![](\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/11\/30130533\/wordpress-security-issues-featured.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Alanna Titterington| Date: Thu, 30 Nov 2023 18:16:25 +0000<\/strong><\/p>\n WordPress is the world’s most popular content management system. As its developers like to point out, over 40% of all websites are built on WordPress<\/a>. However, this popularity has its downside: such a huge number of potential targets inevitably attracts malicious actors. For this very reason, cybersecurity researchers carefully investigate WordPress and regularly report various problems with this CMS.<\/p>\n As a result, it’s not uncommon to hear that WordPress is full of security issues. But all this attention has a positive side to it: most of the threats and the methods to combat them are well known, making it easier to keep your WordPress site safe. That’s what we’ll be discussing in this article.<\/p>\n In all the lists of WordPress security issues available on the internet, it’s things like XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) keep popping up. These attacks, alongside various others, are made possible due to vulnerabilities in either the WordPress core software, its plugins or themes.<\/p>\n It’s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. For example, for the whole of 2022, a mere 23 vulnerabilities were discovered<\/a> in the WordPress core software \u2014 which is 1.3% of the total 1779 vulnerabilities found in WordPress that year. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion’s share of vulnerabilities were found in plugins: 1659 \u2014 making up 93.25% of the total.<\/p>\n It’s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they’re just found most frequently where they’re most actively sought \u2014 in the most popular software.<\/p>\n How to improve security:<\/strong><\/p>\n The second major security issue with WordPress is the hacking of sites using simple password guessing (brute-forcing) or compromised usernames and passwords (credential stuffing) from ready-made databases, which are collected as a result of leaks from some third-party services.<\/p>\n If an account with high privileges is compromised, attackers can gain control of your WordPress site and use it for their own purposes: stealing data, discreetly adding to your texts links to the resources they promote (SEO spam), installing malware (including web skimmers<\/a>), using your site to host phishing pages<\/a>, and so on.<\/p>\n How to improve security:<\/strong><\/p>\n This issue is connected to the previous one: often, owners of WordPress sites don’t manage the permissions of their WordPress users carefully enough. This significantly increases risk if a user account gets hacked.<\/p>\n We’ve already discussed the potential consequences of an account with high access rights being compromised \u2014 including those access rights issued mistakenly or “for growth”: SEO spam injection into your content, unauthorized data access, installing malware, creating phishing pages, and so on.<\/p>\n How to improve security:<\/strong><\/p>\n Aside from plugins that are “just” vulnerable, there are also outright malicious ones. For example, not long ago, researchers discovered<\/a> a WordPress plugin masquerading as a page-caching plugin but which was actually a full-fledged backdoor. Its main function was to create illegal administrator accounts and gain complete control over infected sites.<\/p>\n Earlier this year, researchers found<\/a> another malicious WordPress plugin, which was originally legitimate but had been abandoned by developers over a decade ago. Some bleeding hearts picked it up and turned it into a backdoor \u2014 allowing them to gain control over thousands of WordPress sites.<\/p>\n How to improve security:<\/strong><\/p>\n Another vulnerability specific to WordPress is the XML-RPC protocol. It’s designed for communication between WordPress and third-party programs. However, back in 2015, WordPress introduced support for the REST API, which is now more commonly used for application interaction. Despite this, XML-RPC is still enabled by default in WordPress.<\/p>\n The problem is that XML-RPC can be used by attackers for two types of attacks on your site. The first type is brute-force attacks aimed at guessing passwords for your WordPress user accounts. With XML-RPC, attackers can combine multiple login attempts into a single request, simplifying and speeding up the hacking process. Secondly, the XML-RPC protocol can be used to orchestrate DDoS attacks on your WordPress website through so-called pingbacks<\/a>.<\/p>\n How to improve security:<\/strong><\/p>\n1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)<\/h2>\n
\n
2. Weak passwords and lack of two-factor authentication<\/h2>\n
\n
3. Poor control over users and permissions<\/h2>\n
\n
4. Malicious plugins<\/h2>\n
\n
5. Unrestricted XML-RPC Protocol<\/h2>\n
\n