Security Advisory: XSS in the Email Encoder Bundle plugin (CVE-2026-2840)

Cross-Site Scripting (XSS) in the WordPress Email Encoder Bundle plugin
Plugin name: WordPress Email Encoder Bundle plugin
Vulnerability type: Cross-Site Scripting (XSS)
CVE number: CVE-2026-2840
Urgency:
CVE publish date: 2026-04-16
Source URL: CVE-2026-2840

Critical patch available for stored XSS in the “Email Encoder Bundle” plugin (CVE-2026-2840): what WordPress site owners must do now

By: Hong Kong Security Expert  |  Date: 2026-04-16

A stored cross-site scripting (XSS) vulnerability affecting Email Encoder Bundle (<= 2.4.4) allows authenticated Contributors to inject payloads through the eeb_mailto shortcode. CVE-2026-2840 is patched in 2.4.5. Below is a practical, security-first action plan, written from an incident-response perspective, for detection, mitigation and containment.

Why you should care (quick overview)

Stored XSS is dangerous because the injected JavaScript persists in the site's data store and executes in other users' browser context. In this case:

  • Vulnerable plugin: Email Encoder Bundle (all versions ≤ 2.4.4)
  • Vulnerability type: stored cross-site scripting (XSS) via the eeb_mailto shortcode
  • CVE: CVE-2026-2840
  • Patched version: 2.4.5 (upgrade immediately)
  • Attacker privilege required: Contributor (authenticated). Exploitation typically requires interaction from a higher-privileged user (for example, previewing or clicking the content).

Although exploitation is constrained by role and user interaction, attackers commonly use stored XSS to steal sessions, escalate privileges, install backdoors or manipulate content for social engineering.

Immediate steps (what to do now)

  1. Upgrade the plugin to 2.4.5 or later on every affected site. This is the single most important action; the plugin author released the fix in 2.4.5.
  2. Apply a temporary virtual patch through your WAF or hosting control panel. If you cannot upgrade immediately (testing/staging constraints), use targeted rules to block likely exploit payloads (examples below).
  3. Audit recent Contributor submissions and post revisions. Check content created or edited by Contributor/Author roles for suspicious [eeb_mailto] shortcodes and attributes containing JavaScript or HTML event handlers.
  4. If compromise is suspected, rotate passwords and secrets. Rotate administrator credentials, regenerate application passwords, and reset the salts and keys (AUTH_KEY, SECURE_AUTH_KEY, etc.).
  5. Increase monitoring and logging. Temporarily enable verbose web-server and PHP logging. Watch for unusual admin-page requests, POSTs, or edits from Contributor accounts.

How the vulnerability works (technical explanation)

The plugin exposes a shortcode, eeb_mailto, that encodes email addresses for display. The flaw allows a Contributor to submit shortcode attributes that are neither sanitized nor escaped before storage and later rendering. Unsanitized attributes can embed javascript: URL schemes, HTML attribute injection or event handlers.

Examples of malicious attribute content:

  • email="javascript:..."
  • email='" onmouseover="...' (attribute injection)
  • Encoded event handlers or script elements inserted into the output

When a higher-privileged user views the post or clicks a crafted link, the JavaScript runs under the site's origin, enabling session theft, CSRF or further compromise.

Key takeaways:

  • Stored XSS is persistent: the payload lives in the database.
  • The Contributor role can save content that Editors/Administrators may preview.
  • Exploitation usually requires user interaction, but that interaction is often easy to engineer.

Indicators of compromise and search patterns

Search the database and content for suspicious patterns. Run the queries in read-only mode or through a safe tool:

  • Search posts/revisions for the shortcode and script-like content:
    SELECT ID, post_title, post_author, post_date
  • Find postmeta with suspicious content:
    SELECT meta_id, post_id, meta_key, meta_value
    FROM wp_postmeta
    WHERE meta_value LIKE '%[eeb_mailto%'
      AND (meta_value LIKE '%
  • Search comments (if enabled):
    SELECT comment_ID, comment_post_ID, comment_author_email, comment_content
    FROM wp_comments
    WHERE comment_content LIKE '%javascript:%' OR comment_content LIKE '%
  • Grep logs for suspicious patterns:
    grep -Ei "eeb_mailto|javascript:|onerror=|onclick=" /var/log/nginx/* /var/log/apache2/*
  • Find posts by users with Contributor capability:
    SELECT ID, post_title, post_author, post_date
    FROM wp_posts
    WHERE post_author IN (SELECT ID FROM wp_users WHERE ID IN (SELECT user_id FROM wp_usermeta WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%contributor%'));

Note: Replace wp_ prefix with your table prefix where applicable.

WAF rules to block exploitation (virtual patching)

If you manage a Web Application Firewall or your host allows custom rules, apply virtual patches while testing upgrades. Test rules in detect/log-only mode first to avoid false positives.

Example ModSecurity-style rules (adjust to your engine):

SecRule REQUEST_BODY "@rx \[eeb_mailto[^\]]*(?:javascript:|on(?:click|mouseover|error|load|submit)\=|

Notes:

  • Apply rules to submissions from untrusted roles (Contributor) where possible.
  • Use conservative patterns and test in staging; tune to your environment.

Example WAF signature for regex-capable engines

Conservative regex (case-insensitive):

/\[eeb_mailto[^\]]*(javascript:|on(?:click|mouseover|error|load|submit)\s*=|

Log-only initially, then block once confidence in rule accuracy is achieved.

Hardening code recommendations (developer-side)

If you develop themes or plugins, adopt these practices to prevent stored XSS:

  1. Sanitize on save: Validate and clean input before database storage. Use functions like sanitize_email, sanitize_text_field, wp_kses_post, and esc_url_raw.
  2. Escape on output: Escape values with esc_html, esc_attr, esc_url, or esc_js depending on context.
  3. Restrict allowed URL schemes: Use wp_allowed_protocols() or a stricter whitelist to prevent javascript: URIs.

Example of a safer shortcode handler:

function safe_eeb_mailto_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'email' => '',
        'label' => ''
    ), $atts, 'eeb_mailto' );

    // Sanitize the attributes: sanitize_email() strips illegal characters and
    // returns '' for anything that is not an address (e.g. a javascript: URI).
    $email = sanitize_email( $atts['email'] );
    $label = sanitize_text_field( $atts['label'] );

    // If the email is empty or still not a valid address, render nothing
    if ( empty( $email ) || ! is_email( $email ) ) {
        return '';
    }

    // Build the mailto link; href and title are escaped for attribute context
    $href  = 'mailto:' . rawurlencode( $email );
    $title = esc_attr( $label ? $label : $email );

    // esc_url() for the href attribute, esc_html() for the visible link text
    return '<a href="' . esc_url( $href ) . '" title="' . $title . '">'
        . esc_html( $label ? $label : $email ) . '</a>';
}
add_shortcode( 'eeb_mailto', 'safe_eeb_mailto_shortcode' );

Important: never inject raw HTML or attributes from untrusted input without proper escaping and validation.

How to detect a live compromise (signs to look for)

  • Unexpected admin logins or sessions from unusual IPs.
  • New administrator users or elevated privileges created without authorization.
  • Posts, pages, or media you did not create.
  • Hidden scripts in post_content, widgets, or theme files (look for base64, eval, document.write, and JS redirects).
  • Suspicious outbound HTTP connections from the server.
  • Unusual POSTs to /wp-admin/post.php containing eeb_mailto content.

Forensic search examples:

SELECT ID, post_title, post_date, post_author
FROM wp_posts
WHERE post_content REGEXP '<script[^>]*>';

SELECT ID, post_content
FROM wp_posts
WHERE post_content LIKE '%javascript:%';

Clean-up & containment steps if you find malicious content

  1. Quarantine content: Unpublish suspicious posts or set them to draft immediately.
  2. Remove or sanitize infected posts: Remove malicious shortcode instances or restore from known-good backups.
  3. Reset credentials: Force password resets for privileged users.
  4. Invalidate sessions and application passwords: Revoke application passwords and invalidate sessions.
  5. Scan for web shells/backdoors: Check theme/plugin files and upload directories for unexpected PHP files or obfuscated code.
  6. Check scheduled tasks (crons): Malicious cron events can maintain persistence.
  7. Review logs and pivot: Triage attack origin and assess lateral movement.
  8. Notify stakeholders: Follow your incident disclosure policy and preserve logs for forensics.

Post-incident: prevention and long-term hardening

  • Principle of least privilege: Limit which roles can create content with executable output. Consider restricting shortcodes and unfiltered HTML.
  • Content moderation/workflow: Require editorial review of content from Contributors.
  • Keep software updated: Apply security updates promptly; use staging for compatibility checks.
  • Continuous scanning: Scheduled malware scans and integrity checks for core files.
  • Harden admin access: Enforce Two-Factor Authentication for editors and admins; consider IP allowlisting for sensitive admin pages.
  • Backups and recovery: Maintain clean, frequent backups with tested restore procedures.

Example detection rules for SIEM / Log monitoring

  • Alert on POSTs that include the string [eeb_mailto from authenticated Contributor accounts:

    Rule: If authenticated user role == contributor AND POST body contains [eeb_mailto AND ( javascript: | onerror= | onclick= ) → high-priority alert.

  • Alert when admin preview/edit pages contain
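The shortcode-scoped search from the indicators section and the role-prioritised SIEM rule above, combined in one added example that is not the advisory's or the plugin's own code: it scans exported wp_posts rows (the row shape and the sample rows are constructed for this example), decodes HTML entities and collapses whitespace inside the scheme so obfuscated javascript: URIs are still caught, and only flags content inside an [eeb_mailto] tag, which avoids the false positives a raw grep for javascript: produces.

```python
import html
import re
from typing import Dict, List, Tuple

# One [eeb_mailto ...] shortcode; group 1 is its raw attribute string.
SHORTCODE_RE = re.compile(r"\[eeb_mailto\b([^\]]*)\]", re.IGNORECASE)

# Indicators named in the advisory: javascript: URIs, inline event handlers, script tags.
SUSPICIOUS = {
    "javascript_uri": re.compile(r"javascript:", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
}

def scan_post(post_id: int, content: str) -> List[Dict]:
    """Return one finding per [eeb_mailto] shortcode whose attributes look malicious."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        # Decode HTML entities first so that e.g. &#106;avascript: is seen as javascript:
        decoded = html.unescape(m.group(1))
        # Browsers ignore whitespace/control characters inside a URL scheme, so the
        # scheme check runs on a collapsed copy (catches "jav<TAB>ascript:").
        compact = re.sub(r"[\x00-\x20]", "", decoded)
        reasons = [
            name for name, rx in SUSPICIOUS.items()
            if rx.search(compact if name == "javascript_uri" else decoded)
        ]
        if reasons:
            findings.append({"post_id": post_id, "shortcode": m.group(0), "reasons": reasons})
    return findings

def scan_rows(rows: List[Tuple[int, str, str, str]]) -> List[Dict]:
    """rows = (ID, author login, author role, post_content); Contributor hits are high priority."""
    results = []
    for post_id, author, role, content in rows:
        for f in scan_post(post_id, content):
            f.update(author=author, priority="high" if role == "contributor" else "medium")
            results.append(f)
    return results

# Constructed sample rows (hypothetical data, not from any real site).
SAMPLE_ROWS = [
    (101, "alice", "editor", 'Contact: [eeb_mailto email="info@example.com" label="Info desk"]'),
    (102, "mallory", "contributor", '[eeb_mailto email="javascript:alert(1)" label="Help"]'),
    (103, "mallory", "contributor", """[eeb_mailto email='" onmouseover="alert(1)' label="Sales"]"""),
    (104, "mallory", "contributor", '[eeb_mailto email="jav&#9;ascript:alert(1)"]'),
    (105, "bob", "author", "Prose that merely mentions javascript: outside a shortcode is not flagged."),
]
```

Feed it the output of the wp_posts query from the indicators section (joined to the author's role from wp_usermeta) and review each finding's shortcode text by hand before quarantining the post.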