12 WordPress Security Issues (Vulnerabilities) & Tips To Fix Them
Is WordPress secure?
Short answer: The WordPress core is completely secure. WordPress is developed and maintained by some of the most dedicated and efficient engineers in the world.
Minor Issue: WordPress does not work in isolation. There are plugins and themes, usernames, and passwords. They can make the CMS vulnerable to a hack.
We’ve been in the business of WordPress security for close to a decade and we know all about hacked WordPress sites. In fact, MalCare protects 250,000+ sites from hackers and malicious attacks on a daily basis.
NOTE: Themes, plugins, and user credentials don’t make WordPress vulnerable per se. Using outdated themes and plugins and weak credentials do.
In this article, we’ll tell you about:
- The most common vulnerabilities and hacks you can experience
- And the steps you need to take to protect your site against them.
To protect your site against WordPress security issues you need to install our WordPress Security Plugin. It’ll secure your site with a firewall and run a daily scan. It’ll also help implement many website hardening measures without breaking your site.
12 Most Common WordPress Security Issues And Vulnerabilities
WordPress security issues can be classified into:
- Common WordPress vulnerabilities
- Common WordPress hacks
Vulnerabilities on your website are exploited to hack the site. Patching vulnerabilities reduced the threat of a hack. There are 5 major vulnerabilities your site could be facing –
5 Most Common WordPress Security Vulnerabilities
1. Outdated Themes & Plugins
We’ve been involved in WordPress security for nearly a decade. Having dealt with hundreds of thousands of hacked websites, we know for a fact that outdated themes and plugins are the leading cause behind hacked websites.
Like any other software, WordPress themes and plugins develop vulnerabilities. To patch it, developers quickly release an update. When site owners delay or fail to implement updates, they leave their sites vulnerable to a hack.
Take for instance, the world’s most popular form plugin – Contact Form 7. It developed a vulnerability that enabled hackers to gain complete access to your website. Although the developers released a patch almost immediately, many site owners suffered a hack because they delayed or altogether ignored the update. Luckily we were able to clean their site and restore it back to normal.
Read more about Contact Form 7. Some more known plugins vulnerabilities are:
2. Nulled WordPress Plugins & Themes
Nulled themes and plugins are very tempting to use. You are after all getting premium features without paying a dime. Unknown to you, however, such plugins and themes come at a cost.
As much as you’d like to believe, nulled themes and plugins are not distributed to help you. Rather the motives are exploitative.
Pirated themes and plugins are riddled with backdoors. When you install it on your site, you are unknowingly planting a door that will be used by hackers to gain access to your site.
Even if you clean your site, as long as the pirated theme or plugin exists, your site remains vulnerable. It will be hacked over and over again.
Moreover, pirated themes and plugins don’t receive updates from developers. This also leaves your website vulnerable.
Pirated themes and plugins are responsible for wp-feed.php infection which affects hundreds of thousands of WordPress websites.
3. Poor WordPress Login Security
Your login page is a popular target because it gives hackers direct access to your WordPress site.
To crack your login credential, hacker design bots who can try out hundreds of usernames and passwords within the span of a few minutes. This is called a brute force attack.
Needless to say, weak credentials like admin, user, password123, p@ssw0rd, are easy to crack.
Even if brute force attacks are unsuccessful, hundreds of login attempts made on your site will take a toll on your server. Loading the WordPress login page pre-loads the entire website as soon as the wp-config.php file is executed.
That’ll slow down your site for sure. Due to a system overload, your site may crash and throw a 503 error.
4. Poor Hosting Environment
Poor hosting services can also make your website vulnerable. Think of your hosting provider as the legs of a chair. It bears the weight of people sitting down. Now imagine a leg becoming infected with termites. This causes the chair to collapse under pressure.
Likewise, your hosting is a pillar that holds your website upright. If the hosting is damaged, your website will not survive.
Poor hosting conditions are particularly common with obscure hosting companies. If you are picking anything other than the top hosting services, chances are your website will become vulnerable to a hack or a crash.
That said, even popular hosting providers who offer shared hosting services can make your website vulnerable. Shared hosting services are riddled with security issues. The nature of the shared environment is such that when one website experiences a hack, other sites on the same server will suffer consequences.
5. Poor WordPress User Role Practices
WordPress offers you 6 different user roles to choose from. The authorities granted to each user role are:
The administrator is the most powerful in the bunch and has unrestricted access to the entire website. Such power cannot be handed out to just about anybody. Yet we come across many websites that have made all their users an admin.
If one user decides to take advantage of the power granted to him or her, they can run havoc on your site. It also gives them the power to create ghost admins and backdoors to regain access to your site if you ever delete their accounts.
Alternatively, they can silently exploit your site and data to make a quick buck. We’ve seen instances where the hacker changed the bank account linked to the payment gateway on a WooCommerce site and sucked all the cash right out of the victim’s store.
Moreover, if any of the users are using weak credentials, it increases the chances of getting hacked or even losing complete control over your site.
Those are the 5 most common WordPress vulnerabilities.
Thanks to these vulnerabilities, WordPress websites become victims of several different types of hack attacks. We are discussing some of the most common ones in the next section.
7 Most Common WordPress Hacks
1. SQL Injection
Most WordPress hacks are carried out by exploiting a vulnerability present on your site. In the case of the SQL injection attack, hackers exploit vulnerabilities in the input fields of form plugins. They use it to inject malicious PHP scripts in your site’s database to steal information or gain control of the entire site.
2. Pharma Hack
Like the SQL injection, pharma hacks are also carried out by exploiting a vulnerable theme or plugin or perhaps weak credentials.
After gaining access to your site, hackers will install virus like favicon.ico malware, target your ranking pages and infect them with spammy keywords and pop-up ads. The intention is to use your site’s SEO credibilities to rank the pharmaceutical drugs they are selling. The pop ads are places to redirect visitors to their stores where they can sell the product.
This type of hack attack is also called SEO Spams.
3. Japanese Keyword Hack
Japanese keyword hack is very much like the pharma hack. Vulnerable plugins and themes are exploited to gain access to your site. Then your pages are injected with spammy Japanese words and affiliate links. Once your site starts ranking for Japanese keywords, it starts drawing visitors who click on those malicious affiliate links to buy products sold by the hackers.
4. Cross-Site Scripting Attack
Cross-site scripting is a tricky hack attack carried out with the help of a vulnerable plugin or theme.
Say a vulnerable comment plugin allows hackers to leave a malicious link in the comment section. Anyone who clicks on the link will end up giving access to their browser cookies. Hackers exploit the browser cookie of the site’s user to extract user credentials and gain access to your site.
This type of hack is also called cookie stealing & hijacking session attack.
To carry out a phishing attack, hackers use a vulnerability (like an outdated plugin or theme or weak credentials) to gain access to your site.
Hackers then use your site’s resources to send spam emails to your customers. Their purpose is to trick people into clicking a link that’ll take them to a hoax site like an e-banking website.
Hackers will then dupe visitors into sharing sensitive information like credit card numbers.
6. Privilege Escalation
In a brute force attack, hackers guess user credentials to gain access to your site. But what if they hijacked a user with low privileges like a Contributor or a Subscriber?
They couldn’t possibly do anything with that type of account. They need admin access. That’s when they resort to escalating privileges.
Hackers use vulnerabilities in plugins to override the set of permission granted to their user account and eventually gain full control of the site. Read more about privilege escalation.
7. WP-VCD.php Hack
In a WP-VCD.php attack, hackers gain access to your site thanks to pirated or outdated themes and plugins. They use your site to store illegal files and folders like cracked software, pirated films, and TV shows. As a result, they hog a lot of your resources making your website super slow. In some cases, your hosting provider even suspends your site for using way too many resources.
With that, we come to the end of the most common WordPress hacks. Your website is likely to experience one of them unless you take the following security measures.
How to Fix the Most Common WordPress Security Issues?
We spoke of common vulnerabilities that WordPress websites experience and also the types of hacks that the vulnerabilities can cause.
Let’s show you how to patch those vulnerabilities. This will greatly reduce the chances of a hack.
1. Install a WordPress Security Plugin
There are plenty of security plugins to choose from but not every plugin is efficient. Many are good at making a whole lot of noise but fail to deliver.
MalCare is no B.S. security plugin that offers security measures that ACTUALLY protects the site from hackers and malicious bots.
It is designed to close all your security holes.
- The plugin helps you keep your site updated.
- It’ll scan your site daily and quickly alert you about malware infections.
- It’ll help you take site hardening measures recommended by WordPress.
- And it’ll place a firewall to weed out bad traffic from country or device. Before hackers and bots can make any move on your site they are blocked from accessing the site.
Give MalCare Security A Spin Right Away!
2. Keep Your Website Updated
We can’t stress enough about the importance of security updates. You must have noticed that most hacks attacks that we spoke of in the earlier section were caused due to outdated themes and plugins. It happens when there is a delay in updating the site. It leaves the site susceptible to a hack.
3. Stop Using Pirated Plugins & Themes
Pirated themes and plugins are made available online to distribute backdoors. It is used to gain unauthorized access to your website.
Many pirated software distribution sites are made to share resources and help out people. They allow users to upload pirated themes and plugins. These uploads are not vetted and hackers use this opportunity to upload plugins and themes riddled with malware.
Bottom line is, you can’t trust pirated themes and plugins.
Suppose you get one from a trusted friend, even then pirated themes and plugins won’t receive updates. You don’t want to risk running outdated software on your site.
Learn more about:
4. Implement Login Security Measures
Hackers carry out brute force attacks on your login page all the time. There are a few measures you can take to protect that page. Those are:
Enforce strong credentials – Keep a track of all the usernames and passwords used on your site. Make it mandatory to use unique usernames and strong passwords.
Implement CAPTCHA protection – A CAPTCHA will help limit the number of failed login attempts. If you are using a security plugin like MalCare, it will have CAPTCHA protection enabled on your site automatically.
Implement Two Factor Authentication – After implementing two-factor authentication, you will need to insert a code sent on your registered phone number before you can access your wp-admin dashboard.
Services like Facebook and Gmail use two-factor authentication to ensure that the correct user is accessing the account. Here’s a guide that’ll help you implement two-factor authentication.
For more protection measures, check out our post on WordPress login page security.
5. Implement Proper User Roles
Giving admin access to every single user is a bad idea. Such power should be held with only 2-3 trusted users.
Review all the users of your site and ask yourself what sort of permissions they need to carry out their day to day job.
Here’s a rundown of the powers granted to WordPress users:
- Administrator – Has access to all features and has complete control over the entire website
- Editor – Can manage and publish all posts
- Author – Can publish and manage only their posts
- Contributor – Can write and draft their posts but can’t publish them
- Subscriber – Can only manage their profile
Choose user roles wisely.
This covers all the common vulnerabilities we spoke of. If you take the above measures, it will greatly reduce the chance of a hack. But for complete security, you NEED to harden your site’s security.
6. Implement Website Hardening
WordPress recommends the following site hardening measures:
- Change file permissions
- Rename database table prefix
- Install an SSL certificate
- Take regular backups
- Disabling file editors
If you are using MalCare Security Services, you can disable the file editors with the click of a button.
The plugin will help you implement some more site hardening measures like blocking the installation of themes and plugins, blocking PHP execution in an untrusted folder, changing security keys, and resetting all passwords.
You can also upgrade to a higher plan for backups service.
To meet all your security needs, use MalCare Security Plugin
Impact of a Hacked Website
If your website is hacked, you might experience terrible repercussions. Some of the most common impacts of Hacked WordPress website are:
- Hackers redirect your visitors to their malicious sites. This causes a jump in the bounce rate and declines in the time people spend on your site.
- Popup ads on your pages or the illegal files stored on-site servers will make your site slow.
- No one likes a slow website. Visitors will hit the back button quickly. Search engines will realize that people are leaving your site way too fast and they will interpret this as a sign of a bad website, one that does not meet visitor’s expectations. Search engines will stop ranking your site.
- All that time, effort, and money you invested to up your SEO game would go to waste.
- When Google and your hosting provider find out that your site is hacked, they will provide deceptive site warnings to users, they might blacklist and suspend your site respectively.
- Cleaning a hacked site is expensive.
Wondering if your site is vulnerable or even hacked? Here’s an article that’ll help you get an answer – Is my website hacked?
And if your site is indeed hacked, then you need a powerful plugin to clean the malware from every nook and corner of your site.
MalCare is just the plugin you need.
Use MalCare Security to Scan & Clean Your Site!
Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.