WordPress Security Issues

WordPress is the world’s most popular content management system. As its developers like to point out, over 40% of all websites are built on WordPress. However, this popularity has its downside. Such a huge number of potential targets inevitably attracts malicious actors. For this very reason, cybersecurity researchers carefully investigate WordPress and regularly report various problems with this CMS.

As a result, it is not uncommon to hear that WordPress is full of security issues. However, all this attention has a positive side to it. Most of the threats and the methods to combat them are well-known, making it easier to keep your WordPress site safe. That is what we will be discussing in this article.

1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)

In all the lists of WordPress security issues available on the internet, things such as XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) keep popping up. These attacks, along with various others, are made possible due to vulnerabilities in either the WordPress core software or its plugins and themes.

It’s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. For example, for the whole of 2024, a mere vulnerabilities were discovered in the WordPress core software — That’s 24% more than in 2022. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion’s share of vulnerabilities were found in plugins: 1659 — making up 93.25% of the total.

It’s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they’re just found most frequently where they are actively sought, which is usually in the most popular software.

How to improve security:

Keep Your WordPress Site Secure: Update Smartly and Reduce Plugins

Here’s a breakdown of the key points for securing your WordPress site:

Prioritize WordPress Core Updates:

While core vulnerabilities are less frequent, they can be heavily exploited.
Always update WordPress core promptly whenever a new version is available.

Themes and Plugins Need Attention Too:

Themes and especially plugins are a major source of potential security issues.
Regularly update both themes and plugins to benefit from security patches and fixes.

Keep Plugins to a Minimum:

Only install plugins that your website absolutely needs to function.
Minimize the number of plugins to reduce the attack surface for vulnerabilities.

Clean Up Unused Plugins:

Don’t leave inactive plugins hanging around.
Promptly deactivate or completely remove plugins you no longer use.

By following these steps, you can significantly improve your WordPress website’s security posture and make it less susceptible to cyberattacks.

2. Weak passwords and lack of two-factor authentication

WordPress faces a second significant security concern, which involves the hacking of websites through either brute-forcing simple passwords or using compromised usernames and passwords from pre-existing databases. These databases are often obtained through leaks from third-party services.

In the event of a high-privilege account being compromised, your WordPress site can be taken over by attackers who may utilize it for their own agenda. This could include stealing data, surreptitiously inserting links to their promoted resources (SEO spam), installing malware (such as web skimmers), utilizing your site to host phishing pages, and more.

How to improve security:

To guarantee robust passwords for every user on your WordPress website, it is recommended to enforce a password policy consisting of a set of regulations that passwords must meet. You can utilize plugins to implement password policies on your WordPress site.
Once more, there are numerous plugins available to restrict the quantity of login attempts.
You can activate two-factor authentication by utilizing one-time codes from an application. Additionally, there are WordPress plugins available for this purpose.

3. Poor control over users and permissions

Even if you have strong password policies and multi-factor authentication in place, it won’t matter much if you give users more access than they actually need. Too many site owners haphazardly assign excessive roles and capabilities, expanding the potential attack surface.

If a user account with high-level “admin” or “editor” privileges gets compromised through a brute force attack, stolen credentials, or social engineering, the hacker essentially has the keys to the kingdom. They can:

Inject spam, malware, or malicious redirects into your content
Access and exfiltrate sensitive data
Install backdoors or other malware
Create phishing pages to compromise visitors
Deface the entire website
And so much more nefarious stuff
It’s a devastating scenario that can bring your entire WordPress operation crumbling down. And it’s an all-too-common issue stemming from poor user permissions management.

The solution is to practice the principle of least privilege. Only assign the most limited set of capabilities required for each user’s specific role or duties. Regularly review and audit permissions to avoid privilege creep.

Don’t just hand out “admin” access like candy unless absolutely necessary. Leverage WordPress’ robust role and capability system to create highly restrictive custom roles when needed.

By locking down user permissions tightly, you contain the potential blast radius if an account is ever compromised. It’s a simple security practice that can prevent total catastrophe. Don’t slack on this critical area!

How to improve security:

Exercise utmost caution while allotting user permissions. Adhere to the principle of minimal privilege– bestow upon users solely the access rights that are indispensable for their duties.
Make it a habit to frequently check your WordPress user list and delete any unnecessary accounts.
If users no longer require elevated permissions, downgrade them to lower privilege categories.
Naturally, the recommendation from step 2 is relevant in this case as well: employ robust passwords and activate two-factor authentication.

4. Malicious plugins

In addition to vulnerable plugins, there are also plugins that are outright malicious. Recently, a WordPress plugin was found to be posing as a page-caching plugin, but in reality, it was a fully functional backdoor. Its primary purpose was to generate unauthorized administrator accounts and take over compromised websites.

Earlier this year, a malicious WordPress plugin was discovered by researchers. The plugin was originally legitimate but had been abandoned by its developers over a decade ago. However, some individuals with good intentions picked it up and transformed it into a backdoor, which enabled them to take control of thousands of WordPress sites.

How to improve security:

Avoid installing unnecessary WordPress plugins. Only install the ones truly essential for your site’s operation.
Before installing a plugin, read its user reviews carefully — if a plugin does something suspicious, chances are someone’s already noticed it.
Deactivate or remove plugins you no longer use.
There are plugins that scan WordPress sites for malware. However, keep in mind they can’t be completely trusted: many of the latest instances of WordPress malware can deceive them.
If your WordPress site is behaving strangely and you suspect it’s infected, consider contacting specialists for a security audit.

Although there are plugins available to scan WordPress sites for malware, it is important to note that they cannot be relied upon entirely. This is because several recent cases of WordPress malware have been able to evade detection by these plugins.

If you suspect that your WordPress site is infected and is behaving abnormally, it is advisable to seek the assistance of security experts for a thorough security audit.

5. Unrestricted XML-RPC Protocol

WordPress has a particular susceptibility related to the XML-RPC protocol, which facilitates communication between WordPress and external programs. Although WordPress integrated support for the REST API in 2015, which is now the preferred method for application interaction, XML-RPC remains activated by default.

XML-RPC poses a problem as it can be exploited by malicious individuals for two distinct types of attacks on your website. The first type involves brute-force attacks that target your WordPress user accounts by attempting to guess passwords. XML-RPC enables attackers to merge multiple login attempts into a single request, streamlining and accelerating the hacking process. The second type of attack involves the use of XML-RPC protocol to coordinate DDoS attacks on your WordPress site via pingbacks.

You can also check how to earn with side hustle as a student.