WordPress is the most popular CMS on the Internet. Coincidentally it’s also the most hacked. For example, in 2020, Wordfence reported more than 2,800 attacks per second targeting WordPress.

Cyber attacks waste time, energy, and money. And they can also threaten your authority and reputation, especially if your site visitors are affected by the attacks. 

While it’s impossible to quantify the number of day-to-day threats your site may face, it’s essential to recognize and understand WordPress-specific issues should you fall victim to one of them. In addition, many of these issues are also interrelated, so being prepared for one issue can protect you from another.

This article will go over 13 WordPress security and vulnerability issues, why they affect WordPress sites, and the steps you can take to ensure you aren’t affected and feel safe using WordPress as your CMS.

Download Now: Free Website Safety Checklist

1. Unauthorized Logins

Unauthorized logins are typically performed by “brute-force.” In a brute-force login, the attacker uses a bot to quickly run through billions of potential username-password combinations. If they’re lucky, they’ll eventually guess the right credentials and gain access to the protected information.

This process looks like the stereotypical cracking-a-code spy scene from movies where a hacker is rushing to gain access to a computer while on the verge of being caught. 

computer trying many passwords very quickly to attempt a brute-force login, a wordpress security issue

Image Source

Why are WordPress sites vulnerable?

There are two major reasons why these attacks happen successfully on WordPress sites. First, the default backend login page for any given WordPress site is relatively easy to find. Anyone can simply take the site’s main URL, append /wp-admin or /wp-login.php to the end, and they’ll gain access to the login page. If you don’t customize the default login page, attackers can easily gain access and attempt a brute-force entry. 

In the case of unauthorized WordPress login incidents, the responsibility also falls on the WordPress user. Attackers can easily gain access by pairing the default “admin” username with a simple, common password.

What You Can Do

The easiest and most effective defense against brute-force hacking is a strong password that will be difficult to discover, even with powerful technology that looks like something out of The Matrix. Warnings against weak, predictable passwords are nothing new, but many still aren’t getting the message. (Just read NordPass’s list of the most common passwords of 2019 and weep.)

Allow me to show you why adding just a bit of complexity to your credentials is surprisingly powerful.

The table below shows the approximate time it takes a random brute-force algorithm to guess a password at a rate of around a billion per second, based on password length and use of lower case characters (LC), upper case characters (UC), special characters (SC), and digits.

table showing the amount of time to brute-force guess a password given password length and the types of characters it uses

Image Source

As shown, using a password with a combination of character types and/or length will make it nearly impossible for a brute-force attempt to be successful. 

Okay, you’re convinced that strong passwords actually do something. But does thinking of and remembering all these passwords sound like a lot of work? That’s why password managers exist. These handy applications will generate, remember, and safely store your passwords for future use. 

In addition to strong passwords, there are additional measures you can take to curb unwanted entries: 

  • Two-factor authentication requires users to verify their login on a separate device.
  • Consider getting rid of the WordPress account with the “admin” username (the first thing hackers will guess) and making a new admin account with a secret username.
  • Several reputable WordPress plugins can limit login attempts and add captchas to nip brute-force attacks in the bud. For more details, see our Ultimate WordPress Security Checklist.

Remember that the brute-force method is applicable anywhere there’s a password required, so be sure to fortify your logins for any password-protected information. And don’t repeat them across login pages or leave them face-up on post-its!

Keep in mind that the brute-force method is applicable anywhere there’s a password required, so be sure to fortify your logins for any password-protected information. And don’t repeat them across login pages or leave them face-up on post-its!

2. Outdated Core Software

An advantage of using a website building platform rather than building a site from scratch is that developers will continuously enhance the functionality and security of the platform to provide  a seamless user experience.

WordPress developers roll out updates every three months or so. It’s strongly recommended that all WordPress users download these updates when they become available — but it’s not automatic. That means the onus falls on the user. When this core software isn’t updated, it leaves WordPress sites vulnerable.

Why are WordPress sites vulnerable?

Outdated core WP software leaves sites vulnerable because updates are usually designed to address critical security issues. Users who don’t download an update are then vulnerable to hackers. 

If your software is outdated, you’re also unable to update your themes and plugins (which we’ll cover below), and your site becomes more vulnerable to many of the security threats on this list. 

What You Can Do

Although it might be nice, WP doesn’t automatically install updates for you. You should aim to stay on top of update schedules, which WordPress lays out in the calendar linked above. The Updates tab in the WordPress dashboard typically displays a notification bubble (shown below) when an update is available. You can also click Check Again just to make sure.

how to manually check for WordPress updates in admin panel demo

Image Source

3. Undefined User Roles 

When you create a WordPress site, there are six different user roles to choose from, like Subscriber or Administrator. Each role comes with native permissions that allow or restrict users from taking specific actions on your site, like modifying plugins and posting content. The default user role is Administrator, and this role has the most control over any given WordPress site. 

Why are WordPress Sites vulnerable?

If you have multiple users and don't change the default settings, everyone is an admin, which could become an issue. This doesn’t necessarily mean that the people you’re creating a site with will cause you harm, but it does mean that a hacker who gains access to your site will be able to make changes as an administrator.

Poorly defined admin roles subject your site to increased risk if brute-force attacks are successful, as admin roles can give a hacker complete control over your site. In addition, cross-site scripting (covered below) also gives hackers access to front-end capabilities to obtain additional information from your site visitors.

What You Can Do

Regardless of the purpose of your WordPress site, monitor all permissions. If you’re the sole admin on your site, ensure that you have taken additional security measures to prevent hackers from entering your site, like two-factor authentication or longer passwords. If you assign roles to others, make sure you only give them the necessary permissions. Mistakes can happen, so you also want to make sure that a contributor can't accidentally delete a high-performing post, for example.

4. Outdated Themes and Plugins

One of the major appeals of  WordPress is its customizability. Developers create hundreds of unique themes and plugins that WordPress site owners can use to customize their sites. 

However, these extensions require site owners to take proper security precautions. As mentioned above, out-of-date core software can expose your site to security risks, and so can outdated themes and plugins. 

 In fact, according to data from WPScan, approximately 97% of vulnerabilities in their database are plugins and themes and only 4% are core software.

Why are WordPress Sites vulnerable?

Theme and plugin developers often release updates with functionality enhancements and additional security measures. However, not all developers do. 

When they don’t do this, sites using these resources become vulnerable to hackers who can use outdated tools as entry points. For example, say WordPress has released an update with a new security patch but a developer hasn’t updated their theme to be compatible with new requirements. In that case, a hacker could exploit the theme’s vulnerability and gain control of a site. 

In addition, if developers do release updates, site owners who fail to install them can make their sites more vulnerable. 

What You Can Do

You should continuously monitor for updates to ensure that your site isn’t vulnerable to hacks because of outdated themes and plugins. Updates serve to improve WordPress themes security and will protect your website. When updates are available for plugins and themes, you can install them manually or use a plugin to automatically install them as they go live.

5. Malware 

Malware is a broad term that includes any malicious software (hence, “mal-ware”). Hackers can place malware files in legitimate website files or plant code in existing files to steal from websites and their visitors. The malware could also attempt an unauthorized login via “backdoor” files or wreak general havoc.

Why are WordPress Sites vulnerable?

Like many of the issues on this list, being vulnerable to malware is directly related to other issues. For example, malware usually enters WordPress sites through unauthorized and outdated themes and plugins. Hackers take advantage of security problems in plugins and themes, imitate existing ones, or even create entirely new add-ons for the sole purpose of placing harmful code on your site. 

What You Can Do

By default, WordPress restricts the file types users can upload to the media library. If you try to upload a file that isn't included, you'll get an error message, and your file won't upload. Of course, there are ways to get around this as the administrator, but this is one step WordPress takes to stop malware. 

Beyond that, here's what you can do: First, carefully vet every plugin and theme you install on your WordPress site. WordPress.com lists valuable stats for all plugins in their directory, like the example below:

usage and update statistics for the WordPress security plugin Defender

Image Source

You should also conduct regular security scans to find any potential malware hiding on your WordPress website. Plugins are actually your friend here: there are many strong security plugins out there that can scan for malware and fix damaged files. For example, Defender by WPMU DEV has malware scanning and other features to prevent many of the other issues in this list. You can also explore more options from our list of recommended WP security scanners. Some platforms like the free CMS Hub may offer malware scanning and threat detection, This is a useful alternative if you did not want to rely on WP security scanners.

6. Structured Query Language (SQL) Injections

SQL is a programming language that is used to quickly access stored data on a specific site. It’s the preferred language on WordPress for database management and, while somewhat secure, malicious parties can use it to take advantage of your site. 

During an SQL injection, a hacker gains the ability to view and modify your site’s database directly. Attackers can use the SQL to make new accounts on your site, add unauthorized links and content, and leak, edit, and delete data. 

Why are WordPress Sites vulnerable?

WordPress sites are vulnerable to this kind of attack because most are designed to foster a sense of community. Attackers commonly use SQL injections through visitor-facing submission forms, like contact forms, payment info fields, and lead forms. When hackers enter information in these forms, they're not hoping to use your content offer — they’re submitting code that will run and make changes from within. 

What You Can Do

The best course of action is to be skeptical of user input. Any form submission on your site is an opportunity for visitors with malicious intent to submit information directly into your SQL database. 

Restrict the submission of special characters in visitor submissions. Without symbols, you reduce a string of malicious code into harmless gibberish. Consider using a WordPress form plugin and/or a WordPress security plugin to do this work for you. You can also use a captcha as a final step in the submission process to prevent bots from making injection attempts.

7. Search Engine Optimization (SEO) Spam

These spammy hacks are similar to SQL injections, but they target what any website owner values the most: SEO. These hacks take advantage of your top-ranking pages, fill them with spammy keywords and pop-up ads, and use your hard work to sell items or counterfeit merchandise. 

Why are WordPress sites vulnerable? 

WordPress sites are vulnerable to these attacks the same way as other security issues on this list: outdated plugins, themes, and core software. Successful brute attacks and undefined user roles can also make your site vulnerable. 

These hacks are also harder to detect, which makes them even more dangerous. The hackers will often gain access but wait to make any changes not to raise immediate suspicion. Since they’re SEO-based, these spammy keyword additions are only placed on your high-ranking pages, so you won’t identify them when conducting a site-wide review. The hackers simply insert a keyword here and there within relevant pages, like “cheap Chanel bags,” so your code remains relatively intact. 

That means SEO spam is most noticeable to SEO crawlers, as they’ll index your site for the spammy keywords and users searching for Chanel bags (or whatever the spammy keyword is).

What You Can Do

One of the first things you can do is follow the aforementioned security measures like updating on time and defining user roles. You can also use a WordPress security plugin that can run malware scans. We’ve created a list of high-quality security plugins and a security checklist that you can use to protect your site from SEO spam (and other issues on this list).  

If you’re keen on identifying these hacks on your own, pay close attention to your analytics data and note any sudden changes in SERP positions or increased site traffic for no apparent reason. You may also be notified by an internet browser that notices your site is featuring in search results for something that doesn’t seem related to your site. If you have coding knowledge, you can sift through your high-ranking pages that seem to be affected and attempt to identify the misplaced keywords. 

Regardless of the route you choose to take, it’s essential to target and address these hacks early on because SEO crawlers will strike against your site for spammy tactics, and all the hard work you’ve put in will go to waste.

8. Cross-Site Scripting 

Cross-Site Scripting (XSS) happens when an attacker places malicious code into the backend code of the chosen website. XSS attacks are similar to database injections in that attackers try to plant code that runs in your files, but XSS primarily targets web page functionality. Once they get access to your front-end display, hackers might try to harm visitors by, for example, posting a disguised link to a faulty website or displaying a fake contact form to steal user information.

Why are WordPress sites vulnerable?

Again, WordPress plugins and themes are the culprits here. If an attacker finds an outdated or poorly-maintained plugin on your side, they can exploit it for access to files that dictate your website’s front end. The same goes for WordPress themes.

What You Can Do

Update, update, update! Always keep your WordPress Core, plugins, and theme running their latest versions, and be very careful when implementing any third-party software on your website.

Another helpful tool for preventing XSS is a web application firewall (WAF), which inspects traffic and prevents unapproved visitors from entering your system from outside networks. WAFs are easy to set up and maintain, so we recommend browsing reputable WAF plugins to protect your WordPress site from XSS, SQL injections, and other attacks.

9. Denial-of-Service Attacks

A Denial-of-Service (DoS) attack aims to block site administrators and visitors from accessing a website. This is done by sending so much traffic to a targeted server that it crashes, taking down all websites hosted on it. Eventually, the server and its hosted websites are restored, but the reputation of the attacked websites might be difficult to rebuild.

These attacks are often conducted from multiple machines simultaneously (forming a botnet), which hides the original source of the traffic and compounds the volume of spam. This is known as a distributed denial-of-service (DDoS) attack, and it’s a lot worse.

Why are WordPress sites vulnerable?

Like any website, those powered by WordPress need hosting. DoS and DDoS attacks target  hosting servers, namely those with limited security in place.

What You Can Do

Don’t just rely on plugins for this one; the best defense against DoS/DDoS attacks is secure WordPress hosting.

You'll need to find a reliable hosting provider that suits your business’ needs and maintains a reputation for taking security seriously. For example, WP Engine’s managed hosting plans include DDos Mitigation tools as well as a high-powered security solution known as Global Edge Security built specifically to secure WordPress sites, this enterprise-grade cyber defense can help prevent DDoS attacks on your site.

10. Phishing 

Phishing gets its name from actual fishing, where people cast out line after line hoping to get a bite. When phishing, hackers send out massive amounts of spammy links hoping that at least one person will click on it and have their information compromised. You’ve probably heard about or been exposed to phishing attacks through seemingly legitimate emails in your inbox, or text messages from unknown numbers. 

Unfortunately, WordPress is not immune to these spammy practices. 

Why are WordPress sites vulnerable?

Like other security issues on this list, WordPress sites become vulnerable to phishing attempts through outdated plugins, themes, software, or lack of security checks for submission and comment forms. 

If a user with malicious intent gains access to your site with admin privileges, they can post spammy links for users to click that will compromise their information. Phishing capitalizes off of the trust that users have for you and your content, as it’s unlikely their baseline assumption is that you’re attempting to con them. Hackers can also leave comments on your site pages with links that may seemingly direct a user to additional resources that are spam.

Here’s an example of a spammy comment that entices readers to click a link.

example of a spammy phishing comment with a malicious link

Image Source

What You Can Do

Protection against phishing involves the usual steps: conduct regular updates, monitor site activity, and use secure passwords. You should also download additional security measures for your site, like ReCAPTCHA, to protect against spammy phishing bots.  ReCAPTCHA uses machine learning to understand browsing patterns to distinguish between humans and bots. 

11. Supply Chain Attacks 

Supply chain attacks also capitalize on one of WordPress’s most beloved features: themes and plugins. There are two ways for this attack to happen: a plugin owner installs malware on customer sites, or a hacker purchases a popular plugin and injects spammy code disguised as an update. 

As a result of both methods, hackers are granted access to the backend capabilities of their site. For example, they can access secure files and wreak havoc on site visitors’ secure information or implement additional hacks like SEO spam and phishing.

Why are WordPress sites vulnerable? 

WordPress sites are vulnerable to these types of attacks because they’re based on something that you’re supposed to do, and what we recommend doing to combat most of the issues on this list: regular updates. 

What You Can Do

Thankfully, supply chain attacks often have a short shelf life because WordPress developers actively identify these fake plugins and themes and quickly ban those affected. However, if one happens to fly under the radar, installing security plugins that run regular checks on your site will quickly identify any vulnerabilities. 

It’s also worth backing up your WordPress site data, so you can save it if it becomes compromised. As always, this can be done manually or by downloading additional plugins

12. Hotlinking

Hotlinking — where others use your work without permission or credit — is one of the worst things to experience as a content creator. Typically, another website will embed content, like images, from your website hosted on your server instead of downloading it themselves. They take advantage of the money you’re spending to keep your site up and running to load the images on their site, which can result in higher monthly bills from your hosting provider.

It’s not a direct spammy attack as the people who are hotlinking likely aren’t hackers, but it is a poor internet practice. If your content is licensed and restricted for your individual use, then hotlinking is not just bad etiquette — it’s illegal.

Why are WordPress sites vulnerable? 

As a site owner, you want to share your high-quality content with site visitors. Unfortunately, WordPress sites are vulnerable to hotlinking because people take advantage of this. 

They simply copy and paste a link to an image or digital file from another site onto their site without giving credit. Many WordPress site owners might not have the time to take preventative measures against hotlinking — or even think to do so. 

What You Can Do

There are a various ways to protect your content from hotlinkers, but an easy option is to add discernible watermarks. It’s a user-friendly solution that won’t necessarily stop all malicious parties, but it will require an additional step to remove your personal tag.

A watermark can simply be your name, website domain, or a copyright trademark logo for registered content. You can personally add this watermark to your content, or you can use the tried-and-true WordPress method: a plugin. Most of the tools on this list are marketed towards photographers but are suitable for anyone hoping to include a watermark on their image (example shown below.)

watermark tool to protect from image hotlinking demo

Image Source

13. Cross-site Request Forgery (CSRF)

Cross-site request forgery (CSRF) is a vulnerability that allows attackers to influence users to take actions they don’t want to take. 

For example, using CSRF, attackers can induce users to change their email addresses, transfer funds, change passwords, or take another action. Depending on the action the user takes, the attacker can gain control of the user account and wreak havoc. If the user is an admin, then the attacker can take complete control of the website. 

Why Are WordPress Sites Vulnerable?

WordPress sites using some of the most popular plugins are particularly vulnerable to CSRF attacks. More specifically, plugins that use the function check_url(), like WP Fastest Cache, are vulnerable to CSRF attacks. You can find a detailed explanation in this post on Plugin Vulnerabilities.

What You Can Do

You can prevent CSRF attacks by keeping a close eye on your site’s plugins. Although plugins are essential, don’t blindly trust every plugin you come across.

You can protect yourself from cross-site request forgery by installing a robust WordPress security plugin. There are many great plugins out there, and these can keep you safe from all types of attacks, including CSRF attacks. 

You can also prevent this attack by hardening your website via two-factor authentication and disabling file editor and PHP execution in untrusted folders. 

Protect What You’ve Created

We all know that the internet can be a scary place. It may seem overwhelming, but it’s important to understand the possible risk and threats that sometimes make the internet scary. It’s especially important if you’ve taken the time to create a personalized, content-rich site on WordPress. 

Staying informed about cybersecurity is one of the best ways to defend your online presence, protect your business’s growth, and earn the trust of your customers.

New Call-to-action

 New Call-to-action

Originally published Dec 15, 2021 7:00:00 AM, updated March 25 2022


WordPress Security