Top 10 WordPress Core Vulnerabilities Discovered Till Date

Having a website for your business has become the need of the hour. It allows you to scale your business globally and reach out to a larger audience base. WordPress is a popular platform which helps you achieve this. However, the larger the platform, the greater the risk. Today we will take a look at the top 10 core vulnerabilities which hackers can use to exploit your WordPress website.

Outdated Themes and Plugins:

WordPress gives you the opportunity to use different plugins and themes for your website. This helps your website function better and provides an enriching user experience. However, these same plugins that help you prosper can also be harbingers of misfortune if you do not keep them up to date. Plugins and themes are frequent sources of security vulnerabilities, and hackers actively target them. If you fall victim to such an attack you can lose control of your website. Hence it is very important to install the security updates that the developers roll out in order to keep your website safe and secure.

Brute Force Attacks:

Brute forcing is a type of attack where hackers try to gain access to your account by guessing usernames and passwords at a rate of hundreds of guesses per second. Although this may not be the most elegant way of breaking into an account, it is certainly the easiest. Such unauthorized login attempts are easy to execute because the default backend login page is easy to find by simply appending /wp-admin or /wp-login.php to the site address. Therefore it is extremely important to change the default login page settings for your website.
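One way to blunt the hundreds-of-guesses-per-second attack described above is to throttle failed logins. The following is an added example written for this article, not code from the article or from WordPress itself; it uses only standard WordPress hooks and transients, and the limit of 5 failures per 15 minutes is an illustrative value chosen here.

```php
<?php
// Added example (not from the original article): throttle repeated failed
// logins per client IP with standard WordPress hooks and transients. It can
// be dropped in as a mu-plugin. The limit of 5 failures per 15 minutes is an
// illustrative value chosen here, not a WordPress default.

define( 'WPSEC_MAX_FAILURES', 5 );
define( 'WPSEC_WINDOW_SECS', 15 * MINUTE_IN_SECONDS );

function wpsec_client_key() {
    // REMOTE_ADDR is used deliberately: trusting X-Forwarded-For without a
    // known reverse proxy would let a client choose its own counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wpsec_fail_' . md5( $ip );
}

// Count every rejected login. The window restarts on each failure, so a
// client that keeps hammering the form stays locked out.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wpsec_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPSEC_WINDOW_SECS );
} );

// Refuse logins from a client over the limit. Priority 40 runs after core's
// own authenticate filters (20 and 30), so even a correct password cannot
// override the lockout by returning a WP_User later in the chain.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $count = (int) get_transient( wpsec_client_key() );
    if ( $count >= WPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpsec_too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 40, 3 );

// Clear the counter on a successful login so legitimate users recover.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpsec_client_key() );
}, 10, 2 );
```

Pair this with strong passwords and two-factor authentication; throttling slows an attacker down but does not make a weak password safe.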

Outdated Core Software:

When building a website on WordPress you get the advantage that the platform provides regular updates, approximately every 3 months, to keep up with current security features. As a website owner, you need to take advantage of this and keep your website's core software up to date.

This is because if the previous version had any security vulnerabilities, it becomes easy for hackers to find out about them and then use them to target and attack websites that haven't yet updated to the latest version.

Bad User Role Practices:

When you build a website on WordPress, it gives you the ability to choose between 6 user roles to assign to users. The roles are as follows: Administrator, Editor, Author, Contributor and lastly Subscriber. The hierarchy is evident, and the most powerful role amongst these is that of the Administrator. Therefore this role should be assigned only to the owner of the website.

However, in many cases we see that website owners assign the Administrator role to each and every person using their website, or to a majority of the users. This lapse in judgement can cause havoc if the users start abusing their powers. They can add, modify or delete content on your website without your permission. They can also get access to the banking information and user details stored on your website for their own financial gain.

SQL Injection:

MySQL is a database management system which stores, organizes, and lets you view and modify the data you collect on your website. However, hackers can get access to this database by injecting their own SQL code into your website if you don't employ good security at your user input fields.

The easiest way to prevent this from happening is to prevent the use of special characters in user inputs, as this reduces the chance of malicious code working properly.
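The added example below is not from the article; it shows the same title search written the unsafe way and the hardened way using the WordPress database API ($wpdb), which binds user input as data instead of relying on filtering characters out. It assumes the search term arrives in a request parameter named q.

```php
<?php
// Added example (not from the original article): one post-title lookup
// written unsafely and safely with the WordPress $wpdb API.
// Assumption: $search comes straight from the request parameter "q".

global $wpdb;
$search = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';

// VULNERABLE: user input is concatenated into the SQL string, so a quote
// or comment sequence inside $search changes the structure of the query.
$unsafe_sql = "SELECT ID, post_title FROM {$wpdb->posts}
               WHERE post_status = 'publish' AND post_title LIKE '%{$search}%'";
// $rows = $wpdb->get_results( $unsafe_sql );   // never ship this form

// HARDENED: $wpdb->prepare() escapes each %s/%d argument and inserts it as
// a value, so input can never be read as SQL. esc_like() additionally keeps
// LIKE wildcards (% and _) typed by the user literal.
$pattern  = '%' . $wpdb->esc_like( $search ) . '%';
$safe_sql = $wpdb->prepare(
    "SELECT ID, post_title FROM {$wpdb->posts}
     WHERE post_status = %s AND post_title LIKE %s
     LIMIT %d",
    'publish',
    $pattern,
    20
);
$rows = $wpdb->get_results( $safe_sql );

// Escaping for output is a separate step and belongs at the point of display.
foreach ( $rows as $row ) {
    echo esc_html( $row->post_title ), "\n";
}
```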

Search Engine Optimization Spam:

Such attacks are similar to SQL injection; however, instead of targeting the database, they target the SEO of your website by filling your content with spam keywords. This will cause your website to fall down the search rankings or, in the worst case, get blacklisted by search engines.

To avoid this, assign user roles carefully as mentioned above. If you don't have the necessary coding knowledge, you can hire someone to remove the malware and sift through your content to remove the spam keywords from your high-ranking pages.

Phishing:

True to its name, this method of attack is akin to fishing in a large ocean in the hope that one fish will bite. Hackers usually make a replica of your website after gaining access to the original through malware, which gives them your source files and user data.

They then send mass emails to your users asking them to change their credentials, while redirecting them to a similar-looking but fake website. They collect the credentials thus obtained and use them for their own ulterior motives. To prevent this, employ good security practices so that attackers cannot get into your website in the first place. You should also warn your users not to fall for such scams.

Escalating User Privileges:

If a hacker gains access to a user's account, they cannot do much further unless they have higher privileges. However, in such cases they can try to escalate the privileges of the account they control by exploiting security vulnerabilities in the plugins and themes installed on your website. You can prevent this by granting privileges only to the users who need them and by updating your plugins in a timely manner.
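The plugin vulnerabilities that allow this kind of escalation are very often an admin-ajax handler that forgets to check who is calling it. The added example below is not from the article; it contrasts such a handler with a hardened one. The action names, the option name myplugin_settings and the settings fields are hypothetical.

```php
<?php
// Added example (not from the original article): a plugin-style admin-ajax
// handler that saves a setting. The first version trusts any logged-in
// user; the second checks a nonce and a capability, so a low-privilege
// account cannot use it to change administrator-only settings.
// The action names, option name and fields are hypothetical.

// VULNERABLE: wp_ajax_* hooks fire for *any* logged-in user, Subscribers
// included. Nothing here checks who the caller is or what they send.
add_action( 'wp_ajax_myplugin_save_settings_unsafe', function () {
    update_option( 'myplugin_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
} );

// HARDENED: confirm the request came from our own form (anti-CSRF nonce),
// confirm the caller holds an administrative capability, and validate the
// payload against an allow-list instead of storing it blindly.
add_action( 'wp_ajax_myplugin_save_settings', function () {
    check_ajax_referer( 'myplugin_save_settings', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $input   = (array) wp_unslash( $_POST['settings'] ?? array() );
    $allowed = array( 'subscriber', 'contributor' ); // roles this feature may assign
    $role    = $input['default_role'] ?? '';
    $clean   = array(
        'default_role' => in_array( $role, $allowed, true ) ? $role : 'subscriber',
        'notify_admin' => ! empty( $input['notify_admin'] ),
    );

    update_option( 'myplugin_settings', $clean );
    wp_send_json_success( $clean );
} );
```

The nonce is generated on the settings page with wp_create_nonce( 'myplugin_save_settings' ) and sent as the nonce field of the request.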

Cross Site Scripting:

In this method, hackers inject your website with malicious code that redirects your website's users to scam URLs. This can cause unnecessary popups or redirects which users may click on, leading to data theft or infection of your users' devices with malware. Therefore it is important to keep your core software, plugins and themes updated in order to receive the latest security fixes.
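Updates close known holes, but the underlying defect in most WordPress XSS bugs is output that is not escaped for the context it lands in. The added example below is not from the article; it shows a raw echo beside the WordPress escaping functions for each context. It assumes the values come from request parameters named name and next.

```php
<?php
// Added example (not from the original article): rendering user-supplied
// values in a WordPress template. Assumes $_GET['name'] and $_GET['next']
// arrive via a link the visitor may have been sent.

$name = isset( $_GET['name'] ) ? wp_unslash( $_GET['name'] ) : 'guest';
$next = isset( $_GET['next'] ) ? wp_unslash( $_GET['next'] ) : home_url( '/' );

// VULNERABLE: raw input echoed into HTML. A crafted link can inject markup
// or script that runs in every visitor's browser under your site's origin.
// echo '<p>Hello, ' . $name . '</p>';

// HARDENED: escape for the exact context the value lands in.
echo '<p>Hello, ' . esc_html( $name ) . '</p>';               // HTML text
echo '<input type="text" value="' . esc_attr( $name ) . '">'; // attribute
echo '<a href="' . esc_url( $next ) . '">Continue</a>';       // URL: non-allow-listed
                                                              // schemes are dropped

// When stored content legitimately needs some HTML (comments, post bodies),
// allow-list it with wp_kses_post() rather than trusting it: disallowed tags
// such as <script> are removed, and only safe post markup survives.
$comment_html = '<b>Nice post</b><script>doSomething()</script>'; // constructed sample
echo wp_kses_post( $comment_html ); // prints <b>Nice post</b> plus the bare text doSomething()
```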

Supply Chain Attacks:

In this type of attack, the malware is injected into your website via the software vendor. Either the plugin developers themselves put malicious code in their plugins to begin with, or the plugins were sold to hackers who modified them for their own gain. Either way, unknowingly installing such plugins or themes can spell doom for your website. Therefore it is always recommended that you only install plugins from reputed sources and vendors, and that you always check the reviews left by other users.

We hope that you were able to gain some useful information from this article and that you follow the necessary steps to help secure your website from these vulnerabilities.
