Quick Takeaways:
- WordPress powered sites are under constant attack by hackers,
- The 4 major ways WordPress gets hacked,
- Some of the most critical attacks from 2007 to present times,
- Leverage these 12 tips to make your WordPress installation more secure.
WordPress powers 25%+ of the Internet. It’s an amazing Content Management System leveraged by some of the biggest brands on the Internet. Indeed, content managed in WordPress tends to perform quite well in Google.
However, there’s a dark side to WordPress. Managing it can be daunting. In particular, maintaining WordPress security can be a real challenge. After all, WordPress is complex software. When installed in its default mode, WordPress has vulnerabilities that create risk to the website owner.
Top 4 Vulnerabilities
According to WPScans, these are the top 4 ways WordPress websites get hacked:
- 29% Vulnerable themes
- 22% Vulnerable plugins
- 8% Weak passwords
- 41% Service provider (hosting) vulnerabilities
It’s important to note that WordPress itself is deeply committed to maintaining a robust and secure platform for managing site content. Here is their security strategy in a nutshell. The WordPress core is pretty secure.
Yet the reality is that WordPress can only control its code. The 5,000+ themes, 50,000+ plugins, passwords, and hosting vulnerabilities are all outside of what the WordPress development team can address. It’s up to the website owner to be careful and certain they have deployed WordPress in a secure manner.
Examples of attacks on WordPress-powered sites demonstrate why implementing active security on WordPress is a must.
2007
A potential backdoor was discovered in WordPress version 2.1.1. The backdoor gave hackers access to the entire platform. By mid-2007 WordPress was up to version 2.7 which featured the introduction of “one-click” updates to the WordPress core. In spite of this addition, 46% of WordPress sites are running old versions of WordPress.
2009
This was a watershed year for WordPress security at its core. A series of blistering attacks took advantage of user-security loopholes to allow users the ability to modify elements within WordPress they shouldn’t have had access to. By the end of 2009 WordPress realized they needed to adopt a more proactive security stance.
2011 to 2014
These years were a time when an image resizing utility outside of the WordPress core was found to create a significant backdoor that let attackers load and execute arbitrary code on a server. It wasn’t incorporated by WordPress itself. Instead it was a component shipped with many popular WordPress designs during this period. In fact this impacted competing content management systems as well.
What’s important to understand about this episode is that once an attack vector is found, hackers will feast on it for a long, long time… particularly as they know website owners are terrible at keeping their site’s systems up-to-date.
2017
There was a massive brute-force attack against WordPress sites. It peaked at more than 14.1 million attacks per hour and targeted more than 190,000 WordPress sites per hour. The goal of the attack was to overwhelm sites and cause them to break or grant access to user accounts via weak passwords.
2018
WordPress was attacked by a “botnet” of over 20,000 infected WordPress websites worldwide. Over 30 days, this botnet attempted more than 5 million malicious WordPress login attempts against websites powered by WordPress. The attack originated in Russia and took advantage of easy-to-hack WordPress sites that were running older versions of WordPress and/or that had weak passwords protecting WordPress user accounts.
The attack targets a WordPress interface called XML-RPC. This WordPress technology has an innocent enough purpose: it lets authorized 3rd party applications post content directly to WordPress. For example, it is what allows technologies like JetPack to connect with WordPress. (JetPack is a plugin that adds extra features and capabilities to WordPress.)
CAUTION: WordPress, by default, is installed with XML-RPC enabled.
As of version 4.4, WordPress shipped security changes to how XML-RPC works to try to defeat malicious attacks. However, the hackers involved in this latest attack are sophisticated enough to have figured out how to bypass the security included by default in more current releases of WordPress. (They submit one request at a time and wait… defeating the protection, which looks for a flood of requests.)
While this method of attack is slow, the level of sophisticated automation and the sheer volume of the attack are making it effective.
If you run WordPress what can you do to protect against this and other ongoing hacking attempts?
SiteforLess has managed WordPress sites for Financial Services, Non-profits, and small businesses since 2010. In that time we’ve learned quite a few tricks along the way to keep client sites secure and safe from hacking. (We even encrypt form data at the field level in real-time when it is saved to the WordPress database.) Hopefully, this is a helpful checklist in creating and maintaining a secure WordPress implementation.
- Protect your website starting at the DNS layer. Blocking hackers before they make it to your server is a great way to start. A service such as CloudFlare offers this protection. Note this is only a beginning to a solid security strategy. (We’ve worked with CloudFlare since it was a simple HoneyPot. We also recommend CloudFlare’s RailGun which retails for $200/mo.)
- Make sure your website hosting solution offers protection of the servers and make sure they are constantly updating core server files with security patches. (Some hosts limit how often they update their servers. We recommend working with a solution that updates their core in 4-hour intervals.)
- Block XML-RPC. Simply turn it off. Avoid technologies that require it. (We disable XML-RPC to ensure this threat vector isn’t available to hackers.)
- Block global IPs that have zero business accessing your website. If you serve a local market, why do you need traffic from Brazil, Russia, India, China, and all of the other hacking hotspots from around the globe? Blocking the traffic will significantly cut down on attacks. (We proactively block traffic from the entire world except for the U.S., Canada, Australia, and the U.K. This proactive protection has reduced the volume of hacking attempts against our cloud by more than 80%.)
- Pay attention to login attempts. If someone is trying to access your installation of WordPress with a user like “admin” they mean you harm. Be sure you block those offending IP addresses. (We’ve built our system to scan for login threats and immediately block offending IP addresses.)
- Be sure you have a web application firewall (WAF) that protects your WordPress installation. This is different than the normal security plugins that are talked about for WordPress. (A solid WAF runs without calling WordPress PHP core files. There are more than 200 threat vectors for WordPress. Be sure you leverage a WAF that covers these and that actively defends against local file inclusions, code execution, uploads, SQL injections, bots and scanners, PHP injection, privilege escalation, and other threats.)
- Run a security plugin like iThemes Security Pro to further protect your WordPress installation. (We include iThemes Security Pro and handle all of the configurations to maximize the protection it offers.)
- Scan your website for malware frequently. (Most services don’t include malware detection by default. iThemes Security Pro integrates a simple malware scanner in those situations.)
- Keep WordPress, Plugins, and Themes updated. As of the writing of this article, WordPress is up to version 5.0. If you are running an old version of WordPress your site is at significant risk to compromise. (Look for a managed WordPress partner that will work directly with developers when incompatibilities occur as a result of updates that can interfere with WordPress and plugins running optimally.)
- Ensure SSL is running on your WordPress website and that your logins are always processed via a secure connection. (Look for a Managed WordPress host that offers SSL for $0.)
- Require complex passwords for all users. (Ensure your WordPress is set to do this by default.)
- Require 2-factor authentication for all user logins. (2-factor authentication can be done via cell phone, email, or pre-generated authentication codes. It is effectively a secondary password that is constantly changing.)
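The one-request-at-a-time XML-RPC attack described above slips past flood detection, and the "pay attention to login attempts" tip is about the same traffic. The following Python script is an added example (not SiteforLess's code or tooling) that shows the defender's counterpart: counting POSTs to the credential endpoints per source IP over a long window rather than looking for a burst, then labelling each flagged source as slow or burst. It assumes Apache combined log format; the sample log lines, the 24-hour window and the threshold of three attempts are constructed, illustrative values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Credential-accepting endpoints; password guessing lands on one of these.
AUTH_PATHS = ("/xmlrpc.php", "/wp-login.php")
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

# Constructed sample in Apache combined format (not real traffic): one source
# posts to xmlrpc.php every 30 minutes, one bursts at wp-login.php, one is benign.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2019:00:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2019:00:00:20 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:00:30:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2019:00:41:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2019:01:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jan/2019:01:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "curl/7.58"
192.0.2.44 - - [10/Jan/2019:01:02:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "curl/7.58"
192.0.2.44 - - [10/Jan/2019:01:02:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4201 "-" "curl/7.58"
203.0.113.7 - - [10/Jan/2019:01:30:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
"""

def parse_auth_posts(log_text):
    """Map each client IP to the sorted timestamps of its POSTs to AUTH_PATHS."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["method"] == "POST" and m["path"].split("?", 1)[0] in AUTH_PATHS:
            events[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return {ip: sorted(ts) for ip, ts in events.items()}

def suspicious_sources(log_text, window=timedelta(hours=24), threshold=3):
    """Flag IPs with >= threshold credential POSTs inside any span of length `window`.

    A long window is what catches one-request-at-a-time guessing; the largest
    gap between requests labels the pattern "slow" or "burst" for the analyst.
    """
    flagged = {}
    for ip, times in parse_auth_posts(log_text).items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
                flagged[ip] = {"attempts": len(times),
                               "pattern": "burst" if max(gaps, default=0) < 60 else "slow"}
                break
    return flagged
```

Feed it a real access log and the flagged IPs are candidates for the blocking the tips above describe; a short window (the flood detector's view) misses the slow source entirely.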
If you have further questions or find WordPress security overwhelming and would prefer to let someone else worry about threats and protecting your brand online, please click Get Started to let us help.