Adding CSP to WordPress: The Guide That Admits It's Complicated
WordPress and Content Security Policy have a complicated relationship. WordPress was built in an era before CSP existed, and it shows. The admin panel injects inline scripts constantly. Plugins do whatever they want. Themes include jQuery from who-knows-where. But here’s the thing: your WordPress site is a target. It powers 43% of the web, which means attackers have spent years finding ways to exploit it. Adding CSP is one of the most impactful things you can do to protect it. ...