Skip to main content

Wordpress Security Vulnerabilities Explained

Brenton Johnson
Updated

There are a number of commonly exploited and potential WordPress vulnerabilities including:

  • SQL Injection (SQLI) – Occurs when SQL queries and statements can be entered and executed from a site’s URL
  • Cross-site Scripting (XSS) – A hacker can inject code into a site, typically through an input field
  • File Upload – A file with malicious code is uploaded to a server without restriction
  • Cross-Site Request Forgery (CSRF) – Code or strings are entered and executed from a site’s URL
  • Brute Force – Constantly trying to log in by guessing the admin’s account username and password
  • Denial of Service (DoS) – When a site goes down due to a steady stream of traffic coming from a hackbot
  • Distributed Denial of Service (DDoS) – Similar to a DoS attack, except the hackbot is sending traffic from multiple sources such as infected computers or routers
  • Open Redirect – Occurs due to a vulnerability and it’s a site’s page that’s redirected to a different one that’s set by a hacker and is often spam or a phishing site
  • Phishing (Identity Theft) – A site or page created by a hacker that looks like a well-known, commonly trusted site, but is used to collect login credentials by tricking a user to input their details
  • Malware – A malicious script or program with a purpose to infect a site or system
  • Local File Inclusion (LFI) – An attacker is able to control what file is executed at a scheduled time that was set up by the CMS or web app
  • Authentication Bypass – A security hole that enables a hacker to circumvent the login form and gain access to the site
  • Full Path Disclosure (FPD) – When the path to a site’s webroot is exposed such as when the directory listing, errors or warnings are visible
  • User Enumeration – Being able to determine a valid username to later use for brute force attacks by adding a string to the end of a WordPress site’s URL to request a user ID which may return an author’s profile with the valid username
  • XML External Entity (XXE) – An XML input that references an external entity and is processed poorly by improperly set up XML parser and can lead to confidential information disclosure
  • Security Bypass – Similar to authentication bypass, except that a hacker can circumvent the current security system that’s in place to gain access to some part of a site
  • Remote Code Execution (RCE) – A hacker has the ability to execute arbitrary code on a machine or site from a different machine or site
  • Remote File Inclusion (RFI) – Exploiting a reference to an external script on a site in order to exploit it to upload malware and all from an entirely different computer or site
  • Server Side Request Forgery (SSRF) – When a hacker can take control of a server either partially or totally to force it to execute requests remotely
  • Directory Traversal – Cases where HTTP can be exploited to access a site’s directories and execute commands outside of the server’s root directory

 

There are are also other ways a site could be vulnerable including human error such as using passwords that are easy to guess as well as insecure or unreliable hosting.

According to Wordfence as well as a report by WP WhiteSecurity, XSS, SQLI and File upload vulnerabilities are the most commonly exploited security issues. Improperly coded plugins are also the largest culprit and accounts for 54% of these attacks, followed by the WordPress core and themes, respectively.

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk