Types of WordPress Attacks and How to Stop Them


WordPress Attacks

WordPress is susceptible to various types of cyber attacks, and a big facet of WordPress security is understanding what exactly you are up against. 

If you suspect your site is under attack, the best defence is a WordPress firewall

From brute force assaults to SQL injections, these threats can compromise the security and functionality of your website. Many are designed to inject malware into your site. 

Hence, you should familiarize yourself with these common attacks. This will help you safeguard your WordPress site and ensure a seamless online experience for your visitors.

TL;DR: Protecting your WordPress site begins with understanding what these attacks are and how they impact your site. Subsequently, safeguard your site from these attacks using MalCare’s robust firewall. Together with its strong anti-malware features and bot protection, MalCare is the best WordPress security plugin.

In this article, we will explore the common types of attacks that WordPress sites face, the potential risks associated with each, and the steps you can take to protect your website against these threats.

1. XSS attacks

In a WordPress cross-site scripting (XSS) attack, a bad actor finds a weakness in a website to sneak in harmful JavaScript. These scripts lie in wait until an unsuspecting user interacts with the website, often filling out a form or clicking a link. Once triggered, these scripts can steal user information, reroute them to dangerous websites, or even change the look and feel of the original website. Essentially, XSS attacks allow the bad actor to use a user’s browser against them, in ways that could lead to serious damage.

In March 2024, an XSS vulnerability in the Popup Builder plugin put over 100,000 sites at risk daily. To exploit this vulnerability, an attacker would could inject a vulnerable site with malware. Subsequently, the attacker could steal confidential information and take over the compromised WordPress site. MalCare’s firewall was the only defence against this attack, while the plugin was still vulnerable.

Symptoms of this hack: A successful XSS attack could mean anything on your site. It could show up on websites in the form of malicious behavior like unauthorized actions, or suspicious user accounts. The goal of any attack is to take control of a site for malicious purposes, so those are the symptoms to look for. 

How to protect your site from XSS attacks

  • Stay on top of reported vulnerabilities and regularly update all plugins, themes, and the WordPress core to patch them as soon as possible.
  • Install a reputable WordPress firewall plugin like MalCare to protect against such attacks.
  • Implement Content Security Policy (CSP) headers to specify which forms of content are trusted on your site.
  • Educate users about the dangers of social engineering tactics.

2. SQL injection attacks

SQL injection is a serious attack that can compromise the integrity and confidentiality of a website’s database. It occurs when hackers enter malicious SQL code into insecure input fields on a website. When the contents of the input fields are submitted, this code runs and manipulates the database, potentially leading to unauthorized access, data theft, or even deletion of critical information.

In April 2024, Icegram Express was discovered to have an SQL injection vulnerability, allowing hackers to perform injection attacks. Together, they put over 90,000 sites at risk. Around the same time, a similar vulnerability was discovered in the WP Activity Log plugin that put over 200,000 sites at risk. Sites with MalCare’s advanced firewall avoided being exploited.

Symptoms of this hack: SQL injection attacks show symptoms such as:

  • unexpected changes in site database content or structure;
  • unauthorized access to sensitive data or areas of the website;
  • unusual or suspicious database queries in server logs, etc.

How to protect your site from SQL injection attacks

3. Spam link injection attacks

As the name implies, spam link injection attacks let hackers inject spammy links into a site’s content or code. These links often lead to unrelated, grey market, or illegal websites. The hacker is attempting to piggyback off of your site’s SEO and ranking and ends up causing harm to your site’s SEO and user experience.


In October 2023, the Balada Injector campaign exploited flaws in the tagDiv Composer plugin and hacked over 17,000 WordPress sites. Visitors to these hacked websites would be redirected to fake tech support pages, phony lottery winnings, and other scams.

Symptoms of this hack: Spam link injection attacks show up as sudden, unauthorized appearances of irrelevant or suspicious links within content or code, drop in search engine rankings, increased traffic to unrelated websites through injected links, etc.

How to protect your site from spam link injection attacks

  • Do not use any nulled plugins or themes on your WordPress site.
  • Check for backdoors in the plugins and themes installed on your WordPress site.
  • Regularly change all passwords, like access passwords, database passwords, etc.
  • Ensure your WordPress core, themes, and plugins are up-to-date.
  • Install security plugins like MalCare that are designed to detect and prevent spam link injection attacks.

4. Remote code execution attacks

Remote code execution (RCE) attacks occur when a malicious actor gains unauthorized access to a website’s server and executes code remotely. This allows the attacker to control various aspects of the website, potentially leading to data theft, defacement, or even complete server compromise.

In October 2023, MalCare’s advanced WordPress firewall stopped over 11,000 attempts to hack websites by exploiting the WP Elementor vulnerability. Prior to that, MalCare stopped over 2000 attacks on WordPress sites that aimed to exploit the Forminator vulnerability. All these attacks had the same modus operandi: upload a malicious file onto a website using these form plugins, which enables a hacker to gain remote access to the site and perform unauthorized actions.

Symptoms of this hack: RCE attacks can be detected if you notice unusual or unauthorized changes to the website, its content, files, etc., significant degradation of website performance, or evidence of unauthorized activities in server logs.

How to protect your site from remote code execution attacks

  • Implement strong password policies and two-factor authentication methods to prevent unauthorized access.
  • Set appropriate file permissions and limit access to critical files and directories only to authorized users.
  • Regularly review logs for any unusual file uploads or executions.
  • Keep your plugins, themes, and WordPress core updated at all times.
  • Use the robust firewall capabilities of MalCare to detect and block suspicious access requests before they reach your site.

5. Phishing attacks

Phishing attacks target users through deceptive emails, messages, or websites, tricking them into revealing sensitive information like login credentials or financial details. Attackers can also use compromised WordPress sites to host phishing pages. Therefore, phishing attacks can affect WordPress sites in different ways.


In January 2022, a vulnerability in the WP HTML Mail plugin put over 20,000 sites at risk. This high-severity flaw led to code injection on affected websites and the distribution of convincing phishing emails, posing as the hacked websites. 

Symptoms of this hack: If your users are receiving suspicious emails or messages that pretend to be from your website and ask for sensitive information, your site may be under a phishing attack. The emails may lead to a fake sign-up page, perhaps designed to collect financial information or login credentials. 

How to protect your site from phishing attacks

  • Educate your site’s users to recognize phishing attempts. Ensure that they understand the consequences of clicking on suspicious links or providing sensitive information.
  • Get an SSL certificate for your site and configure it to encrypt data transmitted between your website and its users.
  • Regularly monitor and scan your site for suspicious activity or unusual behavior.
  • Encourage users to report any probable phishing emails or messages.

6. Brute-force attacks

Brute-force attacks aim to gain unauthorized access to a WordPress website by repeatedly trying different combinations of usernames and passwords until the correct credentials are discovered. This attack leverages weak or easily guessable login credentials instead of specific vulnerabilities. Hackers could also use automated bots to guess these credentials through the WordPress xmlrpc.php file, making it easier for them to launch a brute-force attack.

In 2015, Dunkin’ Donuts suffered a brute force attack in which hackers made away with huge sums of gift card money from 19,715 users in just five days. Following a lawsuit, Dunkin’ Donuts had to pay $650,000 to its customers. The most effective defence against these sorts of attacks is a sophisticated firewall with bot protection.

Symptoms of this hack: A noticeable increase in failed login attempts, often from multiple IP addresses, is the first sign of brute force attacks. It can lead to slower website performance due to the excessive load on the login page as well as multiple user accounts getting locked out due to such attempts.

How to protect your site from brute force attacks

  • Encourage users to create complex and unique passwords that are not easily guessable.
  • Implement a login limiting feature to restrict and temporarily lock out users who exceed the limit.
  • Enforce 2FA for an additional security layer when logging in.
  • Disable XML RPC on your WordPress site.
  • Use a firewall like MalCare’s WordPress-specific one to detect and block attempts from malicious IP addresses.
  • Opt for a firewall with built-in bot protection, which will keep out bad ones like brute force bots and scrapers for good measure, while allowing good ones like Googlebot through to the site. 
  • Disable user registration and login if your site does not require it.

7. CSRF attacks

Cross-site request forgery (CSRF) attacks trick authenticated users into unknowingly executing actions on a web application without their consent. These attacks occur when a user is logged in and visits a malicious website, which then sends unauthorized requests to the target website on the user’s behalf.

In February 2023, a CSRF vulnerability was discovered in the Forms by CaptainForm plugin that allowed CSRF attacks, putting over 10,000 WordPress sites at risk.

Symptoms of this hack: CSRF attacks show symptoms like:

  • Unexpected changes to user accounts, settings, or data without the user’s consent.
  • Unusual or suspicious activities recorded in server logs, indicating unauthorized actions.

How to protect your site from CSRF attacks

  • Check the referer header to ensure that requests originate from the same domain, providing an additional layer of protection against CSRF attacks.
  • Utilize security headers like Content Security Policy (CSP) to mitigate the risk of certain types of CSRF attacks.
  • Conduct security audits and penetration testing to identify and address potential CSRF vulnerabilities.

8. Session hijacking attacks

Session hijacking occurs when an attacker gains unauthorized access to a user’s active session by intercepting or stealing the session ID or token. This allows the attacker to impersonate the user and potentially perform actions on their behalf.

In May 2023, an XSS vulnerability in the Beautiful Cookie Consent Banner plugin exposed more than 1.5 million WordPress sites to malicious code that performed session hijacking attacks among others.

Symptoms of this hack: If your users are reporting unauthorized access or activity in their accounts, or if you see suspicious records in logs, your site might be facing session hijacking attacks.

How to protect your site from session hijacking attacks

  • Ensure your website uses HTTPS to encrypt communication between the user’s browser and the server, making it harder for attackers to intercept session data.
  • Implement session timeout settings to automatically log users out after a period of inactivity.
  • Enforce 2FA as an additional layer of authentication.
  • Keep an eye on unusual login patterns or activities that could indicate a session has been hijacked.

9. Cookie stealing attacks

Cookie stealing (or session sniffing) attacks occur when an attacker intercepts unencrypted cookies transmitted between a user’s browser and a website’s server. By obtaining these cookies, the attacker gains unauthorized access to the user’s session, potentially leading to impersonation and unauthorized actions.

In March 2023, hackers obtained potentially sensitive information by exploiting a vulnerability in the official website of luxury sports car maker Ferrari. The website was using an old version of W3 Total Cache, which has an active install count of over 1 million. Hackers stole cookies using this flaw and gained access to the wp-config.php file, which stores WordPress credentials. Installing a strong WordPress firewall would have prevented losses accrued from these attacks.

Symptoms of this hack: If your users report unauthorized access to their accounts, or if you see unauthorized logins in logs, your site might be undergoing cookie-stealing attacks.

How to protect your site from cookie stealing attacks

  • Ensure your website employs HTTPS to encrypt communication between the user’s browser and the server, making it significantly harder for attackers to intercept cookies.
  • Use a WordPress-specific firewall, like MalCare, to detect and block suspicious requests.
  • Keep an eye on your site logs for unusual login patterns or activities that could indicate cookie stealing.

10. SSRF attacks

Server-side request forgery (SSRF) attacks occur when an attacker tricks a web application into making malicious requests on their behalf. These attacks often target internal or external resources, services, or data that should not be accessible. While not a direct vulnerability of WordPress itself, SSRF vulnerabilities can exist in poorly coded or improperly configured WordPress plugins or themes.

In November 2022, an SSRF vulnerability was discovered in the Paytm Payment Gateway plugin. This exposed over 9000 WordPress sites to potential unauthorized access and information disclosure.

Symptoms of this hack: If you see unauthorized server requests or modifications to resources or services in your site logs, your site might be facing SSRF attacks.

How to protect your site from SSRF attacks

  • Utilize security headers like Content Security Policy (CSP) to mitigate the risk of SSRF attacks by specifying which resources can be accessed.
  • Keep your plugins, themes, and the WordPress core updated.
  • Employ a WordPress-specific firewall like MalCare to monitor and filter incoming traffic, detecting and blocking suspicious requests.

11. DDoS attacks

Distributed denial-of-service (DDoS) attacks flood a website or server with an overwhelming volume of traffic, making it unavailable to legitimate users. WordPress sites rarely experience DDoS attacks themselves but can be hacked into becoming a part of a botnet, which then perpetrates attacks on other web applications.

In 2014, more than 162,000 compromised WordPress sites were used for a DDoS attack using their XML-RPC configurations. More recently, several websites in Ukraine were targeted by a DDoS attack using compromised WordPress sites in 2022.

Symptoms of this hack: Your site might be under a DDoS attack if you see:

  • Unusually slow website performance
  • Complete unavailability of the website
  • Increased server resource consumption, such as high CPU or bandwidth usage

How to protect your site from DDoS attacks

  • Utilize DDoS protection services or use a hosting provider that offers DDoS mitigation to help absorb and filter out malicious traffic.
  • Implement load balancing to distribute traffic across multiple servers to mitigate the impact of a DDoS attack.
  • Use a CDN to cache and serve content from multiple distributed servers, reducing the strain on your origin server during a DDoS attack.
  • Use a WordPress-specific firewall like MalCare and implement rate-limiting rules to block or limit traffic from suspicious or malicious sources.
  • Disable XML-RPC on your WordPress site to prevent its misuse in such attacks.
  • Keep an eye on your website’s traffic patterns and set up alerts for unusual spikes in traffic that may indicate a DDoS attack.

12. XXE attacks

XML external entity (XXE) attacks target applications that parse XML input. Attackers exploit this by injecting malicious XML content, potentially leading to sensitive information disclosure, denial of service, or server-side request forgery. While XXE attacks are not specific to WordPress, poorly coded plugins or themes can create vulnerabilities.

In June 2015, an XXE vulnerability was discovered in the popular WordPress plugin WooCommerce. With an active install count of more than 5 million, this exposed a large number of sites to XXE attacks.

Symptoms of this hack: Signs that a WordPress site has suffered an XXE attack could be that the site suddenly runs very slowly, there’s an unusual amount of data being sent out from the site, confidential data such as login details being leaked, changes in the website’s content, or error messages related to XML showing up. However, these signs could also point to different types of attacks, not just XXE.

How to protect your site from XXE attacks

  • Keep your plugins, themes, and the WordPress core updated.
  • Employ a firewall like MalCare to monitor and filter incoming traffic, to detect and block suspicious requests.

Steps to ensure overall protection of your WordPress site

Maintaining the security of your WordPress site is crucial to safeguarding it from various types of WordPress attacks. Here are some effective measures to fortify your site’s defenses:

  • Implement a robust firewall like MalCare to provide automatic protection against numerous types of attack requests. Firewalls act as a barrier between your site and potential threats, filtering out malicious traffic before it reaches your server.
  • Employ a security plugin like MalCare that includes a malware scanner. Regular scans can help detect any malicious code or files that may have infiltrated your site.
  • Outdated plugins and themes are common weak points that cyber attackers exploit. Regularly updating them ensures you benefit from the latest security patches and bug fixes.
  • Avoid using nulled or pirated extensions for your site. They often contain backdoor malware, making your site vulnerable to attacks.
  • Strengthen login security with robust password policies. Encourage unique, complex passwords and educate users about the risks of password sharing and reuse. Implement two-factor authentication (2FA) to add an extra layer of security.
  • Keep a close eye on user accounts and activities. Regularly review activity logs and establish policies for managing dormant accounts.
  • Use a Content Delivery Network (CDN). A CDN distributes the load of repeated attacks across multiple servers, reducing the impact of DDoS attacks. It also offers cached copies of your site, enhancing performance.

Impact of attacks on WordPress sites

If you have a WordPress site, you must keep yourself aware of the potential consequences of attacks on your site. This is crucial for you to understand the importance of security measures.

  • Insertion of malware: Attacks can lead to the insertion of malicious code or files, compromising the integrity of your site.
  • Compromised data: Sensitive user information can be at risk, leading to potential privacy breaches and legal consequences.
  • Cost of removal: Cleaning up after an attack can be costly, involving expenses for security services, legal fees, and potential loss of revenue.
  • SEO and branding issues: Certain attacks, such as the pharma hack or SEO spam, can tarnish your site’s reputation and impact search engine rankings.
  • Trust issues with visitors and customers: A compromised site erodes trust with visitors and customers, potentially leading to a loss of credibility and revenue.

Why is WordPress a popular target for hackers?

WordPress is a website-building platform that enables anyone to build websites without knowing how to code. Moreover, WordPress is free of cost.

As a result, the platform is powering over 1.3 billion active sites today.

The downside of all this is that WordPress websites are targeted more than websites built on any other platform.

That being said, WordPress is considerably more robust than other platforms. The fact is that WordPress has long solved issues that other platforms are currently facing. Most vulnerabilities are introduced to WordPress sites via plugins and themes and rarely are found in the core any longer. 

Therefore, although WordPress is a frequent target, you can leverage all its advantages by thinking about security carefully. Installing MalCare, a security plugin with a firewall, scanner, and built-in malware removal is a great step in that direction.

Final thoughts

In conclusion, safeguarding your WordPress site from potential threats is paramount in ensuring its uninterrupted functionality and maintaining the trust of your visitors. By understanding the various types of attacks that WordPress sites may face, from XSS and SQL injections to DDoS and phishing attempts, you’re better equipped to implement protective measures.

This is where a security plugin like MalCare can make the difference. MalCare is a WordPress-specific security plugin, which makes it a potent adversary against known vulnerabilities and attacks, as well as zero-day exploits. Moreover, its robust firewall, strong malware scanning and removal features, and hardened bot protection capabilities make it a force to be reckoned with in the WordPress ecosystem.


Does WordPress get hacked?

Yes. One of the caveats that comes along with being the most popular content management system in the world is that WordPress regularly gets hacked. While the reasons behind these hacks may vary, the steps to keep your WordPress site secure are the same.

How many times has WordPress been hacked?

It is difficult to provide an exact count of how many WordPress sites have been hacked. However, various estimates peg that at least 10,000 to 12,000 sites get hacked every day. With WordPress powering nearly 40% of all websites around the world, it is easy to consider that 1 out of 25 WordPress sites gets hacked.

How do hackers attack WordPress?

Hackers attack WordPress sites using a variety of tools and tricks. Some hackers search for and find weak access controls, like easy-to-guess username-password combinations. Others identify flaws or vulnerabilities in plugins and themes, or in WordPress core itself, and exploit them to gain access to websites. Some also use social engineering to extract credentials from unwitting individuals.

Why is my WordPress site under attack?

Your WordPress site may be under attack for various reasons. Weak passwords, outdated WordPress core, themes, and plugins, insecure connections, incorrect file permissions, and insecure web hosting are some of the culprits. You should immediately address these issues one by one, or take the help of security plugins like MalCare to secure your site from attacks of all kinds.

It feels like my website is being attacked 24/7. Is this normal?

Yes. As soon as your website goes live, it can be found by regular users and malicious actors alike. Hence, it is crucial to secure your website at the earliest using a comprehensive security plugin like MalCare, that comes with a built-in firewall, malware detection and removal features, as well as bot protection.

Do plugins actually work against WordPress attacks?

Yes. WordPress security plugins definitely work against attacks. However, their efficacy determines how secure your website is. If you are concerned about your site’s security, use a comprehensive WordPress-specific security plugin like MalCare. MalCare has a robust built-in firewall, malware detection and removal capabilities, as well as bot protection. Together, all these features help keep your website secure from all kinds of attacks.



You may also like

dns hijacking
DNS Hijacking: All You Need to Know About It

Have you ever typed a familiar URL into your browser only to land on a strange, unfamiliar website? Imagine your visitors facing the same dilemma when accessing your website. They…

How to Protect Your Website from Hackers
How to Protect Your Website from Hackers

Every day, small businesses become victims of cyber attacks. Hackers break into websites, steal customer data, and damage reputations. Your website, which is vital for your business, is at risk…

What are Website Backdoors and How to Clean Them?
What are Website Backdoors and How to Clean Them?

Are you frustrated with your website getting hacked again and again, even after you’ve cleaned it each time? You’ve spent hours fixing your site, only to find that the problem…

How can we help you?

If you’re worried that your website has been hacked, MalCare can help you quickly fix the issue and secure your site to prevent future hacks.

My site is hacked – Help me clean it

Clean your site with MalCare’s AntiVirus solution within minutes. It will remove all malware from your complete site. Guaranteed.

Secure my WordPress Site from hackers

MalCare’s 7-Layer Security Offers Complete Protection for Your Website. 300,000+ Websites Trust MalCare for Total Defence from Attacks.