Wordpress security

What Are the Most Common WordPress Security Problems?


Updated: October 5, 2020 by David Balaban

If you are looking for a content management system to build your future website, then WordPress could be your best bet. It is open-source, amazingly flexible, and easy to set up. Plus, it supports scores of themes and plugins that will boost your site’s functionality. Its core code is also actively maintained and patched, but with a caveat.

With roughly every third website on the Internet running WordPress, it is by far the most targeted CMS across the board. Pair that with the well-known WordPress security problems described below, and the big picture gets scary.

The moment you launch your new site, it starts getting torpedoed by automated bots that probe it for vulnerabilities and configuration slip-ups.

Whereas WordPress Core – the backbone of the CMS – gets regular security patches and is a hard nut to crack, the same cannot be said of third-party components. Plugins and themes tend to be the weakest link in this ecosystem, and attackers routinely use a vulnerable plugin or theme as a shortcut to a full site takeover.

If you own a WordPress site already, ask yourself a question: are you on the right track keeping it safe? The answer is not as trivial as using strong passwords and one-click malware scanners.

The following considerations reflect the main challenges relating to WordPress security. Hopefully, this info will broaden your security horizons and might encourage you to rethink your protection practices.

The “set it and forget it” security illusion

This is an overarching misconception that may point you in the wrong direction with your security efforts. There are numerous services, such as one-size-fits-all security plugins, that claim to deliver ultimate protection in a snap. Unsurprisingly, this marketing mantra lures webmasters, but it is a slippery slope.

The biggest risk is that these products give you a false sense of security while failing to eliminate the root cause for website compromise in most cases. They mainly follow a reactive protection logic by pinpointing mainstream malware strains and known vulnerabilities.

However, very few of them address backdoors that stay open after a cleanup and keep exposing your site to repeat compromises and other WordPress security problems. Removing the payload while leaving the backdoor in place is like treating symptoms without curing the disease.

Another pitfall is that WordPress malware scanners rely on signature-based or heuristic analysis. Signatures only catch code that has already been documented, so freshly written or lightly obfuscated variants slip past, and the lag between a vulnerability’s disclosure and the matching signature leaves a window for 0-day and 1-day exploitation.

Some of these tools err on the side of caution and generate false positives. That seems like the lesser of two evils, yet every false alarm costs time to triage and trains you to ignore the next warning.
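To make the trade-offs above concrete, here is an added illustration (not code from the article or from any scanning product) that runs three kinds of checks over four constructed PHP files: a fixed signature list, a heuristic that looks for request data reaching a dangerous call, and an integrity baseline of known-good hashes. The file contents, the signatures and the trusted-directory list are all made up here so the block runs offline; the hash baseline stands in for what a real deployment records at install time.

```python
"""Signature, heuristic and integrity checks over constructed PHP samples."""
import hashlib
import re

# Constructed sample files (path -> contents). Two are legitimate; two carry
# the same backdoor, once in textbook form and once with the calls obfuscated.
SAMPLES = {
    "wp-content/plugins/stats/stats.php":
        "<?php\nfunction stats_box() { echo esc_html(get_option('stats_text')); }\n",
    "wp-content/plugins/stats/hooks.php":
        "<?php\n$handler = 'sanitize_text_field';\n$title = $handler($_POST['title']);\n",
    "wp-content/uploads/2020/10/shell.php":
        "<?php\neval(base64_decode($_POST['c']));\n",
    "wp-content/uploads/2020/10/cache.php":
        "<?php\n$f = 'ev' . 'al'; $g = 'base64' . '_decode';\n$f($g($_POST['c']));\n",
}

# 1. Signatures: exact patterns taken from malware already seen (made up here).
SIGNATURES = [
    re.compile(r"eval\s*\(\s*base64_decode\s*\("),
    re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),  # /e modifier evals
]

def signature_scan(files):
    """Files whose contents match any known-bad signature."""
    return sorted(path for path, body in files.items()
                  if any(sig.search(body) for sig in SIGNATURES))

# 2. Heuristic: raw request data in the same file as eval() or a
#    variable-function call ($name(...)). Broader coverage, more noise.
SINK = re.compile(r"(?:\beval|\$\w+)\s*\(")
REQUEST_DATA = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")

def heuristic_scan(files):
    """Files that combine a dangerous sink with raw request input."""
    return sorted(path for path, body in files.items()
                  if SINK.search(body) and REQUEST_DATA.search(body))

# 3. Integrity baseline: anything not hashed at install time is suspect,
#    whatever it looks like.
def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def build_baseline(files, trusted_prefixes):
    """Record hashes of the files under directories you installed yourself."""
    return {path: sha256(body) for path, body in files.items()
            if path.startswith(trusted_prefixes)}

def unknown_files(files, baseline):
    """Files that are new or changed relative to the baseline."""
    return sorted(path for path, body in files.items()
                  if baseline.get(path) != sha256(body))

if __name__ == "__main__":
    base = build_baseline(SAMPLES, ("wp-content/plugins/",))
    print("signature:", signature_scan(SAMPLES))   # catches only the textbook shell
    print("heuristic:", heuristic_scan(SAMPLES))   # catches both, plus a false positive
    print("integrity:", unknown_files(SAMPLES, base))  # both shells, no false positive
```

The signature pass finds only the textbook shell, the heuristic pass finds both shells but also flags the harmless hooks.php, and the baseline comparison finds exactly the two files that were never installed. For the files WordPress itself knows about, WP-CLI’s `wp core verify-checksums` and `wp plugin verify-checksums` perform that third kind of check against the official hashes; and a PHP file sitting under wp-content/uploads should not be executable by the web server in the first place.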

Another fallacy is that a combo of several security plugins can considerably step up the security of a WordPress site. There is a big gap between quantity and quality in this scenario.

This tactic is a recipe for conflicts: each plugin inspects traffic in its own way and applies overlapping configuration tweaks, and the net effect is a slower site rather than a safer one.

Instead of relying entirely on a one-click WP security service or a pile of such services, build layered, proactive defenses. A dependable endpoint web application firewall (WAF) that inspects incoming requests can block exploit attempts against known vulnerability classes and buy time when a plugin flaw has no patch yet; it is a layer in front of patching, not a replacement for it.

Consider also adding a cloud-based WAF to your security equation. It can absorb bot traffic and volumetric DDoS floods before they ever reach your server, which takes a whole class of WordPress security problems off your plate.

WordPress sites are heavily targeted by malware

Threat actors’ motivation behind depositing malicious code onto your WordPress website runs the gamut from the theft of sensitive data (such as credit card details entered on e-commerce resources) to injecting dodgy scripts that display ads or quietly infect visitors’ devices. In many cases, malware opens a backdoor allowing felons to maintain long-term access to your site.

The recent outbreak of the notorious WP-VCD malware has demonstrated how skillfully cybercriminals can repurpose legitimate plugins to spread a harmful payload. To give this campaign a boost, its operators have started injecting the malware into popular WordPress plugins that display COVID-19 statistics.

Outdated, crudely developed, or booby-trapped plugins and themes are the primary entry points for malware. The top recommendation to steer clear of this attack vector comes down to updating these components as soon as you see the relevant notifications in your WordPress admin dashboard.

Also, do your homework before installing a new plugin or theme and check the vendor’s reputation along with the user feedback. Importantly, go over your plugins and uninstall the ones you are not actively using.

As far as WordPress themes go, prioritizing look and feel while turning a blind eye to security is risky business. Stick with established sources such as the WordPress Theme Directory, Themeforest, and TemplateMonster, which review what they host. That review lowers the odds of a booby-trapped theme but does not make a theme bug-free, so keep it updated like any other code on your site.

The use of a security plugin with a malware scanning feature onboard makes sense, but again, do not think of it as a cure-all. Bear in mind that it is unlikely to safeguard your site against emerging threats that will easily fly under its radar. Enhance this “static” protection with a WAF that will identify and block the latest perils.

SQL injection is a long-standing problem across the WordPress ecosystem

Also known as SQLi, this attack vector zeroes in on your site’s database, the entity that holds the entirety of your valuable data. By smuggling crafted SQL statements into a query, hackers can view, modify, or erase your WordPress database. They may also spawn rogue user accounts with elevated privileges and “weaponize” them at a later point to affect your web project’s online presence or ruin its reputation.

In most cases, SQL injection is pulled off through inputs that end up inside a database query, such as login forms, search boxes, contact forms, and payment details fields, or any parameter a plugin reads without validation. The adversary submits specially crafted text that the vulnerable code pastes into a SQL statement, so the text is executed as part of the query instead of being treated as data.

The most effective SQLi prevention is to make sure user input is never interpreted as SQL: use parameterized queries where the driver supports them, and in WordPress plugin code pass every user-supplied value through $wpdb->prepare() placeholders (%s, %d) rather than concatenating it into the statement. Validating input against what the field should contain (an integer ID, an e-mail address) is a worthwhile second layer, but stripping “special characters” on its own is not a defense: a numeric parameter, for instance, can be abused without a single quote.
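The difference between pasting input into a statement, filtering it, and parameterizing it is easiest to see on a tiny database. The block below is an added example, not code from the article: it builds an in-memory SQLite table shaped like wp_users with two constructed rows, then runs the same lookups in vulnerable, filtered and parameterized form. The ? placeholder plays the role that $wpdb->prepare() placeholders play in WordPress plugin code.

```python
"""String-built SQL, character-filtered SQL and parameterised SQL side by side."""
import sqlite3

def make_db():
    """Constructed stand-in for the wp_users table (two rows, no real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)")
    conn.executemany("INSERT INTO wp_users (ID, user_login) VALUES (?, ?)",
                     [(1, "admin"), (2, "editor")])
    return conn

def login_lookup_vulnerable(conn, login):
    # The input is pasted into the statement, so a quote in it becomes SQL.
    sql = "SELECT user_login FROM wp_users WHERE user_login = '%s' ORDER BY ID" % login
    return [row[0] for row in conn.execute(sql)]

def login_lookup_safe(conn, login):
    # Placeholder: the value travels separately and is never parsed as SQL.
    sql = "SELECT user_login FROM wp_users WHERE user_login = ? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (login,))]

def id_lookup_filtered(conn, user_id):
    # The "strip special characters" approach. It stops the quote payload
    # above, but a numeric context needs no quote at all, so it is bypassed.
    cleaned = user_id.replace("'", "").replace('"', "").replace(";", "")
    sql = "SELECT user_login FROM wp_users WHERE ID = %s ORDER BY ID" % cleaned
    return [row[0] for row in conn.execute(sql)]

def id_lookup_safe(conn, user_id):
    # Same numeric lookup, parameterised: "1 OR 1=1" is compared as a value.
    sql = "SELECT user_login FROM wp_users WHERE ID = ? ORDER BY ID"
    return [row[0] for row in conn.execute(sql, (user_id,))]

if __name__ == "__main__":
    db = make_db()
    print(login_lookup_vulnerable(db, "' OR '1'='1"))   # every user leaks
    print(login_lookup_safe(db, "' OR '1'='1"))         # nothing matches
    print(id_lookup_filtered(db, "1 OR 1=1"))           # filter bypassed
    print(id_lookup_safe(db, "1 OR 1=1"))               # nothing matches
```

The classic quote payload dumps every row from the string-built query, the character filter holds against it but folds immediately when the injectable value is a number, and both parameterized lookups return nothing because the payload is compared as a literal value rather than executed.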

Since these attacks are often carried out by bots, adding human verification such as a CAPTCHA to input forms raises the cost of automated probing. Treat it as a speed bump rather than a fix, though: a vulnerable query stays vulnerable to anyone who solves the challenge.

Cross-site scripting (XSS) leads to a rabbit hole of WordPress security problems

The primary purpose of a cross-site scripting attack is to inject attacker-controlled script into the pages of a legitimate website so that a visitor’s browser executes it behind the scenes. Because the script runs in the site’s own origin, the browser grants it whatever that origin may access: the page contents, session cookies that are not marked HttpOnly, and any request the logged-in user is allowed to make.

Bad actors can also use this mechanism to alter the appearance of a site by embedding fake forms or links that lead to credential phishing pages. Yet another exploitation vector is launching drive-by malware downloads that need only minimal user interaction to succeed.

Vulnerable plugins and themes that print user-controlled data into a page without escaping it are the usual culprits behind XSS. Therefore, the mitigation is a matter of choosing these third-party components wisely and keeping them up to date. A reliable WAF adds an extra layer by blocking requests that carry obvious script payloads, although encoded variants can slip past pattern matching.

One of the biggest hurdles to avoiding this form of abuse is that many XSS flaws can be triggered by unauthenticated attackers, which makes the attacks easy to automate and replay across every site running the same vulnerable plugin.
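What “printing user data without escaping it” looks like, and what the fix looks like in two different HTML contexts, is shown in this added example (not code from the article; the payloads are constructed). WordPress gives plugin authors the same primitives under the names esc_html(), esc_attr() and esc_url(); the point that carries over is that a URL context needs scheme validation on top of entity escaping.

```python
"""Reflecting user input into HTML without and with context-aware escaping."""
import re
from html import escape
from urllib.parse import urlsplit

# Schemes allowed in a user-supplied link; "" covers relative URLs.
SAFE_SCHEMES = {"http", "https", "mailto", ""}

def search_page_vulnerable(term):
    # The term is dropped straight into the markup: a <script> tag survives.
    return f"<p>Results for {term}</p>"

def search_page_safe(term):
    # HTML-body context: entity-encode < > & and quotes (esc_html in WordPress).
    return f"<p>Results for {escape(term, quote=True)}</p>"

def author_link_safe(url, label):
    # URL context: escaping alone leaves javascript: links intact, so validate
    # the scheme first, after removing control characters and whitespace that
    # browsers ignore, then escape for the attribute (esc_url + esc_attr).
    stripped = re.sub(r"[\x00-\x20]", "", url)
    if urlsplit(stripped).scheme.lower() not in SAFE_SCHEMES:
        stripped = "#"
    return f'<a href="{escape(stripped, quote=True)}">{escape(label)}</a>'

if __name__ == "__main__":
    payload = "<script>alert(document.cookie)</script>"
    print(search_page_vulnerable(payload))          # script tag reaches the browser
    print(search_page_safe(payload))                # rendered as harmless text
    print(author_link_safe("javascript:alert(1)", "me"))   # href="#"
    print(author_link_safe("https://example.com/?a=1&b=2", "site"))
```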

Weak authentication is a recipe for disaster

No matter how vanilla this may sound, proper password hygiene is hugely important when it comes to WordPress security. Cybercrooks are bombarding websites with what is called brute-force attacks all the time.

This automated technique tries huge numbers of username and password combinations until one works. If you use the default “admin” username, half of the guesswork is already done, and with a weak password a successful brute-force incursion can take mere hours.

One more thing that plays into adversaries’ hands is that they already know where your sign-in page is. By default it is the site’s URL with “/wp-login.php” appended (“/wp-admin/” simply redirects there), and “/xmlrpc.php” accepts a username and password as well. WordPress has no built-in setting to move the login page; a plugin or a custom rewrite rule can do it, but treat that as obscurity that trims bot noise, not as a control that stops a determined attacker.

It is a good idea to use password management software that will generate strong passwords, store them securely, and automate the login process for frictionless user experience.

An extra precaution is to enable two-factor authentication (2FA) on your site. A guessed password alone then no longer grants access, so password-only brute force is futile unless the attacker also controls your second factor, such as your smartphone. Also, install a plugin that limits unsuccessful login attempts, and make sure it covers xmlrpc.php too: the XML-RPC interface takes credentials as well, and its system.multicall method lets a single request carry hundreds of guesses. If nothing you use needs XML-RPC, disable it.
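Whether or not a rate-limiting plugin is in place, the web-server access log shows password guessing plainly. This added example (not from the article) parses constructed combined-format log lines and flags any IP that POSTs to wp-login.php or xmlrpc.php more than a threshold number of times inside a sliding window. The IPs are documentation ranges and the threshold and window are arbitrary starting points; the status-code rule relies on the fact that wp-login.php re-renders the form with a 200 on a failed login and redirects with a 302 on success, whereas xmlrpc.php answers 200 either way.

```python
"""Detect password guessing against WordPress auth endpoints in access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: a bot that eventually succeeds, a human who mistypes
# once, and a bot hammering XML-RPC.
ACCESS_LOG = """\
203.0.113.7 - - [05/Oct/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [05/Oct/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [05/Oct/2020:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [05/Oct/2020:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [05/Oct/2020:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "python-requests/2.24"
203.0.113.7 - - [05/Oct/2020:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.24"
198.51.100.3 - - [05/Oct/2020:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Oct/2020:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
198.51.100.3 - - [05/Oct/2020:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2020:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2020:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2020:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2020:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Oct/2020:10:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 371 "-" "Mozilla/5.0"
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
AUTH_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}

def parse(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop query string
        "status": int(m["status"]),
    }

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Map IP -> verdict for IPs that POST to an auth endpoint at least
    `threshold` times within any `window`-long span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] in AUTH_ENDPOINTS:
            events[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, rec in enumerate(recs):
            while rec["ts"] - recs[start]["ts"] > window:   # slide the window
                start += 1
            if end - start + 1 < threshold:
                continue
            burst = recs[start:end + 1]
            # A 302 from wp-login.php inside a burst of guesses means a guess
            # worked. xmlrpc.php gives no such signal, so it is excluded here.
            success = any(r["status"] == 302 and r["path"] == "/wp-login.php"
                          for r in burst)
            if success or ip not in verdicts:
                verdicts[ip] = ("login succeeded after repeated attempts"
                                if success else "repeated login attempts")
    return verdicts

if __name__ == "__main__":
    for ip, verdict in find_password_guessing(ACCESS_LOG).items():
        print(f"{ip}: {verdict}")
```

Run against the constructed lines, the two bots are flagged and the human who mistyped once is not; the bot whose burst ends in a 302 is marked as a probable successful login, which is the case that warrants an immediate password reset and session review rather than just a block.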

WordPress sites are vulnerable to distributed denial-of-service (DDoS)

Of course, this is not a WordPress-only security problem. It has kept website owners on their toes since the 1990s when WordPress did not even exist.

However, given the global domination of this CMS and the fact that it is used by numerous well-known brands (including Sony and Microsoft), DDoS operators often mount their destructive attacks against WP sites.

The principle of this stratagem is to flood the resources of a server or a web application with a massive amount of rogue traffic. This activity knocks the target website offline or makes it incapable of processing requests from legitimate users properly.

Nowadays, cybercriminals are increasingly using DDoS for extortion, coercing businesses to pay for stopping a detrimental traffic deluge.

To minimize the damage or emerge completely unscathed, WordPress website owners should outsource DDoS mitigation to a reputable cloud-based WAF service such as Cloudflare or Sucuri. Also, select a hosting provider with a decent track record in terms of security and customer care.

Tackling WordPress security problems

The flip side of WordPress’s popularity is that malicious actors heavily target it. If you believe a WP security plugin suffices to keep your website safe, think again. Nurture a proactive, strategic approach that involves situational awareness and eliminates reckless dependency on constant malware removal.

To avoid the most common WordPress security problems, be sure to keep your WordPress installation, themes, and plugins up to date. Uninstall third-party components you do not use. And most importantly, think of WordPress security as a process, not a product.

About the author

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation.

David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking.

David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

What makes WordPress not secure?

WordPress Core – the backbone of the CMS – gets regular security patches and is a hard nut to crack. The same cannot be said of third-party components. Plugins and themes tend to be the weakest link in the WordPress ecosystem, and attackers routinely use a vulnerable plugin or theme as a shortcut to a full site takeover.

How to make sure the themes I install are secure?

Do your homework before installing a new plugin or theme and check the vendor’s reputation along with the user feedback. Importantly, go over your plugins and uninstall the ones you are not actively using.

As far as WordPress themes go, prioritizing look and feel while turning a blind eye to security is risky business. Stick with established sources such as the WordPress Theme Directory, Themeforest, and TemplateMonster, which review what they host. That review lowers the odds of a booby-trapped theme but does not make a theme bug-free, so keep it updated like any other code on your site.

Why is WordPress hacked so much?

WordPress sites are built using plugins and themes that give the site its functionality and design. The problem is that anyone can build a plugin or a theme. Plugin developers often lack in-depth knowledge of how to make their code secure, which is why plugins so frequently contain critical vulnerabilities. Attackers search for these flaws and, once one is found, use automated tools to attack as many sites running the vulnerable version as possible.

What kind of websites are hacked the most?

WordPress accounted for 90% of the hacked CMS sites in one cleanup vendor’s 2018 sample. Most of those hacks trace back to vulnerabilities in plugins and themes, misconfiguration, and a lack of maintenance by webmasters who forget to update their CMS, themes, and plugins.
