Commonly exploited WordPress vulnerability classes include:
- SQL Injection (SQLi) – Untrusted input (a URL parameter, form field, cookie or header) is concatenated into a database query instead of being bound as a parameter, so an attacker can change what the query does, for example read password hashes from the wp_users table
- Cross-site Scripting (XSS) – An attacker gets script into a page that other users' browsers will run, typically by submitting input (a comment, a search term, a settings value) that the site later outputs without escaping; stored XSS persists in the database, reflected XSS rides in on a crafted URL
- File Upload – A file with executable content (typically a PHP web shell) is uploaded through a form that does not restrict file type, extension or destination, then requested directly so the server runs it
- Cross-Site Request Forgery (CSRF) – A logged-in user is lured to an attacker's page whose form or script makes the user's browser send a state-changing request to the site (change a setting, create an administrator); the site accepts it because the session cookie is attached automatically. WordPress's defence is the nonce checked by check_admin_referer() and check_ajax_referer()
- Brute Force – Repeatedly submitting guessed usernames and passwords to wp-login.php or the XML-RPC interface until a pair works
- Denial of Service (DoS) – A site is made unavailable by a stream of traffic or expensive requests from a single source
- Distributed Denial of Service (DDoS) – The same, but the traffic comes from many sources at once, such as a botnet of infected computers or routers, which makes it far harder to block by IP address
- Open Redirect – A page redirects to a URL taken from a request parameter without checking that it stays on the site, so a link that visibly points at the trusted domain can land the visitor on an attacker's spam or phishing site
- Phishing (Identity Theft) – A site or page created by an attacker that looks like a well-known, trusted site but exists to collect login credentials from users tricked into entering them
- Malware – A malicious script or program whose purpose is to infect a site or system
- Local File Inclusion (LFI) – A script builds the path it includes or reads from user input, so an attacker can point it at other files on the server, such as wp-config.php for the database credentials, or at a file they uploaded earlier to get code execution
- Authentication Bypass – A flaw that lets an attacker get past the login form and gain access to the site without valid credentials
- Full Path Disclosure (FPD) – The filesystem path to the site's web root is exposed, for example through directory listings or visible PHP errors and warnings; on its own it is low severity, but it makes LFI and traversal attacks easier
- User Enumeration – Confirming which usernames exist so they can be fed to a brute-force attack. On WordPress, requesting /?author=1, /?author=2 and so on redirects to /author/<username>/ for every valid user ID; the REST API endpoint /wp-json/wp/v2/users and login error messages that differ for valid and invalid usernames can leak the same information
- XML External Entity (XXE) – Attacker-supplied XML (for example an XML-RPC request) references an external entity, and a parser configured to resolve such entities can be made to read local files or make requests on the attacker's behalf, leading to disclosure of confidential information
- Security Bypass – Similar to authentication bypass, except that the attacker circumvents some other control that is in place (a capability check, a nonce, an IP restriction) to reach part of a site they should not
- Remote Code Execution (RCE) – The attacker can execute arbitrary code on the server from a different machine, usually the end result of a file upload, LFI/RFI or deserialization flaw
- Remote File Inclusion (RFI) – A script includes a URL taken from user input, so the attacker hosts malicious PHP on their own server and the target fetches and runs it; it requires PHP's allow_url_include, which is off by default
- Server Side Request Forgery (SSRF) – The attacker makes the server issue requests to URLs of their choosing, reaching internal services and cloud metadata endpoints that are not exposed to the Internet; WordPress's XML-RPC pingback, which fetches a URL supplied in the request, is a well-known example
- Directory Traversal – A path parameter accepts ../ sequences, so a request can read (or write) files outside the directory the script was meant to work in, such as wp-config.php or /etc/passwd
Sites are also exposed through human error, such as easily guessed passwords, and through insecure or unreliable hosting.
According to Wordfence, as well as a report by WP WhiteSecurity, XSS, SQLi and file-upload vulnerabilities are the most commonly exploited issues. Insecurely coded plugins are the largest single source, accounting for 54% of these attacks, followed by WordPress core and themes, respectively.
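The three classes the report names as most exploited (SQLi, XSS, file upload), plus CSRF, open redirect and author enumeration, shown as a vulnerable plugin handler next to its hardened form. This is an added example written for this page, not code from the article, from Wordfence, or from any real plugin; the demo_ function names, the wp_demo_notes table, the demo_delete and demo_upload nonce actions and the id, q, next and f request parameters are hypothetical, while the WordPress functions called ($wpdb->prepare, esc_html, check_ajax_referer, wp_safe_redirect, wp_handle_upload) are the real APIs. The _vulnerable functions are deliberately broken and exist only for comparison.

```php
<?php
// Added example for this page: hypothetical "demo" plugin code, not from the article.

// ---- SQL injection -------------------------------------------------------
// Vulnerable: the id parameter is concatenated into the query, so
// ?id=1 UNION SELECT user_pass FROM wp_users changes what the query returns.
function demo_get_note_vulnerable() {
    global $wpdb;
    $sql = "SELECT content FROM {$wpdb->prefix}demo_notes WHERE id = " . $_GET['id'];
    return $wpdb->get_var( $sql );
}
// Hardened: $wpdb->prepare() binds the value; %d additionally forces an integer.
function demo_get_note_safe() {
    global $wpdb;
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT content FROM {$wpdb->prefix}demo_notes WHERE id = %d", $id )
    );
}

// ---- Reflected XSS -------------------------------------------------------
// Vulnerable: the q parameter is echoed straight into the page.
function demo_search_box_vulnerable() {
    return '<p>Results for: ' . $_GET['q'] . '</p>';
}
// Hardened: sanitize on input, escape for the HTML context on output.
function demo_search_box_safe() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $q ) . '</p>';
}

// ---- CSRF and missing authorization on an AJAX handler -------------------
// Vulnerable: any page an administrator visits can trigger this action.
function demo_ajax_delete_vulnerable() {
    delete_option( 'demo_setting' );
    wp_send_json_success();
}
// Hardened: verify the nonce (CSRF) and the capability (authorization).
function demo_ajax_delete_safe() {
    check_ajax_referer( 'demo_delete', 'nonce' ); // dies on a missing or bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    delete_option( 'demo_setting' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_delete', 'demo_ajax_delete_safe' );

// ---- Open redirect -------------------------------------------------------
// Vulnerable: ?next=https://evil.example/ sends the visitor off-site.
function demo_redirect_vulnerable() {
    wp_redirect( $_GET['next'] );
    exit;
}
// Hardened: wp_safe_redirect() only allows local URLs (and hosts added via the
// allowed_redirect_hosts filter) and otherwise falls back to the admin URL.
function demo_redirect_safe() {
    $next = isset( $_GET['next'] ) ? esc_url_raw( wp_unslash( $_GET['next'] ) ) : home_url( '/' );
    wp_safe_redirect( $next );
    exit;
}

// ---- Unrestricted file upload --------------------------------------------
// Vulnerable: saves whatever was sent, so shell.php lands under the web root.
function demo_upload_vulnerable() {
    move_uploaded_file( $_FILES['f']['tmp_name'], WP_CONTENT_DIR . '/uploads/' . $_FILES['f']['name'] );
}
// Hardened: require the capability and nonce, then let wp_handle_upload()
// check the extension/MIME type against WordPress's allow-list.
function demo_upload_safe() {
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'forbidden', 403 );
    }
    check_admin_referer( 'demo_upload', 'nonce' );
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $_FILES['f'], array( 'test_form' => false ) );
    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ) );
    }
    return $result['file']; // absolute path inside wp-content/uploads
}

// ---- User enumeration via ?author=N --------------------------------------
// Core redirects /?author=1 to /author/<login>/. This returns 404 for
// anonymous requests so a scanner cannot harvest logins that way.
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
} );
```

The pattern in every hardened pair is the same: validate or bind input at the trust boundary (absint, prepare, esc_url_raw, the upload allow-list), prove the request's origin and the user's authority before changing state (nonce plus current_user_can), and escape at output. The enumeration guard only closes the ?author= route; the REST users endpoint and login error messages need their own handling.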