7 Most Common WordPress Security Vulnerabilities (And How to Fix Them)

Apr 2, 2020

A WordPress website can have many security vulnerabilities that can be exploited by hackers to gain access to the site.

Once hackers gain access to your site, they will use it to execute a number of malicious activities like launching other websites, sending spam emails (read – phishing attacks), storing files, stealing website data, using black hat SEO techniques to rank their own products (read – pharma hack), etc.

For some websites, things can snowball further.

When Google learns that your site is hacked, they will blacklist your website. When your hosting provider learns about it, they’ll suspend your site.

But don’t worry, you can take security measures to keep your WordPress site safe from hackers.

Today, we’ll show you how you can find common WordPress vulnerabilities on your website and the steps that you can take to fix them.


To protect your WordPress website from common WordPress vulnerabilities you’ll need to keep your site updated, protect your login page, assign user roles carefully, move to HTTPS, etc. You can use our WordPress security plugin – MalCare to implement many of these measures on your site.


6 Common WordPress Security Vulnerabilities & Their Fixes

While there are many vulnerabilities that a WordPress website may have, time and again we have found a few that seem to appear in most websites. If you run a website security audit, you may just find one of the vulnerabilities we have mentioned below –

1. Outdated themes and plugins

Like any other software, WordPress themes and plugins develop vulnerabilities. When developers learn about these vulnerabilities, they quickly fix them and release a security patch in the form of an update.

When site owners don’t update their site and keep using outdated WordPress plugins and themes, their site becomes vulnerable to hacks. Hackers actively seek out vulnerable plugins and themes on WordPress sites and exploit them.

Learn more about the importance of WordPress Security updates.

How to Keep Your Website Updated?

Keeping your WordPress website updated can be challenging. Updates are always rolling in. The frequency of updates makes it difficult to implement them. It’s even more difficult if you have multiple websites to update.

We suggest you set aside one day every week to implement updates on all your websites. We also suggest that you use one of the best WordPress security plugins out there – MalCare.

You can add all your websites on MalCare’s central dashboard. Every time you open the dashboard it’ll show you all pending updates which you can implement from MalCare’s dashboard.


[Screenshot: pending plugin updates in the MalCare dashboard]


Before jumping to the next WordPress vulnerability, we want to caution you about updates.

WordPress updates are known to break websites. A few years back, a major WooCommerce update caused websites to break, creating a lot of problems for e-commerce site owners.

To safely update your site without breaking it, we recommend testing the update in a staging environment. Here are the top WordPress staging plugins that you can use. You can see whether the update causes any trouble on your site. If you’re satisfied that everything is functioning fine on the staging site, you can go ahead and update your live site.

Besides keeping your plugins, themes, and core updated, we strongly suggest that you keep your WordPress salts and security keys updated.

2. Pirated Plugins and Themes

Another very common vulnerability found on WordPress websites is the presence of pirated software.

Pirated WordPress themes and plugins give you access to the premium version of the software for free. Website owners looking to cut down costs are tempted to use pirated themes and plugins for WordPress instead of buying the premium versions.

But pirated software comes with security risks, as it often contains malware and backdoors. When you install it on your site, the malware infects your website. Plus, the backdoor acts as an entry point for hackers to come in and take control.

Pirated themes and plugins can lead to a compromised site the minute you install them. Hence, as tempting as they sound, avoid installing such software on your website at all costs.

How to Keep Your Website Safe from Pirated Software?

There are 2 things that you can do –

i. Remove all Pirated Themes and Plugins Installed on Your Site

Deactivate and delete all pirated plugins and themes installed on your website.

And if you see any plugin or theme that you don’t remember installing on your site, it’s possible that it’s part of a hack. We strongly suggest that you remove the software from your website. We also suggest that you scan your website using a WordPress malware scanner. After scanning the website, the tool shows you the infected files it found on your site, which you can go ahead and clean using the malware removal option.

ii. Buy or Download Plugins From Trusted Sources Only

In the future, get all your plugins or themes only from the WordPress repository or trusted sources like Themeforest, Themeisle, etc.

3. The WordPress Login Page

The login page enables you to access your WordPress admin dashboard which is why hackers target it more than any other page.

Moreover, it’s easy to find the login page of a WordPress website because all WordPress sites come with a default login page like website.com/wp-admin.

Hackers rarely try to break into the login page by themselves. They program bots to open a login page and try out different combinations of username and password. If you are using an easy-to-remember login credential (like username – admin and password – p@ssw0rd), the bots can crack it within a few minutes. Hackers can then access your website and start executing malicious activities.

This type of attack is called a brute force attack. Luckily, you can avoid such attacks by using a strong and unique username and password.
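The bot-driven login attempts described above leave a recognisable trace in the web server’s access log. The following added example (not part of the original article) shows one way a site owner can spot them: a failed WordPress login re-renders wp-login.php with HTTP 200, while a successful login answers the POST with a 302 redirect, so a client that posts to wp-login.php many times and always gets 200 is very likely a brute-force bot. The log lines are constructed sample data in Apache combined format, not real traffic.

```shell
# Constructed sample of Apache "combined" access-log lines (not real traffic).
# A failed WordPress login re-renders wp-login.php with HTTP 200; a successful
# login answers the POST with a 302 redirect to the dashboard.
SAMPLE_LOG='203.0.113.7 - - [02/Apr/2020:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
203.0.113.7 - - [02/Apr/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
203.0.113.7 - - [02/Apr/2020:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
203.0.113.7 - - [02/Apr/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
203.0.113.7 - - [02/Apr/2020:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
203.0.113.7 - - [02/Apr/2020:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.22"
198.51.100.4 - - [02/Apr/2020:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2020:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2020:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [02/Apr/2020:10:02:00 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 3998 "-" "Mozilla/5.0"'

# Print "IP count" for every client with at least THRESHOLD failed-looking
# wp-login.php POSTs (status 200). Reads log lines on stdin.
# Usage: flag_login_bruteforce THRESHOLD < /var/log/apache2/access.log
flag_login_bruteforce() {
    awk -v threshold="$1" '
        # $1 client IP, $6 "\"POST", $7 request path, $9 status code
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' | sort
}

# Run against the sample: only the scripted client exceeds five failures.
# The legitimate user (one failed try, then a 302 success) is not listed.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

The status-code heuristic assumes the default login form; a plugin that changes the login response (for example, returning 403 on failure) needs the `$9` condition adjusted accordingly.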

How to Create Strong Credentials?

Your WordPress website requires you to enter a username and a password, both of which have to be strong. You need to make it as difficult as possible for the hacker to guess your credentials. Using a strong username and password can significantly reduce the chances of a hack.

i. Creating Strong Usernames

Many website owners focus only on creating a strong password and often ignore the username. But if the username is easy to guess, all that remains for the hackers to figure out is the password. So your username is the first line of defense against brute force attacks and should be taken seriously.

Years ago, WordPress encouraged people to use “admin” as a username which made the job of a hacker easy. Although WordPress has stopped suggesting that username, you can still create an account with an easy-to-guess username like “admin.”

All usernames on your website should be unique. This means doing 3 things –

1. Avoid using common usernames like admin, admin124, etc.

2. Avoid using usernames that appear on your website. Say, if you are publishing articles under the name Sophia, then Sophia cannot be your username.

Hackers often seek out names from the website to try them out on the login page.

3. You have to implement these measures across the board for all users. Every user on your WordPress dashboard should change their username to something unique. Here’s a guide on How to Change WordPress Username?

ii. Creating a Strong Password

We tend to use weak passwords because they are easy to remember. But during a brute force attack, hackers can easily guess the password and gain access to your website.

WordPress recommends using a strong password but does not enforce it. As shown in the image below, it prompts you that your password is weak but you can still go ahead and create a weak password on a WordPress website.

So it’s up to the website owners to ensure that every user is using a strong password.


[Screenshot: WordPress password reset form flagging a weak password]


There are a few ways in which you can create a strong password. Those are:

1. Auto-generate Strong Passwords From WordPress

Step 1: Log into your WordPress dashboard. From the menu on the left side of the screen, select Users > All Users.


[Screenshot: All Users page in the WordPress dashboard]


Step 2: Select Edit to go to your WordPress user profile.


[Screenshot: Edit link for a WordPress user profile]


Step 3: On your user profile, click on Generate Password


[Screenshot: Generate Password button on the WordPress user profile]


A new password with combinations of special characters and numbers will be generated.


[Screenshot: auto-generated strong password]


Remember to hit the Save button before you exit the page.

2. Create a Strong Password With Long Passphrase

You can create a strong password on your own. We recommend using passphrases as passwords. A passphrase is easy to remember but very difficult for a hacker to crack.

    • Long password: xG56ZhsfdfgsLNpd&&)rjl4jjNJ4#h (hard to remember)
    • Long passphrase: Your wolf was white as you know nothing John Snow (easy to remember)

4. Wrong WordPress Roles

When you build a WordPress site, an administrator account is created by default. When you then start creating new user accounts, you assign roles to those users. Each role comes with its own set of powers and responsibilities.

A common mistake that many website owners make is that they assign admin roles to all users.

Admins have complete control over a website. Administration powers in the wrong hands can prove to be fatal for a website.

WordPress offers six types of user roles. It’s a hierarchy. Your power decreases as you go down the hierarchy.

    • Administrator – Has access to all features and has complete control over the entire website.
    • Editor – Can manage and publish all posts.
    • Author – Can publish and manage only their own posts.
    • Contributor – Can write and draft their own posts but can’t publish them.
    • Subscriber – Can only manage their own profile.

How to Set Correct User Roles?

The first step is to carefully decide which roles you want to assign to which users. We strongly suggest keeping only 2 to 3 admin users.

Now if you want to change user roles, here’s what you need to do.

Step 1: Log into your WordPress dashboard. From the menu on the left side of the screen, select Users > All Users.


[Screenshot: All Users page in the WordPress dashboard]


Step 2: Select Edit to go to your user profile.


[Screenshot: Edit link for a WordPress user profile]


Step 3: From there select the new role for the user.


[Screenshot: Role drop-down on the WordPress user profile]


5. Ability to Execute Code in Unknown Folders

Your WordPress site is made up of hundreds of files and folders (Recommended read: Understanding File Structure of WordPress). Some of these files and folders are commonly found on other WordPress websites. For instance, the Upload folder is present on every WordPress site. It is used to store all the plugins and themes installed on your site.

But besides these known folders, it is common to find unknown folders on some websites.

In some cases, the folders are added by the website owner, but in most cases the folders are part of a hack. Hackers inject malicious code into these folders. Since WordPress has no system in place to curb the execution of code in unknown folders, hackers can easily use that code to carry out malicious activities.

How to Prevent Execution of Code in Unknown Folders?

There are two ways in which you can prevent the execution of code in unknown folders:

1. You can do it manually (the hard way)

2. You can do it using a plugin (the easy way)

We’ll show you both ways.


i. Using a plugin

1. Sign up with MalCare and set up an account.

2. From the MalCare dashboard, click on your website. Then go to Security > Apply Hardening.


[Screenshot: Security > Apply Hardening in the MalCare dashboard]


3. Then select Block PHP File Execution in Untrusted Folders


[Screenshot: Block PHP File Execution in Untrusted Folders option]


That’s it.


ii. Doing it Manually

Manually disabling PHP execution is a risky process and we don’t recommend it.

However, if you still want to try your hand at it, we suggest you first take a complete website backup.

To disable PHP execution in the unknown folder, you’ll need to create a .htaccess file and upload it into the folder.

1. Open Notepad (on Windows) or TextEdit (on Mac)

2. Insert the following code snippets and save the file as .htaccess (not .htaccess.txt just .htaccess):

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress


3. Then upload the file in the unknown folder by using the Upload option.


[Screenshot: Upload option in the file manager]


Now that you have a new .htaccess file in the unknown folder, it’s time to prevent the execution of PHP code.

4. Right-click on the .htaccess file and select Edit. Insert the following code and save the file:

    <FilesMatch "\.(php|php\.)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>




[Screenshot: .htaccess file blocking PHP file execution in an untrusted folder]


That’s it. PHP files in that folder can no longer be executed.
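The manual procedure above relies on Apache’s older `Order`/`Deny` directives, which Apache 2.4 only honours when mod_access_compat is loaded. As an added example (not the article’s own code), the POSIX shell script below writes an equivalent deny rule into a folder’s .htaccess with both the Apache 2.2 and the 2.4 (`Require all denied`) form behind IfModule guards, covers `.phtml` and `.php5`-style extensions in addition to `.php`, and refuses to add the block twice. It assumes an Apache server with `AllowOverride` enabled for that directory; the `block-php-execution` marker comments are this example’s own naming. nginx ignores .htaccess files entirely, so the same rule there must go into the server configuration.

```shell
# The protection block. Apache 2.4 uses mod_authz_core ("Require"); Apache 2.2
# uses mod_access_compat ("Order"/"Deny"), so both are supplied behind guards.
# Marker comments ("block-php-execution") are this example's own convention.
PHP_DENY_BLOCK='# BEGIN block-php-execution
<FilesMatch "\.(php|phtml|php[0-9])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
# END block-php-execution'

# Return 0 if DIR/.htaccess already carries the block (idempotency check).
htaccess_blocks_php() {
    grep -q '^# BEGIN block-php-execution' "$1/.htaccess" 2>/dev/null
}

# Append the block to DIR/.htaccess unless it is already there, keeping any
# existing rules in that file intact. Usage: harden_dir /var/www/html/wp-content/uploads
harden_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi
    if htaccess_blocks_php "$dir"; then
        echo "already protected: $dir/.htaccess"
        return 0
    fi
    printf '%s\n' "$PHP_DENY_BLOCK" >> "$dir/.htaccess"
    echo "wrote PHP deny rules to $dir/.htaccess"
}
```

After deploying, request a harmless test file such as `wp-content/uploads/test.php` in a browser; a 403 response confirms the rule is active, while the file’s source or its output means .htaccess is not being honoured.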

6. Running Website on HTTP

HTTP stands for Hypertext Transfer Protocol. It’s the protocol used to establish a connection between your website server (say, a Hostgator server) and a visitor’s browser (say, Google Chrome).

How do you know if your website is running on HTTP?

Take a quick look at the URL of your website. How does the URL begin?

If your URL begins with http://, then your website is running on HTTP.

HTTP is insecure. When you use HTTP, the data sent over the internet between servers and browsers isn’t encrypted. It’s sent in plain text. If a hacker intercepts the data, they can simply read it.

Say a visitor is submitting his credit card details on your site. Since your website is running on insecure HTTP, anyone can intercept the connection and steal the data.

To protect your website from such hack attacks, you need to switch to HTTPS. The ‘S’ stands for Secure. HTTPS ensures that the data traveling between a visitor’s browser and your website server is encrypted. So even if hackers intercept the data and steal it, they can’t read it.

How to Move From HTTP to HTTPS?

To move WordPress from HTTP to HTTPS, you’ll need an SSL certificate.

You can get this certificate from your WordPress hosting provider or from trusted vendors. There are free certificates as well as paid ones. We have a guide that’ll help you choose the best SSL certificate for your website and show you how to make the move.

You may find multiple vulnerabilities on your website. Please ensure that you check your website for all the vulnerabilities we have listed above.

Besides taking the above measures to fix the website vulnerabilities, you can take a few more security measures. We strongly suggest following this guide – Secure Your WordPress Site With wp-config.php.

Final Thoughts

Hackers are always finding novel ways of hacking websites.

However, if you’ve implemented the measures we’ve detailed above, we’re confident you’ve reduced the chances of a hack.

Website security is not something one can take lightly. We find that one of the most effective ways to protect your website from any kind of threat is taking measures like IP blocking, protecting the login page, following this complete guide on WordPress security, and installing a WordPress security plugin like MalCare.

The plugin puts firewall and login protection measures in place to block hack attempts like SQL injection attacks, cross-site scripting (stored XSS) attacks, etc. It scans your website daily and enables you to implement WordPress website hardening measures. If your website is hacked, it’ll help you clean your website immediately. Secure your WordPress website with MalCare. Also, you can check our guide on WordPress security. For more tutorials, follow our WordPress blog.

Try MalCare Security Plugin Now!
