paint-brush
How WordPress Sites Get Hacked: 5 Common Vulnerabilities & How to Prevent Themby@jtruong
2,200 reads
2,200 reads

How WordPress Sites Get Hacked: 5 Common Vulnerabilities & How to Prevent Them

by Jessica TruongJuly 3rd, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

WordPress is a free and open source content platform where users can choose different themes based on the user’s preference. A popular platform means that there is a higher chance of attackers hacking these WordPress sites. To help you understand where the weak spots are, here are the five common WordPress hacks and vulnerabilities that could put a WordPress site in jeopardy. Common Wordpress Hacks: Brute Force Attacks, Cross-Site Scripting (XSS) Malicious Code, SQL Injection DDoS Attack and Sucuri Security plugin.

Company Mentioned

Mention Thumbnail
featured image - How WordPress Sites Get Hacked: 5 Common Vulnerabilities & How to Prevent Them
Jessica Truong HackerNoon profile picture

WordPress is a popular free and open source content platform where users can choose different themes based on the user’s preference. This is an “open-source content management system written in PHP and paired with a MySQL or MariaDB database” (Wikipedia). A popular platform means that there is a higher chance of attackers hacking these WordPress sites. To help you understand where the weak spots are, here are the five common WordPress hacks and vulnerabilities that could put  a WordPress site in jeopardy. 

Common Wordpress Hacks:

  1. Brute Force Attacks
  2. Cross-Site Scripting (XSS)
  3. Malicious Code
  4. SQL Injection
  5. DDoS Attack


1. Brute Force Attacks

Brute force attacks are the simplest attacks to gain access to a website by repeatedly entering username and passwords until the attacker is able to get in. A common way attackers use brute force attack in WordPress is “to hammer the wp-login.php file over and over until they get in or the server dies” (WordPress). 

Typically people use ‘admin’ as their username which makes it very easy for WordPress sites to get hacked. 

How to Prevent Brute Force Attacks?

  • Do not use ‘admin’ as your username - that would be the attacker’s first guess and how your WordPress site gets hacked quickly 
  • Implement a strong password that consist of numbers, upper and lower case characters, space bar, special characters and is long making it hard for a brute force attack to be successful 
  • Enable two factor authentication

2. Cross-Site Scripting (XSS)

Another common Wordpress hack is Cross-Site Scripting. Cross-site scripting is “a vulnerability that allows unauthorized JavaScript code to be executed on a website” (MalCare). A Wordpress XSS attack is typically carried out by exploiting a XSS vulnerability which typically exists on the Wordpress plugins. There are two methods that an XSS can be executed:

  • First, the malicious script is executed on the client-side browser and the 
  • Second is where the malicious scripts are stored and executed on server then served by the browser 

In either method, the hacker uses an XSS attack to steal or manipulate data which is how the Wordpress sites get hacked. As a result it affects the user’s experience on the Wordpress site. XSS attacks are common on WordPress Sites because of the plugins; they are extremely complex which means the higher possibility of security issues.

How to Prevent XSS?

To prevent an XSS attack from occurring, you should use data sanitization across the whole WordPress site to make sure that only the appropriate variables are inserted. 

3. Malicious Code

Malicious code can be injected into Wordpress via an infected theme, outdated plugin or script. Once the code has been injected it could cause mild to serious damages if not handled in a timely manner.   

How to Prevent Malicious Code?

The best way to prevent malicious code from being injected is to make sure that you only download WordPress themes and plugins from trusted sources. It is also important to check that the WordPress plugin is up to date as malware typically enters through infected themes and outdated plugins. 

4. SQL Injection

SQL injection is a “web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database” (PortSwigger). Performing an SQL injection attack would allow an attacker to view data from the database that they would not normally be able to retrieve. If the SQL query entered is successful, then the attacker has successfully hacked the WordPress site. The hacker can then manipulate the MySQL database and potentially gain admin access to your WordPress account to change the credentials. This is just one way how the WordPress sites get hacked via sql injection. 

How to Prevent an SQL injection attack? 

  • Use input validation to validate user submitted data 
  • Update and patch regularly - make sure that the WordPress themes and plugins are updated regularly to prevent any possibility to perform an sql injection attack 
  • Implement a firewall - this could add as an additional level of security against an SQL injection attack 
  • Limit access privilege to only those who need access to the WordPress site
  • Activate Sucuri Security plugin - it is popular and a free plugin that allows you to monitor who logs into your site and what kind of changes were made

5. DDoS Attack 

Our final Wordpress Hack is DDoS Attacks. Distributed denial of service is when a large volume of requests are made to a server which causes the server to be slow and ultimately crash. This kind of an attack is another easy way how WordPress sites get hacked causing reduced performances from the web. 

How to Prevent DDoS Attacks?

  • Activate Sucuri Security plugin because it is the website’s firewall; it “runs on a DNS level which means they can catch DDoS attacks before it can make a request to your website” (wpbeginner)
  • Make sure that your WordPress is up to date 
  • Check logs - you can see where the incoming traffic is coming from 

Final Thoughts on Wordpress Hacks and Vulnerabilities

As WordPress is a popular platform that people use to create their own websites, it is very important to make sure that you take all security measures to keep your site secure. These are the vulnerabilities explained here that show how WordPress sites get hacked. I am sure that there are more vulnerabilities that exist, however these are just some of the common ones that you should keep a lookout for and how to prevent them from occurring.