How to Add Subresource Integrity (SRI) in WordPress

In this article:

What’s Subresource Integrity?

Subresource integrity (SRI) protects your website from external JavaScript libraries – e.g. Jquery.com – hosted on content delivery networks (CDNs) such as Cloudflare if they’re modified for malicious purposes. SRI adds a sha384 integrity checksum or stronger alongside the src (source) URL for comparison to accomplish this.

Many web developers can edit a few lines within their .htaccess file to accomplish this. Unfortunately, this doesn’t work for WordPress websites because of the way its core scripts are coded. There’s currently a Trac ticket regarding its possible implementation.

The easiest way as of now to implement SRI in WordPress is using the Subresource Integrity (SRI) Manager plugin.

Note: SRI is only helpful for websites with a valid free or paid SSL certificate and forcing HTTPS usage via .htaccess file or a plugin such as Really Simple SSL.

Warning: The Subresource Integrity (SRI) Manager plugin reportedly hasn’t been tested with the latest 3 major releases of WordPress. We’ve successfully tested its functionality and confirmed with the plugin developer(s) that it’s regularly checked for compatibility. As always, exercise caution when installing potentially abandoned plugins and create a full cPanel backup before continuing.

Install Subresource Integrity (SRI) Manager

Subresource Integrity (SRI) Manager is a plug-and-play plugin. You can install the plugin manually or via WP-CLI (plugin name wp-sri). Below we’ll use the WordPress dashboard.

  1. Log into WordPress.
  2. Install the Subresource Integrity (SRI) Manager plugin.
  3. Click Activate.
  4. Scan your website at Observatory.Mozilla.org. If successful, you’ll see the following within the test results:
    Subresource Integrity (SIR) is implemented and all scripts are loaded securely

Exclude Resources

If your website has plugins or themes using the WordPress API, you can exclude those resources if needed.

  1. On the left, hover over Tools and click Subresource Integrity Manager.
  2. Exclude any resources necessary. If your website doesn’t have any plugins or themes using the WordPress API, or if the plugin doesn’t detect any, the page will state “No hashes known”.

If this doesn’t fix an issue caused by SRI Manager, you’ll need to contact the broken plugin or theme’s developer(s) for further assistance. You can find developers’ contact info from their respective WordPress.org/plugins page by clicking the name under the plugin name.

You can disable the plugin manually, via the dashboard, or within WP-CLI.

WordPress Security

Security requires a proactive defense-in-depth approach. And the more popular a software is, the more likely it is to be tested for vulnerabilities. For these reasons, you should implement security enhancements at every level – your InMotion Hosting Account Management Panel (AMP) account, cPanel, WebHost Manager (WHM) for VPS/Dedicated users with Root access, and website.

Please consider the following security implementations for better overall security:

If you have any questions, feel free to contact our 24/7 Live Support.

J
Jacqueem Content Writer I

Technical writer focused on cybersecurity and musicianship.

More Articles by Jacqueem

Comments

It looks like this article doesn't have any comments yet - you can be the first. If you have any comments or questions, start the conversation!

Was this article helpful? Let us know!