I am working on a corporate project and they are running security audit by consultants and they found the following issues regarding WordPress. I managed to get a lot of issues resolved using headers in .htaccess but some seem to be part of wordpress core and not sure how to proceed with them.
Try using secure method to prevent session hijacking Attack. Session Id should change/get refreshed evert time user get login and log out.
login credentials should be encrypted at code level.
whene-ever a url manipulation is done at user end it should automatically re-direct to application developed error page.
upgrade to latest version of jquery (3.3.1) (WP uses 1.12.4 and it is secure but is it possible to upgrade without breaking admin and other features relying on jQuery?)
-Anti-forgery tokens (also known as request verification tokens) must be utilised.
Is there any way do fix these issues without making changes to core files and is there any document for hardening such things with wordpress for high security environments?
Read more here:: How to resolve these findings from security audit