WordPress Vulnerabilities You Need to Know About — And How to Fix Them

WordPress powers over 40% of all websites on the internet, making it an incredibly popular platform for bloggers, businesses, and online publishers. Unfortunately, this widespread adoption has also made WordPress a prime target for hackers looking to exploit vulnerabilities.

As a WordPress site owner, it‘s critical that you understand the most common security holes that attackers use to compromise websites. By identifying these weaknesses and taking proactive measures to patch them, you can prevent your site from becoming another hacked statistic.

In this in-depth guide, we‘ll break down the WordPress vulnerabilities you need to be aware of and provide actionable steps to fix them. Let‘s dive in and secure your site.

The wp-login.php Brute Force Attack

One of the most prevalent WordPress vulnerabilities is the wp-login.php file used for site authentication. By default, WordPress allows unlimited login attempts through this page, making it susceptible to brute force attacks.

In a brute force attack, a hacker uses an automated tool to repeatedly guess your username and password. Without any limit on failed login attempts, an attacker can continue trying different username/password combinations until they eventually guess correctly and gain access to your site.

To see how frequently these attacks occur, security firm Wordfence analyzed the hacking attempts across the WordPress sites using their software. In a study from 2017, Wordfence saw a large botnet of over 14,000 IP addresses attempting to brute force WordPress websites.

Here is a chart showing the number of unique IP addresses launching attacks over the 2-month study:

As you can see, at the study‘s peak, over 4,000 different IP addresses were attempting to hack WordPress sites in a single day. This massive scale demonstrates how important it is to protect your site against these pervasive attacks.

Luckily, the fix for this vulnerability is straightforward: install a security plugin that limits the allowed login attempts. We recommend using iThemes Security, previously called Better WP Security.

iThemes Security is a comprehensive WordPress security plugin that includes many helpful features, including brute force protection. Once activated, the plugin will lock out any IP address that exceeds the configured limit for failed login attempts.

Here‘s how to enable login security in iThemes Security:

1. Install and activate the plugin
2. Go to Security > Settings > Network Brute Force Protection
3. Check the box for "Enable network brute force protection"
4. Configure the Lockout Threshold, Lockout Time, and Lockout White List settings
5. Save the changes

With this feature enabled, brute force attackers will quickly get blocked, rendering this type of vulnerability ineffective. As an additional layer of login protection, be sure to use strong passwords with a random combination of uppercase letters, lowercase letters, numbers, and symbols.

The Default Admin Account Risk

When you first install WordPress, the software automatically creates an administrator account named "admin". Since this default username is widely known, it gives attackers half of the information they need to force their way into your site.

Security researchers at WPScan, a WordPress vulnerability scanner, took a sample of over 40,000 WordPress sites to analyze how many were using this insecure default admin username. The results were alarming:

Out of the 42,106 sites scanned, 8,303 (nearly 20%) still had the "admin" username in place. This means that 1 out of every 5 WordPress sites is making a hacker‘s job significantly easier by exposing half of the login credentials.

To reduce this risk, it‘s important to change your admin username to something that is not easily guessed. You can do this by creating a new administrator account with a different username, logging in as that new account, and deleting the original "admin" user.

Here are the steps to change your admin username in WordPress:

1. Go to Users > Add New
2. Fill in the Add New User form with a new username and Administrator role
3. Log out of your site and log back in with the new admin account
4. Go to Users > All Users
5. Hover over the original "admin" user and click Delete
6. Attribute all content to your new admin account and confirm deletion

By removing the default "admin" account, you eliminate one of the most common WordPress vulnerabilities that hackers look for when attempting to compromise a site.

Beware of URL Hacking

WordPress is built on PHP, a server-side scripting language that can be manipulated by savvy hackers if your site is not properly secured. A common method is to inject malicious PHP code into a WordPress site URL, a technique known as URL hacking.

Using URL hacking, an attacker can perform a variety of malicious actions, such as:

• Running PHP scripts to hack your site
• Bypassing WordPress authentication to access unauthorized data
• Performing SQL injection attacks to manipulate your database
• Redirecting users to malware-laden phishing sites

These URL exploits rely on WordPress vulnerabilities like outdated PHP versions, unprotected file uploads, and unsanitized user inputs. To reduce the risk of URL hacking on your site, follow these security best practices:

• Always run the latest stable version of PHP that your hosting environment supports
• Disable file editing within the WordPress Dashboard under Appearance Editor
• Use a web application firewall (WAF) to filter out malicious URL parameters
• Install a security plugin like Sucuri Security to monitor for suspicious requests
• Sanitize user input with functions like sanitize_text_field() and esc_url()

By reducing your site‘s attack surface area with these PHP security measures, you make it much harder for hackers to exploit URL vulnerabilities and run malicious code.

Keep WordPress Software and Plugins Updated

One of the most basic yet critical security practices is to keep your WordPress software and plugins up to date with the latest versions. Each update often includes patches for recently discovered vulnerabilities, making it an easy way to protect your site from emerging exploits.

Unfortunately, many site owners neglect this essential maintenance task. Security firm Sucuri analyzed the websites they cleaned up after a hack and found that 39% of the compromised sites were running an outdated WordPress version at the time of infection.

Considering that WordPress releases multiple updates per year with critical security fixes, it‘s alarming that over a third of hacked sites could have potentially avoided the attack simply by installing the latest version.

To keep your site safe, we recommend enabling automatic updates for both the WordPress core software and your plugins. You can configure auto-updates in your wp-config.php file by adding these lines:

define( ‘WP_AUTO_UPDATE_CORE‘, true );
add_filter( ‘auto_update_plugin‘, ‘__return_true‘ );
add_filter( ‘auto_update_theme‘, ‘__return_true‘ );

The first line will enable automatic updates for WordPress itself, ensuring you always have the latest security fixes. The next two lines will auto-update all your plugins and themes as new versions are released.

By automating these software updates, you eliminate the risk of missing an important security patch. If you‘re worried about compatibility issues, you can also choose to manually update your plugins and themes each month, or only allow auto-updates for plugins you trust.

Strengthen Your Database Security

Your WordPress database contains all the content, user information, and settings that power your website. As such, it‘s a prime target for hackers looking to steal sensitive data or deface your site.

One common WordPress vulnerability is the default table prefix used when naming database tables. By default, WordPress uses the prefix "wp_" for all tables in a new installation, such as "wp_posts" or "wp_users".

Since this naming convention is widely known, attackers can easily guess the table names and craft SQL injection (SQLi) attacks to access your database. An SQLi attack involves inserting malicious SQL code into website input fields in order to communicate directly with the database.

For example, if a hacker knows you have a wp_users table, they could potentially use an SQLi attack to dump all your user information with a single query like this:

SELECT * FROM wp_users;

To prevent SQLi attacks on your site, we recommend changing your database table prefixes to something less predictable. You can do this by editing your wp-config.php file and updating the $table_prefix variable:

$table_prefix = ‘xyz_‘;

Replace "xyz_" with a unique prefix of your choice. By making this change, you break the assumptions attackers use when trying to guess your database structure for SQLi attacks.

In addition to customizing your table prefixes, you should also be extremely cautious with any WordPress plugins that access your database. Only install plugins from reputable sources, and delete any unused plugins that may contain outdated code with security holes.

Harden Your PHP Configuration

As we mentioned earlier, WordPress relies heavily on PHP to power your site‘s core functionality. However, the default PHP configuration is often overly permissive, leaving your site vulnerable to certain types of attacks.

One critical setting to harden is allow_url_include, which controls whether PHP can load remote code via URL parameters. If enabled, this setting can allow hackers to trick your site into running malicious PHP scripts hosted on third-party servers.

To disable this dangerous setting, you‘ll need to edit your php.ini file and set allow_url_include to "0":

allow_url_include = 0

Another important PHP configuration is expose_php, which determines whether your site broadcasts its PHP version in HTTP headers. By default, this setting is turned on, giving attackers valuable reconnaissance about your server environment.

To turn off PHP version exposure, add this line to your php.ini file:

expose_php = Off

After making these changes, save the file and restart your web server for the new settings to take effect. By hardening your PHP configuration, you reduce the risk of several types of code execution vulnerabilities.

Use Secure WordPress Hosting

The underlying hosting environment that powers your WordPress site plays a major role in your overall security posture. Choosing a reputable hosting company with a focus on secure infrastructure can help protect you from common server-level vulnerabilities.

Some key features to look for in a secure WordPress host include:

• Automatic security updates for PHP, MySQL, and Apache/Nginx
• Server-side malware scanning and removal
• Web application firewalls to block common exploit attempts
• Two-factor authentication for hosting account logins
• 24/7 security monitoring and incident response

While secure WordPress hosting tends to be more expensive than a basic shared hosting plan, it‘s a worthwhile investment to keep your site safe. The costs of a hacked website — downtime, lost revenue, damaged reputation — often far exceed the price of quality hosting.

Some of the top secure WordPress hosting providers include WP Engine, Pantheon, WPMU DEV, and Cloudways. These companies all offer various levels of managed WordPress hosting with security features built-in.

Stay Vigilant to Keep Your Site Safe

With WordPress now powering over 40% of the web, it has become a constant target for hackers around the world. The widespread popularity has given rise to a thriving marketplace for WordPress exploits, with new vulnerabilities being discovered on a regular basis.

As a site owner, it‘s critical that you stay informed about the latest WordPress security threats and take proactive steps to protect your website. By implementing the security best practices covered in this guide, you can safeguard your site against the most common types of attacks.

Remember to always keep your WordPress software and plugins updated, use strong admin usernames and passwords, harden your PHP configuration, and invest in secure hosting. We also highly recommend installing a WordPress security plugin like Wordfence or iThemes Security for an added layer of protection.

No single security measure is 100% foolproof, but combining multiple techniques together can dramatically reduce your risk level. By staying vigilant and following WordPress security best practices, you can keep your site safe from hackers and focus on growing your online presence.