Common WordPress vulnerabilities and how to fix them

Your WordPress website should be checked for potentially malicious code so that, as soon as something is identified, immediate corrective action can be taken to keep anyone else out of your admin panel. Here we will look at 9 common issues:

Cheap WordPress Hosting

The most common problem is that cheap WordPress hosting is configured incorrectly and sites are not properly separated from each other. A compromise of one installation can then spread to unrelated websites on the same server, and if several client websites share one hosting account, an issue on one of them can extend to the others.

It is also common for cheap hosting to attract dubious or fraudulent clients, which can get the shared server blacklisted or flagged for spam.

To solve this, it is better to use a host that focuses on security, and if you will host several clients, take care to separate them by creating a separate user for each one.

Weak WordPress Logins and Passwords

A weak password is a risk for your website: there are automated tools whose sole purpose is to try common and simple username and password combinations.

The best way to avoid this is not to use “admin” as a username, to choose passwords that are not simple, and not to share them with so many people that everyone has access. WordPress used to create a default user named “admin”; if your account is still called this, it is better to create a new account and transfer ownership of all posts to the new account.
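The replacement procedure just described, as an added example that is not part of the article: a one-off script, run from a WP-CLI session with `wp eval-file`, that creates a new administrator and uses `wp_delete_user()` to reassign the old “admin” account’s posts to it before removing it. The new login name and e-mail address are placeholders you must replace.

```php
<?php
// Added example (not from the article): retire a legacy "admin" account by creating a
// replacement administrator and reassigning every post to it before deleting the old one.
// Run once, e.g. with WP-CLI: wp eval-file retire-admin.php
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() is defined here.

function ex_retire_admin_account( $new_login, $new_email, $old_login = 'admin' ) {
    $old = get_user_by( 'login', $old_login );
    if ( ! $old ) {
        return 'No account named ' . $old_login . '; nothing to do.';
    }
    if ( get_user_by( 'login', $new_login ) ) {
        return 'Account ' . $new_login . ' already exists; pick another name.';
    }
    // A 24-character password from WordPress's own generator, shown once at the end.
    $password = wp_generate_password( 24, true, true );
    // WordPress rejects an e-mail already used by another account, so $new_email
    // must differ from the old account's address.
    $new_id = wp_insert_user( array(
        'user_login' => $new_login,
        'user_pass'  => $password,
        'user_email' => $new_email,
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $new_id ) ) {
        return 'Could not create ' . $new_login . ': ' . $new_id->get_error_message();
    }
    // The second argument reassigns the old user's posts to the new account before
    // deletion, so no content is lost (on multisite this only removes the user from
    // the current site).
    wp_delete_user( $old->ID, $new_id );
    return 'Created ' . $new_login . ' (ID ' . $new_id . ') with password: ' . $password;
}

// Placeholder values: replace with the real login name and address before running.
echo ex_retire_admin_account( 'site-owner', 'owner@example.com' ) . "\n";
```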

Outdated core WordPress, themes or plugins

When WordPress releases a new update, accounts can be compromised on sites that have not installed it: an exploit can be written to attack websites that are not on the latest version. The same applies to PHP, MySQL, the server software and any other software that is part of your server and has not been updated.

Ideally, to avoid this, keep an eye on update notifications for new versions and make sure every piece of server software is up to date.

PHP Exploits

As with the previous point, there may be a PHP library that has not been updated, and it is very likely that you will not even realize it is out of date.

To avoid this, it is ideal to have more advanced WordPress hosting, such as a VPS or managed WordPress hosting, where you can customize the PHP setup and remove any PHP libraries you don’t need.

Installing software from dodgy sources

There are times when you want a premium product and, for shortsighted reasons, usually to save money, you download it from a dodgy site. The real price of this suspicious software is often hidden: it can infect other users or be used to send spam, phishing or other nefarious traffic, because hackers gain control of and access to your own server, usually through what is known as a backdoor. Avoid such sources, only download from official, trusted sources, and use trusted software.

Sites not using secure certificates

If a site does not have an SSL/TLS certificate, the information sent between the browser and the server is not encrypted, so passwords and sensitive information such as personal data can be captured with special software made for this purpose. With a secure certificate the information is encrypted before it is sent to the server.

File inclusion exploits

A flaw in PHP code can allow “elevation of privileges” or a “security bypass”, giving a hacker a way to upload files to the website or steal private information. To prevent this it is recommended to keep the software updated and also to have a WordPress security plugin installed.

SQL injections

These are a different form of exploitation: an attacker bypasses the normal protections to access the WordPress database, and with access to that private data can create users, take full control of the site and make changes. The best option to avoid this attack is to keep the software updated.

XSS or Cross-site Scripting

This is one of the most common exploits: JavaScript code is loaded into the website without the user’s consent and then accesses private data, for example the data entered in forms.
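The SQL injection and XSS issues from the last two sections usually come from the same kind of plugin or theme code, so here is one added example (not code from the article) showing a small shortcode handler written twice: once with both defects, once hardened with WordPress’s own `$wpdb->prepare()` and `esc_html()`. The table name `customer_notes` and the shortcode name are assumptions for illustration.

```php
<?php
// Added example (not from the article): a shortcode that shows one row from a custom
// table. The first version has the SQL injection and XSS defects the article describes;
// the second uses WordPress APIs to fix both. Table and shortcode names are assumed.

// VULNERABLE: user input is concatenated into SQL and echoed back unescaped.
function vuln_note_shortcode( $atts ) {
    global $wpdb;
    $id = isset( $_GET['note'] ) ? $_GET['note'] : '';
    // SQL injection: $_GET['note'] becomes part of the query text verbatim.
    $row = $wpdb->get_row( "SELECT title FROM {$wpdb->prefix}customer_notes WHERE id = " . $id );
    // XSS: whatever came in the URL is written straight into the page.
    return '<p>Note: ' . $row->title . ' (requested: ' . $_GET['note'] . ')</p>';
}

// HARDENED: the value is bound with a typed placeholder and every output is escaped.
function safe_note_shortcode( $atts ) {
    global $wpdb;
    // absint() coerces to a non-negative integer, so only a number ever reaches SQL.
    $id = isset( $_GET['note'] ) ? absint( $_GET['note'] ) : 0;
    if ( 0 === $id ) {
        return '<p>' . esc_html__( 'No note selected.', 'example-text-domain' ) . '</p>';
    }
    // $wpdb->prepare() binds %d as an integer; the input never becomes SQL text.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT title FROM {$wpdb->prefix}customer_notes WHERE id = %d", $id )
    );
    if ( null === $row ) {
        return '<p>' . esc_html__( 'Note not found.', 'example-text-domain' ) . '</p>';
    }
    // esc_html() neutralises <, >, &, and quotes before the value is placed in HTML.
    return '<p>Note: ' . esc_html( $row->title ) . ' (requested: ' . esc_html( $id ) . ')</p>';
}
// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_shortcode( 'customer_note', 'safe_note_shortcode' );
```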

Finding WordPress vulnerabilities through scanning

If you want free WordPress themes, go directly to the official WordPress theme directory for more security; if you choose a theme outside the official directory, you take on more responsibility for evaluating the theme yourself.

You can use these services to check the WordPress vulnerabilities:

  • Geekflare
  • Sucuri
  • Hacker Target
  • Detectify
  • WPSEC
  • Security Ninja
  • Pentest-Tools
  • WP Neuron
  • Quttera

Finding WordPress vulnerabilities after Installation

It is best to use a product from the WordPress security plugins list to verify that your plugins are up to date for the major versions of WordPress.

Let’s look at some plugins that check the authenticity of themes:

Theme Authenticity Checker

It is a free plugin that scans the theme files; if it finds malicious code it shows the path, the line number and the code. This plugin has not been updated in the last 3 years, and it’s up to you whether to use it or wait until there is a new version.

WP Authenticity Checker

This plugin looks for issues with themes and also checks them against WordPress core or external plugins to find any vulnerabilities. Currently this plugin is out of date, just like the previous one, so it’s up to you whether to use it for your website.

Exploit Scanner

This plugin helps verify the database of your WordPress installation in addition to the theme files. However, like the others, it has not been updated. These plugins only find the vulnerabilities; the measures to eradicate them are up to you.

Additional Fixes to Protect from WordPress Vulnerabilities

Use Hackalert monitoring

This is a service offered by SiteGround that watches over the security of your WordPress websites: it sends an alert when it finds malicious code, and monitoring updates will be sent to you.

Set a custom login URL for WordPress

The two default URLs that WordPress creates for login are: wp-login.php and wp-admin.php

A big drawback is that anyone who finds the username and password can log into your WordPress dashboard through these well-known URLs; by customizing the URL there is less risk and more security on your website.

Install the Stealth Login plugin, or customize the Stealth part of the Custom Login plugin, to hide the login page.

Limit the number of login attempts

You can limit login attempts, blocking brute force attacks on your website. With iThemes Security (a full security plugin) or the Login LockDown plugin you can limit login attempts.
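To show what such a limit does underneath, here is an added example (not the article’s plugins, nor code from iThemes Security or Login LockDown): a minimal plugin that counts failed logins per client address in a WordPress transient and rejects further attempts once a threshold is reached. The threshold of 5 attempts per 15 minutes and keying on `REMOTE_ADDR` are assumptions.

```php
<?php
/*
Plugin Name: Example Login Attempt Limiter
Description: Added example, not one of the article's plugins: blocks an address after repeated failed logins.
*/

// Assumptions (illustration only): 5 attempts per 15 minutes, keyed by REMOTE_ADDR.
// Behind a reverse proxy REMOTE_ADDR is the proxy, so the key would need adjusting there.
define( 'EX_LOGIN_MAX_ATTEMPTS', 5 );
define( 'EX_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS );

function ex_login_key() {
    // Transients are WordPress's built-in expiring key/value store.
    return 'ex_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] );
}

// Runs whenever a login fails (including attempts we reject): count it in the window.
function ex_login_record_failure( $username ) {
    $key   = ex_login_key();
    $count = (int) get_transient( $key );
    // set_transient() refreshes the expiry, so the window slides with the last failure.
    set_transient( $key, $count + 1, EX_LOGIN_WINDOW );
}
add_action( 'wp_login_failed', 'ex_login_record_failure' );

// Runs during authentication; refuse the attempt once the limit is reached.
function ex_login_check_limit( $user, $username, $password ) {
    // Only gate attempts that actually carry a username (the wp-login.php form post).
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( ex_login_key() ) >= EX_LOGIN_MAX_ATTEMPTS ) {
        // Returning WP_Error tells WordPress to reject the login and show this message.
        return new WP_Error( 'ex_too_many_attempts', __( 'Too many failed login attempts. Please try again later.', 'ex-login-limiter' ) );
    }
    return $user;
}
// Priority 30 runs after core's username/password handlers (priority 20), so the
// lockout wins even when the submitted password happens to be correct.
add_filter( 'authenticate', 'ex_login_check_limit', 30, 3 );

// Reset the counter after a successful login so a legitimate user is not locked out later.
function ex_login_clear( $user_login, $user ) {
    delete_transient( ex_login_key() );
}
add_action( 'wp_login', 'ex_login_clear', 10, 2 );
```

Because every rejected attempt also fires `wp_login_failed`, the lockout window extends while attempts keep coming; shared office or carrier NAT addresses can be locked out together, which is the usual trade-off of address-based limits.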

Disable directory browsing

Some WordPress directories, such as wp-content or wp-includes, contain sensitive data. Ideally directory browsing should be disabled, because otherwise anyone can browse these directories, and hackers can use that information to take down your website.