View Categories

The 5 Most Common WordPress Attacks (And How to Prevent Them)

  • Aug 18, 2020
  • 0
  • by A2 CMS Team

Cybersecurity is a perennial hot topic, more so today than ever before. As a WordPress site owner, it is highly important to go big on security and do your best to protect your site against any form of attack now or in the future.

WordPress is inherently a highly-secure platform. The security team is made up of a number of experts who work hard to deal with security concerns at every new update. However, no site is totally safe, which means there are still vulnerabilities you’re liable to experience.

In this article, we’ll consider five of the most common WordPress security threats and how to prevent them using the best practices. Let’s go!

How We’ve Chosen the Most Common WordPress Attacks

For the purpose of this article, we’ll be basing our advice on the Open Web Application Security Project (OWASP) ranking. Since 2001, OWASP has been an integral part of the promotion of security and trustworthiness online. They are a nonprofit foundation that works hard to improve software integrity on the internet.

The project sets a clear goal of comprehensive data collection and achieves it by leveraging the OWASP Azure Cloud Infrastructure to collect, analyze, and store data contributed. In essence, volunteers can simply contribute data by sending a CSV/Excel file by email or uploading it to a contribution folder.

OWASP uses this data collection and analysis system to compile a list of the Top Ten security risks sites encounter regularly. With about 275 local chapters worldwide, the project has grown a reputation for helping organizations to develop and maintain trustworthy software applications.

The 5 Most Common WordPress Attacks (And How to Prevent Them)

If your WordPress site’s security is a priority, this list will help you to know the attacks to look out for and how to prevent them. Let’s begin!

1. Injection Flaws

The most prominent vulnerability you’re likely to encounter on your WordPress site is a code injection flaw. You mostly experience an injection when your site lets users enter data through a vulnerable entry point, such as a contact or login form.

When the data entered is not ‘validated’, you can be susceptible to this attack. SQL injections are the most common but other types such as NoSQL, OS, and LDAP injections may also be an issue.

Injection flaws often lead to access denial, data loss and corruption, disclosure to unauthorized parties, and even total host takeover.

The best approach to prevent injection involves separating commands from queries on your site. WordPress developers can use certain SQL controls such as LIMIT to prevent this. Site owners can also take advantage of security plugins (such as Malcare) to keep their websites protected.

2. Broken Authentication

Broken authentication occurs when there’s a vulnerability in the implementation of identity and session controls. The strength of a site’s authentication control is highly dependent on session management.

If this is not implemented properly, hackers can compromise your keys, passwords, and session tokens. In most cases, you may end up suffering identity theft, social security fraud, and disclosure of highly sensitive information.

If you want to minimize the risk of broken authentication, you should implement multi-factor authentication on your site. What’s more, look to replace the default credentials you’re given when creating a new WordPress site. Weak password checks should also not be an option, especially for admin users.

3. Cross-Site Scripting (XSS) Attacks

Very similar to injection attacks, XSS attacks occur at entry points into site – such as user input fields. These attacks happen when automated applications detect any form of XSS on your site. It can be exploited to sneak untrusted data into a new page that lacks proper validation or an existing one through user-inputted data.

Cross-site scripting lets the attacker execute code remotely within the victim’s browser. This way, they can either steal their credentials or deliver malware. You can prevent an XSS attack by making use of two strategies.

The first strategy is to ensure that network requests generated from one page doesn’t gain access to data on another. Likewise, your website must be able to differentiate between regular input and malicious code. Frameworks such as React JS escape this attack by design.

Generally, preventing XSS attacks starts with good development practices. For a site owner, choosing a strong, secure theme is vital.

4. Sensitive Data Exposure

Sensitive data exposure can be considered a data breach. When sensitive data is being transferred or stored on your site, you must put adequate measures in place to ensure that hackers can’t lay their hands on it. Otherwise, if exposed, attackers can steal passwords, credit card details, session tokens, and much more besides.

Apart from putting your own sensitive data at risk, your site visitors can also be victims. This is why you must do your best to keep data secure on your site.

In a bid to escape this type of attack, it is important that you never store data in plain text or accept data sent over non-HTTPS connections. For site owners, a suitable SSL certificate can help you encrypt the most sensitive data across networks.

5. XML External Entities (XXE)

This type of attack arises due to old or poorly managed eXtensible Markup Language (XML) processors. These evaluate references to external entities within XML documents. In the process, an attacker can exploit an incorrectly configured XML parser that accepts XML directly or through XML upload. In other words, they can now access any XML input that makes references to external entities.

XXE can be used to execute a Denial of Service (DOS) attack, extract your data, or even implement a remote request from your server as well. Developer expertise goes a long way in identifying and dealing with XML external entities.

To prevent this attack as an end user, you’ll want to keep your core WordPress installation up to date. XXE concerns are usually at a fundamental code level, and are patched during version updates of core software.


While the core WordPress software is continually updated to mitigate major security threats, plugins and themes can be a major source of concern for users – especially if they’re poorly coded. In essence, the more attention you pay to your site’s security, the less the probability of having to deal with these issues.

In this post, we’ve looked at five of the most common WordPress attacks today. Let’s recap them quickly:

  1. Injection flaws
  2. Broken authentication
  3. Cross-site scripting (XSS) attacks
  4. Sensitive data exposure (SSL Certificates can help avoid this)
  5. XML external entities (XXE)

Featured Image Credit: iStock.