Defending Against Common WordPress Vulnerabilities

WordPress is one of the most popular content management systems, and currently powers an estimated 25% of all websites. Its popularity and ease of use come at a cost, however: they make it a prominent target for hackers and thieves. Here are some of the more common WordPress vulnerabilities, along with tips to protect against them.

Open Access to Sensitive Files

WordPress is easy to update partly because it can modify its own files. While this convenience is great from a content creator’s perspective, it also has security implications: locking down a site so an attacker cannot download sensitive data becomes harder when the site’s own code is writable.

Typical sites will want to restrict access to the installation script. Even if it can’t be run twice, undiscovered vulnerabilities in it may grant hackers the ability to read or change database credentials. Likewise, the configuration file should be blocked, as it contains the database password. If a WordPress site stores logs in the same directory as its PHP files, those logs should be moved or restricted so an attacker cannot monitor the progress of their own intrusion attempt. Any files that contain sensitive plugin details or configuration should be blocked as well.

Defending against this vulnerability is challenging because it usually requires correctly configuring the hosting web server, which is not possible on every host. Further, WordPress itself cannot reliably detect that it has been compromised: an attacker need only modify the detection code so it always gives the all-clear even after the site has been hacked. The best mitigation is a remote scanning service. Wordfence scans sites from remote servers, reporting file changes and poorly secured files. It can also repair some compromised files it finds, even without a previous backup of the changed scripts.
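The checks described in this section can be run from the server itself before any web server hardening is attempted. The following command-line audit is an added example and is not code from the article or from Wordfence; the file paths it inspects, the `0640` recommendation and the `wp_file_audit` name are this example’s own assumptions, while `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS` and `WP_DEBUG_LOG` are real WordPress configuration constants.

```php
<?php
// Added example (not from the article or Wordfence): a command-line audit that
// looks for the file exposures described above in a WordPress install.
// Run as: php wp-file-audit.php /var/www/html
// Paths, permission targets and finding texts are this example's own assumptions.

function wp_file_audit(string $root): array
{
    $findings = [];
    $root = rtrim($root, '/');

    // 1. wp-config.php holds the database password. It must exist, and it
    //    should not be readable by "other" (mode 0640 rather than 0644).
    $config = $root . '/wp-config.php';
    if (!is_file($config)) {
        $findings[] = "missing: $config";
    } else {
        $mode = fileperms($config) & 0777;
        if ($mode & 0004) {
            $findings[] = sprintf('wp-config.php is world-readable (mode %04o); use 0640', $mode);
        }
        $src = file_get_contents($config);

        // 2. Without these constants the dashboard itself can edit and install PHP
        //    code, which is the "modifies its own files" convenience the text describes.
        foreach (['DISALLOW_FILE_EDIT', 'DISALLOW_FILE_MODS'] as $const) {
            if (!preg_match("/define\\(\\s*'" . $const . "'\\s*,\\s*true\\s*\\)/", $src)) {
                $findings[] = "$const is not set to true in wp-config.php";
            }
        }

        // 3. WP_DEBUG_LOG set to true writes wp-content/debug.log inside the web root.
        //    Giving it an absolute path outside the document root keeps the log off the web.
        if (preg_match("/define\\(\\s*'WP_DEBUG_LOG'\\s*,\\s*true\\s*\\)/", $src)) {
            $findings[] = 'WP_DEBUG_LOG is true: debug.log lands in wp-content; point it outside the web root';
        }
    }

    // 4. The installer script stays on disk after setup; list it so access can be
    //    restricted in the web server configuration.
    if (is_file($root . '/wp-admin/install.php')) {
        $findings[] = 'wp-admin/install.php is present; restrict it in the web server config';
    }

    // 5. Log files sitting beside the PHP code let an intruder watch their own tracks.
    foreach (glob($root . '/wp-content/*.log') ?: [] as $log) {
        $findings[] = "log file inside web root: $log";
    }

    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $findings = wp_file_audit($argv[1]);
    echo $findings ? implode("\n", $findings) . "\n" : "no findings\n";
    exit($findings ? 1 : 0);
}
```

The script only reports; the fixes (changing the file mode, adding the constants, moving the log, denying `install.php` and `wp-config.php` in the web server) remain manual, and a remote scan of the kind the text recommends is still needed to confirm that the files are actually unreachable from outside.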

Default User Account

The WordPress installer sets up a default administrator account so content creators can start building their sites, and its username is often left as simply “admin.” Attackers therefore try logging in as that default administrator and guess passwords in order of popularity. Even if an attacker never guesses a correct username and password combination, thousands of attempts in a short amount of time can bring any WordPress site to its knees.

Fortunately, intrusions of this type are easy to detect. Referred to as brute force attacks, they involve a hacker repeatedly attempting to log into a site until they have found a valid password. WordPress does not limit or block repeated failed logins by default, but plugins like Wordfence can detect and block brute force attacks automatically. The premium version even shares block information across all participating sites, so a brute force attack on one site is blocked across the entire network.
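To show what the per-site half of that detection looks like, here is a small lockout plugin as an added example; it is not code from the article or from Wordfence. The hooks `wp_login_failed`, `authenticate` and `wp_login` and the transient functions are WordPress core APIs; the threshold of five failures, the fifteen-minute window and the `lal_` function names are this example’s own choices.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not part of the article or of Wordfence: counts failed logins
 * per client IP with WordPress transients and refuses further attempts for a
 * cooling-off period. Threshold, window and function names are this example's
 * assumptions; the hooks and transient calls are WordPress core APIs.
 */

const LAL_MAX_FAILURES = 5;      // failures tolerated inside the window
const LAL_WINDOW_SECONDS = 900;  // 15 minutes

function lal_client_ip(): string
{
    // Assumes the site is not behind a reverse proxy; behind one, trust a
    // forwarded-for header only after confirming the request came from that proxy.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lal_transient_key(string $ip): string
{
    return 'lal_fail_' . md5($ip);
}

// Core fires this action on every failed login attempt with the username tried.
function lal_record_failure($username): void
{
    $ip    = lal_client_ip();
    $key   = lal_transient_key($ip);
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW_SECONDS);
    if ($count === LAL_MAX_FAILURES) {
        // One log line per lockout gives an operator a detection signal.
        error_log(sprintf('login lockout: ip=%s last_user=%s', $ip, (string) $username));
    }
}
add_action('wp_login_failed', 'lal_record_failure');

// Runs after core's own username/password handlers (priority 20); returning a
// WP_Error here rejects the login even when the password happened to be right.
function lal_check_lockout($user, $username, $password)
{
    $count = (int) get_transient(lal_transient_key(lal_client_ip()));
    if ($count >= LAL_MAX_FAILURES) {
        return new WP_Error('too_many_attempts', 'Too many failed login attempts. Try again later.');
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);

// A successful login clears the counter so a legitimate user is not penalised later.
function lal_clear_on_success($user_login): void
{
    delete_transient(lal_transient_key(lal_client_ip()));
}
add_action('wp_login', 'lal_clear_on_success');
```

The same message is returned whether or not the username exists, so the lockout does not leak which accounts are real. Because the counter is keyed on a single IP and stored in this site’s database, an attempt spread across many addresses or many sites is not caught by it, which is exactly the gap the network-shared blocking described above is meant to close.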

SQL Injections and Remote Code Execution

WordPress stores all content and much of its configuration in a database. Information is retrieved using a language called SQL, whose queries are built inside the various scripts that manage WordPress sites. When a script pastes untrusted input straight into a query, a knowledgeable attacker can supply input that changes how the database is accessed. For instance, code that reads from a database can be modified to write to it instead, changing site content or altering user credentials.

WordPress is generally developed to defend against these types of attacks. However, much of a site consists of third-party plugins and themes, any one of which can easily introduce an SQL injection. It is not enough to count on WordPress core security alone.

SQL injection attacks usually arrive via URL parameters passed to PHP scripts. One easy mitigation is to modify the web server configuration to reject common injection patterns. Where the web server cannot be modified, plugins like Wordfence offer firewalls that notice and block injection attempts. Those attempts are also shared in real time across Wordfence’s blocking network, so an attacker who has run an SQL injection on one site may be prevented from even trying it on another.
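Since the text places the blame on plugin and theme code, the plugin-side fix is worth seeing next to the bug. The following is an added example, not code from the article, from Wordfence or from any real plugin: a search shortcode written the way injectable plugins often write it, beside the same query with the parameter bound through `$wpdb->prepare()`. The shortcode name `title_search`, the `q` parameter and the function names are this example’s assumptions; `$wpdb`, `prepare()`, `esc_like()`, `get_results()`, `wp_unslash()`, `esc_html()` and `add_shortcode()` are WordPress core APIs.

```php
<?php
// Added example, not from the article or Wordfence: the same title search
// written with string concatenation (vulnerable) and with parameter binding (fixed).
// Shortcode name, parameter name and function names are this example's own.

// Vulnerable: the URL parameter is concatenated straight into the SQL text. A
// single quote in the value ends the string literal, and everything after it is
// parsed as SQL, so the caller, not the developer, decides what the query does.
function vuln_search_titles(): array
{
    global $wpdb;
    $term = $_GET['q'] ?? '';
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts} "
          . "WHERE post_status = 'publish' AND post_title LIKE '%" . $term . "%'";
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Fixed: the value is passed as a bound parameter, so it is always treated as
// data. wp_unslash() undoes WordPress's legacy slashing of $_GET, and
// esc_like() escapes % and _ so a user cannot widen the LIKE pattern.
function safe_search_titles(): array
{
    global $wpdb;
    $term = wp_unslash($_GET['q'] ?? '');
    if (!is_string($term) || $term === '') {
        return [];
    }
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_status = 'publish' AND post_title LIKE %s",
        '%' . $wpdb->esc_like($term) . '%'
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Output is escaped separately: parameter binding stops SQL injection, not
// script injected into the page (covered in the next section).
function render_search_results(array $rows): string
{
    $html = '<ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . esc_html($row['post_title']) . '</li>';
    }
    return $html . '</ul>';
}

add_shortcode('title_search', function () {
    return render_search_results(safe_search_titles());
});
```

A web-server rule that rejects injection patterns, as the text suggests, is a useful backstop, but it is pattern matching and can be sidestepped; binding the parameter removes the bug rather than filtering for it, so the two belong together.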

A similar attack, which the author files under remote code execution and is more commonly called cross-site scripting, has a hacker use comment areas or search fields to run JavaScript code in other users’ browsers. These attempts are also mitigated by WordPress’ core, but Wordfence’s web firewall examines what is entered in these spaces for any input that would harm others. In combination with its remote scans, this capability also blocks attempts to upload scripts and other malware to the hosting server.
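The two halves of that paragraph, script entered into comment or search fields and scripts uploaded to the server, each have a plugin-level defence that does not depend on a firewall. The following is an added example, not code from the article or from Wordfence: output escaping chosen per HTML context, and two upload hooks that refuse PHP files. Function names prefixed `xs_` and the `s` search parameter are this example’s assumptions; `esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()`, `wp_check_filetype_and_ext()` and the `upload_mimes` and `wp_handle_upload_prefilter` filters are WordPress core APIs.

```php
<?php
// Added example, not from the article or Wordfence: context-aware escaping of
// user-supplied text, plus upload hooks that keep PHP out of the media library.
// xs_ function names are this example's own; the called functions are WordPress core.

// A search term echoed back into the page. Script reflected through a search box
// runs in the browser of whoever follows a crafted link, so the value is escaped
// for each context it lands in: once as an attribute, once as element text.
function xs_render_search_box(string $term): string
{
    $attr = esc_attr($term);  // quotes and angle brackets become entities
    $text = esc_html($term);  // the same for element content
    return '<form method="get"><input type="text" name="s" value="' . $attr . '"></form>'
         . '<p>Results for ' . $text . '</p>';
}

// Comment content is shown to every later visitor, so script stored in it would
// run for all of them. wp_kses_post() keeps harmless markup such as <a> and <em>
// but strips <script>, on* event handlers and javascript: URLs; esc_url() drops
// unsafe schemes from the author link.
function xs_render_comment(string $author, string $url, string $content): string
{
    return '<div class="comment">'
         . '<a href="' . esc_url($url) . '">' . esc_html($author) . '</a>'
         . '<div>' . wp_kses_post($content) . '</div>'
         . '</div>';
}

// Upload hardening, part 1: WordPress does not allow PHP uploads by default, but
// another plugin can add them to the allowed list. Remove them again regardless.
function xs_restrict_upload_mimes(array $mimes): array
{
    foreach (['php', 'phtml', 'php3', 'php5', 'phar'] as $ext) {
        unset($mimes[$ext]);
    }
    return $mimes;
}
add_filter('upload_mimes', 'xs_restrict_upload_mimes');

// Upload hardening, part 2: reject files whose content does not match their
// extension, and names that carry a PHP extension anywhere in them (for example
// a PHP extension followed by an image extension). Setting $file['error'] to a
// string aborts the upload with that message.
function xs_reject_mismatched_uploads(array $file): array
{
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || empty($check['type'])
        || preg_match('/\.ph(p\d?|tml|ar)(\.|$)/i', $file['name'])) {
        $file['error'] = 'File type not permitted.';
    }
    return $file;
}
add_filter('wp_handle_upload_prefilter', 'xs_reject_mismatched_uploads');
```

Escaping at output time rather than at input time is the point of the first two functions: the raw comment is still stored, so it can be displayed safely in any context later, whereas stripping on input commits to one context and is easy to get wrong. The upload checks cover only files that pass through WordPress’ media handling; a web server rule that refuses to execute PHP under `wp-content/uploads` is the companion control on hosts where the server can be configured.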

Comment Spam Injection

Spammy comments aren’t just a minor nuisance. Too many can earn a site a bad reputation with search engines, as spam comments often link to questionable sites. Not only does comment spam make it tough for search engines to correctly categorize and rank a site, it may also get content creators flagged for distributing malware and other harmful files.

The most effective tools for responding to spam rely on networks of sites flagging content. While it is possible to raise the barrier for commenters with CAPTCHAs and other tricks, spammers have tactics of their own for getting past them. By sharing characteristics of spammers and the comments they leave, Wordfence can intercept and eliminate spam comments before they even reach the site. As such, the experience for legitimate commenters is preserved while spammers are kept out.


WordPress’ prominence as a site-hosting platform makes it a huge target for attackers, as there is a wealth of information on how to gain illicit access to sites. This works both ways, however: plugins and services can effectively mitigate these same vulnerabilities by packaging the defensive techniques into easily installed plugins. Correctly configuring WordPress’ hosting web server can block many common attacks. For anyone unable to do so, plugins like Wordfence offer solid protection against the most common WordPress vulnerabilities.