Most Common WordPress Security Issues
If you own a WordPress-powered website or are considering using WordPress as your CMS, you may be concerned about potential WordPress security issues. In this post, we’ll outline a few of the most common WordPress security vulnerabilities, along with steps you can take to secure and protect your WordPress site.
Is WordPress Really Secure?
The answer to the question “is WordPress secure?” is it depends. WordPress itself is very secure as long as WordPress security best practices are followed.
Since WordPress powers 25% off all websites, security vulnerabilities are inevitable because not all users are careful, thorough, or security conscious with their websites. If a hacker can find a way into one of the 700 million WordPress websites on the web, they can scan for other websites that are also running insecure setups of old or insecure versions of WordPress and hack those too.
WordPress runs on open source code and has a team specifically devoted to finding, identifying and fixing WordPress security issues that arise in the core code. As security vulnerabilities are disclosed, fixes are immediately pushed out to patch any new security issues discovered in WordPress. That’s why keeping WordPress updated to the latest version is incredibly important to the overall security of your website.
It’s important to note that WordPress security vulnerabilities extend beyond WordPress core into the themes or plugins you install on your site. According to a recent report by wpscan.org, of the 3,972 known WordPress security vulnerabilities:
- 52% are from WordPress plugins
- 37% are from core WordPress
- 11% are from WordPress themes
5 Common WordPress Security Issues
The most common WordPress security issues occur before or just after your site has been compromised. The goal of a hack is to gain unauthorized access to your WordPress site on an administrator-level, either from the frontend (your WordPress dashboard) or on the server side (by inserting scripts or files).
1. Brute Force Attacks
WordPress brute force attacks refer to the trial and error method of entering multiple username and password combinations over and over until a successful combination is discovered. The brute force attack method exploits the simplest way to get access to your website: your WordPress login screen.
WordPress, by default, doesn’t limit login attempts, so bots can attack your WordPress login page using the brute force method. Even if a brute force attack is unsuccessful, it can still wreak havoc on your server, as login attempts can overload your system. While you’re under a brute force attack, some hosts may suspend your account, especially if you’re on a shared hosting plan, due to system overloads.
2. File Inclusion Exploits
After brute-force attacks, vulnerabilities in your WordPress website’s PHP code are the next most common security issue that can be exploited by attackers. (PHP is the code that runs your WordPress website, along with your plugins and themes.)
File inclusion exploits occur when vulnerable code is used to load remote files that allow attackers to gain access to your website. File inclusion expl
oits are one of the most common ways an attacker can gain access to your WordPress website’s wp-config.php file, one of the most important files in your WordPress installation.
3. SQL Injections
Your WordPress website uses a MySQL database to operate. SQL injections occur when an attacker gains access to your WordPress database and to all of your website data.
With an SQL injection, an attacker may be able to create a new admin-level user account which can then be used to login and get full access to your WordPress website. SQL injections can also be used to insert new data into your database, including links to malicious or spam websites.
4. Cross-Site Scripting (XSS)
84% of all security vulnerabilities on the entire internet are called Cross-Site Scripting or XSS attacks. Cross-Site Scripting vulnerabilities are the most common vulnerability found in WordPress plugins.
Malware, short for malicious software, is code that is used to gain unauthorized access to a website to gather sensitive data. A hacked WordPress site usually means malware has been injected into your website’s files, so if you suspect malware on your site, take a look at recently changed files.
Although there are thousands of types of malware infections on the web, WordPress is not vulnerable to all of them. The four most common WordPress malware infections are:
- Drive-by downloads
- Pharma hacks
- Malicious redirects
Each of these types of malware can be easily identified and cleaned up either by manually removing the malicious file, installing a fresh version of WordPress or by restoring your WordPress site from a previous, non-infected backup.