/projects/wp-plugins/prevent-xss-vulnerability)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/prevent-xss-vulnerability/),
check out the [SVN repository](https://plugins.svn.wordpress.org/prevent-xss-vulnerability/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/prevent-xss-vulnerability/)
by [RSS](https://plugins.trac.wordpress.org/log/prevent-xss-vulnerability/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 2.1.0 – July 03, 2025

 * **Key Changes & Improvements:**
    - **Enhanced Console Visibility:** The prominent “Stop!” message now appears
      in a much larger (48px), bold, red font with a black text shadow to grab immediate
      attention. The main warning message also uses a larger, more readable font
      (20px).
    - **Improved Console Grouping:** The entire Self-XSS warning is now grouped 
      within a `console.group('Self-XSS Warning')` block. This keeps all related
      messages together in the developer console, making the warning stand out and
      preventing it from getting lost among other console output.

#### Earlier versions

 * For a detailed changelog of earlier versions, please refer to the separate
   `changelog.txt` file.

## Meta

 * Version **2.1.0**
 * Last updated **11 months ago**
 * Active installations **6,000+**
 * WordPress version **3.5 or higher**
 * Tested up to **6.8.5**
 * PHP version **5.6 or higher**
 * Languages: [English (Canada)](https://en-ca.wordpress.org/plugins/prevent-xss-vulnerability/)
   and [English (US)](https://wordpress.org/plugins/prevent-xss-vulnerability/).
   [Translate into your language](https://translate.wordpress.org/projects/wp-plugins/prevent-xss-vulnerability)
 * Tags: [attack](https://bal.wordpress.org/plugins/tags/attack/),
   [cross-site scripting](https://bal.wordpress.org/plugins/tags/cross-site-scripting/),
   [security](https://bal.wordpress.org/plugins/tags/security/),
   [vulnerability](https://bal.wordpress.org/plugins/tags/vulnerability/),
   [xss](https://bal.wordpress.org/plugins/tags/xss/)
 * [Advanced View](https://bal.wordpress.org/plugins/prevent-xss-vulnerability/advanced/)

## Ratings

 5 out of 5 stars.

 * [7 5-star reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/?filter=5)
 * [0 4-star reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/?filter=4)
 * [0 3-star reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/?filter=3)
 * [0 2-star reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/?filter=2)
 * [0 1-star reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/?filter=1)

[Your review](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/#new-post)

[See all reviews](https://wordpress.org/support/plugin/prevent-xss-vulnerability/reviews/)


## Support

Got something to say? Need help?

 [View support forum](https://wordpress.org/support/plugin/prevent-xss-vulnerability/)