WordPress, the popular open-source Content Management System (CMS), is used by 60% of all websites. However, because it is open-source and can be endlessly customized and optimized, it can be vulnerable to security flaws. According to the Common Vulnerability Score, 8 out of 10 WordPress sites have a medium or high security risk. There are methods to help prevent security attacks, but the key is to first understand the most common security threats to your WordPress sites and then learn how to keep them at bay! This blog provides you with an overview of the most common WordPress security attacks.
Common WordPress Security Attacks
Security Attack #1: Brute-force
Brute-force: In this attack, bad actors attempt to guess login information by using automated password generators.
Basic defense: Use strong passwords. For recommendations about how to generate strong passwords, see our Knowledge Base article.
Security Attack #2: Cross-Site Scripting (XSS)
This is a hacking technique where malicious code from user input is injected into web pages and then viewed by site visitors. XSS attacks can potentially extract sensitive information, affect website functionality, and more.
Basic defense: Wherever a web site receives user input, the input should be filtered as strictly as possible based on the expected or valid input.
Security Attack #3: SQL injection
In this type of attack, malicious SQL statements are injected via unsanitized user input. SQL injection attacks can be used to tamper with data, extract sensitive information, and more.
Basic defense: Scan your site for SQL injection vulnerabilities using online website scanning tools like Sucuri SiteCheck.
Security Attack #4: Backdoor
A backdoor is malicious code that contains a hidden way to bypass the login or authentication process of a website.
Basic defense: Make sure your server has antivirus and firewall protection and is kept up to date. Also make sure you keep WordPress itself and any associated plugins updated with the latest security patches.
Security Attack #5: Denial-of-Service (DoS) attacks
This type of attack renders a website inaccessible or unavailable to its users. For example, a Distributed Denial-of-Service (DDoS) attack sends traffic from multiple sources to a website, overwhelming its network connection.
Basic defense: Using a well-established Content Delivery Network (CDN) such as Cloudflare can help mitigate or even prevent these types of attacks.
Security Attack #6: Phishing
Attackers use the phishing technique to impersonate a legitimate company, typically via email, in order to obtain personal information directly from the target. The attacker then uses the information to hack the site or commit fraud.
Basic defense: Spam filters can detect and prevent most malicious emails from reaching users’ inboxes.
Security Attack #7: Hotlinking
This is a technique where a website links directly to the targeted website’s assets, such as video or image files, in order to increase SEO ranking or to feature media without using their own server resources or bandwidth. For example, if website B hotlinks to website A’s featured image, and website B receives a lot of traffic on the page with the image, website A’s server resources are depleted, potentially affecting website A’s performance.
Basic defense: Use a plugin or Content Delivery Network (CDN) such as Cloudflare to help protect your media files. Conclusion
Now that you understand the various types of security threats to be aware of, consider the following root causes of why your WordPress site may be vulnerable to security breaches:
Your WordPress site is out of date and requires an update to the most recent version.
You have unused or outdated themes or plugins installed on your site, which cause compatibility issues and open up security holes.
Your WordPress site admin login page is still set to the default /wp-admin, making it vulnerable to brute-force attacks.
Give your site a thorough security audit, if you want to improve the security of your WordPress sites.