The Three Most Common WordPress Attacks & How To Prevent Them

Wednesday, August 26, 2020

We all know we have to be safe online, but do you actually know how?

Online security is vital these days. More and more our lives are being spent in the digital realm. But too often people leave their safety in the hands of companies they don’t know much about, or they are not doing anything to protect themselves at all.

This point is applicable to most people online, but it is even more important if you have or run a website. Whether a hobby site or an online business, there are several reasons you have to have tight security. It’s not just about protecting yourself, there is a moral and potentially legal obligation to protect the visitors and customers that visit your webpages.

In general, WordPress is a well protected platform. It is regularly analysed by a qualified security team of experts and any issues are updated quickly. The community of WordPress is also extremely competent and will point out any issues they find that needs rectifying as well. This combination means WordPress is a great platform to run a site on for online security. However, this does not mean you can put your feet up at all. Websites on WordPress are still vulnerable to attack and you need to be vigilant of potential threats.

In this article we’ll cover the three most common WordPress attacks and how to prevent them. So to find out how to keep your website safer, read on below.

Authentication Broken

This type of attack happens if there are weaknesses in identity and session controls and the way they are implemented. Session management and authentication control are linked closely, meaning authentication relies heavily on session management for strength.

This vulnerability means that malicious attackers can potentially access keys, passwords, and tokens. This is serious and can result in identity theft, social security fraud, and the sharing of private data.

If you would like to improve your defences against an attack like this, consider using multi-factor authentication on your site. Alongside this, explore the option of replacing the credentials that are given to you as default when you created your WordPress website. A further option should be checks to make sure users, and admins in particular, aren’t using weak passwords.

Injection Flaws

This is the biggest weakness that is commonly attacked by hackers.  An injection flaw occurs when your website asks people to provide information through a vulnerable corridor. These are most typically contact and login forms. Malicious code can be injected into your site through these entry points if you don’t protect yourself properly.

If the information you have requested is not ‘validated’ then your site can be open to this form of attack. The most common coding language used is SQL, but also NoSQL, IS, and LDAP injections can cause a website trouble.

If you fall prey to this type of attack, there is the potential for access denial, corruption and loss of data, public sharing of data, as well as loss of control. To protect against these attacks, commands should be divided from queries on your website.

XSS Attacks (Cross-Site Scripting)

This type of attack has a few bits in common with an injection attack, like we discussed in the last point. XSS attacks also happen at entry corridors and input fields such as contact forms. This type of attack occurs when applications find XSS on your website. This leaves you vulnerable to malicious data being inserted into your website, either onto a new page that doesn’t have solid validation processes, or onto a new page via data submitted by a user.

Attackers are able to implement code on a particular victim's browser through cross-site scripting. If this is successful, data can be stolen or malware activated. To counter this, there are two options. You should begin by making sure pages are independent of each other, this means that if one page makes a network request, it's not able to gain access to another page’s data. Secondly, a site needs to be able to determine what code is malicious and what is normal user input.


Sometimes it can seem a bit overwhelming with the amount of information out there about keeping your website safe. It can be all too easy to pretend like it will never happen to you, which would be a big mistake. By following some simple steps from well respected experts, you can save yourself a lot of time, effort, and resources in the future.