Top 10 WordPress Security Vulnerabilities and Ways To Fix Them

This quote is good enough to give you the idea of security issues that are taking place all over the world. In fact, website security is a subject which has been giving sleepless nights to the site owners for a long time. No one has been able to achieve 100% security for their business site.

According to a survey carried out by the Juniper Research, cybercrime will cost businesses over $2 trillion by 2019. This is an alarming statistics and it shows that day-by-day securing a website is becoming very difficult. At the same time, you need to find the ways to secure your site, as it contains your most important data as well as the sensitive information.

As you all know that, WordPress powers 31% of the internet and therefore, it’s very clear that the WordPress platform will be facing the highest number of web security issues. Most of the user trust this wonderful platform and that’s why they have built their business sites on that.

However, according to a research carried out by Sucuri, WordPress is the most infected website platform for the year 2018.

WordPress in 2018

Therefore, it becomes important for all of you to be aware of various WordPress security vulnerabilities and the ways to fix them. So, let’s get started and analyze each vulnerability one-by-one.

There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.

– John Chambers

Top 10 WordPress Security Vulnerabilities

  1. Insecure Web Hosting
  2. Using Weak Password
  3. Not Updating WordPress
  4. SQL Injection
  5. Forgetting To Secure WordPress Configuration File
  6. Not Updating Plugins or Themes
  7. Using Plain FTP
  8. Not Changing The WordPress Table Prefix
  9. Malware
  10. Incorrect File Permissions

1. Insecure Web Hosting

This is perhaps one of the biggest reasons why WordPress websites get easily infected. Like all the other websites, WordPress website is also hosted on the server. Sometimes what happens is that the hosting provider companies do not secure their platform. In that kind of scenario, there is every chance that your WordPress website may get attacked by an outsider.

Way To Fix This Issue

The best way is to fix this issue is by hosting your WordPress website on some of the top-notch hosting platforms. Here’s a list of best WordPress hosting provider that you can utilize for your business website.

Best WordPress Hosting Providers

  • Bluehost
  • HostGator
  • SiteGround
  • DreamHost
  • InMotion Hosting

2. Using Weak Password

Passwords are such a key part of your WordPress website security. You always need to make sure that you’re using a strong password for your WordPress account. According to a research conducted by WPTemplate, 8% of WordPress websites around the world gets hacked due to week password. A week password can provide easy access to the following things:

  • WP Admin Account
  • C-Panel Account
  • FTP Account
  • Your WordPress Database

That’s why it becomes extremely vital to have a strong password for your WordPress website.

Way To Fix This Issue
  • Form A Complex Password

    One of the ways you can fix this issue is by forming a complex password for your site. Always try to use the combination of Alphabet, Numbers, Special Characters, etc. for making a password. It will help you to make a strong password which can’t be guessed easily.

  • Utilize A Password Manager

    The other way of fixing this issue is by using the password managers. A password manager is an application which allows you to store all your passwords at one place and then manage it via a Master Password. The USP of any password manager is that they have an auto-fill functionality.

    Here is a list of some best password managers:

    • LastPass
    • 1Password
    • Dashlane
  • Two-Factor Authentication

    This is one of the best ways to protect your WordPress website from password stealing. In a two-factor authentication scenario, if some attacker is able to guess the password of your WordPress website, then he/she won’t be to login into your site. He/she will require a security code which is sent to your mobile. In this manner, you will be able to protect your website.

    There are major ways of setting up two-factor authentication in WordPress:

    1. SMS Verification
    2. Google Authenticator App

3. Not Updating WordPress

There are many users who feel comfortable with one of the WordPress version and therefore, they don’t update their WordPress version on a regular interval. The major reason behind it is, they fear that it would break their website. However, each new version of WordPress comes with fixes for security bugs and that’s why it becomes important for you to update your website.

Way To Fix This Issue

Always check for the latest version of WordPress and try to keep your website updated. This will minimize the chances of any security issues. For those who fear that updating WordPress will create a site breakdown can take the backup of their website. So, if the new version doesn’t work as per your requirements, then you can always revert back.

4. SQL Injection

SQL Injection is one of the oldest methods of gaining the access of the website. As you all know that, SQL is a language that is used to work with the WordPress database and that’s why in this type of attack, the hackers inject SQL commands into your site to retrieve the information. Hackers are getting smart day-by-day and they’re coming up a new SQL injection every day or the other. So, as a website owner, you should be aware of the ways to get rid of this issue.

Way To Fix This Issue
  • Scan For SQL Injection Vulnerability

    You should check for SQL Injection issue in your WordPress website on regular basis. However, this can be a very difficult task to perform manually and that’s why you should utilize some security scanning tools for that purpose. Here’s a list of best security scanning tool:

    • WordPress Security Scan
    • Sucuri SiteCheck
    • WPScan
  • Adding A Code To Your .htaccess file

    Another way of preventing SQL Injection is to add a particular code in your .htaccess file. .htaccess is a configuration file which is used on the web servers and therefore, by changing that part you will be able to restrict the access of the outsiders to your WordPress database.

    Add the following code in your .htaccess file:

    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{QUERY_STRING} ../ [NC,OR]
    RewriteCond %{QUERY_STRING} boot.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp:  [NC,OR]
    RewriteCond %{QUERY_STRING} http:  [NC,OR]
    RewriteCond %{QUERY_STRING} https:  [NC,OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*([|]|(|)|<|>|ê|"|;|?|*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*("|'|<|>||{||).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]
    

5. Forgetting To Secure WordPress Configuration File

WordPress Configuration file (wp-config.php) comprises of WordPress database login credentials. Therefore, if any outsiders get the access to this file, then he/she can steal your information and cause damage to your website. Therefore, it becomes necessary that you do everything possible to protect this file.

Way To Fix This Issue

One of the simplest ways to protect the wp-config.php file is by modifying the .htaccess and restricting the access. For that purpose, simply add the following snippet to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

6. Not Updating Plugins or Themes

Just like the core WordPress, it’s important to use the latest version of the plugins or themes in WordPress website. Using an outdated version of any plugin or theme can make your site vulnerable to security threats. According to a survey conducted by WPWhiteSecurity, 54% of global WordPress vulnerabilities are due to plugins.

Way To Fix This Issue

Always check for the update in the any of your plugin and themes. Make sure that you’re using the latest version available on the WordPress. By following this methodology, you will minimize the chances of security threats in your WordPress website.

7. Using Plain FTP

For those who don’t know, FTP accounts are used to upload a file on your website server using an FTP client. Most of the hosting provider support FTP connection using different types of protocols: Simple FTP, SFTP, or SSH.

Most of the WordPress website owners make the mistake of using plain FTP. Now, what happens in a plain FTP is that your password is sent to the server in unencrypted form. So, anyone who can hack the server can get an easy access to your WordPress website.

Way To Fix This Issue

Instead of using FTP, you can opt for SFTP or SSH option. You don’t need to change the FTP client for that purpose. Just change the protocol to ‘SFTP-SSH’ while connecting to your website. By using this protocol, you will able to send the password to the server in an encrypted form which minimizes the risk of security issues.

8. Not Changing The WordPress Table Prefix

As you all know that, by default, all the WordPress tables created in your database start with a prefix named wp_. Most of the WordPress developers don’t care about changing this prefix, as they feel that it’s not going to affect the site’s performance.

In constant to that, this prefix makes your WordPress website vulnerable to the security issues. The reason behind that is, an attacker can easily guess the name of your WordPress database tables. Therefore, you should try to resurrect this issue as soon as possible.

Way To Fix This Issue

Instead of using the default prefix for the WordPress database tables, you should define your own prefix that is complicated in nature so that anyone can’t guess it. You can change the prefix of your WordPress database tables at the time of installation. So, always remember that point. After that, you won’t get the chance to change the prefix.

Here’s how you can change the WordPress database prefix to improve the security:

9. Malware

Malware is an abbreviation for malicious software. In other words, you can say that it’s code which is used to gain the access to a website in an unauthorized manner. A hacked website clearly indicates that a malware has been injected. Now, if you want to recognize malware on the site, then try to look at recently changed files.

There can be many types of malware infections on the web, but for WordPress, four major malware infections are as listed below:

  • Backdoors
  • Drive-by downloads
  • Pharma hacks
  • Malicious redirects
Way To Fix This Issue

Any malware issues can be easily identified by searching the recently modified file and then removing that file from your WordPress website. The other way of dealing with this issue is to install a fresh version of WordPress or by restoring the WordPress website from your recent backup. Both these methods will help you to minimize the security vulnerabilities.

10. Incorrect File Permissions

File permissions are the set of rules which is used by the web server. It helps your server to control access to your file on your WordPress website. Now, sometimes what happens is that the user sets incorrect file permissions which allows the attackers to access the file and modify it according to their requirements which can cause major damage to your WordPress website.

Way To Fix This Issue

The best way to fix this issue is by setting the right file permission for your WordPress website. The file permission on any WordPress website should be as listed below:

  • 755 or 750 for all directories
  • 644 or 640 for files
  • 600 for wp-config.php

By setting these permissions, you will be able to restrict the access to your WordPress website which will help you to secure it from the attackers.

Final Thoughts

Security has been a prime concern for the website owners over the years. Even after so much research being conducted in this area, no one has been to stack the claim for being 100% secure. This shows the level of complexity that one has to deal with while working with this issue.

Taking this into consideration, we have tried to provide you with top 10 WordPress security vulnerabilities and the ways to fix them which will surely help you in the near future.

What are your thoughts on this subject? Do mention them in our comment section. Thank you!

Like it? Share it.

One Comment

  1. Sorry, but for a major part this is bad advice.

    The .htaccess (#4) offers no protection against HTTP POST commands, just some GET requests (taken drom a Joomla .htaccess). Number 5 only works on old, insecure versions of Apache (saotn.org/wordpress-htaccess-security-best-practices-apache-24/) and tip 8 is not an issue (and never was) .

Leave a Comment Yourself

Your email address will not be published. Required fields are marked *