WordPress is by far the most popular content management system worldwide, powering over 40 percent of all websites on the internet. This enormous prevalence makes WordPress a preferred target for cybercriminals. In our penetration tests, we regularly find critical vulnerabilities in WordPress installations -- even in organizations that believe their website is well secured. In this article, we reveal the most common vulnerabilities and how you can effectively protect your WordPress website.
Why WordPress Is a Popular Attack Target
WordPress's popularity is both a blessing and a curse. On one hand, users benefit from a vast ecosystem of themes and plugins, an active community, and regular updates. On the other hand, this very prevalence makes WordPress a lucrative target: a single working exploit can potentially affect millions of websites. Automated attack bots continuously scan the internet for vulnerable WordPress installations, and the open-source nature of the system allows attackers to analyze the source code for vulnerabilities.
The Most Common Vulnerabilities from Our Penetration Tests
1. Outdated Core Version, Plugins, and Themes
This is by far the most common issue we identify in WordPress pentests. Outdated software contains known vulnerabilities for which publicly available exploits often exist. Third-party plugins are particularly critical, as they are frequently maintained less rigorously than the WordPress core. In a typical WordPress installation, we find an average of three to five plugins with known, unpatched security vulnerabilities.
2. Weak Authentication
Simple usernames like "admin" combined with weak passwords remain widespread. Without rate limiting or account lockout mechanisms, attackers can execute brute force attacks on the WordPress login page. The default login URL /wp-admin is universally known and automatically targeted by attack bots. The lack of two-factor authentication implementation further exacerbates the problem.
3. XML-RPC Abuse
The XML-RPC interface (xmlrpc.php) is enabled in many WordPress installations even though it is not needed for most use cases. This interface can be abused for amplified brute force attacks, DDoS amplification attacks, and SSRF (Server-Side Request Forgery) attacks. The system.multicall method in particular allows attackers to bundle hundreds of password attempts in a single HTTP request.
4. Missing Security Headers
In nearly every WordPress pentest, important HTTP security headers are missing, including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security. These headers provide an additional layer of protection against Cross-Site Scripting (XSS), clickjacking, and other client-side attacks and can be implemented with minimal effort.
5. Information Disclosure
WordPress reveals numerous pieces of information by default that help attackers prepare targeted attacks. These include the WordPress version in the HTML source code, a list of installed plugins and their versions, user enumeration via the REST API, the WordPress core readme.html, and detailed PHP error messages in production. Each of these pieces of information helps an attacker refine their attack.
Concrete Protective Measures
Basic Hardening
- Regular Updates: Enable automatic updates for the WordPress core and implement a process for timely plugin and theme updates.
- Strong Authentication: Enforce complex passwords, implement 2FA, limit login attempts, and consider renaming the login URL.
- Minimal Plugin Usage: Completely uninstall unnecessary plugins. Each additional plugin increases the attack surface.
- File Permissions: Ensure file permissions are correctly set: 644 for files, 755 for directories, and wp-config.php should be 400 or 440.
Advanced Measures
- Web Application Firewall (WAF): A WAF filters malicious traffic and blocks known attack patterns before they reach WordPress.
- Content Security Policy: Implement a strict CSP to prevent XSS attacks and other injection attacks.
- Change Database Prefix: The default prefix wp_ makes SQL injection attacks easier. Use a custom prefix.
- Restrict REST API: Limit access to the WordPress REST API to authenticated users to prevent user enumeration.
- Monitoring and Logging: Implement security monitoring that detects suspicious activities such as unusual login attempts, file changes, and plugin installations.
Conclusion
WordPress can be operated securely -- if the right measures are taken. A professional penetration test uncovers the specific vulnerabilities of your installation and provides clear recommendations for action. SecTepe conducts specialized WordPress pentests that include both automated and manual testing, giving you a detailed picture of your security posture. Invest in the security of your WordPress website before an attacker does.