In this article:
- What’s Subresource Integrity (SRI)?
- Install the Subresource Integrity (SRI) Manager
- Exclude Resources
- WordPress Security
What’s Subresource Integrity?
Subresource integrity (SRI) protects your website if external JavaScript libraries (e.g. from jQuery.com) hosted on content delivery networks (CDNs) such as Cloudflare are modified for malicious purposes. To accomplish this, SRI adds an integrity checksum (sha384 or stronger) alongside the src (source) URL for comparison.
Many web developers can edit a few lines within their .htaccess file to accomplish this. Unfortunately, this doesn’t work for WordPress websites because of the way its core scripts are coded. There’s currently a Trac ticket regarding its possible implementation.
The easiest way as of now to implement SRI in WordPress is using the Subresource Integrity (SRI) Manager plugin.
Note: SRI is only helpful for websites that have a valid free or paid SSL certificate and force HTTPS usage via the .htaccess file or a plugin such as Really Simple SSL.
Warning: The Subresource Integrity (SRI) Manager plugin reportedly hasn’t been tested with the latest 3 major releases of WordPress. We’ve successfully tested its functionality and confirmed with the plugin developer(s) that it’s regularly checked for compatibility. As always, exercise caution when installing potentially abandoned plugins and create a full cPanel backup before continuing.
Install Subresource Integrity (SRI) Manager
Subresource Integrity (SRI) Manager is a plug-and-play plugin. You can install the plugin manually or via WP-CLI (plugin name wp-sri). Below we’ll use the WordPress dashboard.
- Log into WordPress.
- Install the Subresource Integrity (SRI) Manager plugin.
- Click Activate.
- Scan your website at Observatory.Mozilla.org. If successful, you’ll see the following within the test results:
Subresource Integrity (SRI) is implemented and all scripts are loaded securely
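A local version of this check, as an added example (not code from the plugin, WordPress, or Observatory): it computes the sha384 integrity value, verifies it the way a browser does, and lists cross-origin script tags that lack an integrity attribute or no longer match their hash. The URLs, sample page, and function names are constructed for illustration.

```javascript
// Added example: not code from the SRI Manager plugin or WordPress.
const crypto = require('crypto');
// Value for integrity="...": "<algo>-<base64 digest of the file>".
function sriHash(body, algo = 'sha384') {
  return `${algo}-${crypto.createHash(algo).update(body).digest('base64')}`;
}

// Browser-style check: only hashes using the strongest listed algorithm
// count, and one of them matching is enough.
function verifyIntegrity(integrityAttr, body) {
  const rank = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);
  const algoOf = (token) => token.split('-')[0];
  const known = integrityAttr.trim().split(/\s+/).filter((t) => rank.has(algoOf(t)));
  if (known.length === 0) return true; // no usable hash: loaded unchecked
  const best = Math.max(...known.map((t) => rank.get(algoOf(t))));
  return known.filter((t) => rank.get(algoOf(t)) === best)
    .some((t) => t === sriHash(body, algoOf(t)));
}

// Report cross-origin <script> tags with no integrity attribute, or whose
// hash does not match the copy in `bodies` (URL -> contents, fetched by caller).
function auditScripts(html, siteUrl, bodies) {
  const origin = new URL(siteUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attr = (name) =>
      (tag.match(new RegExp(`\\s${name}\\s*=\\s*["']([^"']*)["']`, 'i')) || [])[1];
    const src = attr('src');
    if (!src || new URL(src, origin).origin === origin) continue; // inline or local
    const integrity = attr('integrity');
    if (!integrity) findings.push({ src, issue: 'missing integrity' });
    else if (src in bodies && !verifyIntegrity(integrity, bodies[src]))
      findings.push({ src, issue: 'hash mismatch' });
  }
  return findings;
}

// Constructed sample page and CDN files (hypothetical URLs).
const lib = 'window.demoLib = 1;';
const SAMPLE_BODIES = {
  'https://cdn.example.net/lib.js': lib,
  'https://cdn.example.net/changed.js': lib + ' /* altered on the CDN */',
};
const SAMPLE_HTML = `
<script src="/js/local.js"></script>
<script src="https://cdn.example.net/lib.js" integrity="${sriHash(lib)}" crossorigin="anonymous"></script>
<script src="https://cdn.example.net/nohash.js"></script>
<script src="https://cdn.example.net/changed.js" integrity="${sriHash(lib)}" crossorigin="anonymous"></script>`;
console.log(auditScripts(SAMPLE_HTML, 'https://example.com', SAMPLE_BODIES));
```

An integrity attribute that lists only unsupported algorithms is treated as absent by the browser, which is why `verifyIntegrity` returns true in that case.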
Exclude Resources
If your website has plugins or themes using the WordPress API, you can exclude those resources if needed.
- On the left, hover over Tools and click Subresource Integrity Manager.
- Exclude any resources necessary. If your website doesn’t have any plugins or themes using the WordPress API, or if the plugin doesn’t detect any, the page will state “No hashes known”.
If this doesn’t fix an issue caused by SRI Manager, you’ll need to contact the broken plugin or theme’s developer(s) for further assistance. You can find developers’ contact info from their respective WordPress.org/plugins page by clicking the name under the plugin name.
You can disable the plugin manually, via the dashboard, or within WP-CLI.
WordPress Security
Security requires a proactive defense-in-depth approach. The more popular a piece of software is, the more likely it is to be tested for vulnerabilities. For these reasons, you should implement security enhancements at every level: your InMotion Hosting Account Management Panel (AMP) account, cPanel, WebHost Manager (WHM) for VPS/Dedicated users with Root access, and website.
Please consider the following security implementations for better overall security:
- Use Strong AMP and cPanel passwords
- Create cPanel backups regularly
- Improve email authentication to fight spam and keep your domain from being marked as spam
- 10 Ways to Secure WordPress
- Consider Sucuri for monitored web application firewall (WAF) services
- Upgrade to managed VPS Hosting for additional security options such as cPHulk Brute Force Protection
If you have any questions, feel free to contact our 24/7 Live Support.