Wordpress Security Vulnerabilities Explained

There are a number of commonly exploited and potential WordPress vulnerabilities including:

• SQL Injection (SQLI) – Occurs when SQL queries and statements can be entered and executed from a site’s URL
• Cross-site Scripting (XSS) – A hacker can inject code into a site, typically through an input field
• File Upload – A file with malicious code is uploaded to a server without restriction
• Cross-Site Request Forgery (CSRF) – Code or strings are entered and executed from a site’s URL
• Brute Force – Constantly trying to log in by guessing the admin’s account username and password
• Denial of Service (DoS) – When a site goes down due to a steady stream of traffic coming from a hackbot
• Distributed Denial of Service (DDoS) – Similar to a DoS attack, except the hackbot is sending traffic from multiple sources such as infected computers or routers
• Open Redirect – Occurs due to a vulnerability and it’s a site’s page that’s redirected to a different one that’s set by a hacker and is often spam or a phishing site
• Phishing (Identity Theft) – A site or page created by a hacker that looks like a well-known, commonly trusted site, but is used to collect login credentials by tricking a user to input their details
• Malware – A malicious script or program with a purpose to infect a site or system
• Local File Inclusion (LFI) – An attacker is able to control what file is executed at a scheduled time that was set up by the CMS or web app
• Authentication Bypass – A security hole that enables a hacker to circumvent the login form and gain access to the site
• Full Path Disclosure (FPD) – When the path to a site’s webroot is exposed such as when the directory listing, errors or warnings are visible
• User Enumeration – Being able to determine a valid username to later use for brute force attacks by adding a string to the end of a WordPress site’s URL to request a user ID which may return an author’s profile with the valid username
• XML External Entity (XXE) – An XML input that references an external entity and is processed poorly by improperly set up XML parser and can lead to confidential information disclosure
• Security Bypass – Similar to authentication bypass, except that a hacker can circumvent the current security system that’s in place to gain access to some part of a site
• Remote Code Execution (RCE) – A hacker has the ability to execute arbitrary code on a machine or site from a different machine or site
• Remote File Inclusion (RFI) – Exploiting a reference to an external script on a site in order to exploit it to upload malware and all from an entirely different computer or site
• Server Side Request Forgery (SSRF) – When a hacker can take control of a server either partially or totally to force it to execute requests remotely
• Directory Traversal – Cases where HTTP can be exploited to access a site’s directories and execute commands outside of the server’s root directory

There are are also other ways a site could be vulnerable including human error such as using passwords that are easy to guess as well as insecure or unreliable hosting.

According to Wordfence as well as a report by WP WhiteSecurity, XSS, SQLI and File upload vulnerabilities are the most commonly exploited security issues. Improperly coded plugins are also the largest culprit and accounts for 54% of these attacks, followed by the WordPress core and themes, respectively.