Fix Guide

How to Fix Cookie Security Flags in WordPress

February 8, 2026

If InspectWP reports cookies without the Secure, HttpOnly, or SameSite flags, your site may be vulnerable to session hijacking, XSS-based cookie theft, or CSRF attacks. Here's how to fix each flag.



Fix WordPress Session Cookies


WordPress core cookies (wordpress_logged_in_*, wordpress_sec_*) are always set HttpOnly, and get the Secure flag whenever the request is served over HTTPS. The constants below force HTTPS for login and admin so that Secure is always applied, and the session.* settings harden the PHP session cookies that some plugins use (they do not touch the WordPress auth cookies). Add them to your wp-config.php:


// Scope the cookies to your domain and path (this does not add any flag by itself;
// replace example.com with your own domain)
define('COOKIE_DOMAIN', 'example.com');
define('COOKIEPATH', '/');

// Force HTTPS for the login and admin pages; WordPress then sets its auth cookies
// with the Secure flag (they are already HttpOnly)
define('FORCE_SSL_ADMIN', true);

// Defaults for PHP session cookies (plugins using session_start()), not for the
// WordPress auth cookies; session.cookie_samesite requires PHP 7.3+
@ini_set('session.cookie_secure', '1');
@ini_set('session.cookie_httponly', '1');
@ini_set('session.cookie_samesite', 'Lax');


Force Secure and HttpOnly via PHP


For PHP 7.3+ (the version that introduced session.cookie_samesite) you can set the PHP session cookie defaults in php.ini or .htaccess. Note that php_value in .htaccess only takes effect when PHP runs as an Apache module (mod_php); with PHP-FPM, put the same settings in php.ini or a .user.ini file in the web root. These defaults apply to cookies created by PHP sessions, not to cookies a plugin sets directly with setcookie():


# In .htaccess
php_value session.cookie_secure 1
php_value session.cookie_httponly 1
php_value session.cookie_samesite "Lax"


Fix Cookies via HTTP Headers (Apache)


You can also modify all cookies at the server level using the Header directive:


# In .htaccess
<IfModule mod_headers.c>
    Header always edit Set-Cookie ^(.*)$ "$1; Secure; HttpOnly; SameSite=Lax"
</IfModule>

Note: This approach appends the flags to every cookie set by the server, including plugin cookies, and does so even when a cookie already carries them. Because browsers use the last occurrence of a repeated attribute, a cookie that was deliberately set with SameSite=None (see the considerations below) will end up as SameSite=Lax and may stop working cross-site. Test thoroughly to ensure no functionality breaks.



Fix Cookies via HTTP Headers (Nginx)


For Nginx, use proxy_cookie_flags (Nginx 1.19.3+) or modify the Set-Cookie header. Both directives belong to the proxy module, so they only rewrite cookies in responses that come from a proxy_pass upstream; they do not apply to a PHP-FPM backend reached via fastcgi_pass, where the PHP-level settings above are the way to go:


# In nginx.conf or site config
proxy_cookie_flags ~ secure httponly samesite=lax;

# Alternative for older Nginx versions:
# proxy_cookie_path / "/; Secure; HttpOnly; SameSite=Lax";


Fix Plugin Cookies


Some plugins set their own cookies without security flags. Common offenders include:



  • Cookie consent plugins — Check the plugin settings for cookie security options.

  • Analytics plugins — These often set tracking cookies without flags.

  • Caching plugins — Cache identifier cookies may lack flags.


If a plugin doesn't offer security flag options, the server-level approach (Apache/Nginx headers) is the most reliable fix.



Verifying the Fix



  1. Apply the changes and clear your browser cookies.

  2. Visit your site and check the cookies in your browser's developer tools (Application → Cookies).

  3. Each cookie should show checkmarks for Secure and HttpOnly, and display Lax or Strict for SameSite.

  4. Run InspectWP again to confirm all cookie warnings are resolved.
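The browser check above can be automated for a whole response. The following is an added example, not InspectWP's own checker: it parses the Set-Cookie header values of a response and reports which cookies are missing Secure, HttpOnly or SameSite, and which ones carry SameSite=None without Secure (a combination modern browsers reject). The sample headers are constructed; in practice you would feed in the values captured from your own site. Duplicate attributes resolve to the last occurrence, which mirrors how browsers treat a header such as "SameSite=None; ...; SameSite=Lax" produced by a blanket server-level edit.

```python
"""Audit Set-Cookie header values for the Secure, HttpOnly and SameSite flags.

Added example, not InspectWP's code. SAMPLE_HEADERS below is constructed
sample data, not captured from a real site.
"""
from typing import Dict, List, Optional, Tuple

# Attribute names are case-insensitive (RFC 6265), so everything is lower-cased.
REQUIRED_FLAGS = ("secure", "httponly")
VALID_SAMESITE = ("lax", "strict", "none")


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value}).

    The first segment is name=value; the remaining segments are attributes.
    Flags without a value (Secure, HttpOnly) map to None. A repeated
    attribute keeps its last occurrence, as browsers do.
    """
    segments = [s.strip() for s in header.split(";")]
    name = segments[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for seg in segments[1:]:
        if not seg:  # tolerate a trailing ';'
            continue
        key, sep, value = seg.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_cookie(header: str) -> List[str]:
    """Return the findings for one Set-Cookie value (empty list means OK)."""
    name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    for flag in REQUIRED_FLAGS:
        if flag not in attrs:
            findings.append(f"{name}: missing {flag}")
    samesite = attrs.get("samesite")
    if samesite is None:
        findings.append(f"{name}: missing SameSite")
    elif samesite.lower() not in VALID_SAMESITE:
        findings.append(f"{name}: unknown SameSite value {samesite!r}")
    elif samesite.lower() == "none" and "secure" not in attrs:
        # SameSite=None is only honoured when the cookie is also Secure.
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings


def audit_headers(headers: List[str]) -> Dict[str, List[str]]:
    """Audit a list of Set-Cookie values; return {cookie name: findings} for failing cookies only."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        findings = audit_cookie(header)
        if findings:
            report[parse_set_cookie(header)[0]] = findings
    return report


# Constructed sample Set-Cookie values: one hardened auth cookie, one core
# settings cookie without flags, and one plugin cookie with SameSite=None only.
SAMPLE_HEADERS = [
    "wordpress_logged_in_abc123=user%7C123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "wp-settings-time-1=1700000000; Path=/; expires=Fri, 01 Jan 2027 00:00:00 GMT",
    "cookie_notice_accepted=true; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for cookie_findings in audit_headers(SAMPLE_HEADERS).values():
        for finding in cookie_findings:
            print(finding)
```

Run it against the Set-Cookie lines of a real response (for example the output of curl -sI against your login page) and an empty report means every cookie carries all three flags; anything listed is what InspectWP would still warn about.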



Important Considerations



  • The Secure flag requires HTTPS. Make sure your site fully runs on HTTPS before enabling it.

  • SameSite=Strict may break login flows from external links (e.g., email password reset links). Use Lax as a safe default.

  • Third-party embeds that rely on cross-site cookies (e.g., payment gateways) may need SameSite=None; Secure to function.
