Top 10 WordPress Security Vulnerabilities - and How to Protect Your Site

WordPress sites can be highly secure, as long as you take steps to prevent, address, or otherwise mitigate security vulnerabilities. Here's the skinny on how to keep your WordPress site updated, patched, and protected against cyber threats.

It's practically gospel that WordPress sites are less secure than sites built on other platforms, but that's actually a myth. We are managed WordPress hosting experts, so we know! WordPress is far and away the most popular website platform, which means that the chances are high that any given site that gets hacked will have been built on WordPress.

Of course, it's still vital for website managers to keep their WordPress sites updated, patched, and protected against cyber threats. Here are 10 of the main WordPress security vulnerabilities that hackers could target to break into your website, and suggestions for ways to strengthen them and close the wormholes.

1. Vulnerable plugins

Plugins add so much functionality to WordPress sites, but if you're not careful, they could turn into a vulnerable backdoor. There are tens of thousands of plugins and themes made by third-party developers and companies worldwide, but not all of them are equally secure or trustworthy.

It's crucial to choose plugins which are actively managed, with owners who regularly release updates and provide support. Just like core WordPress updates, plugin and theme updates help fix known WordPress security vulnerabilities, close loopholes that hackers could exploit, and make sure that your site is as secure as possible. An old plugin that no longer receives active support can therefore be an open door for hackers.

It can often be tempting to use a premium plugin or WordPress theme that's not offered through the WordPress plugin repository, but it's often a mistake. Sometimes, these premium plugins and themes aren't updated regularly, and sometimes not at all. Even when they are updated, the process is usually complicated and has to be done manually, so unless you keep on top of the updates, there's a high risk that your plugin will go un-updated.

As managed WordPress hosting experts, we highly recommend using only plugins and themes from the official WordPress plugin repository that were developed by well-known companies and are kept updated for your managed WordPress hosting or self-hosted site. This will go a long way to preventing any security issues, since these plugins and themes are thoroughly checked to make sure they don't contain any malicious code and are in line with security regulations.

2. Default passwords

Passwords are meant to protect the entrance to websites and web hosting platforms under your control, so they are often the first line of attack for hackers. One of the most common approaches is a brute-force attack, in which hackers simply try out hundreds of passwords, hoping that they'll get lucky and hit on the one you used for your account. That's why it's so important to create a long and complicated password for your website. The harder it is to guess your password, the less likely it is that this kind of attack will succeed.

You'd be amazed at the number of web managers and developers who forget to change the default password on their website — and when we say website, we mean not just the WordPress site itself, but also the WordPress dashboard, FTP accounts, databases, WordPress managed hosting, the email you use to recover your site, and anything else tied to it. If you're using managed WordPress hosting, make sure that you generate a different unique password for every account. Reusing a password you've used before, or are using elsewhere, raises the risk that someone will guess it, or hack it from a different site.

Even more sites have passwords like "password", "12345678", or easy-to-guess options like birth dates, ID numbers, and phone numbers, which are always among the first that bots or hackers will try.

Many website owners don't like to use long and complicated passwords simply because they're hard to remember. A good solution is to use a complete sentence that makes sense only to you (and even misspell a word on purpose) so it's much easier to remember. These kinds of passphrases are much stronger than a single-word password.

Another solution would be to use a password manager that generates and stores unique secure passwords. That way you only have to remember one secure password: the one for your password manager.

It's not just the password, either: you also need to pick a secure username for your managed WordPress hosting or self-hosted website. If you use "admin" as your username, you are basically doing half the job for hackers targeting your website.
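The two points above (don't use "admin" as a login name, don't accept trivially guessable passwords) can be enforced on the site itself rather than left to memory. The following must-use plugin is an added example written for this article, not uPress code or the WordPress project's own; it uses WordPress's `illegal_user_logins`, `user_profile_update_errors` and `login_errors` hooks, and the blocklist, the 14-character minimum and the `pass1` form field name are the example's own assumptions.

```php
<?php
/**
 * Plugin Name: Hardened Logins (added example)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Refuse "admin" and similar names when an account is created or registered.
// Note: this does not rename accounts that already exist; fix those separately.
add_filter( 'illegal_user_logins', function ( array $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'test' ) );
} );

// Reject weak passwords whenever a profile is created or edited in the dashboard.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
    // WordPress posts the new password in the "pass1" field (assumption based on core's form).
    $password = isset( $_POST['pass1'] ) ? (string) wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return; // Field left blank on edit: WordPress keeps the existing password.
    }

    // Constructed sample of the "always tried first" passwords the article mentions.
    $blocklist = array( 'password', '12345678', 'qwerty', 'letmein', 'admin123' );
    $login     = isset( $user->user_login ) ? (string) $user->user_login : '';

    $too_short    = strlen( $password ) < 14;
    $too_common   = in_array( strtolower( $password ), $blocklist, true );
    $has_username = '' !== $login && false !== stripos( $password, $login );

    if ( $too_short || $too_common || $has_username ) {
        $errors->add(
            'weak_password',
            'Choose a passphrase of at least 14 characters that is not a common password and does not contain your username.'
        );
    }
}, 10, 3 );

// Show one generic message for every failed login so the form does not
// reveal whether a guessed username exists.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

The `user_profile_update_errors` check only covers passwords set through the dashboard; passwords set with WP-CLI or over XML-RPC bypass it, so treat it as a guard rail for your team rather than a complete policy engine.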

3. Weak user permissions

The more people can access your WordPress dashboard, the greater the risk that someone will introduce an unsafe plugin, use a weak password, or accidentally activate infected software. It's easy to lose track of permissions if you're managing a large team of web designers, editors, SEO managers, writers, and more, but crucial to restrict access to mission-critical areas.

WordPress has a number of different user roles, each of which permits a different level of access and activity:

  • Subscriber – A registered user who can only access their own personal profile.
  • Contributor – A user with permission to edit and manage their own posts, but who can't publish any content.
  • Author – A user with permission to edit, manage, and publish their own posts.
  • Editor – A user with permission to edit, manage, and publish their own and other users' posts and pages, but without permission to access "sensitive" areas of the dashboard.
  • Administrator – A user with permission to view and change all WordPress dashboard areas and every feature and option.
  • Super Administrator – (Only available on Multisite installs) User with permission to access and manage all the websites on a Multisite network.

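Because the Administrator role can change anything, the event you most want to notice is a user being promoted to it. The must-use plugin below is an added example, not uPress code: it hooks WordPress's `set_user_role` and `add_user_role` actions to log and email every such promotion, and exposes a helper that lists the current administrators for periodic review. The function names and the choice to email `admin_email` are the example's own.

```php
<?php
/**
 * Plugin Name: Role Change Alerts (added example)
 * Description: Logs and emails whenever someone is granted the administrator role.
 */

// Returns the accounts that currently hold the administrator role, for regular review.
function example_list_administrators(): array {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'ID', 'user_login', 'user_email' ),
    ) );
    $out = array();
    foreach ( $admins as $u ) {
        $out[ (int) $u->ID ] = $u->user_login . ' <' . $u->user_email . '>';
    }
    return $out;
}

// Records who granted the role, to whom, and from which address.
function example_alert_admin_grant( int $user_id, string $role ): void {
    if ( 'administrator' !== $role ) {
        return;
    }
    $target = get_userdata( $user_id );
    $actor  = wp_get_current_user();
    $msg    = sprintf(
        "User %s (#%d) was granted the administrator role by %s from %s.\nCurrent administrators: %s",
        $target ? $target->user_login : 'unknown',
        $user_id,
        $actor->exists() ? $actor->user_login : 'no logged-in user (CLI or cron)',
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'n/a',
        implode( ', ', example_list_administrators() )
    );
    error_log( $msg ); // lands in the PHP error log, which your monitoring should already collect
    wp_mail( get_option( 'admin_email' ), 'Administrator role granted', $msg );
}

// set_user_role fires when a role replaces the old ones; add_user_role when one is added alongside.
add_action( 'set_user_role', function ( $user_id, $role ) {
    example_alert_admin_grant( (int) $user_id, (string) $role );
}, 10, 2 );
add_action( 'add_user_role', function ( $user_id, $role ) {
    example_alert_admin_grant( (int) $user_id, (string) $role );
}, 10, 2 );
```

Pair this with a quarterly pass through `example_list_administrators()` (for instance from `wp eval 'print_r( example_list_administrators() );'`) and demote anyone who no longer needs full access.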
4. Unlimited login attempts

Hackers can only attempt the brute force attacks mentioned above if they have an unlimited number of opportunities to keep trying to guess your password. By default, WordPress allows unlimited login attempts from any IP address, which just makes it easier for malicious actors.

Close this WordPress security vulnerability by setting WordPress to automatically block the attacker's IP after a certain number of failed attempts. One of the easiest ways to set this up for self-hosted or managed WordPress hosting is using a plugin called Limit Login Attempts Reloaded. It's available for download from the official WordPress plugin repository.

uPress customers: The plugin WeSafe is installed by default on all the websites on our servers and performs this action.
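To show what the plugin mentioned above is doing under the hood, here is a minimal lockout implemented as a must-use plugin. It is an added example, not the Limit Login Attempts Reloaded or WeSafe code: it counts failures per client address in a transient via `wp_login_failed`, refuses further logins through the `authenticate` filter once the limit is reached, and clears the counter on a successful `wp_login`. The limit of 5 attempts and the 15-minute window are the example's own choices.

```php
<?php
/**
 * Plugin Name: Login Throttle (added example)
 * Description: Blocks login attempts from an address after repeated failures.
 */

const EXAMPLE_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Use REMOTE_ADDR only. X-Forwarded-For is attacker-controlled unless your own
// proxy overwrites it, in which case fix it once in wp-config.php, not here.
function example_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function example_attempt_key(): string {
    return 'login_fail_' . md5( example_client_ip() );
}

function example_failed_attempts(): int {
    return (int) get_transient( example_attempt_key() );
}

// Every failed login bumps the counter and refreshes the expiry window.
add_action( 'wp_login_failed', function ( $username ) {
    $count = example_failed_attempts() + 1;
    set_transient( example_attempt_key(), $count, EXAMPLE_LOCKOUT_SECS );
    if ( $count >= EXAMPLE_MAX_ATTEMPTS ) {
        error_log( sprintf(
            'Login throttle: %s locked out after %d failures (last username tried: %s)',
            example_client_ip(), $count, sanitize_user( (string) $username )
        ) );
    }
} );

// Priority 40 runs after core's username/password and cookie checks (20 and 30),
// so our error is the final word even when the password was actually correct.
add_filter( 'authenticate', function ( $user ) {
    if ( example_failed_attempts() >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Please try again in 15 minutes.'
        );
    }
    return $user;
}, 40 );

// A successful login resets the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_attempt_key() );
} );
```

Because a blocked attempt also fires `wp_login_failed`, an attacker who keeps hammering the form keeps extending their own lockout. Transients live in the options table (or the object cache if you have one), so this works on a single server; behind a load balancer you want the counter in a shared cache or, better, the block at the firewall the article recommends.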

5. Single-factor authentication

"Regular," single-factor authentication just requires anyone logging in to enter their username and password, and then they can gain entry. It means that hackers effectively only have to pass through one "gate" to enter the website and is one of the more serious WordPress security vulnerabilities.

You can make it much harder for them by activating two-factor authentication (TFA). With two-factor authentication, everyone has to enter a unique one-time code sent via email or SMS to their pre-registered account or phone number, or one that's generated on another registered device, as well as getting the right password.

One of the easier ways to do this for your managed WordPress hosting site is by using the Google Authenticator plugin that's available for download from the official WordPress repository. It offers two-factor authentication via a mobile app (note that you need to install the Authenticator app on your phone for this to work). After installing everything, you log in to your WordPress site with your username and password. You'll then be asked to enter a 6-digit code from the mobile app. The code changes every 30 seconds and can be generated only on the app that is paired with your user account.
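The 6-digit, 30-second code described above is a TOTP (RFC 6238): the app and the site share a secret, and both derive the code from that secret plus the current 30-second time slot, so an attacker with only the password cannot produce it. The functions below are an added example of that computation and of how a site should verify a submitted code; they are not the Google Authenticator plugin's code. They take the raw secret bytes (apps display the secret base32-encoded, and decoding it is left out here) and allow one slot of clock drift either way.

```php
<?php
// Computes the TOTP code for a raw secret and a Unix timestamp (RFC 6238 with HMAC-SHA1).
function example_totp( string $secret_bytes, int $timestamp, int $step = 30, int $digits = 6 ): string {
    $counter = intdiv( $timestamp, $step );             // which 30-second slot we are in
    $message = pack( 'J', $counter );                   // 64-bit big-endian counter
    $hash    = hash_hmac( 'sha1', $message, $secret_bytes, true );

    // Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
    $offset = ord( $hash[19] ) & 0x0F;
    $code   = ( ( ord( $hash[ $offset ] ) & 0x7F ) << 24 )
            | ( ord( $hash[ $offset + 1 ] ) << 16 )
            | ( ord( $hash[ $offset + 2 ] ) << 8 )
            | ord( $hash[ $offset + 3 ] );

    return str_pad( (string) ( $code % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Verifies a submitted code against the current slot and its neighbours, in constant time.
function example_totp_verify( string $secret_bytes, string $submitted, int $now, int $window = 1 ): bool {
    if ( ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return false;
    }
    for ( $i = -$window; $i <= $window; $i++ ) {
        $expected = example_totp( $secret_bytes, $now + ( $i * 30 ) );
        if ( hash_equals( $expected, $submitted ) ) {
            return true;
        }
    }
    return false;
}

// RFC 6238 Appendix B test vector: ASCII secret "12345678901234567890".
// At T=59 the 8-digit code is 94287082, so the 6-digit code is "287082";
// at T=1111111109 it is 07081804, so "081804".
$rfc_secret = '12345678901234567890';
assert( '287082' === example_totp( $rfc_secret, 59 ) );
assert( '081804' === example_totp( $rfc_secret, 1111111109 ) );
assert( example_totp_verify( $rfc_secret, '287082', 59 + 31 ) );   // one slot late still passes
assert( ! example_totp_verify( $rfc_secret, '287082', 59 + 61 ) ); // two slots late does not
```

A real plugin additionally records the last slot that was accepted for each user so the same code cannot be replayed within its window, and rate-limits code submissions the same way the login form is rate-limited.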

6. Sending unencrypted data

Whenever something is changed on the WordPress hosted site you manage, the data travels across the network between your browser and the server, giving malicious actors an opportunity to intercept the information packets and steal the data. But if you encrypt it, using a TLS certificate, they wouldn't be able to read the data even if they could capture it.

The TLS certificate is tied to a private key installed on the website's server. Only the server holding that key can complete the TLS handshake and set up the encrypted session, so someone capturing the traffic in transit can't read it. You can acquire a TLS certificate for free with most hosting providers, using Let's Encrypt.

uPress customers: You can install a TLS certificate from the security tab in our management panel.
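Installing the certificate is only half the job; the site also has to refuse to talk plain HTTP, otherwise a visitor (or your own dashboard session) can still be served unencrypted. The snippet below is an added example, not uPress's configuration: it uses WordPress's `FORCE_SSL_ADMIN` constant, redirects front-end HTTP requests to HTTPS, and sends an HSTS header so browsers remember to use HTTPS. The one-year HSTS lifetime is the example's own choice.

```php
<?php
/**
 * Plugin Name: Force HTTPS (added example)
 * Description: Drop into wp-content/mu-plugins/ after the TLS certificate is working.
 */

// These two lines belong in wp-config.php, not in this file:
//   define( 'FORCE_SSL_ADMIN', true );   // dashboard and login always over HTTPS
//   // If a proxy or CDN terminates TLS in front of you, tell WordPress so is_ssl()
//   // is correct; without this the redirect below loops forever:
//   if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
//       $_SERVER['HTTPS'] = 'on';
//   }

// Send any plain-HTTP front-end request to the HTTPS version of the same URL.
add_action( 'template_redirect', function () {
    if ( is_ssl() ) {
        return;
    }
    // Only GET/HEAD can be redirected safely; a POST over HTTP has already leaked its body.
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'GET';
    if ( ! in_array( $method, array( 'GET', 'HEAD' ), true ) ) {
        status_header( 403 );
        exit( 'This site only accepts HTTPS requests.' );
    }
    $target = home_url( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/', 'https' );
    wp_safe_redirect( $target, 301 );
    exit;
} );

// Once the site is reliably on HTTPS, HSTS tells browsers never to try HTTP again.
add_action( 'send_headers', function () {
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

Turn on the HSTS header only after every subdomain you serve has a valid certificate, because `includeSubDomains` applies the rule to all of them and browsers cache it for the full `max-age`.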

7. Ignoring backdoor vulnerabilities

Backdoors are a kind of malware that hackers send out, often disguised as authentic WordPress system files, in the hopes that someone will install it on their site. Once installed, it creates a kind of wormhole that lets hackers enter the server by the backdoor (hence the name) and creep across to other sites hosted on the same server.

As well as enabling two-factor authentication, checking site permissions, and preventing unlimited login attempts, you can help protect your site from backdoor WordPress security vulnerabilities by regularly scanning it with tools like SiteCheck that detect common backdoors.

8. Malicious redirects

A malicious redirect attack is when the hacker changes some of the code in your website files so that visitors are sent somewhere else, either by entering through a back door, using a rogue plugin or theme, or breaking into your server.

Disabling unlimited login attempts, ensuring your passwords are strong, and checking your permission levels can all help prevent malicious redirects. It's also a good idea to scan your site from time to time with a scanning plugin, and follow up on any alerts that you receive.
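Both of the last two sections come down to the same question: has any file in your WordPress install been altered or added without your knowledge? Backdoors disguised as core files and redirect code injected into existing files both change file contents, and the official checksums published for every WordPress release let you spot that. The script below is an added example (WP-CLI's own `wp core verify-checksums` command and scanners like SiteCheck do the same job); run it with `wp eval-file verify-core.php` inside the site. It assumes the WordPress.org checksums API at `api.wordpress.org/core/checksums/1.0/` and reports modified core files, missing core files, and files sitting inside `wp-admin` or `wp-includes` that the release never shipped.

```php
<?php
/**
 * verify-core.php (added example): compare the install against the official release checksums.
 * Usage: wp eval-file verify-core.php
 */
function example_core_integrity_report(): array {
    global $wp_version, $wp_local_package;
    $locale = ! empty( $wp_local_package ) ? $wp_local_package : 'en_US';
    $url    = sprintf(
        'https://api.wordpress.org/core/checksums/1.0/?version=%s&locale=%s',
        rawurlencode( $wp_version ), rawurlencode( $locale )
    );

    $resp = wp_remote_get( $url, array( 'timeout' => 30 ) );
    if ( is_wp_error( $resp ) ) {
        return array( 'error' => $resp->get_error_message() );
    }
    $data = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $data['checksums'] ) || ! is_array( $data['checksums'] ) ) {
        return array( 'error' => 'No checksums available for WordPress ' . $wp_version );
    }

    $modified = array();
    $missing  = array();
    foreach ( $data['checksums'] as $file => $md5 ) {
        // Bundled themes/plugins under wp-content update on their own schedule; skip them.
        if ( 0 === strpos( $file, 'wp-content/' ) ) {
            continue;
        }
        $path = ABSPATH . $file;
        if ( ! file_exists( $path ) ) {
            $missing[] = $file;
        } elseif ( md5_file( $path ) !== $md5 ) {
            $modified[] = $file; // edited in place: classic spot for injected redirects
        }
    }

    // Anything inside the core directories that the release did not ship is a prime
    // backdoor candidate, e.g. a "wp-includes/class-wp-helper.php" nobody remembers adding.
    $extra = array();
    foreach ( array( 'wp-admin', 'wp-includes' ) as $dir ) {
        $iter = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( ABSPATH . $dir, FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $iter as $info ) {
            $rel = str_replace( array( ABSPATH, '\\' ), array( '', '/' ), $info->getPathname() );
            if ( ! isset( $data['checksums'][ $rel ] ) ) {
                $extra[] = $rel;
            }
        }
    }

    return compact( 'modified', 'missing', 'extra' );
}

print_r( example_core_integrity_report() );
```

An empty `modified`, `missing` and `extra` list means the core files match the release; anything else deserves a look before you decide whether it is a leftover from a botched update or something planted. This check says nothing about plugins, themes or uploads, which is why the article still recommends a full scanner.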

9. Permitting XML-RPC protocols

Since WordPress version 3.5, every WordPress site has the XML-RPC interface enabled by default. Although this helps connect your WordPress managed site with other applications and websites, it can also compromise your security. XML-RPC's system.multicall method lets hackers bundle thousands of login attempts with different passwords into only a small number of HTTP requests, which sidesteps limits that count requests rather than attempts.

Disabling can be done with the Disable XML-RPC-API plugin, by restricting access to the xmlrpc.php path at the server firewall level, or by blocking it in the .htaccess or nginx.conf file at the server level.
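If you cannot block xmlrpc.php at the server because some app you rely on still uses it, you can instead keep the interface but strip the methods the brute-forcers depend on. The must-use plugin below is an added example, not the Disable XML-RPC-API plugin's code: it shows both the full switch-off and the selective approach using WordPress's `xmlrpc_enabled`, `xmlrpc_methods` and `wp_headers` filters. Keep only one of the two options.

```php
<?php
/**
 * Plugin Name: XML-RPC Lockdown (added example)
 */

// Option 1: turn off every XML-RPC method that needs a login. Note that this filter
// only gates authenticated methods; pingback.ping and system.* still answer.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Option 2: keep XML-RPC for the apps you need, but remove the methods abused for
// credential stuffing (system.multicall) and for pingback amplification.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset(
        $methods['system.multicall'],
        $methods['system.listMethods'],
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks']
    );
    return $methods;
} );

// Stop advertising the endpoint in every response.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// For reference, the equivalent server-level blocks the article mentions (not PHP):
//   .htaccess:   <Files xmlrpc.php>
//                    Require all denied
//                </Files>
//   nginx.conf:  location = /xmlrpc.php { deny all; }
```

With option 2 in place, a multicall request is rejected before any password is checked, so a single request can no longer carry thousands of guesses; the login throttle from section 4 then sees each remaining attempt individually.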

10. Welcoming bad bots

Many hackers use bots as "spies" to check on your website's defenses and performance before they decide to attack. As well as scoping out your site for WordPress security vulnerabilities, bad bots can drag down performance and steal bandwidth and content.

But you don't need to let them through the door. There's a list of "bad bots" on botreports.com, and you can block them from entering your site at all. Most security plugins and managed hosting services already block the bots on this list, but you can be doubly safe by blocking them at the firewall, at server level with the .htaccess or nginx.conf file, or by installing the StopBadBots plugin.

uPress clients: There is an on/off switch to block bad bots under the Security tab.
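Where you have no access to the firewall or web-server config, the same User-Agent filtering can be done in a must-use plugin, at the cost of WordPress having to boot before the request is refused. The block below is an added example, not the StopBadBots plugin: it matches the User-Agent against a pattern list and returns 403 as early as WordPress allows. The patterns are constructed placeholders; replace them with the list you maintain from botreports.com.

```php
<?php
/**
 * Plugin Name: Bad Bot Block (added example)
 */

// Returns true when the User-Agent matches a known-bad pattern.
// Patterns below are constructed placeholders, not real bot names.
function example_is_bad_bot( string $user_agent ): bool {
    $patterns = array(
        '/ExampleScraperBot/i',
        '/ExampleVulnScanner/i',
        '/^$/',                 // an empty User-Agent is almost never a browser or a good crawler
    );
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $user_agent ) ) {
            return true;
        }
    }
    return false;
}

// Priority 1 on init: as early as a plugin can run, before the query and template load.
add_action( 'init', function () {
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
    if ( example_is_bad_bot( $ua ) ) {
        status_header( 403 );
        nocache_headers();
        exit( 'Forbidden' );
    }
}, 1 );
```

User-Agent matching stops the lazy crawlers that announce themselves; a bot that lies about its User-Agent needs the rate-based blocking your firewall or hosting provider applies, which is why the article lists the server-level options first.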

Stop WordPress security vulnerabilities from turning into security incidents

WordPress sites can be highly secure, as long as you take steps to prevent, address, or otherwise mitigate security vulnerabilities before hackers can take advantage of them. These 10 tips won't prevent every security incident, but they are a very good start to making your WordPress managed sites as secure as possible.

As managed WordPress hosting experts, we speak your language. We can geek out with you about security vulnerabilities, but we can also discuss the HTTP/2 protocol, IPv6 support, or DNS tools. You can trust us with the entire gamut of WordPress questions, so the only one left is... why aren't we hosting your WordPress site yet?
