WordPress is the most popular websites building platform. For 8 consecutive years, it’s been named the fastest growing content management system. There are around 75 million WordPress websites online and hundreds of thousands of websites are being added every day. This kind of popularity draws bad attention as much as it draws good ones. Hence, it’s not surprising to learn that over 90,000 hack attempts are being made on WordPress sites every minute of the day.

Websites that are not secure are more at risk of getting hacked. So it is important to learn about WordPress security and how to fix security issues to keep your site secure.

Common WordPress Security Vulnerabilities:

  1. Poor hosting choice
  2. WordPress login vulnerabilities
  3. Outdated Themes and Plugins
  4. Using ‘nulled’ WordPress add-ons
  5. Making everyone an admin
  6. PHP exploits
  7. Running non-SSL sites

1. Poor hosting choice

One of the key components of a well functioning live website is having a good web hosting service. Your choice of web host affects the security of the WordPress website.

Two of the most popular kinds of WordPress hosting services are shared hosting and managed hosting. While shared hosting services are popular because there are cheap, they are not as equipped to handle security threats as managed hosting providers are.

Let’s take a look at the kind of services the two popular hosting providers offer.

Shared hosting

Shared hosting providers offer basic security scan that can detect WordPress malware. The hosting also keeps a record of visitors to your site which may help you in identifying harmful visitors. Many shared hosting providers also take backups in case you want to restore an old backup, you have the option to do so. And as the name suggests, on shared hosting one can host more than one website on the same server which is why shared hosting is a lot cheaper.

Managed hosting

Managed hosting companies offer firewall security and generally implement malware scanning practices. Some managed hosting providers take security a notch higher, imposing restrictions on the access of WordPress files and folders. For instance, WP Engine prevents modification of any PHP file and Pantheon restricts anyone from writing on any folder except for the Upload folder (where you upload theme and plugin).

The Fix:

When choosing WordPress hosts, be sure you go through their features and offerings in details. It’s worthing noting that expensive hosting does not guarantee good service. Learn about the shortcomings of each and every service before making the plunge.

If you’ve already bought a hosting package that you are not happy with, simply migrate to a different hosting provider. There are several migration services (like BlogVault, Migrate Guru) that ensure seamless migrations for your site to the hosting company of your choice. If you need more assistance, learn how to migrate to a new host.

2. WordPress login vulnerabilities

The login page is the most targeted page of any WordPress website since it is a gateway to your website. Hackers often launch brute force attacks via guessing your credentials to gain access to your site. That is because once they have access to the WordPress admin dashboard, they have control over the entire website. Let’s take a look at the two major vulnerabilities of the WordPress login page:

i) Easy-to-guess username & passwords

With sophisticated password cracking methods, hackers today can crack a login credential within a few minutes. Straightforward and commonly used usernames and weak passwords make the job of a hacker way more effortless.

While WordPress does not raise an alarm if you are using a common, easy-to-guess username, it does go to some length to make sure that the passwords are strong. But it does not enforce strong password. Anyone can use a common password if they wish to. It’s up to the site owners to ensure that all usernames and passwords are unique and hard to guess.

The Fix:

Using a strong username and password can significantly reduce the threat of a hack.

When the username is easy to guess, all that remains for the hackers to figure out is the password. Your username is the first line of defense against security threats. Years ago, WordPress encouraged people to use “admin” as a username which made the job of a hacker easy. Although WordPress has stopped suggesting the username, you can still create an account with the username admin. Clearly, you need to avoid using common user names like admin, super admin, editor, or even Tom, Dick, Harry etc.

Some security personnel considers passwords with over 10 characters difficult to crack, so you should consider password reset to, at least, 10 characters. While others recommend 15 characters long passphrases. A combination of lowercase, uppercase and special characters would make a password unpredictable and hard to crack. Needless to say, common words like ‘login’, ‘admin’ should be avoided. For further assistance, check out how to choose a strong password that is easy to remember.

ii) Using default login page

Hackers rarely launch attacks manually. They program bots to access the login page and crack the login credentials of the target sites.

Accessing the login page of a WordPress site is not difficult. The default login page for any website  (www.yoursite.com/wp-admin) is common knowledge.

The Fix:

To prevent bots from accessing your login page, you can change the login page. For instance:

www.yoursite.com/wp-admin is default page. Change it to www.yoursite.com/welcometomysite

www.yoursite.com/wp-admin → www.yoursite.com/welcometomysite

3. Outdated themes and plugins

To patch these security loopholes, developers release updates from time to time. Skipping updates brings your WordPress site through a lot of security risks. As per reports, 80% of hacked WordPress websites were running outdated themes or plugins. Majority of the hacks happen because of a plugin vulnerability. When site owners don’t update their themes and plugins, the vulnerabilities remain and there is a higher likelihood of getting hacked.

The Fix:

Keeping themes or plugins up-to-date helps strengthen the website’s security.

How to Update a Plugin?

Step 1: Go to your WordPress dashboard. From the left panel, select Installed Plugins. It’ll take you to the plugins page.

Update plugins

Select Installed Plugins

Step 2: In the plugin page, you can see all the plugins installed on your site. While scrolling through the list you should be able to see the plugins that are ready for an update. Click on Update Now option that appears on the plugins that ready for an update.

outdated plugin are vulnerable

Select Update Now

For readers who have to maintain dozens of websites, making time to update websites regularly is difficult. WordPress security plugins like MalCare or ManageWP or MainWP offer facilities to update all your websites from the same dashboard. This significantly reduces the time you take to manage a large number of websites.

Updating a WordPress theme or plugin is easy, you can do it with just the click of a button. But one has to take caution because updates are known to break websites. For instance, a few years back a major WooCommerce update caused websites to break creating a lot of problem for e-commerce site owners. A situation like this can be avoided if you stage the site and check the updates on the staging environment before making them on the live site.

4. Using ‘nulled’ WordPress add-ons

WordPress add-ons (i.e. plugin and theme) are an essential component of a WordPress site. They help you design your site like a pro even when you don’t have any technical knowledge.

There are plenty of add-ons to choose from. Some are paid and some are free. Many of the free themes and plugins are built as side projects. Developers don’t have enough time to maintain or provide proper support to users. And since these are free, they can’t afford to hire resources to share the workload. Paid themes are more desirable because they timely support and regularly updated.

People can get a website up and started with as little as a few dollars. Hence a lot of users are reluctant to invest more, in buying themes and plugins. They either go for free alternatives (that come with their own set of problems as we discussed earlier) or use nulled themes and plugins.

Commercial WordPress plugins and themes that are modified in a way that anyone can use for free are referred to as ‘nulled’ themes or plugins. Often people are tempted to use nulled software because they are free of cost, but a lot of the times they contain malicious codes. After you install and activate a nulled plugin/theme that is corrupt, it creates a backdoor for hackers to enter your site.

The Fix:

Get plugin or theme either from the official WordPress repository or trusted sources like Themeforest, Themeisle, etc.

5. Making everyone an admin

When you build a WordPress site, an administrative account is created by default. When you start creating new user accounts, you‘ll need to assign roles to those users and they don’t need to be admin users.

WordPress offers six types of user roles with a built-in hierarchy. The rights of control decreases as you go down the hierarchy and hence, assigning these roles must be done carefully. Every role comes with a set of responsibilities. Let’s take a look at the roles:

  • Super Admin – Has access to all features and has complete control over the entire website
  • Administrator – Has all administrative rights
  • Editor – Can manage and publish all posts
  • Author – Can publish and manage only their own posts
  • Contributor – Can write and draft their own posts but can’t publish them
  • Subscriber – Can only manage their own profile
The Fix:

The site owner should be the Superadmin. Besides the site owner, administrative rights should be bestowed on someone who can be trusted and understands the responsibility.  The abuse of power is very likely to occur if every user is given administrative power.

6. PHP exploits

WordPress like any other software consists of files and folders. Every file and folder has a function to perform. Take for instance the upload folder, where you can upload themes and plugins. The Upload folder is writable. This may open doors for potential attackers. Hackers may find a way to upload a PHP code, execute it and then gain remote access to the site. After gaining access to the site, hackers could remotely utilize your site’s resources or steal information without your knowledge. In a salt-in-wound situation, you might learn about the hack only after search engines like  Google has blacklisted the site or when your web host suspends your website.

The Fix:

To prevent such a catastrophe, one should nip PHP exploits in the bud. Disabling PHP execution in certain folders (writable folders like Upload) will go a long way in securing your website.

How to disable PHP execution?

1: To disable PHP execution in the Uploads folder, simply create a .htaccess file in the Upload folder. You can find the folder in wp-content under public_html.

upload folder in the file manager

Select public_html, wp-content, uploads

2: Now open notepad (for Windows) or TextEdit (for Mac) to create a file.

3: Insert the following code and save this file as .htaccess (not .htaccess.txt):

# BEGIN WordPress

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /index.php [L] </IfModule>

# END WordPress

4: Upload the file in the Upload folder.

click button to upload file in file manager

Select Upload

5: Now you have a new .htaccess file in the Upload folder. Right-click and select Edit. Place the following piece of code in your brand new .htaccess file.

<FilesMatch “\.(php|php\.)$”>

Order Allow, Deny

Deny from all


In the image below, we placed the code in our .htaccess file.

code snippet in htaccess file

This is how the code appears in .htaccess

This ensures that any file having ‘PHP’ will be caught and prevented from executing.

Disabling PHP execution using the above steps are a bit risky. One must tread carefully in the File Manager. A single misstep can cause serious damage to your site. It is easier and less risky to disable PHP execution using a plugin. MalCare Security Service comes with a specific Site Hardening feature that allows users to Block PHP Execution. You will need your FTP details to enable this feature.

7. Running non-SSL sites

SSL certificates help secure your WordPress site by securing the communication between a visitor’s device and your own website server.

The communication between the visitor’s device and your web servers is generally unsafe. Without an SSL certificate, sharing sensitive information like bank credentials are risky. An SSL certificate encrypts the information, ensuring that the sensitive information is being shared to only the intended recipients.

The Fix:

You can get an SSL certificate from your hosting provider. Login to your web hosting account and check if there is an option for SSL certificate. If there is, then select that and proceed to install the certificate. If there isn’t then get in touch with the hosting provider. After installing, the SSL certificate appears in front of your website URL in the form of a padlock. In the final step, you’ll need to redirect the old URL to the new.

Suppose this is the URL of your website: http://example.com

After installing an SSL certificate, your URL will change to https://example.com You’ll need to redirect all your pages from HTTP to HTTPS. Manually doing it will be tedious. Tools like Really Simple SSL helps configure a website to run over https with the click of a button.


With this, we’ve come to the end of this post on common WordPress security vulnerabilities. If there is a usual WordPress vulnerability that you think should be on this list, tell us. We look forward to your feedback!

If you want to secure your website from common vulnerabilities,