16 October

The 5 Most common WordPress Security issues and solutions

We all know that being popular comes with some unwanted attention, and that is exactly the case with the most popular content management system (CMS) in the world: WordPress. Not only is it the favourite CMS of bloggers and entrepreneurs, it is also very popular with hackers. In this article we cover the most common security issues in WordPress, their causes, and the security measures that will keep your site safe. Hackers keep finding ways to target WordPress websites, and even very large sites have been victimised. This shows how essential it is to stay one step ahead of the attackers and take the measures that reduce the chances of your website becoming the victim of a cyber-attack. So, let's begin.


Quick facts:

Here is a quick report to give you a basic idea of where the problem lies. According to research conducted by, a total of 3972 security flaws exist in WordPress.
  • Vulnerable plugins account for 52% of the vulnerabilities discovered.
  • 37% of the vulnerabilities are in WordPress core.
  • Vulnerable WordPress themes account for 11% of the vulnerabilities.

What makes your site Vulnerable?

Before we describe the WordPress vulnerabilities themselves, let's go over some common security mistakes that let hackers target your WordPress site in the first place.


1-   Weak Login Credentials

This might seem obvious, but believe me, it is THE MOST common issue. People don't bother to use a strong username and password, and when their site is hacked they wonder how and why it happened. By using weak login credentials you are basically inviting cybercriminals to hack your website.


2-   Unreliable hosting

If you are using poor hosting for your WordPress site, you need to stop right now. Trust me when I say this: shared hosting is your worst enemy. Yes, you save some money with it, but it's simply not worth it. Here's the deal with shared hosting: several websites are stored on a single server, and if even one of them gets compromised, there is a good chance that you suffer too. Tell me, would you rather compromise the security of your site just to save money?


3-   Using non-trusted resources

This is a rookie mistake, but believe it or not, it is quite common. We know that building a new site can be overwhelming, but never use non-trusted resources. Third-party plugins and themes can contain malware, or at least be vulnerable to attack if they are not regularly maintained. Once you install one on your WordPress site, you are literally at the mercy of the hackers.


Most Common Attacks:

Now that you know some bad security practices, let's talk about the most common attacks hackers use to hijack WordPress sites.


1-   Brute force attacks

Brute force attacks are hackers' favourite, and they are used not just to break into WordPress sites but also to gain access to IoT devices. If you are unsure what a brute force attack is, here is how it works: the attacker tries thousands of username and password combinations until they hit the right one. It is a trial-and-error method, and the attacker doesn't stop until they get what they came for, i.e. your admin account's credentials. Hackers use bots to do this dirty work for them, and if you think this method cannot crack your login credentials, think again: a bot can try around 1000 different username and password combinations in a minute, so if your credentials are weak, change them immediately.

USE LIMIT LOGIN ATTEMPTS! If you want to keep your site safe from brute force attacks, use the WP Limit Login Attempts plugin. The reason: the plugin limits the number of login attempts per IP address.
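To show what "limiting login attempts per IP" actually means inside WordPress, here is an added example written for this article; it is not the WP Limit Login Attempts plugin's own code. It is a small must-use plugin that counts failed logins per client address in a transient and refuses authentication once the count crosses a threshold. The plugin name, the function names prefixed `lal_`, and the thresholds (5 attempts, 15 minutes) are all assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not the WP Limit Login Attempts plugin's own code. Save it as
 * wp-content/mu-plugins/login-attempt-limiter.php and WordPress loads it automatically.
 */

// Illustrative thresholds (assumptions); tune them to your own traffic.
const LAL_MAX_ATTEMPTS   = 5;    // failed logins tolerated per IP per window
const LAL_WINDOW_SECONDS = 900;  // 15-minute window; the counter expires with it

/**
 * The client address used as the rate-limit key.
 * REMOTE_ADDR is set by the web server and cannot be forged by the client,
 * but behind a reverse proxy or CDN it is the proxy's address: configure the
 * proxy/server to restore the real client IP before relying on this.
 */
function lal_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

/** Transient key for an IP; hashing keeps it short and free of odd characters. */
function lal_key(string $ip): string {
    return 'lal_' . md5($ip);
}

// 1. Count each failed login per IP; the transient expires at the end of the window.
add_action('wp_login_failed', function ($username, $error = null) {
    // Our own lockout error also fires this hook; don't count it as a new attempt.
    if ($error instanceof WP_Error && $error->get_error_code() === 'lal_locked_out') {
        return;
    }
    $key      = lal_key(lal_client_ip());
    $attempts = (int) get_transient($key);
    set_transient($key, $attempts + 1, LAL_WINDOW_SECONDS);
}, 10, 2);

// 2. Refuse authentication while an IP is over the limit. Priority 30 runs after
//    WordPress's own username/password checks (priority 20), so the counter is
//    consulted on every login path that goes through wp_authenticate().
add_filter('authenticate', function ($user, $username, $password) {
    $attempts = (int) get_transient(lal_key(lal_client_ip()));
    if ($attempts >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'lal_locked_out',
            sprintf('Too many failed logins. Try again in %d minutes.', LAL_WINDOW_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// 3. A successful login clears the counter so a legitimate user isn't locked out later.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_key(lal_client_ip()));
}, 10, 2);
```

Transients are stored in the options table (or the object cache if one is configured), so the counter is shared across all PHP workers rather than living in one process. This protects wp-login.php and XML-RPC logins alike, because both go through the `authenticate` filter; it does not reduce the traffic reaching the server, so pair it with server-level blocking for persistent sources.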


2-   XSS (Cross-site scripting) attacks

XSS, or cross-site scripting, is an attack in which the hacker injects a payload into a legitimate site; once the site is infected, the hacker can use it to steal your data. XSS attacks are carried out with JavaScript: the hacker injects arbitrary web scripts into the targeted site. Using XSS, the hackers can also steal your browser's cookies, letting them see your browsing history and habits. Just imagine how devastating that can be! A solution: if you don't want to be a victim of cross-site scripting, keep a close eye on the comments section of your site and remove any suspicious comments that you find to be irrelevant. You can either monitor the comments manually or use a plugin called Akismet to assist you with this task. Here's how Akismet works:
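Monitoring comments helps with spam, but the defence that actually stops injected scripts from running is escaping every untrusted value for the HTML context it is printed into. WordPress core already passes comment text through its kses filters for users without the `unfiltered_html` capability; the usual XSS hole is a theme or plugin that echoes a value (a comment field, a search term, a URL parameter) without escaping. The following is an added example written for this article, not code from the post or from any plugin; it uses WordPress's real `esc_html()`, `esc_attr()`, `esc_url()` and `wp_kses()` functions, and the sample comment string is constructed.

```php
<?php
// Added example, not from the original post. Shows why untrusted text (a comment,
// a query-string value) must be escaped for the HTML context it is printed into.
// Requires WordPress's escaping functions (wp-includes/formatting.php, wp-includes/kses.php).

// Constructed sample input: a comment carrying a script payload and an event handler.
$untrusted = 'Great article! <script>alert(document.cookie)</script> <b onmouseover="alert(1)">thanks</b>';

// VULNERABLE: concatenating raw input puts the attacker's <script> into the page,
// where every visitor's browser runs it.
function render_comment_unsafe(string $text): string {
    return '<p class="comment">' . $text . '</p>';
}

// FIXED (plain text expected): esc_html() turns < > & " ' into entities, so the
// browser displays "<script>..." as literal text and never executes it.
function render_comment_escaped(string $text): string {
    return '<p class="comment">' . esc_html($text) . '</p>';
}

// FIXED (limited HTML allowed): wp_kses() keeps only allow-listed tags and
// attributes, so <script> and the onmouseover handler are stripped but <b> survives.
function render_comment_filtered(string $text): string {
    $allowed = [
        'a'      => ['href' => true, 'title' => true],
        'b'      => [],
        'em'     => [],
        'strong' => [],
    ];
    return '<p class="comment">' . wp_kses($text, $allowed) . '</p>';
}

// Attribute and URL contexts need their own escapers: esc_attr() for attribute
// values, esc_url() for href/src (it also rejects javascript: and data: schemes).
function render_author_link(string $url, string $name): string {
    return '<a href="' . esc_url($url) . '" title="' . esc_attr($name) . '">'
         . esc_html($name) . '</a>';
}

// In a template you would call, for example:
// echo render_comment_escaped(get_comment_text());
```

The rule of thumb is "escape late, escape for the context": a value that is safe inside element text is not automatically safe inside an attribute or a `href`, so pick the escaper that matches where the output lands.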


3-   DDoS attacks

In a DDoS attack the hacker uses a chain of Trojan-infected IoT devices, usually thousands of them, to send unwanted traffic or floods of requests that overwhelm your server and eventually force your site down. If you are using poor hosting, there is a good chance your site cannot withstand a DDoS attack, and as you might know, downtime means you are losing money. The hackers can either target your whole website or a specific feature of it to make it unavailable to your visitors. What should you do? Here are some good practices to keep your site safe from DDoS attacks.
  • Keep an eye on your website's traffic, and immediately block IPs that look suspicious.
  • Keep WordPress and your plugins updated!
  • Use firewalls to protect your site.

Plugins like Wordfence and WP AntiDDOS might also help you deal with DDoS attacks. Bear in mind, though, that a plugin runs inside PHP and can only drop requests that have already reached your server; a large volumetric attack has to be absorbed upstream by your host, a CDN or a web application firewall.


4-   SQL injection

In this type of attack the hackers exploit vulnerable plugins, send crafted requests to the database through those plugins, and eventually get their hands on personally identifiable information (PII). Furthermore, the hacker can use this attack to create new user accounts on your WordPress site, letting them do whatever they want. The crooks can read your site's database, update it, or modify it to suit their needs. This vulnerability is tackled by placing security checks on the commands sent to the database, i.e. validating input and passing user-supplied values to queries as bound parameters rather than pasting them into the SQL. This is not an easy task, and seeking professional help may be the way to go.
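To make "security checks on the commands sent to the database" concrete, here is an added example (not code from the post or from any plugin) showing the same plugin lookup written the vulnerable way and the fixed way using WordPress's real `$wpdb->prepare()` and `$wpdb->esc_like()`. The function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post: one plugin query written two ways.
// Assumes it runs inside WordPress, where $wpdb is the global database object.

// VULNERABLE: the user-supplied string is concatenated straight into the SQL.
// A value containing a quote character changes the structure of the query
// instead of being treated as data, which is exactly what SQL injection exploits.
function find_user_by_email_unsafe(string $email) {
    global $wpdb;
    $sql = "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email = '" . $email . "'";
    return $wpdb->get_results($sql);
}

// FIXED: $wpdb->prepare() binds the value through a %s placeholder (it adds the
// quotes itself); anything inside $email is escaped by the database layer, so the
// clause can only ever compare against an email, never alter the query.
function find_user_by_email_safe(string $email) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email = %s",
        $email
    );
    return $wpdb->get_results($sql);
}

// Numeric input gets %d, which forces the value to an integer.
function find_post_by_id_safe($post_id) {
    global $wpdb;
    return $wpdb->get_row($wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE ID = %d AND post_status = 'publish'",
        $post_id
    ));
}

// LIKE searches need the wildcard characters (% and _) escaped as well, or a
// user can widen the match; esc_like() does that before prepare() binds it.
function search_titles_safe(string $term) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s",
        $like
    ));
}
```

When reviewing a plugin, a quick check is to grep for `$wpdb->query`, `get_results`, `get_row` and `get_var` calls whose SQL string contains a `$` variable or a `.` concatenation without a surrounding `prepare()`: those are the lines to fix first.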


5-   PHP file upload vulnerability

Along with the theme and plugins, your WordPress site runs on PHP scripts, so a hacker can attack those scripts to gain access to your site. The wp-config.php file is THE most important file in a WordPress installation, since it holds your database credentials and security keys, and hackers attack it by uploading malicious code into it and then hijacking your site. Again, this is a very technical issue, and seeking professional help is highly recommended if you ever face it. However, keeping all your WordPress plugins up to date helps.
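Two settings close off the most common routes by which PHP gets written into a site: the dashboard file editor, and the media uploader accepting executable file types. The following is an added example written for this article, not code from the post or from WordPress; it shows the `wp-config.php` constants that WordPress actually honours and a small must-use plugin using the real `upload_mimes` and `wp_handle_upload_prefilter` filters. The plugin filename and the exact MIME allow-list are assumptions to adapt to what your site needs.

```php
<?php
// Added example, not from the original post. Two separate files are shown.

// ---- Part 1: wp-config.php (place above the "That's all, stop editing!" line) ----

// Disable the dashboard theme/plugin editor. Without this, anyone holding an
// admin session can write arbitrary PHP into the site from the browser.
define('DISALLOW_FILE_EDIT', true);

// Stricter option: also block plugin/theme installs and updates from the dashboard,
// so code only reaches the server through your own deployment process.
// define('DISALLOW_FILE_MODS', true);

// Never display PHP errors to visitors; they reveal file paths and versions.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);

// ---- Part 2: wp-content/mu-plugins/restrict-uploads.php (assumed filename) ----

// Only allow the upload types the site actually needs. Anything not in this
// list (including .php, .phtml, .svg and .html) is refused by the media uploader.
add_filter('upload_mimes', function (array $mimes): array {
    return [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'webp'         => 'image/webp',
        'pdf'          => 'application/pdf',
    ];
});

// Belt and braces: reject any filename with a PHP-like extension anywhere in it
// (e.g. "image.php.jpg"), even if another plugin loosens the MIME list above.
// Setting $file['error'] to a message makes WordPress abort the upload.
add_filter('wp_handle_upload_prefilter', function (array $file): array {
    if (preg_match('/\.(php|phtml|php\d|phar)(\.|$)/i', $file['name'])) {
        $file['error'] = 'This file type is not allowed.';
    }
    return $file;
});
```

Two server-side checks complement this: configure the web server so that PHP is never executed from `wp-content/uploads/`, and make `wp-config.php` readable only by the web server user (WordPress also supports keeping `wp-config.php` one directory above the web root, out of reach of direct requests).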


In conclusion here are some good security measures to keep your site safe

Here's the thing with WordPress: yes, it is currently one of the best CMSs, but because it is an open-source CMS it is quite exposed, so we have listed some good security practices to help you deal with the vulnerabilities.


1-   Use STRONG passwords

Using strong login credentials can reduce the chances of your site getting hacked by at least 30%. A strong password containing letters, numbers and symbols is the best way to at least reduce the chances of being victimised by brute force attacks. Make your passwords as random and as long as possible. An example of a strong password: AadArRQPx-=23,?”_$# (don't use this one, of course, now that it has been published).


2-   Two-Factor Authentication

Using two-factor authentication is also a good way to deal with hackers, and it can keep your site secure even if hackers get their hands on your login credentials. The hackers can bypass it, though, if they manage to steal your browser's session cookies.


3-   WordPress Security Plugins


Installing premium WordPress security plugins can be your safeguard against cyber-criminals. Wordfence, Sucuri Security and BulletProof Security are currently the best plugins to ensure the safety of your website.


4-   Constantly Update!

You can mitigate the risk of being victimised by hackers simply by keeping your themes, plugins and WordPress version up to date.


5-   Monitor Traffic and Spam

Monitoring your site's traffic, its spam score and the comments section can be very helpful in ensuring the safety of your site.


6-   Professional security protection

The best way to tackle the security issues of your WordPress site is to seek professional protection against hackers. Let the professionals take care of the security issues, and you can enjoy maximum security protection for just a few bucks.


Keep Safe

If you have any of these problems and want to talk to us about fixing your site so you can get up and running again, then contact us.