Any web application could potentially be hacked, but WordPress is a primary target due to its popularity. The core of WordPress code is generally secure, but vulnerabilities usually stem from third-party themes or plugins. Themes and plugins add code to the WordPress core to provide additional functionality, but it is precisely this code that can introduce vulnerabilities.
Third-party code isn’t the only risk to a WordPress site. If the server or application is misconfigured (e.g., permissive access to critical files or directories), it could lead to a data breach, or an attacker could upload malicious code to the WordPress server to compromise the targeted website or the server itself.
Because WordPress is such popular software, it’s common for attackers to use scanning scripts to find and (sometimes) automatically exploit vulnerabilities. Anyone who monitors a WordPress site will see numerous scans from bots and other automated threats on a daily basis. Here is a list of common threats that could compromise a WordPress site and that you should consider when securing your site.
Unauthorized Authentication
Brute-force attacks on the WordPress blog’s administrator account are very common. If you use a monitoring application that blocks and logs these brute-force authentication bots, you can see that the usernames “admin” and “administrator” are constantly attacked. You can take precautions and protect against brute-force authentication by using an alternative administrator username. This does not entirely protect against brute-force attacks, but it will defeat scripts coded to try only the two most common administrator usernames.
Outdated Core Software
The core code in WordPress is secure until a vulnerability is found. The vulnerability could be introduced in new code added to the WordPress core codebase, or it could be from an unknown vulnerability that existed for a while and was recently discovered.
WordPress developers release new versions all year round. To combat vulnerabilities from outdated core software, update your WordPress software when a new release is available. WordPress also has an automatic update feature to update the core software whenever a new version is deployed.
Outdated PHP Versions
The PHP programming language has gone through multiple changes since its release, and older versions are no longer supported. The official PHP website lists the latest version as 8.2 with security updates supported until 2025, but 8.0 will not receive security updates after December 2023. If you run older versions of PHP, you risk leaving vulnerabilities in the WordPress site with no option to patch them.
Hosting an outdated PHP version is common because whenever new software is introduced to the site, the new configuration should be tested before it’s installed. This complication leads to a delay, which opens a window of opportunity for attackers. When a PHP version is officially deprecated and no longer supported, the WordPress site should be tested and upgraded to the latest supported version as quickly as possible.
Undefined User Roles
When you first set up the WordPress software, you create an administrator account during installation. This account has full control over the application. WordPress has several other roles, such as Editor, Writer, and Subscriber. Each role carries its own set of core permissions, which are granted to a user account when it’s created.
User permissions should be closely monitored, and anyone in charge of adding users should follow clear guidance to assign the right role to every new account. New users are also assigned a role by default. That default role should have the most limited permissions, with additional permissions granted later as needed.
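The two checks the paragraphs above describe (a least-privilege default role, and a short list of accounts holding full control) can be turned into a repeatable audit. The following is an added example, not code from the article; it assumes it runs inside WordPress (for instance as a must-use plugin or via `wp eval-file`), uses only core functions (`get_option`, `get_users`, `username_exists`), and also reports the two predictable usernames named earlier on this page.

```php
<?php
/**
 * Added example (not from the original article): audit WordPress user roles
 * for least privilege. Assumes WordPress is loaded, e.g. run as a mu-plugin
 * or with `wp eval-file roles-audit.php`.
 */

/**
 * Returns a list of human-readable findings; an empty array means the
 * site passes every check.
 */
function wp_roles_audit(bool $fix_default_role = false): array {
    $findings = [];

    // 1. New accounts should land in the least-privileged built-in role.
    $default_role = get_option('default_role');
    if ($default_role !== 'subscriber') {
        $findings[] = "default_role is '{$default_role}', expected 'subscriber'";
        if ($fix_default_role) {
            update_option('default_role', 'subscriber');
            $findings[] = 'default_role reset to subscriber';
        }
    }

    // 2. Every administrator is a full-control account that should be
    //    justified and monitored, so list them explicitly.
    $admins = get_users([
        'role'   => 'administrator',
        'fields' => ['ID', 'user_login'],
    ]);
    foreach ($admins as $user) {
        $findings[] = "administrator account: {$user->user_login} (ID {$user->ID})";
    }

    // 3. The usernames scanning bots try first should not exist at all.
    foreach (['admin', 'administrator'] as $login) {
        if (username_exists($login)) {
            $findings[] = "predictable username present: {$login}";
        }
    }

    return $findings;
}

// Print the report when run directly, e.g. through WP-CLI.
if (defined('WP_CLI') && WP_CLI) {
    foreach (wp_roles_audit() as $line) {
        WP_CLI::log($line);
    }
}
```

Run it read-only first; pass `true` only once you have confirmed that `subscriber` is the correct default for your site, since some sites deliberately rely on a different default role.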
WordPress Outdated Themes and Plugins
Just like the core WordPress codebase must be updated, themes and plugins should also be updated when vulnerabilities are discovered. This requirement puts pressure on developers to patch their software, so the WordPress site owner should only install themes and plugins with an active developer who has not quit supporting the plugin code.
As you search for a plugin or theme, always choose software that has an active developer and frequent updates, especially security updates. It is also crucial that you use reputable sources to download these themes and plugins.
SQL Injection
When code passes SQL queries to the backend database, the input feeding those queries must be validated to avoid SQL injection. SQL injection attacks take advantage of poorly coded plugins and themes and send malicious statements to the database. These statements allow the attacker to execute queries, delete data, and potentially elevate privileges. The most serious security issue is that attackers can hide malware within the database for reinfection and to maintain a persistent threat.
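The defect described above usually looks like a request parameter concatenated straight into a query string. The following is an added example, not code from the article: the unsafe pattern next to the form WordPress itself provides for binding values (`$wpdb->prepare`). It assumes WordPress is loaded (`$wpdb` exists) and a hypothetical plugin table `{$wpdb->prefix}reviews` with columns `id`, `post_id`, and `body`.

```php
<?php
/**
 * Added example (not from the original article): a plugin query that is
 * open to SQL injection, beside the prepared-statement version. The table
 * {$wpdb->prefix}reviews is hypothetical.
 */

// INSECURE (do not ship): the request value becomes part of the SQL text,
// so whatever the client sends is interpreted as SQL, not as data.
function reviews_for_post_insecure(): array {
    global $wpdb;
    $post_id = $_GET['post_id'] ?? '';
    $sql = "SELECT id, body FROM {$wpdb->prefix}reviews WHERE post_id = $post_id";
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// HARDENED: the caller passes an integer, and $wpdb->prepare() binds it
// with the %d placeholder. The table name is interpolated only because it
// is built from $wpdb->prefix, a site setting, never from user input.
function reviews_for_post(int $post_id): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, body FROM {$wpdb->prefix}reviews WHERE post_id = %d",
        $post_id
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Validate at the boundary: absint() turns anything that is not a positive
// integer into 0, which we treat as "no post requested".
function reviews_shortcode(): string {
    $post_id = absint($_GET['post_id'] ?? 0);
    if ($post_id === 0) {
        return '';
    }
    $out = '';
    foreach (reviews_for_post($post_id) as $row) {
        // Escape on output as well; the database is not a trusted source.
        $out .= '<p>' . esc_html($row['body']) . '</p>';
    }
    return $out;
}
add_shortcode('reviews', 'reviews_shortcode');
```

For string values use `%s` in the same way; `$wpdb->prepare()` quotes and escapes the bound value, so the query never needs manual quoting. When reviewing a third-party plugin, searching its source for `$wpdb->query(` and `$wpdb->get_results(` calls that lack a `prepare(` is a quick first pass for this class of bug.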
Malware
Attackers will write scripts to identify opportunities to upload malicious applications. Successful malware installation can allow an attacker to deface the site, download ransomware to the server, or inject code into WordPress files.
Malware can be uploaded for various reasons. Permissive access on directories, vulnerabilities in plugin and theme code, or incorrect site configurations are a few examples of security issues that could lead to malware being installed on a WordPress site. Keeping your site updated and monitoring its activity can help prevent and detect malware uploads.
SEO Spam
Some attacks inject keywords, links, and redirects. The goal is to take advantage of site pages ranked highly in search engines and leverage them to boost ranking for an attacker’s site. The so-called “pharma hacks” hide keywords and links for pharmaceutical products in victim pages.
Conditional redirects will also affect search engine ranking, so site owners might see their pages rank for strange phrases or lose ranking suddenly.
Distributed Denial-of-Service (DDoS)
A DDoS does not stem from poor code, but it happens when attackers flood the site with too much traffic, exhausting resources. If a DDoS is not detected quickly, the attack could render the site unusable. A DDoS uses several devices in different geolocations to send a flood of traffic to the server, which can happen seemingly without any warning. The site should be monitored for such an attack so administrators can act quickly.
A DDoS is distinct from a denial-of-service (DoS). A DoS can also result from a vulnerability in poorly engineered code. Any malicious activity that blocks users from using site functionality is a DoS. Monitoring site activity, errors, and server resources will help detect and quickly stop a DoS.
Brute-Force Attack
The administrator account is always a target for brute-force attacks. Attackers use common passwords, load them into scripts, and automatically attempt authentication across thousands of WordPress sites. You can stop brute-force attacks by using two-factor authentication (2FA) and assigning cryptographically secure passwords to all accounts, most importantly the administrator.
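Both the “Unauthorized Authentication” section earlier on this page and the paragraph above describe the same automated attack: repeated password guesses against a handful of usernames. The following is an added example, not code from the article, showing how a site can log those failures and temporarily refuse an address after too many of them, complementing 2FA and strong passwords rather than replacing them. It assumes WordPress (drop it into `wp-content/mu-plugins/`) and uses core hooks (`wp_login_failed`, `authenticate`) and transients; the limits of 5 failures per 15 minutes are chosen here, not by the article.

```php
<?php
/**
 * Added example (not from the original article): log failed logins and
 * block an IP after repeated failures. Assumes WordPress; install as
 * wp-content/mu-plugins/login-throttle.php. Thresholds are assumptions.
 */

const BF_MAX_FAILURES   = 5;
const BF_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

function bf_client_ip(): string {
    // REMOTE_ADDR is the only address the web server itself vouches for.
    // Behind a trusted reverse proxy, derive the IP from that proxy's
    // header instead, and only from that proxy.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function bf_transient_key(string $ip): string {
    return 'bf_fail_' . md5($ip);
}

// Count failures per IP inside a rolling window and emit a log line that a
// log shipper or SIEM can pick up.
function bf_record_failure($username): void {
    $ip    = bf_client_ip();
    $key   = bf_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, BF_WINDOW_SECONDS);

    // Probes for the default usernames are the signature of scanning bots.
    $probe = in_array((string) $username, ['admin', 'administrator'], true)
        ? ' [default-username probe]' : '';
    error_log(sprintf('wp-login failure %d/%d from %s for "%s"%s',
        $count, BF_MAX_FAILURES, $ip, (string) $username, $probe));
}
add_action('wp_login_failed', 'bf_record_failure');

// Refuse authentication from an IP that has exceeded the limit. Returning a
// WP_Error from the 'authenticate' filter stops the login; the message is
// the same whether or not the username exists, so nothing is leaked.
function bf_block_if_limited($user, $username, $password) {
    $count = (int) get_transient(bf_transient_key(bf_client_ip()));
    if ($count >= BF_MAX_FAILURES) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed logins from your address. Try again later.'
        );
    }
    return $user;
}
// Priority 30 runs after WordPress's own username/password check (20).
add_filter('authenticate', 'bf_block_if_limited', 30, 3);
```

Two caveats a practitioner should weigh: transients live in the options table unless a persistent object cache is configured, so on a busy site the counters add database writes; and one public IP can front many users (NAT, corporate proxies), so a low threshold will occasionally lock out legitimate people along with the bot. The `error_log` lines are what make the attack visible in the first place; review them, because the page's point about monitoring holds regardless of whether blocking is enabled.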