6 Common WordPress Vulnerabilities
It's no surprise to hear that WordPress is the single most hacked website platform on the internet. Considering that WordPress sites make up about one-third of websites, you might even think this is a normal statistical fact, but it's not. Time and time again, dozens to thousands of sites are exposed to hackers and actively hacked, not because WordPress sites are a common target, but because WordPress sites are unbelievably easy to hack.
WordPress is Vulnerable By Default
WordPress' defense is that it is an open-source platform, a free toolkit for anyone to use as they see fit, and, like many open-source projects, security just isn't a concern. After all, you have access to the source code, so why don't you write your own security?
The problem is that even when site owners try to take security into their own hands and seemingly take all the right steps (install a firewall, encrypt, use backups, and pay for fancy security WordPress plugins) sites still get hacked. Why? Because WordPress is designed in a way so that almost everything is exposed by default.
The vast majority of website security best practices are simply not present in a basic WordPress installation, and patch-up jobs with plugins can only do so much. Not to mention, it's nearly impossible to identify which WordPress security plugins are safe and will actually provide protection, even when they are highly rated and widely used.
Common WordPress Vulnerability Exploits
1) SQL Injection
When a user searches for something on a WordPress site, these queries often go directly to the SQL database to pull up the most relevant pages and information. In an ideal world, this would be both useful and secure. However, many sites use search plugins without realizing that these plugins are not secured against the incredibly common, a-middle-schooler-could-do-it hack of SQL injection.
SQL injection can occur when searches are not 'escaped', in other words when the search terms are submitted raw into the SQL query code. If this is the case and a hacker enters the code "Drop Table Products;", any table named "Products" in the site's database will be lost forever unless there is a backup. It's as simple and devastating as that.
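To make the escaping point concrete, here is an added example that is not from the article and not WordPress code: a Python script with an in-memory SQLite table standing in for a search plugin's product data. The vulnerable builder pastes the search term into the SQL text; the safe version binds it as a parameter and also escapes LIKE wildcards, and the table name, rows and the quote in front of the article's payload are constructed for the demo.

```python
import sqlite3

# Constructed demo: a 'products' table standing in for a plugin's catalogue data.
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products (name) VALUES (?)",
                     [("Blue Widget",), ("Red Widget",), ("Green Gadget",)])
    conn.commit()
    return conn

# The article's payload, with the quote that closes the string literal in front of it.
HOSTILE_TERM = "'; Drop Table Products; --"

def build_search_unsafe(term):
    """The vulnerable pattern: the raw term is pasted into the SQL text, so anything
    the user types becomes part of the statement the database will parse."""
    return "SELECT name FROM products WHERE name LIKE '%" + term + "%'"

def search_safe(conn, term):
    """The fixed pattern: the term travels as a bound parameter, never as SQL text.
    LIKE wildcards are escaped too, so '%' or '_' in the input match literally
    instead of turning the search into 'return everything'."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        ("%" + escaped + "%",),
    ).fetchall()
    return [name for (name,) in rows]

def table_exists(conn, table):
    """Used to confirm the products table survives a hostile search term."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row[0] == 1

if __name__ == "__main__":
    db = make_demo_db()
    print("unsafe SQL text:", build_search_unsafe(HOSTILE_TERM))
    print("safe search for hostile term:", search_safe(db, HOSTILE_TERM))
    print("products table still present:", table_exists(db, "products"))
```

Printing the unsafe string is enough to see the second statement the database would parse; the safe path is the only one executed here.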
2) Arbitrary File Viewing
The next common WordPress vulnerability is called Arbitrary File Viewing and, just like it sounds, it allows hackers to look at any unsecured file on your WordPress site. And all files are unsecured by default.
As you may already know, WordPress files are simple and easy to access and edit. This is a bonus for first-time web designers but a terrible idea for actually securing your website.
Hackers who are familiar with the WordPress file structure can use certain access methods to look at far more than the few files that are supposed to be accessible to users, including highly sensitive files like your configuration files, backend resources, and, from there, your security plugin stack.
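The usual defense against this class, as an added Python example that is not from the article or from WordPress: a helper a file-serving endpoint would call before opening anything, which refuses any requested name that resolves outside the public folder or that is not a static media type. The extension allowlist and the sample directory layout are assumptions made for the demo.

```python
import os
import tempfile

# Assumed allowlist: only static media is served; configuration files, PHP
# sources and backup archives are never eligible, whatever path is requested.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}

def resolve_public_path(public_root, requested, allowed=ALLOWED_EXTENSIONS):
    """Map a user-supplied file name to a file under public_root, or return None.

    The containment test runs on the *resolved* paths, so '..' segments,
    absolute paths and symlinks pointing outside the root are all refused,
    and the extension allowlist keeps sensitive files inside the root unreadable."""
    root = os.path.realpath(public_root)
    # os.path.join discards `root` when `requested` is absolute; realpath then
    # yields a path outside root and the prefix test below rejects it.
    candidate = os.path.realpath(os.path.join(root, requested))
    inside = candidate.startswith(root + os.sep)
    if not inside or not os.path.isfile(candidate):
        return None
    if os.path.splitext(candidate)[1].lower() not in allowed:
        return None
    return candidate

def make_demo_tree():
    """Constructed layout: a public uploads folder with one image and one text
    file, plus a config file one level up that must never be reachable."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.mkdir(root)
    for name in ("img.png", "notes.txt"):
        open(os.path.join(root, name), "w").close()
    open(os.path.join(base, "wp-config.php"), "w").close()
    return root

if __name__ == "__main__":
    root = make_demo_tree()
    for req in ("img.png", "notes.txt", "../wp-config.php", "/etc/passwd"):
        print(f"{req!r:22} -> {resolve_public_path(root, req)}")
```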
3) File Inclusion Exploits
WordPress sites are often very helpful at allowing users to upload their own files to your site, whether these are pictures, text documents, or videos. However, the ability to upload or inject files into your WordPress website server is highly dangerous without many layers of scanning and protection. One of the most common types of WordPress hack is called the File Inclusion Exploit.
With this trick, hackers use vulnerable code or upload options to load remote files that alter your website's security code and allow the hackers to gain remote access to the site itself. In other words, it opens backdoors so that hackers can make more extensive, harmful, and often well-hidden alterations to the detriment of your site and users.
4) Escalating a User Account to an Admin Account
WordPress touts its user privilege levels as one of the primary ways to ensure security on your site. Normal users who can make an account from any IP at any time are supposed to have very limited options in how they can interact with or influence your site.
As SQL injection has shown, however, even basic user permissions can give an informed WordPress hacker all the leeway they need to infiltrate and damage your website.
Just as file inclusion opens a backdoor to hackers, another common method is for hackers to simply let themselves into admin privileges by escalating their user account status.
First, they make a normal account on your site, then access your settings or hacked server to upgrade their privileges to an official admin. From there, they have the ability to access, edit, and embed to their heart's content, no matter what the next malicious goal might be.
5) Brute Force Login Hacks
Brute force attacks go hand-in-hand with DDoS tactics, as both involve hitting a single page or form submission over and over again in rapid succession. And a standard WordPress site will simply sit back and let it happen. The most common type of brute force attack on unsecured or poorly secured WordPress sites is brute-force password guessing.
When there is no limit on the number of times an IP address can attempt to log in, whether that limit is attempts-per-second or attempts-per-hour, a program can be implemented that guesses thousands of most-likely passwords within the span of a few minutes.
For hackers that have even a few clues as to the password of the account they're trying to hack, this can and will result in an eventual correct 'guess', giving them access to admin accounts, important client accounts, and all the privileges or information therein.
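The per-IP limit the paragraphs above describe, as an added Python example that is not from the article or from WordPress itself: a sliding-window limiter with a short and a long window, wired into a login handler so a locked-out client is refused before the password is even checked. The 5-per-minute and 20-per-hour thresholds are assumed values, and the clock is injectable so the windows can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter keyed by client IP. Two windows stand in for the
    article's attempts-per-second and attempts-per-hour limits; the thresholds
    are assumptions for the demo, not WordPress defaults."""

    def __init__(self, per_minute=5, per_hour=20, clock=time.monotonic):
        self.windows = ((60.0, per_minute), (3600.0, per_hour))
        self.clock = clock
        self.failures = defaultdict(deque)  # ip -> timestamps of failed logins

    def _prune(self, ip, now):
        """Drop timestamps older than the longest window so memory stays bounded."""
        q = self.failures[ip]
        longest = max(window for window, _ in self.windows)
        while q and now - q[0] >= longest:
            q.popleft()

    def is_blocked(self, ip):
        """True once the IP has hit either window's failure limit."""
        now = self.clock()
        self._prune(ip, now)
        q = self.failures[ip]
        for window, limit in self.windows:
            if sum(1 for t in q if now - t < window) >= limit:
                return True
        return False

    def record_failure(self, ip):
        self.failures[ip].append(self.clock())

    def reset(self, ip):
        """Call on a successful login so a legitimate user is not penalised later."""
        self.failures.pop(ip, None)


def attempt_login(limiter, ip, password_ok):
    """Where the limiter sits in a login handler; password_ok stands in for the
    real credential check and is only consulted when the IP is not blocked."""
    if limiter.is_blocked(ip):
        return "rate_limited"
    if password_ok:
        limiter.reset(ip)
        return "ok"
    limiter.record_failure(ip)
    return "invalid"
```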
6) Hacked-Host Backdoor Access
The final common WordPress hack we'll cover today is what happens when beginner website owners host with a server provider that is as careless with security as WordPress itself.
There are hundreds to thousands of hole-in-the-wall server hosting brands, many of which are a rack of servers in rented warehouse space or even the host's home garage. Of course, these servers are available at a fraction of the cost of a reputable provider like AWS or Azure. As you can expect, hackers have had little trouble invading these amateur-hosted servers to access every single website hosted within.
This is a form of backdoor hacking in which the hacker doesn't even try to break through the firewalls and defenses of the websites themselves, because, as sys-admins always say, physical access is total access. Once a hacker has control of a low-rent server hosting provider, they have access to everything those servers are hosting directly through the command line.
Don't Neglect Website Security
WordPress' open-source software and approachable platform have become highly popular with first-time website builders and experienced businesses alike, but WordPress core is just a website platform, not built with any kind of special protection.
Without the right security plugins and an experienced team to help you, your basic site will not become something suitable for modern business cyber security defense. The security admins who work on WordPress sites are aware of all of these common vulnerabilities and know how to close them for good.
Cyber Security Guidance
There are many common practices and behaviors that could be increasing your risk of cyber attack. If you need security peace of mind, the first step is to schedule a security and risk assessment to find out where you might have gaps in your defenses.
About Courtney Casey
In an industry dominated by men, Courtney Casey, Director of Marketing for Accent Computer Solutions, Inc., is making her mark on the world of information technology. Courtney has been immersed in the IT field most of her life and has been molded into the tech savvy expert she is today. She began working for Accent while earning her Bachelor's degree from California State University, Long Beach. Known in the Inland Empire as the "Tech Girl," Courtney is a regular columnist for the region's newspaper of record, The Press-Enterprise. Her columns address topical news trends, new technology products, and offer advice on how to embrace technology or avoid common IT pitfalls.