WordPress security issues

WordPress is the world’s most popular content management system. As its developers like to point out, over 40% of all websites are built on WordPress. However, this popularity has its downside: such a huge number of potential targets inevitably attracts malicious actors. For this very reason, cybersecurity researchers carefully investigate WordPress and regularly report various problems with this CMS.

As a result, it’s not uncommon to hear that WordPress is full of security issues. But all this attention has a positive side to it: most of the threats and the methods to combat them are well known, making it easier to keep your WordPress site safe. That’s what we’ll be discussing in this article.

1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)

In all the lists of WordPress security issues available on the internet, it’s things like XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) keep popping up. These attacks, alongside various others, are made possible due to vulnerabilities in either the WordPress core software, its plugins or themes.

It’s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. For example, for the whole of 2022, a mere 23 vulnerabilities were discovered in the WordPress core software — which is 1.3% of the total 1779 vulnerabilities found in WordPress that year. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion’s share of vulnerabilities were found in plugins: 1659 — making up 93.25% of the total.

It’s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they’re just found most frequently where they’re most actively sought — in the most popular software.

How to improve security:

• Always update the WordPress core promptly. Though vulnerabilities are not found as often here, they are exploited more intensively, so leaving them unpatched is risky.
• Remember to update themes — especially plugins. As mentioned, plugins are responsible for the vast majority of known vulnerabilities in the WordPress ecosystem.
• Avoid installing unnecessary WordPress plugins — those that your site doesn’t need to operate. This will significantly reduce the number of potential vulnerabilities on your WordPress site.
• Promptly deactivate or entirely remove plugins you no longer need.

2. Weak passwords and lack of two-factor authentication

The second major security issue with WordPress is the hacking of sites using simple password guessing (brute-forcing) or compromised usernames and passwords (credential stuffing) from ready-made databases, which are collected as a result of leaks from some third-party services.

If an account with high privileges is compromised, attackers can gain control of your WordPress site and use it for their own purposes: stealing data, discreetly adding to your texts links to the resources they promote (SEO spam), installing malware (including web skimmers), using your site to host phishing pages, and so on.

How to improve security:

• Ensure strong passwords for all users of your WordPress site. To achieve this, it’s good to apply a password policy — a list of rules that passwords must satisfy. There are plugins available that let you implement password policies on your WordPress site.
• Limit the number of login attempts — again, there are plenty of plugins for this purpose.
• Enable two-factor authentication using one-time codes from an app. And again, there are WordPress plugins for this.
• To prevent your WordPress users from having to remember long and complex passwords, encourage them to install a password manager. By the way, our [KPM placeholder]Kaspersky Password Manager[/placeholder] also lets you use one-time codes for two-factor authentication.

3. Poor control over users and permissions

This issue is connected to the previous one: often, owners of WordPress sites don’t manage the permissions of their WordPress users carefully enough. This significantly increases risk if a user account gets hacked.

We’ve already discussed the potential consequences of an account with high access rights being compromised — including those access rights issued mistakenly or “for growth”: SEO spam injection into your content, unauthorized data access, installing malware, creating phishing pages, and so on.

How to improve security:

• Be extremely careful when assigning permissions to users. Apply the principle of least privilege — grant users only the access rights they absolutely need for their tasks.
• Regularly review your list of WordPress users, and remove any accounts that are no longer necessary.
• Move users to less privileged categories if they no longer need elevated permissions.
• Of course, the advice from point 2 also applies here: use strong passwords and enable two-factor authentication.

4. Malicious plugins

Aside from plugins that are “just” vulnerable, there are also outright malicious ones. For example, not long ago, researchers discovered a WordPress plugin masquerading as a page-caching plugin but which was actually a full-fledged backdoor. Its main function was to create illegal administrator accounts and gain complete control over infected sites.

Earlier this year, researchers found another malicious WordPress plugin, which was originally legitimate but had been abandoned by developers over a decade ago. Some bleeding hearts picked it up and turned it into a backdoor — allowing them to gain control over thousands of WordPress sites.

How to improve security:

• Avoid installing unnecessary WordPress plugins. Only install the ones truly essential for your site’s operation.
• Before installing a plugin, read its user reviews carefully — if a plugin does something suspicious, chances are someone’s already noticed it.
• Deactivate or remove plugins you no longer use.
• There are plugins that scan WordPress sites for malware. However, keep in mind they can’t be completely trusted: many of the latest instances of WordPress malware can deceive them.
• If your WordPress site is behaving strangely and you suspect it’s infected, consider contacting specialists for a security audit.

5. Unrestricted XML-RPC Protocol

Another vulnerability specific to WordPress is the XML-RPC protocol. It’s designed for communication between WordPress and third-party programs. However, back in 2015, WordPress introduced support for the REST API, which is now more commonly used for application interaction. Despite this, XML-RPC is still enabled by default in WordPress.

The problem is that XML-RPC can be used by attackers for two types of attacks on your site. The first type is brute-force attacks aimed at guessing passwords for your WordPress user accounts. With XML-RPC, attackers can combine multiple login attempts into a single request, simplifying and speeding up the hacking process. Secondly, the XML-RPC protocol can be used to orchestrate DDoS attacks on your WordPress website through so-called pingbacks.

How to improve security:

• If you don’t plan on using XML-RPC in the near future, it’s best to disable it on your WordPress site. There are several ways to do this. If you need this functionality later, it’s not difficult to re-enable it.
• If you intend to use XML-RPC, it’s advisable to configure its restrictions, which can be done using WordPress plugins.
• Also, to protect against brute-force attacks, you can follow the advice from point 2 of this article: use strong passwords, enable two-factor authentication, and use a password manager. By the way, this is included in the license of our product designed for protecting small businesses — Kaspersky Small Office Security.