How WordPress Sites Get Hacked: 5 Common Vulnerabilities & How to Prevent Them

Written by jtruong | Published 2021/07/03
Tech Story Tags: wordpress-security | web-vulnerabilities | blogging-fellowship | wordpress-security-plugin | cyber-security-awareness | cybersecurity | wordpress-plugin | hackernoon-top-story

TLDR WordPress is a free and open source content platform where users can choose different themes based on the user’s preference. A popular platform means that there is a higher chance of attackers hacking these WordPress sites. To help you understand where the weak spots are, here are the five common WordPress hacks and vulnerabilities that could put a WordPress site in jeopardy. Common Wordpress Hacks: Brute Force Attacks, Cross-Site Scripting (XSS) Malicious Code, SQL Injection DDoS Attack and Sucuri Security plugin.via the TL;DR App
WordPress is a popular free and open source content platform where users can choose different themes based on the user’s preference. This is an “open-source content management system written in PHP and paired with a MySQL or MariaDB database” (Wikipedia). A popular platform means that there is a higher chance of attackers hacking these WordPress sites. To help you understand where the weak spots are, here are the five common WordPress hacks and vulnerabilities that could put  a WordPress site in jeopardy. 

Common Wordpress Hacks:

  1. Brute Force Attacks
  2. Cross-Site Scripting (XSS)
  3. Malicious Code
  4. SQL Injection
  5. DDoS Attack

1. Brute Force Attacks

Brute force attacks are the simplest attacks to gain access to a website by repeatedly entering username and passwords until the attacker is able to get in. A common way attackers use brute force attack in WordPress is “to hammer the wp-login.php file over and over until they get in or the server dies” (WordPress). 
Typically people use ‘admin’ as their username which makes it very easy for WordPress sites to get hacked. 
How to Prevent Brute Force Attacks?
  • Do not use ‘admin’ as your username - that would be the attacker’s first guess and how your WordPress site gets hacked quickly 
  • Implement a strong password that consist of numbers, upper and lower case characters, space bar, special characters and is long making it hard for a brute force attack to be successful 
  • Enable two factor authentication

2. Cross-Site Scripting (XSS)

Another common Wordpress hack is Cross-Site Scripting. Cross-site scripting is “a vulnerability that allows unauthorized JavaScript code to be executed on a website” (MalCare). A Wordpress XSS attack is typically carried out by exploiting a XSS vulnerability which typically exists on the Wordpress plugins. There are two methods that an XSS can be executed:
  • First, the malicious script is executed on the client-side browser and the 
  • Second is where the malicious scripts are stored and executed on server then served by the browser 
In either method, the hacker uses an XSS attack to steal or manipulate data which is how the Wordpress sites get hacked. As a result it affects the user’s experience on the Wordpress site. XSS attacks are common on WordPress Sites because of the plugins; they are extremely complex which means the higher possibility of security issues.
How to Prevent XSS?
To prevent an XSS attack from occurring, you should use data sanitization across the whole WordPress site to make sure that only the appropriate variables are inserted. 

3. Malicious Code

Malicious code can be injected into Wordpress via an infected theme, outdated plugin or script. Once the code has been injected it could cause mild to serious damages if not handled in a timely manner.   
How to Prevent Malicious Code?
The best way to prevent malicious code from being injected is to make sure that you only download WordPress themes and plugins from trusted sources. It is also important to check that the WordPress plugin is up to date as malware typically enters through infected themes and outdated plugins. 

4. SQL Injection

SQL injection is a “web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database” (PortSwigger). Performing an SQL injection attack would allow an attacker to view data from the database that they would not normally be able to retrieve. If the SQL query entered is successful, then the attacker has successfully hacked the WordPress site. The hacker can then manipulate the MySQL database and potentially gain admin access to your WordPress account to change the credentials. This is just one way how the WordPress sites get hacked via sql injection. 
How to Prevent an SQL injection attack? 
  • Use input validation to validate user submitted data 
  • Update and patch regularly - make sure that the WordPress themes and plugins are updated regularly to prevent any possibility to perform an sql injection attack 
  • Implement a firewall - this could add as an additional level of security against an SQL injection attack 
  • Limit access privilege to only those who need access to the WordPress site
  • Activate Sucuri Security plugin - it is popular and a free plugin that allows you to monitor who logs into your site and what kind of changes were made

5. DDoS Attack 

Our final Wordpress Hack is DDoS Attacks. Distributed denial of service is when a large volume of requests are made to a server which causes the server to be slow and ultimately crash. This kind of an attack is another easy way how WordPress sites get hacked causing reduced performances from the web. 
How to Prevent DDoS Attacks?
  • Activate Sucuri Security plugin because it is the website’s firewall; it “runs on a DNS level which means they can catch DDoS attacks before it can make a request to your website” (wpbeginner)
  • Make sure that your WordPress is up to date 
  • Check logs - you can see where the incoming traffic is coming from 

Final Thoughts on Wordpress Hacks and Vulnerabilities

As WordPress is a popular platform that people use to create their own websites, it is very important to make sure that you take all security measures to keep your site secure. These are the vulnerabilities explained here that show how WordPress sites get hacked. I am sure that there are more vulnerabilities that exist, however these are just some of the common ones that you should keep a lookout for and how to prevent them from occurring. 
Written by jtruong | Interested in security? Follow along for content within Cybersecurity
Published by HackerNoon on 2021/07/03
ABOUTHow hackers start their afternoons. We publish tech stories and build publishing software.

READEntirely free library read by hundreds of millions to learn anything about any technology.

WRITEHackerNoon elevates quality technology writing far and wide across the interwebs.

PARTNERHackerNoon works directly with tech companies to place ads by content relevancy