16 WordPress Security Issues (Vulnerabilities) & Tips To Fix Them
WordPress makes it easy for anyone to have a website quickly, but there is a lot of noise online that talks about how many security issues it has.
Does WordPress have security issues? Yes
Are they insurmountable? No
Should it stop you from building your website with WordPress? Most certainly not
A conservative estimate puts the number of websites at about 2 billion, and WordPress powers almost 45% of them. It is because WordPress is so prolific that it is subject to so many hacks. As a direct consequence, WordPress has evolved into a very secure system. In fact, many of the security issues WordPress has resolved over the years still exist on other CMS.
In this article, we will explain what WordPress security issues you should look out for, and more importantly, how you can protect your website from them.
TL;DR: Protect your website from WordPress security concerns with MalCare. MalCare is an all-in-one security plugin, which combines a malware scanner, auto-cleaner, and a firewall in one place. Apart from that, you can safely update your website and prevent hackers from exploiting security vulnerabilities. If you are looking for an expert solution for WordPress security issues, you have found it with MalCare.
Does WordPress have security issues?
Yes, there are security issues with WordPress, but these are not difficult to deal with any longer. You don’t need to have development experience or be used to tinkering with WordPress code to be able to counteract threats. Follow the simple fixes laid out in this article, and you will have a strong, secure WordPress website.
16 Common WordPress security issues that can affect your website
WordPress does have a lot of security issues, but the good thing is that they can all be easily resolved. No one wants to spend time managing the security of their website, instead of growing it or increasing their revenue.
Apart from WordPress security vulnerabilities and compromised passwords, malware and attacks are also security issues. Although malware and WordPress attacks are sometimes used interchangeably, they are different. Malware is the malicious code that hackers inject into your website; whereas attacks are the mechanisms they use to inject malware. In the list below, we’ve covered all 4 types of WordPress security issues.
Here is the list of common wordpress security issues you need to know:
- Out of date plugins and theme
- Weak passwords
- Malware on your WordPress website
- SEO spam malware
- Phishing scams
- Malicious redirects
- Reused passwords
- Nulled software
- Backdoors on your WordPress site
- wp-vcd.php malware
- Brute force attacks
- SQL injection
- Cross-site scripting attacks
- Website is on HTTP not HTTPS
- Spam emails being sent from WordPress
- Dormant user accounts
1. Out of date plugins and themes
WordPress plugins and themes are all built with code and, as we explained earlier, developers occasionally make mistakes in code. The mistakes can cause lapses in security, which are called vulnerabilities.
Security researchers look for WordPress security vulnerabilities in popular software, in order to make the Internet a safer place. When they discover vulnerabilities, they disclose them to the developers to fix. Responsible developers then release a security patch in the form of an update, which resolves the vulnerability. Once sufficient time has passed, security researchers will then announce their findings.
Ideally, by this time, the plugins and themes should have been updated. However, that is very often not the case. And hackers know and rely upon this tendency to attack websites, and exploit the vulnerability.
Updates can sometimes break the site, unless you do them carefully. Use BlogVault to manage updates, so that the site is backed up before the updates, and you can make sure everything works perfectly on staging before moving to the live site.
Fix: Manage updates promptly on your website.
2. Weak passwords
Hackers use programs called bots to attack login pages, trying out many combinations of usernames and passwords to break into a website. Often bots can try as many as hundreds of combinations per minute, using dictionary words and commonly used passwords to break through. Once they succeed, the hacker has open-door access to your website.
On the flip side, strong passwords are difficult to remember, so admin choose easy-to-remember ones, like pets’ names, birthdays, or even permutations of the word ‘password’.
However, this makes the site security vulnerable to attacks. This information is legitimately available online via social media and other sites, and illegitimately via the data breaches or the dark web. The best thing to do is have a strong, unique password to keep your account, and therefore website, safe.
Note: You need to set strong passwords across your site accounts, which include your user account and hosting account. Admin don’t often change the SFTP and database credentials, but if you have done, make sure you set strong passwords for these too.
Additionally, you can limit login attempts on WordPress. If a user has too many incorrect logins, they are temporarily locked out, or they need to fill in a CAPTCHA to prove they aren’t a bot. This measure keeps bots out, and makes allowances for human error.
Fix: Enforce strong passwords and limit login attempts to block bots.
3. Malware on your WordPress website
Malware is a catch-all term used to describe any code that allows unauthorised activity on your website. In subsequent points, we will look at specific cases too, like backdoors and phishing scams.
When we talk about addressing WordPress security issues, the goal is to keep out malware. However, as we have said before, no system is 100% bulletproof. You can do everything right, and a clever hacker will find a new way to penetrate the defences. It is rare, but it happens. So how do you deal with malware, if it is already on your website?
First of all, you need to confirm that the malware is indeed on your website. Malware can hide in files, folders, and in the database. We have seen malware files masquerade as WordPress core files, as image files, and even show up as plugins. The only way to be sure if your website is infected or not is to deep-scan it on a daily basis. For that, you need to install MalCare.
MalCare uses a sophisticated algorithm to detect malware on your website. Other scanners use partially effective techniques like file comparison and signature matching to flag malware. MalCare uses 100+ signals to check the behaviour of code, and then flags it as malware if the intent is malicious. This has two huge advantages: one, there are no false positives, which custom code being flagged as malware; and two, even the newest variants of malware are detected correctly.
MalCare is 95%+ accurate when scanning for malware, and is completely free. If the scan results show that your website is hacked, only then do you need to upgrade to clean it. With MalCare, the auto-clean feature will surgically remove malware from your WordPress website, leaving your website pristine once again.
Fix: Scan and clean your website with MalCare.
4. SEO spam malware
SEO spam is a particularly egregious malware that is used by hackers to divert your website traffic away from your website to their shady and spammy websites. They do this by hijacking your search results on Google, inserting code into your existing pages, or by redirecting traffic to their own websites. Sometimes they do all of these things. In any event, it is always bad news.
There are a few common variants of the SEO spam malware, like the Japanese keyword hack and the pharma hack. Both of these variants have gained notoriety in their own right because their symptoms are specifically Japanese characters or pharmaceutical keywords in the search results.
All types of SEO spam malware are incredibly difficult to remove manually because they can create hundreds of thousands of new spam pages, which are impossible to remove easily. Plus, they insert malware into critical WordPress core files and folders, like the .htaccess file, which can break the site if it is not cleaned properly.
Invariably sites with these strains of malware get flagged on Google Search Console, land on the Google blacklist, and lead the web host to suspend your hosting account. Therefore, the key to dealing with this hack is to leave it to the experts, which in this case is a WordPress security plugin called MalCare.
MalCare will not only get rid of the malware, but make sure your site is protected with an advanced firewall.
Fix: Remove SEO spam malware with MalCare.
5. Phishing scams
Phishing malware is a two-part scam that tricks users into giving up their confidential details by masquerading as trusted brands.
The first part is to send an official-looking email to an unsuspecting user, usually with a dire warning that something terrible will happen if they don’t update their passwords or something immediately. For instance, when a phishing email spoofs a web host customer, they might say that the site is in danger of being taken down.
The second half of the scam takes place on a website. The phishing email usually has a link that takes the user to a seemingly official website, and has them enter their credentials. The website is obviously fake, and this is how many people compromise their accounts.
On WordPress websites, phishing comes in two flavours, depending on which part of the scam is happening. In the first case, WordPress admin get phishing emails about how a database update is required for their website, and they are tricked into putting in their login details.
On the other hand, hackers can use your website for fake pages. Often website admin have come across banking logos or e-commerce website logos on their website, even though they have no reason to be there. These are used to trick people.
Google is very quick to crack down on phishing scams, and especially on websites that host these pages. Your website will get blacklisted and slapped with the phishing website detected notice, and that is terrible for visitor trust and branding. Even though you are innocent, your website has become a host for a scam. It is imperative that you get rid of this malware as soon as possible, and take steps towards damage control.
Fix: Remove the phishing malware from your website with MalCare, and advise your users not to click any links from within emails.
6. Malicious redirects
One of the worst WordPress hacks is the malicious redirect hack. It is incredibly frustrating to visit your website, only to be whisked away to another spammy or scammy website, selling questionable products and services. Often, WordPress admin can’t even log into their websites because of the hacked redirect malware.
There are many variants of this malware, and it infects the files and database of the website completely. We have seen instances of the hacked redirect malware in every post of a site with over 500 posts. It was a nightmare, and the admin was understandably frustrated.
The only way to get rid of the malicious redirects malware is to use a security plugin. In fact, you will probably need help to install the plugin at all, because you can’t log into your website. That’s where MalCare’s support team can help out. They will guide you through the installation process, and if necessary clean the site for you.
Fix: Get rid of the hacked redirect malware with MalCare.
7. Reused passwords
Reused passwords can be strong passwords, like we spoke about in the previous section, but they are not necessarily unique.
For instance, your social media account and website account have the same string of letters, characters, and numbers for a password. You’ve gotten used to typing it in, and you figure it can’t be guessed so it is a good password.
Well, you’re half right. It is a good password, but only for one account. The rule of thumb is to never reuse passwords across accounts. And the reason is the potential threat of data breaches.
GoDaddy had a breach in September 2021, which they discovered only in November 2021. By then, 1.2 million users’ database and SFTP credentials had been compromised. If any of those users had used those passwords elsewhere, like a bank account, that information was now squarely in the hands of the hacker. It becomes that much easier to break into other accounts.
We trust different services and websites to secure our data, but no system is completely bulletproof. Things can and will break on occasion. The goal is to contain the damage as much as possible. Creating unique and strong passwords for every account helps you do that.
Fix: Set unique passwords and use a password manager to remember them.
8. Nulled software
Nulled plugins and themes are premium versions with cracked licenses available for free online. Quite apart from the moral dimension of stealing from developers, nulled software is a huge WordPress security risk.
Most nulled themes and plugins come riddled with malware. Hackers rely on people to want a good deal on a premium product, and wait for them to install it. The website gets a dose of malware hand-delivered to it, and the site is now hacked. This is the only reason why anyone bothers to crack premium software in the first place. Robin Hood isn’t involved in the WordPress ecosystem.
Even if the nulled themes and plugins didn’t have malware on them—which is very rare—you cannot update them. Because they are not official versions, they obviously don’t receive support from the developers. So if a vulnerability is discovered and the developers release a security patch, the nulled software is also out-of-date with a vulnerability, in addition to having malware installed on it.
Fix: Avoid nulled plugins and themes like the plague.
9. Backdoors on your WordPress site
Backdoors, like the name implies, are alternative and illicit ways to access the code of your website. Along with malware, hackers inject backdoor code into your website, so if the malware is discovered and removed, then can regain access using the backdoor.
Backdoors are one of the primary reasons we don’t recommend ever cleaning malware manually from your website. You may be able to find malware scripts and remove them, but backdoors can be very cleverly concealed and become almost invisible.
The only way to remove backdoors from your website is to use a WordPress security plugin, like MalCare. MalCare gets rid of backdoors as well as malware quickly and easily with the auto-clean feature.
Fix: Use a security plugin to remove backdoors.
10. wp-vcd.php malware
The wp-vcd.php malware causes spam popups on your WordPress website that direct users to other websites. It has the same purpose as the SEO spam hack and malicious redirects, but works differently. It has a few variants like wp-tmp.php and wp-feed.php.
The wp-vcd.php malware infects websites with code that executes each time the site loads. It is one of the most frustrating hacks that infect WordPress sites, because as soon as you remove it, it seems to come right back; in some cases, instantly. If ever there was malware that could be likened to a recurrent virus that just can’t be kicked, wp-vcd.php is the one.
The wp-vcd.php malware infects websites chiefly through nulled plugins and themes. Wordfence goes as far as to call it: “the malware you installed on your own site”; which we think is a bit harsh, but it does underscore the danger of nulled software.
Fix: Get rid of the wp-vcd.php malware from your website instantly with MalCare.
11. Brute force attacks
Hackers use bots to bombard your login page with username and password combinations, in order to gain access. This method is known as a brute force attack, and can be successful if the passwords are either weak, or are the same as ones found in a data breach.
Brute force attacks are not just terrible for security, but also consume your site’s server resources. Every time the login page loads, it requires some resources. Ordinarily, the disk usage is negligible, so it doesn’t affect the performance noticeably. But brute force bots hammer the login page at the rate of several hundred—if not thousand—times per minute. If your site is on shared hosting, there will be noticeable consequences.
The way to counteract brute force attacks is to have bot protection for your website, as well as limit incorrect login attempts. MalCare comes with bot protection built into the security plugin.
You can also enable CAPTCHA on your login page. You may see advice to hide your login page by changing the default URL, but don’t do this. It is incredibly difficult to retrieve if that URL is lost, and you will be locked out of your website along with the hackers.
Fix: Limit login attempts and get bot protection for your website.
12. SQL injection
All WordPress websites have databases that store important information about the website. Things like users, their hashed passwords, posts, pages, comments are stored in tables and are edited and retrieved regularly by the website files. The database is rarely accessible directly, and is controlled by the website files for security.
SQL injections are particularly dangerous attacks, because hackers can interact directly with the database. They use forms on your website to insert SQL queries, which allow them to manipulate or read from the database. SQL is the programming language used to make changes to the database, like adding, deleting, modifying, or retrieving data. This is why SQL injection attacks are so dangerous.
The solution is to keep your plugins and themes updated, because WordPress security vulnerabilities like unsanitised input lead to successful SQL injection attacks. Additionally, a good firewall will keep away bad actors from your website.
Fix: Keep everything updated, and install a firewall.
13. Cross-site scripting attacks
Cross-site scripting, or XSS, attacks on websites are similar to the SQL injections, in that the hacker inserts code into the website. The difference is that the code targets the next visitor on your website, instead of your website database.
In an XSS attack, the malware is added to your website. A visitor comes along, and their browser thinks that the malware is part of your website, and thus the visitor is attacked. Generally, cross-site scripting attacks are used to steal data from unsuspecting visitors.
The way to protect your site visitors is to make sure that XSS vulnerabilities don’t exist on your website. The simplest way to do this is to make sure that your website is fully updated. You can take the security to the next level by installing a WordPress firewall plugin as well.
Fix: Install a WordPress firewall, and keep everything on the website updated.
14. Website is on HTTP not HTTPS
You may have noticed that many websites now have a green lock near the URL bar. This is a trust badge for the visitor to say that the website is using SSL. SSL is a security protocol that encrypts traffic back and forth from a website.
A good analogy for this is to think of a telephone call. The data passing between two people on the line is intended to stay between them as a private conversation. However, if a third person was able to tap into that line, they would understand the data and therefore it is no longer private. However, if two original people were to use a code which only they are able to decipher, regardless of how much the third person overhears, the information’s true meaning is hidden from them.
This is how SSL works for websites. It encrypts the data being sent to and from the website, so that sensitive information cannot be read by a third party and used illegitimately.
The Internet as a whole has been moving towards data security and privacy in the recent decade, and SSL has emerged as one of the fundamental ways to achieve that purpose. Even Google strongly advocates for SSL-enabled websites, going as far as to penalise non-SSL websites on their search results.
Fix: Install an SSL certificate on your website.
15. Spam emails being sent from WordPress
Emails are a cornerstone of digital marketing, and it is a way to engage and interact with website visitors. People are also becoming increasingly judicious about the emails they want to receive, so there is an underlying trust that exists.
Given the delicate nature of trust, it is awful to think that a hacker can insert malware into your website and email spam to your visitors. And yet, that is exactly what some malware does. It hijacks the WordPress core function wp_mail() to send out spam emails.
Malware ordinarily causes Google blacklists and web host suspensions, but in the case of spam emails your web host will also blacklist your email service and you will see a bunch of other errors. In fact, if the spammer adds email addresses to your website as well, then you are in danger of having your email blacklisted altogether.
Fix: Clean the spam email malware from your website, and use an email marketing tool instead.
16. Dormant user accounts
Users on a website change constantly. If you run a blog with multiple authors and editors, for instance, chances are that new writers are added to the website often, while older writers leave.
The crux over here are the old user accounts that aren’t removed promptly become a WordPress security issue over time. Because the accounts exist but passwords aren’t updated regularly, they are vulnerable to attack. Dormant user accounts suffer from the same dangers of compromised passwords, so removing any accounts not in active use is necessary housekeeping.
Additionally, it is important to know who is doing what on your website. Unusual or unexpected user actions are an early signal of hacked accounts.
Fix: Remove inactive user accounts and use an activity log.
Best practices to prevent WordPress security concerns
WordPress security issues are constantly evolving, and it is hard to stay on top of them in addition to all the other work that goes into running a website. Therefore, here are a few good security practices that can help you protect your website from malware and hackers, without extra effort on your part.
- Install a security plugin: The best defence your WordPress has against hackers is a good security plugin like MalCare. A WordPress security plugin should have a malware scanner and cleaner. Ideally, it should also come with a firewall, brute force protection, bot protection and an activity log. MalCare has all this, and security experts readily available for any help. It is a hands-off solution, only alerting you when action is necessary, and doesn’t hog up server resources in the bargain. Install MalCare now, and breathe a sigh of relief.
- Use a firewall: A web application firewall protects your website from all kinds of bad actors. Hackers want to exploit vulnerabilities on your website, in addition to other WordPress security issues. A firewall prevents that, by only letting in legitimate visitors. It is a must-have for your website, and it is even better if it comes bundled with your security plugin.
- Keep everything updated: Ensure that WordPress core, plugins and themes are always updated. Updates often contain security patches for vulnerabilities, and therefore it is critical to update as soon as possible. However, we know that applying updates is not always straightforward. To minimise risk, safely update your website using BlogVault. Your site is backed up just before the update, and you can see how the update performs on staging first before updating your live website.
- Have two-factor authentication: Passwords can get cracked, especially if they aren’t particularly strong or have been reused. Two-factor authentication generates a real-time login token in addition to passwords that is much harder to crack. You can enable two-factor authentication using a plugin, like WP 2FA or another one off of this list.
- Enforce strong password policies: We cannot stress the importance of strong and unique passwords enough. We recommend using a password manager. In order to protect your website from security issues, like brute force attacks, your security plugin should limit login attempts as well.
- Regular backups: Sometimes backups are the last resort with a hack, and your website should always have a backup that is stored away from your website server. Learn more about how to backup your WordPress site.
- Use SSL: Install an SSL certificate on your website to encrypt communication back and forth from it. SSL has become a de facto standard, and Google actively promotes its use for a safer browsing experience.
- Conduct a security audit every few months: Review users and their actions on the website, with an activity log. Unusual activity can be an early warning signal of malware. It is also advisable to implement the least privileges policy for admin and user accounts. Finally, purge any unused plugins or themes on your website. Deactivated themes and plugins are overlooked for updates, and WordPess security vulnerabilities go unchecked causing websites to be hacked.
- Choose reputable plugins and themes: This is slightly subjective as a security measure, but it is worth using the best plugins and themes on your website. Check if the developer regularly updates their product, for instance. In addition to online reviews and support experiences of other users, this is an important metric. Additionally, premium software is generally a better bet overall. But most crucially, never use nulled software. It often carries malware in the code, having been cracked for that very reason. It is just not a worthwhile risk.
You can also harden your WordPress website, and educate yourself on how WordPress security works.
Top causes of hacks on WordPress sites
There are two weak links in the security of your WordPress site: vulnerabilities and passwords. 90%+ of malware is injected via vulnerabilities, 5%+ because of compromised or weak passwords, and <1% are because of other causes, like poor web host services.
While WordPress itself is secure, websites are built with more than just core WordPress. We use plugins and themes to extend functionality of our websites, add features, have a nice design, and interact with website visitors. All this is achieved with plugins and themes.
Plugins and themes, like WordPress, are built with code. When developers write code, they can make mistakes that result in loopholes. Loopholes in code can be exploited by hackers to perform actions that were not intended by the developer.
For instance, if your website allows users to upload images, say for a profile picture, the upload should only be an image file. However, if the developer has not put in those constraints, a hacker can upload a PHP file full of malware instead. Once it is uploaded to the website, the hacker can then execute the file and the malware will spread to the rest of the site. These loopholes are vulnerabilities. There are other types, of course, but these are the major ones that afflict WordPress sites.
If a hacker has your account credentials, they don’t need to hack into your website. That’s why strong passwords are so important.
There are two principal ways that passwords become the weakest link in the WordPress security chain. One is by using easy-to-remember passwords, which are consequently easy for hackers and their bots to guess. And the second way is when users reuse passwords across websites and services.
Data breaches are all too common. For example, a user has the same password for two different accounts: an ecommerce website and their Twitter account. If the ecommerce website has a data breach, where user data is stolen, their Twitter account is now compromised. The hacker can log into the account and cause all manner of havoc.
Both vulnerabilities and compromised passwords are WordPress security risks you can deal with easily, with the right tools and the right advice. Fortunately, both of those things are here.
WordPress security issues can be daunting to an inexperienced admin, but that doesn’t mean there is no solution to them. Security issues can be resolved easily, by listening to expert advice. We, at MalCare, firmly believe that WordPress security should be a hands-off affair, leaving you free to do other things with peace of mind.
We hope that the article helped allay any fears. If there is something we have not addressed, please do let us know. We would love to hear from you.
Does WordPress have security issues?
WordPress is a secure system, but like any other system, it is not perfect. Plugins and themes add functionality and complexity to a website, but also bring in security risks. However, there are ways to mitigate those successfully, so WordPress websites are protected from hackers.
Is WordPress easily hacked?
WordPress is not easily hacked, however, some of its plugins and themes may not be as secure. Installing a security plugin with an integrated firewall, like MalCare will make a WordPress website much more secure.
Is WordPress secure for commerce?
WordPress is secure for commerce, if the website has a security plugin with a firewall installed. The security plugin will perform daily scans to alert users of malware. MalCare is a great security plugin that not only scans the website, but provides a 1-click auto-clean option as well. MalCare also comes with a firewall to keep away bad traffic from the commerce website, in addition to protecting the website from bots that scrape data.
What are your must-have WordPress security requirements?
The must-have WordPress security requirements are:
- Malware scanner
- Malware cleaner
- WordPress firewall
- Brute force protection
- Bot protection
- Activity log
- Two-factor authentication
These features go a long way toward protecting websites from WordPress security issues.
Are outdated WordPress plugins a security risk for a site?
Yes, outdated WordPress plugins are a security risk for a website. Plugin updates usually contain security patches that address errors in the plugin code. These errors are known as vulnerabilities and can be exploited by hackers to gain unauthorised access to a website. Therefore it is critically important to update WordPress plugins as soon as possible. Same goes for WordPress themes.
Karishma was an engineer in a former life, and so she specialises in making tech more accessible through communication. When she isn't writing, Karishma spends her time tinkering in the innards of WordPress websites