10 WordPress security issues to be aware of

10 WordPress security issues to be aware of
Mar 22

Bradley Kronson

Digital Platforms

Web Development

WordPress has received much popularity and attention in the last few years. This content management system powers 40% of all websites on earth, according to Techradar.

As the most popular CMS on the Internet, it's also a popular target for hackers. A 2020 Wordfence report said that 2 800 attacks per second targeted WordPress. While it might seem like a good idea to follow the pack, website owners have to be vigilant about what security vulnerabilities a popular platform brings with it.

To shed some light on the above, we have summarised the top 10 security issues that commonly affect WordPress websites:

1. Brute-force Logins

The attacker uses a bot to run through billions of potential username and password combinations and log in to your account.

2. Outdated Core Software

WordPress developers roll out updates approximately every three months. But they aren't automatically updated, which can leave WordPress sites vulnerable.

3. Undefined User Roles

WordPress allows you to create six different user roles which come with native permissions that allow or restrict specific actions. The default role of administrator has the most control, which poses a problem if users don't change the default settings because a hacker who gains access to the site can make changes as an administrator.

4. Outdated Themes and Plugins

Although themes and plugins make WordPress customisable, they can pose a security risk if they are out-of-date.

5. Malware

Including any malicious software, hackers can put malware files in legitimate website files or plant code in existing files. This way, they can compromise websites and their visitors or attempt unauthorised logins via "backdoor" files. Malware is most often undetectable without using specialised software and it usually enters WordPress sites through outdated themes and plugins or via poorly managed infrastructure.

6. Structured Query Language (SQL) Injections

SQL, the preferred language on WordPress for database management, is quite secure, but cyber hackers can use it to their advantage. Without the proper setup an SQL injection can allow a hacker to view and modify a site's database directly, make new accounts and add unauthorised links and content.

7. Search Engine Optimisation (SEO) Spam

These work similarly to SQL injections but take advantage of your top-performing pages and fill them with spammy keywords and pop-up ads.

8. Cross-Site Scripting

Similar to database injections, Cross-Site Scripting (XSS) entails attackers trying to plant code that runs in your files, but XSS primarily targets web page functionality. They ultimately harm visitors by posting a disguised link to a faulty website or showing a fake contact form to steal user info. Hackers exploit outdated plugins and themes to access files that control the website's front end.

9. Denial-of-Service Attacks

DoS attacks block site administrators and visitors from accessing a website by overloading the server with traffic, crashing it and taking down all the websites hosted on it. When the attack is launched from several machines simultaneously, it is known as a distributed denial-of-service (DDoS) attack. Because of WordPress’ prolific nature they are often used in these types of attacks.

10. Phishing

Phishing is when cybercriminals send out large amounts of spam links hoping that someone will click on them and compromise their information. Hackers who gain access to your site and who have admin privileges can post spammy links for users to click. Again, WordPress sites become vulnerable because of outdated software, themes, plugins, lack of security checks on submission and comment forms.

You can counteract many of these security issues by being vigilant. Choose a strong password and ensure that you have the latest updates and plugins. Monitor permissions and take additional security measures if you're the sole administrator. You can use a CAPTCHA as a security measure on forms and a WordPress security plugin to run malware scans. WordPress sites that use hosting servers that don't have sufficient security in place are most vulnerable to attack, so it is essential that you have a reliable hosting provider.

To avoid wasting time, money and energy, which cyberattacks cause, it might be worth looking for a more robust content management system (CMS) like Umbraco for the sake of your business, customers and visitors. Choosing the right content management system (CMS) for your website is crucial for its success. You need to be able to upscale your site easily, it needs to support the media and content you want to showcase, and it needs to collect the user data that matters for your digital strategies. And maintaining it needs to be as smooth and painless as possible. It’s not a choice to make lightly.

The CMS we choose to use to build our digital platforms is Umbraco. With it, we’ve delivered one success story after another, giving us a long list of satisfied clients to brag about, including DStv, Connected Conservation, Avis Fleet and Sithabile Technology Services.

To learn more about why League Digital uses Umbraco as our goto tool for web development check out our CMS comparison report.

What's the best CMS platform?

We've compiled the research about which CMS stands out above the rest, so you don't have to.