Remediation Steps

Follow the steps below to remediate this finding on WordPress.

  1. Add the following to wp-config.php to set SameSite=Lax on the WordPress session cookie. Note that this ini directive governs PHP's native session cookie (PHPSESSID) only, which WordPress core does not use; it takes effect only for plugins that call session_start(), and requires PHP 7.3 or later:

    // Applies to PHP's native session cookie only (PHP >= 7.3); the WordPress auth cookies are handled in step 2.
    @ini_set('session.cookie_samesite', 'Lax');
  2. For the auth cookies, add to functions.php. WordPress issues its auth and logged_in cookies with setcookie() inside wp_set_auth_cookie() and does not add SameSite itself, and the set_auth_cookie action fires before those setcookie() calls, so removing the Set-Cookie header at that point has no effect. Instead, rewrite the queued Set-Cookie headers once the cookies exist, on the wp_login action, which fires after wp_set_auth_cookie() but before the post-login redirect is sent:

    add_action('wp_login', function () {
        // Runs after wp_set_auth_cookie() has queued the cookies but before any headers are sent.
        $cookies = array_filter(headers_list(), function ($h) { return stripos($h, 'Set-Cookie:') === 0; });
        header_remove('Set-Cookie');
        foreach ($cookies as $c) {
            header(stripos($c, 'SameSite=') === false ? $c . '; SameSite=Lax' : $c, false);
        }
    }, PHP_INT_MAX);

    This covers the interactive login; cookies that WordPress re-issues on other code paths (for example the automatic renewal of an auth cookie that is close to expiry) are not rewritten by this hook.
  3. Alternatively, use a security plugin such as "Wordfence" or "iThemes Security" that manages cookie flags. Whichever option you choose, confirm the result after logging in by inspecting the wordpress_logged_in_* and wordpress_sec_* (or wordpress_* over plain HTTP) cookies in the browser's developer tools and checking that each carries SameSite=Lax.
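A fuller alternative to step 2, as an added example that is not part of this remediation page or of WordPress core: it suppresses core's own setcookie() calls through the send_auth_cookies filter and re-issues the auth and logged_in cookies with PHP's options-array form, so SameSite=Lax applies on every path that sets them (login and the automatic renewal), not only the login request. It assumes PHP 7.3 or later and WordPress 4.7.4 or later (when the filter was introduced); acme_samesite_cookie_opts is a helper name chosen here, and the code goes in functions.php or a must-use plugin.

```php
<?php
// Hypothetical helper name; any prefix works. Builds the setcookie() options array
// (PHP >= 7.3 form) with the flags core would set plus SameSite=Lax.
function acme_samesite_cookie_opts($expire, $path, $secure) {
    return [
        'expires'  => $expire,
        'path'     => $path,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => $secure,
        'httponly' => true,
        'samesite' => 'Lax', // Strict would break links into wp-admin from other sites
    ];
}

// Stop core from sending the auth/logged_in cookies without SameSite. Since
// WordPress 6.2 the same filter also guards wp_clear_auth_cookie(), which calls
// it with $user_id = 0; let that case through so logout still clears the cookies.
add_filter('send_auth_cookies', function ($send, $expire = 0, $expiration = 0, $user_id = null) {
    return (0 === $user_id) ? $send : false;
}, 10, 4);

// Re-issue the auth cookie on both paths core uses. $scheme tells us whether core
// chose the Secure variant (SECURE_AUTH_COOKIE) or the plain one (AUTH_COOKIE).
add_action('set_auth_cookie', function ($auth_cookie, $expire, $expiration, $user_id, $scheme) {
    $secure = ('secure_auth' === $scheme);
    $name   = $secure ? SECURE_AUTH_COOKIE : AUTH_COOKIE;
    foreach ([PLUGINS_COOKIE_PATH, ADMIN_COOKIE_PATH] as $path) {
        setcookie($name, $auth_cookie, acme_samesite_cookie_opts($expire, $path, $secure));
    }
}, 10, 5);

// Re-issue the logged_in cookie. Core marks it Secure only when the request is
// HTTPS and the home URL is https://; mirror that and run core's filter as well.
add_action('set_logged_in_cookie', function ($logged_in_cookie, $expire, $expiration, $user_id) {
    $secure = is_ssl() && 'https' === parse_url(get_option('home'), PHP_URL_SCHEME);
    $secure = apply_filters('secure_logged_in_cookie', $secure, $user_id, is_ssl());
    foreach (array_unique([COOKIEPATH, SITECOOKIEPATH]) as $path) {
        setcookie(LOGGED_IN_COOKIE, $logged_in_cookie, acme_samesite_cookie_opts($expire, $path, $secure));
    }
}, 10, 4);
```

After deploying, log out and back in and verify that the wordpress_sec_* (or wordpress_*) and wordpress_logged_in_* cookies are set with SameSite=Lax and that logout still removes them.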