WordPress is the most popular CMS on the Internet, and, perhaps unsurprisingly, the most hacked. In 2018, 90% of all CMS-powered websites successfully hacked were WordPress sites, amounting to around 90,000 attacks against WordPress websites per minute.

If you use WordPress, this data might make you want to consider an alternative. It makes sense to question the security of any web-based service — getting hacked wastes time, energy, and money. It hurts your business and online reputation. It damages trust with your users. And, in the worst cases, it puts those affected in danger.

It’s impossible to quantify the number of threats that any website could face day-to-day. However, there are a handful of specific issues that need special attention from WordPress users.

In this article, we’ll go over the 5 WordPress security issues you need to know to protect your WordPress website. For each issue, I’ll explain what makes WordPress vulnerable to these problems in the first place, as well as how to prevent them so you can feel safe using WordPress as your CMS.

Download Now: Free Website Safety Checklist

Unauthorized Logins

Unauthorized logins are typically performed by “brute-force”. In a brute-force login, the attacker uses a bot to quickly guess billions of potential username-password combinations. If they’re lucky, they’ll eventually guess the right credentials and gain access to the protected information.

The process is a sight to behold (and it’s somewhat terrifying):

computer trying many passwords very quickly to attempt a brute-force login, a wordpress security issue


Why WordPress Sites Are Vulnerable

There are two major reasons why these attacks happen successfully on WordPress sites. First, the default backend login page for any given WordPress site is easy to find. Just take the site’s main URL, append “/wp-admin” or “/wp-login.php” to the end, and you’re there. If the login page URL remains unchanged, attackers will easily find this page and attempt a brute-force entry.

But in the case of unauthorized WordPress login incidents, the responsibility also falls on the WordPress user. By pairing the default “admin” username with a simple, common password, attackers have no problem accessing the backend to a vulnerable WordPress site.

What You Can Do

The easiest and most effective defense against brute-force hacking is strong passwords that hackers have a difficult time guessing, even with technology that looks like something out of The Matrix. Warnings against weak, predictable passwords are nothing new, but many still aren’t getting the message. Just read Nordpass’ list of the most common passwords of 2019 and weep.

Allow me to show you why adding just a bit of complexity to your credentials is surprisingly powerful. The table below shows the approximate time it takes a random brute-force algorithm to guess a password at a rate of around a billion per second, based on password length and use of lower case characters (LC), upper case characters (UC), special characters (SC), and digits.

table showing the amount of time to brute-force guess a password given password length and the types of characters it uses


As shown, using a password with a combination of character types and/or length will make it nearly impossible for a brute-force attempt to uncover.

Okay, you’re convinced that strong passwords actually do something. But does thinking of and remembering all these passwords sound like a lot of work? Well, good thing password managers exist. These handy applications will do all the generating, remembering, and safe-keeping for you.

In addition to strong passwords, there are additional measures you can take to curb unwanted entries:

  • Two-factor authentication requires users to verify their login on a separate device.
  • Consider getting rid of the WordPress account with the “admin” username (the first thing hackers will guess) and making a new admin account with a secret username.
  • Several reputable WordPress plugins can limit login attempts and add captchas to nip brute-force attacks in the bud. For more details, see our Ultimate WordPress Security Checklist.

Keep in mind that the brute-force method is applicable anywhere there’s a password required, so be sure to fortify your logins for any password-protected information. And don’t repeat them across login pages or leave them face-up on post-its!


Malware is a broad term that includes any malicious software (hence, “mal-ware”). Hackers can place malware files in among legitimate website files or implant code in existing files to steal from websites and their visitors, attempt an unauthorized login via “backdoor” files, or wreak general havoc.

Why WordPress Sites Are Vulnerable

Malware usually enters WordPress sites through unauthorized and outdated themes and plugins. Hackers take advantage of security problems in plugins and themes, imitate existing ones, or even create entirely new add-ons for the sole purpose of placing harmful code on your site.

What You Can Do

First, carefully vet every plugin and theme you install on your WordPress site. WordPress.com lists useful stats for all plugins in their directory, like the example below:

usage and update statistics for the WordPress security plugin Defender


Opt for either reputable free options or paid options that serve the function you want. These plugins are likely to be better maintained and more secure than unverified plugins (stay away from those).

The same rules go for themes: Don’t use just any WordPress theme that looks good. Only apply themes to your site that comply with WordPress standards for code. Use W3C’s validator to check if a theme is safe to use by pasting the URL of the theme’s live demo into the bar, and check out some of the WordPress themes we recommend.

Next, remember to update plugins, themes, and WordPress core (the files that run the bare-bones WordPress functions). An outdated WordPress feature with security vulnerabilities presents a golden opportunity for attackers. Reference our guide for updating your WordPress plugins and WordPress’ instructions for updating WordPress.

Alongside updates, we recommend removing all plugins you don’t use and only keeping those you need. Every plugin installed on your site increases the chance of malicious entry, so probably best to clear out that random cool widget plugin you installed 3 years ago but never used.

Finally, conduct regular security scans to find any potential malware hiding on your WordPress website. Plugins are actually your friend here: There are many strong security plugins out there that can scan for malware and fix damaged files. For example, Defender by WPMU DEV features malware scanning and other features to prevent most other issues in this list. You can also see more options from our list of recommended WP security scanners.

SQL Injections

In a SQL injection, a hacker gains the ability to directly view and modify a website’s database. SQL is the programming language used by WordPress sites for database management, hence the name.

Since a website is essentially just information pulled from a database and displayed nicely in your browser, the implications for this kind of attack are grim. Attackers can use SQL injections to make new accounts on a website’s backend, add unauthorized and dangerous content and links to a site’s display, and leak, edit, and delete data.

Why WordPress Sites Are Vulnerable

Attackers most often access WordPress SQL databases in the backend through visitor-facing submission forms, including contact forms, payment info fields, lead forms, you name it. Of course, hackers aren’t showing interest in your content offer. They’re submitting SQL code that, once stored in the database, actually runs and makes changes from the inside.

What You Can Do

Four words: Never trust user input. Any feature on your site allows visitors to submit information directly to your SQL database is an opportunity for an injection.

The solution? Filter out special characters in user submissions before the information enters your database. Without symbols, you reduce a string of malicious code into harmless gibberish. Consider using a WordPress form plugin and/or a WordPress security plugin to do this work for you. Consider adding a captcha to the submission process to prevent bots from making attempts.

Cross-Site Scripting

Cross-Site Scripting (XSS) happens when an attacker places malicious code into the backend of a target website. XSS attacks are similar to database injections in that attackers try to plant code that runs in your files. However, XSS primarily targets web page functionality.

With access to your frontend display, hackers might try to harm visitors by, for example, posting a disguised link to a faulty website or displaying a fake contact form to steal user information.

Why WordPress Sites Are Vulnerable

Again, WordPress plugins and themes are the culprits here. If an attacker finds an outdated or poorly-maintained plugin in your side, they can exploit it for access to files that dictate your website’s frontend. The same goes for insecure WordPress themes.

What You Can Do

Update, update, update! Always keep your WordPress Core, plugins, and theme running their latest versions, and be very careful when implementing any third-party software on your website.

Another helpful tool for preventing XSS is a web application firewall (WAF), which inspects traffic and prevents unapproved visitors from entering your system from outside networks. WAFs are easy to set up and maintain, so we recommend browsing reputable WAF plugins to protect your WordPress site from XSS, SQL injections, and other attacks.

Denial-of-Service Attacks

A Denial-of-Service (DoS) attack aims to block site administrators and visitors from accessing a website. This is done by sending so much traffic to a targeted server that it crashes, taking down all websites hosted on it. Eventually the server and its hosted websites are restored, but the reputation of the attacked websites might be difficult to rebuild.

Often, these attacks are conducted from multiple machines at a time (forming a botnet), which hides the source of the traffic and compounds the volume of spam. This is known as a distributed denial-of-service (DDoS) attack, and it’s a lot worse.

Why WordPress Sites Are Vulnerable

Like any website, those powered by WordPress need hosting. DoS and DDoS attacks target website-hosting servers, namely those with limited security in place.

What You Can Do

Don’t just rely on plugins for this one; the best defense against DoS/DDoS attacks is secure WordPress hosting. Find a reliable hosting provider that suits your business’ needs and maintains a reputation for taking security seriously.

We all know that the internet can be a scary place, but that doesn’t mean we shouldn’t understand the threats and risks out there. Staying informed about cybersecurity is one of the best ways to defend your online presence, protect the growth of your business, and earn the trust of your customers. Stay safe out there!

New Call-to-action

 New Call-to-action

Originally published May 26, 2020 7:00:00 AM, updated September 08 2020


WordPress Security