12 WordPress Security Issues & Vulnerabilities You Should Know About

WordPress是most popular CMS on the Internet, but, consequently, it is also the most hacked. For example, in 2018,90% of hacked CMS-powered websiteswere hosted by WordPress, amounting to around90,000 attacks per minute。

If you use WordPress, this data may make you want to consider an alternative. It makes sense to question, and care about, the security of the web-based service you’re using — getting hacked wastes time, energy, and money. It can also threaten your authority and reputation, especially if your site visitors are affected by the attacks.

It’s impossible to quantify the number of day-to-day threats your site may face. However, there are a handful of WordPress-specific issues that are worth recognizing and understanding, should you fall victim to one of them. Many of these issues are also interrelated, so being prepared for one issue can protect you from another.

In this article, we’ll go over 12 WordPress security and vulnerability issues, why they affect WordPress sites, and the steps you can take to ensure you aren’t affected and feel safe using WordPress as your CMS.

1. Unauthorized Logins

未经授权的登录通常由“蛮力”执行。在蛮力登录中，攻击者使用机器人快速运行数十亿个潜在的用户名 - password组合。如果幸运的话，他们最终将猜测正确的证书并获得受保护信息的访问。

This process looks like the stereotypical cracking-a-code spy scene from movies where a hacker is rushing to gain access to a computer while on the verge of being caught.

Image Source

Why are WordPress sites vulnerable?

There are two major reasons why these attacks happen successfully on WordPress sites. First, the default backend login page for any given WordPress site is relatively easy to find. Anyone can simply take the site’s main URL, append /wp-admin or /wp-login.php to the end, and they’ll gain access to the login page. If you don’tcustomize the default login page，攻击者可以轻松获得访问权限并尝试蛮力进入。

在未经授权的WordPress登录事件的情况下，责任也属于WordPress用户。通过将默认的“管理”用户名与简单的通用密码配对，攻击者可以轻松访问。

What You Can Do

The easiest and most effective defense against brute-force hacking is a强密码that will be difficult to discover, even with powerful technology that looks like something out of The Matrix. Warnings against weak, predictable passwords are nothing new, but many still aren’t getting the message. (Just read NordPass’s list of themost common passwords of 2019and weep.)

Allow me to show you why adding just a bit of complexity to your credentials is surprisingly powerful. The table below shows the approximate time it takes a random brute-force algorithm to guess a password at a rate of around a billion per second, based on password length and use of lower case characters (LC), upper case characters (UC), special characters (SC), and digits.

Image Source

As shown, using a password with a combination of character types and/or length will make it nearly impossible for a brute-force attempt to be successful.

Okay, you’re convinced that strong passwords actually do something. But does thinking of and remembering all these passwords sound like a lot of work? That’s whypassword managersexist. These handy applications will generate, remember, and safely store your passwords for future use.

除了强密码外，您还可以采取其他措施来遏制不需要的条目：

• Two-factor authenticationrequires users to verify their login on a separate device.
• Consider getting rid of the WordPress account with the “admin” username (the first thing hackers will guess) and making a new admin account with a secret username.
• Several reputable WordPress plugins can limit login attempts and add captchas to nip brute-force attacks in the bud. For more details, see ourUltimate WordPress Security Checklist。

请记住，蛮力方法适用于需要密码的任何地方，因此请务必加固您的登录名，以获取任何受密码保护的信息。并且不要在登录页面上重复它们，也不要在邮局上面对面！

请记住，蛮力方法适用于需要密码的任何地方，因此请务必加固您的登录名，以获取任何受密码保护的信息。并且不要在登录页面上重复它们，也不要在邮局上面对面！

2. Outdated Core Software

An advantage of using a website building platform rather than building a site from scratch is that developers will continuously enhance the functionality and security of the platform to provide a seamlessuser experience。

WordPress developers roll out updatesevery three months or so。It’s strongly recommended that all WordPress users download these updates when they become available — but it’s not automatic. That means the onus falls on the user. When this core software isn’t updated, it leaves WordPress sites vulnerable.

Why are WordPress sites vulnerable?

Outdated core WP software leaves sites vulnerable because updates are usually designed to address critical security issues. Users who don’t download an update are then vulnerable to hackers.

如果您的软件已过雷竞技苹果下载官方版时，您也无法更新您的themesandplugins(which we’ll coverbelow), and your site becomes more vulnerable to many of the security threats on this list.

What You Can Do

尽管可能很好，但WP不会自动为您安装更新。您应该旨在保持更新时间表的顶部，WordPress在上面链接的日历中列出了这一点。WordPress仪表板中的“更新”选项卡通常在有更新时显示通知气泡（如下所示）。您也可以再次单击检查以确保。

Image Source

3. Undefined User Roles

When you create a WordPress site, there are six differentuser rolesto choose from, like Subscriber or Administrator. Each role comes with native permissions that allow or restrict users from taking specific actions on your site, like modifying plugins and posting content. The default user role is Administrator, and this role has the most control over any given WordPress site.

Why are WordPress Sites vulnerable?

This is where user roles become an issue — if you have multiple users and don't change the default settings, everyone is an admin. This doesn’t necessarily mean that the people you’re creating a site with are going to cause you harm, but it does mean that a hacker who gains access to your site will be able to make changes as an administrator.

定义糟糕的管理角色主题网站creased risk if brute-force attacks are successful as admin roles can give a hacker full control over your site. Cross-site scripting (covered below) also gives hackers access to front-end capabilities to obtain additional information from your site visitors.

What You Can Do

Regardless of the purpose of your WordPress site, monitor all permissions. If you’re the sole admin on your site, ensure that you have taken additional security measures to prevent hackers from entering your site, like two-factor authentication or longer passwords. If you assign roles to others, make sure you only give them the necessary permissions. Mistakes can happen, so you also want to make sure that a contributor doesn’t even have the ability to accidentally delete a high-performing post.

4.过时的主题和插件

One of the major appeals of WordPress is its customizability. Developers create hundreds of unique themes and plugins that WordPress site owners can use to customize their sites.

However, these extensions require site owners to take proper security precautions. As mentioned above, out-of-date core software can expose your site to security risks, and so can outdated themes and plugins.

Why are WordPress Sites vulnerable?

Theme and plugin developers often release updates with functionality enhancements and additional security measures. However, not all developers do.

When they don’t do this, sites using these resources become vulnerable to hackers who can use outdated tools as entry points. For example, say WordPress has released an update with a new security patch but a developer hasn’t updated their theme to be compatible with new requirements. In that case, a hacker could exploit the theme’s vulnerability and gain control of a site.

In addition, if developers do release updates, site owners who fail to install them can make their sites more vulnerable.

What You Can Do

为了确保由于过时的主题和插件，您的网站不容易受到黑客攻击，您应该不断监视更新。当有更新时，您可以install them manually或使用插件在上线时自动安装它们。

5. Malware

恶意软件is a broad term that includes any malicious software (hence, “mal-ware”). Hackers can place malware files in legitimate website files or implant code in existing files to steal from websites and their visitors, attempt an unauthorized login via “backdoor” files, or wreak general havoc.

Why are WordPress Sites vulnerable?

Like many of the issues on this list, being vulnerable to malware is directly related to other issues. Malware usually enters WordPress sites through unauthorized and outdated themes and plugins. Hackers take advantage of security problems in plugins and themes, imitate existing ones, or even create entirely new add-ons for the sole purpose of placing harmful code on your site.

What You Can Do

首先，仔细审查您在WordPress网站上安装的每个插件和主题。WordPress.com列出了所有插件的有用统计信息their directory, like the example below:

Image Source

You should also conduct regular security scans to find any potential malware hiding on your WordPress website. Plugins are actually your friend here: there are many strong security plugins out there that can scan for malware and fix damaged files. For example,Defender by WPMU DEV具有恶意软件扫描和其他功能，以防止此列表中的大多数其他问题。您还可以探索我们的更多选择推荐的WP安全扫描仪列表。

6. Structured Query Language (SQL) Injections

SQLis a programming language that is used to quickly access stored data on a specific site. It’s the preferred language on WordPress for database management and, while rather secure, malicious parties can use it to take advantage of your site.

在SQL注入,黑客abilit收益y to directly view and modify your site’s database. Attackers can use the SQL to make new accounts on your site, add unauthorized links and content, and leak, edit, and delete data.

Why are WordPress Sites vulnerable?

WordPress sites are vulnerable to this kind of attack because most are designed to foster a sense of community. Attackers most often use SQL injections through visitor facing submission forms, like contact forms, payment info fields, and lead forms. When hackers enter information in these forms, they're not hoping to use your content offer — they’re submitting code that will run and make changes from within.

What You Can Do

最好的做法是在怀疑我们er input. Any form submission on your site is an opportunity for visitors with malicious intent to submit information directly into your SQL database.

限制访客提交中特殊字符的列表。限制访客提交中特殊字符的列表。没有符号，您将一串恶意代码串成无害的gibberish。考虑使用WordPress form pluginand/or aWordPress security pluginto do this work for you. You can also use a captcha as a final step in the submission process to prevent bots from making injection attempts.

7. Search Engine Optimization (SEO) Spam

These spammy hacks are similar to SQL injections, but they target what any website owner values the most:SEO。这些骇客利用您的顶级页面，填充垃圾关键字和弹出广告，并利用您的辛勤工作出售商品或伪造商品。

Why are WordPress sites vulnerable?

WordPress sites are vulnerable to these attacks the same way that they are vulnerable to other security issues on this list: outdated plugins, themes, and core software. Successful brute attacks and undefined user roles can also make your site vulnerable.

These hacks are also harder to detect, which makes them even more dangerous. The hackers will often gain access but wait to make any changes so as to not raise immediate suspicion. Since they’re SEO-based, these spammy keyword additions are only placed on your high-ranking pages so you won’t identify them when conducting a site-wide review. The hackers simply insert a keyword here and there within relevant pages, like “cheap Chanel bags” so your code remains relatively intact.

That means SEO Spam is most noticeable to SEO crawlers, as they’ll index your site for the spammy keywords, and users searching for Chanel bags (or whatever the spammy keyword is).

What You Can Do

One of the first things to do is follow the aforementioned security measures like updating on time and defining user roles. You can also use a WordPress security plugin that can run malware scans. We’ve created a list of高质量的安全插件and asecurity checklistthat you can use to protect your site from SEO spam (and other issues on this list).

If you’re keen on identifying these hacks on your own, pay close attention to your analytics data and note any sudden changes in SERP positions or increased site traffic for no apparent reason. You may also be notified by an internet browser that notices your site is featuring in search results for something that doesn’t seem related to your site. If you have coding knowledge, you can sift through your high-ranking pages that seem to be affected and attempt to identify the misplaced keywords.

Regardless of the route you choose to take, it’s important to target and address these hacks early on because SEO crawlers will strike against your site for spammy tactics and all the hard work you’ve put in will go to waste.

8. Cross-Site Scripting

Cross-Site Scripting (XSS) happens when an attacker places malicious code into the backend code of the chosen website. XSS attacks are similar to database injections in that attackers try to plant code that runs in your files, but XSS primarily targets web page functionality. Once they get access to your front-end display, hackers might try to harm visitors by, for example, posting a disguised link to a faulty website or displaying a fake contact form to steal user information.

Why are WordPress sites vulnerable?

同样，WordPress插件和主题是这里的罪魁祸首。如果攻击者在您身边找到过时或维护过的插件，他们可以利用它来访问决定您网站前端的文件。WordPress主题也是如此。

What You Can Do

Update, update, update! Always keep your WordPress Core, plugins, and theme running their latest versions, and be very careful when implementing any third-party software on your website.

Another helpful tool for preventing XSS is a web application firewall (WAF), which inspects traffic and prevents unapproved visitors from entering your system from outside networks. WAFs are easy to set up and maintain, so we recommend browsing reputableWAF pluginsto protect your WordPress site from XSS, SQL injections, and other attacks.

9. Denial-of-Service Attacks

A Denial-of-Service (DoS) attack aims to block site administrators and visitors from accessing a website. This is done by sending so much traffic to a targeted server that it crashes, taking down all websites hosted on it. Eventually, the server and its hosted websites are restored, but the reputation of the attacked websites might be difficult to rebuild.

These attacks are often conducted from multiple machines at a time (forming a botnet), which hides the original source of the traffic and compounds the volume of spam. This is known as a distributed denial-of-service (DDoS) attack, and it’s a lot worse.

Why are WordPress sites vulnerable?

Like any website, those powered by WordPress need hosting. DoS and DDoS attacks target hosting servers, namely those with limited security in place.

What You Can Do

Don’t just rely on plugins for this one; the best defense against DoS/DDoS attacks is secure WordPress hosting. Find a reliablehosting providerthat suits your business’ needs and maintains a reputation for taking security seriously. For example, WP Engine’s managed hosting plans include DDos Mitigation tools as well as a high-powered security solution known asGlobal Edge Security专门为保护WordPress站点而建立的企业级网络防御可以帮助防止您网站上的DDOS攻击。

10. Phishing

Phishing gets its name from actual fishing, where people cast out line after line hoping to get a bite. When phishing, hackers send out massive amounts of spammy links hoping that at least one person will click on it and have their information compromised. You’ve probably heard about, or been exposed to, phishing attacks through seemingly legitimate emails in your inbox, or text messages from unknown numbers.

Unfortunately, WordPress is not immune to these spammy practices.

Why are WordPress sites vulnerable?

像其他安全问题在这个列表,WordPresssites become vulnerable to phishing attempts through outdated plugins, themes, software, or lack of security checks for submission and comment forms.

如果具有MAL意图的用户是通过管理特权访问您的网站，则可以发布垃圾邮件链接以供用户单击，以损害其信息。网络钓鱼利用了用户对您和您的内容的信任，因为他们的基线假设不太可能是您正在尝试调解它们。黑客还可以在您的网站页面上发表评论，并带有链接，这些链接似乎可能将用户引导到垃圾邮件的其他资源。reybet雷竞技下载

Here’s an example of a spammy comment that entices readers to click a link.

Image Source

What You Can Do

Protection against phishing involves the usual steps: conduct regular updates, monitor site activity, and use secure passwords,You should also download additional security measures for your site, likeReCAPTCHA, to protect against spammy phishing bots. ReCAPTCHA uses machine learning to understand browsing patterns to distinguish between humans and bots.

11. Supply Chain Attacks

供应链攻击还利用WordPress最受欢迎的功能之一：主题和插件。发生这种攻击的方法有两种：插件所有者在客户网站上安装恶意软件，或者黑客购买流行的插件，并注入伪装成更新的垃圾邮件代码。

As a result of both methods, hackers are granted access to the backend capabilities of their site. They can access secure files and wreak havoc on site visitors’ secure information or implement additional hacks like SEO spam and phishing.

Why are WordPress sites vulnerable?

WordPress sites are vulnerable to these types of attacks because they’re based on something that you’re supposed to do, and what we recommend doing to combat most of the issues on this list: regular updates.

What You Can Do

Thankfully, supply chain attacks often have a short shelf life because WordPress developers actively work to identify these fake plugins and themes and are quick to ban those affected. However, if one happens to fly under the radar, installingsecurity plugins该网站上的定期检查将迅速确定任何漏洞。

It’s also worthbacking up your WordPress site data,so you can save it if it becomes compromised. As always, this can be done manually or bydownloading additional plugins。

12. Hotlinking

Hotlinking is one of the worst things to experience as a content creator — your work is used by others without permission or credit. Typically, another website will embed content, like images, from your website that is hosted on your server, instead of downloading it themselves. They take advantage of the money you’re spending to keep your site up and running to load the images on their site, which can result in higher monthly bills from yourhosting provider。

It’s not a direct spammy attack as the people who are hotlinking likely aren’t hackers, but it is a poor internet practice that has yet to be eradicated. If your content is licensed and restricted for your individual use, then hotlinking is not just bad etiquette — it’s illegal.

Why are WordPress sites vulnerable?

作为网站所有者，您想与网站访问者共享高质量的内容。WordPress站点很容易受到热链接的影响，因为人们会利用这一点。

They simply copy and paste a link to an image or digital file from another site onto their site without giving credit. Some WordPress site owners might not have the time to take preventative measures against hotlinking — or even think to do so.

What You Can Do

有多种方法可以protect your content from hotlinkers, but an easy option is to add discernible watermarks. It’s a user-friendly solution that won’t necessarily stop all malicious parties, but it will require an additional step to remove your personal tag.

水印可以是你的名字,网站区域形成n, or a copyright trademark logo for registered content. You can personally add this watermark to your content, or you can use the tried-and-true WordPress method: a plugin. Most of the tools onthis listare marketed towards photographers but are suitable for anyone hoping to include a watermark on their image (example shown below.)

Image Source

Protect What You’ve Created

我们都知道互联网可能是一个可怕的地方。这似乎是压倒性的，但是重要的是要了解有时会使互联网恐怖的可能风险和威胁。如果您花时间在WordPress上创建一个个性化的内容丰富的网站，这一点尤其重要。

Staying informed aboutcybersecurityis one of the best ways to defend your online presence, protect your business’s growth, and earn the trust of your customers.