WordPress: Plugging Security Holes

Blog / Rob Hyndman / December 5, 2019

Securing your site is a critical and often overlooked component of working with WordPress. ‘Website Hack Trend Report 2018’ [1] by security company Sucuri reported that:

  • 20 severe WordPress vulnerabilities were found throughout 2018,
  • 68% of all attacks left behind a PHP backdoor,
  • On average 292 files were affected per infected site,
  • Malware infections increased by 9% to 56.4% since 2017.

Don’t turn your WordPress site into just another statistic! Read on to discover several security holes that could be present in your site, learn how they may be affecting you, and follow some simple instructions on how to plug them.

Fig.1 – Usage of CMS for websites [2].
Fig.2 – Market share for top 3 CMS [3].

The vast majority of websites are using WordPress [3], so it follows that such a big player will be targeted by those seeking to reap rewards for as little work as possible. If your website is not secured it is only a matter of time before your site is the target of an attack, indiscriminate or otherwise.

Outcomes of Poor Security

Poor security can lead to a host of problems, many of which you may never notice unless you dig a little deeper. One of the common goals of a security breach is the injection of malicious code into various PHP files on your server. The code is always heavily obfuscated, and it will be extremely difficult to determine its exact purpose. There are several possible outcomes that are likely in these situations, and they are rarely isolated.

Fig.3 – An example of injected obfuscated code.


There are varying degrees of defacement, and all have a negative impact. A defacement could range from the addition of text or inappropriate images to a home page to the complete replacement of your site with another. These defacements could be:

  • Political statements meant to share a message,
  • Meant to drive away customers from a site,
  • Fake versions of your site intended for the phishing of user data,
  • Signatures left by a hacker or hacker group such as ‘Hacked by 1337haxxor’.

Mail Server Hijacking

Some malicious code will not visibly affect your site at all, but instead hijack your email server to send out spam emails. The severity of the consequences of this may vary, but it is likely that your email domain will end up blacklisted which will prevent emails from being received by your users.

Phishing and Data Leaks

Some breaches are concerned with accessing user data. Any identifiable information about a user may be valuable to a hacker, especially when these data points are linked in some way like being stored within a user account. A credit card number alone is dangerous, but if the breached data also contains a name and residential address then the severity of the data breach increases dramatically.

What does this mean for me?

Breaches of personal information for you and your clients is a severe problem, but it doesn’t end there. Consider the following:

  • Loss of reputation and revenue, and how that can impact the success of business,
  • Dissemination of malicious code will most likely end with your site being blacklisted by Google [4],
  • Ransomware may find you purchasing your site back from an unscrupulous hacker.

Security Weak Points

Most PHP applications will have some weak points and WordPress is no different. PHP files provide endpoints that can be taken advantage of, allowing hackers to use or gain access to your application in ways that were not intended. PHP file execution is, therefore, something that needs to be prohibited.

A service provided by WordPress known as ‘XML-RPC’ allows remote procedure calls to access your site via the internet in order to publish blog posts and the like. The unfortunate thing here is that this service is not secure, and cannot be disabled within the WordPress administration panel options.

The last security weak point is the site itself, or more specifically when the site is allowed to run neglected and is not up to date. An outdated WordPress core installation and outdated themes or plugins is a surefire way to let your site become vulnerable.

Ways to Strengthen Security

The situation is not without hope. There are a number of small changes that you can make to your site in order to provide a strong defence.

Update WordPress core, themes, and plugins

As WordPress is an open source application, anyone can access the source code to learn how it works and find ways to improve it. Unfortunately, this also means that hackers can study the code and find ways to exploit it. This is the primary reason why you should always update your WordPress installation to the latest versions as they become available. Over the last five years WordPress updates have included security fixes five times per year on average [5].

Fig.4 – WordPress versions in use [6].

A large data sample taken two weeks after WordPress version 5.2.1 was released in June 2019 shows that a significant number of websites are using outdated versions—35% of which are still using 4.x versions [6]. As new vulnerabilities are uncovered these out of date WordPress installations become much more susceptible to malicious attacks. By extension, the same logic also applies to any of your installed themes and plugins. Quite often these are also open source and have publicly accessible code repositories.

To ensure that your site is completely up to date, follow these short steps:

  1. Log in to your site’s administration panel,
  2. Navigate to Dashboard > Updates,
  3. Follow any prompts on this page to update everything as needed.

Install a security plugin

Install a comprehensive security plugin such as Sucuri Security or Wordfence Security. Plugins such as these allow for a wide range of security additions, such as a Web Application Firewall, malware scanner, and limiting login attempts. It is worth some extra research to see which option suits you best as the options offered vary between free or paid for each plugin.

Please keep in mind that while having a security plugin is a step in the right direction, just having the plugin will not be enough to ensure the safety of your site. You will most likely need to configure the plugin to work with your specific site setup, and there will be instructions relating to this configuration step available from the developer who created the plugin that you decide to use.

Enforce strong usernames and passwords

The easiest way for a hacker to gain access to your site is through your own login credentials. Ensure that your login credentials are not kept as defaults, nor should you use password phrases such as ‘admin’, ‘mysite’, or ‘password’. This applies to all of your credentials related to your site, such as user logins, hosting services and databases, as well as the names of your databases.

The best password is at least 16 characters long and comprised of random characters. Online tools such as LastPass or 1Password can help you create strong passwords, and manage them for you in one easy location.

Perhaps the most important rule to follow is to never reuse a password. It is far more inconvenient for a hacker than it is for you if your passwords are all different.

Tighten login security

Protect your site by limiting the number of unsuccessful login attempts and adding CAPTCHA to your login forms. Install a plugin such as WP Limit Login Attempts (login limiting) or Limit Login Attempts (login limiting, CAPTCHA). Configure the plugin to lock a user out for around 30 minutes to 2 hours after 3 unsuccessful login attempts.

Disable file editing and execution

If your WordPress installation allows file editing, the WordPress administrator panel provides a code editor that allows anyone with access the ability to freely edit the code of your site without restriction.

Prevent the editing of core files on your server by adding the following line to your wp-config file within your WordPress installation.

// wp-config.php

// Disallow file editing
define('DISALLOW_FILE_EDIT', true);

If you have had any code injected into your site that has created a backdoor, the hacker no longer needs to hack your site to gain access—they’ve already given themselves full access to bypass your security entirely.

One way in which they do this is to provide themselves with an endpoint they can connect to and transmit new data and/or instructions to your site. Once this endpoint exists, the hacker merely needs to navigate to your site using the backdoor that they created, for example mywebsite.com/backdoor.php, and provide additional instructions. An example of this (admittedly a very simplistic example) could look like the following:

// backdoor.php?hack=send_virus

// Bypass site security by executing this PHP file
$hack = $_GET['hack'];
if($hack == ‘send_virus’) {
} else if($hack == ‘steal_credit_cards’) {

To prevent the execution of PHP files on your server in this way, you can add the following entry to your .htaccess files on your server.

# .htaccess

# Block php file execution
<Files *.php>
  Deny from all

Disable directory indexing and browsing

Prevent anyone from browsing your server file directories by adding the following entry to your .htaccess file on your server.

# .htaccess

# Disable directory indexing
Options -Indexes

Restrict services, eg XML-RPC

As mentioned earlier, XML-RPC is a service provided by WordPress that allows remote access to your site. You can disable this service with either of the following methods.

Disable with a WordPress plugin

Add the following snippet to any plugin on your site, or create a new plugin for this purpose.

// plugin.php

// Disable XML-RPC
add_filter('xmlrpc_enabled', '__return_false');

Edit .htaccess file

Prevent anyone from accessing the file by adding the following entry to your .htaccess file on your server.

# .htaccess

# Block XML-RPC requests
<Files xmlrpc.php>
  Order deny, allow
  Deny from all
  Allow from # Change to your IP Address

Disconnect idle connections

There is one other way that attackers can gain access to your site that is unlike the PHP endpoints discussed earlier. The connection from your computer to your server is another potential access point for the enterprising hacker, and if left idle it could be hijacked. Protect your site by disconnecting idle connections using a plugin such as Idle User Logout or Inactive Logout. Configure the plugin to automatically log a user out after around 5 minutes of inactivity.


Securing your site is the most important thing that you can do to ensure that you have a successful online presence with WordPress. Not only do you shield yourself and your viewers from harmful malware and phishing, but you ensure that your site remains highly respected and reputable.

With a relatively small amount of initial effort and some regular ongoing maintenance, you will be able to ensure that your site is well protected.

As security is an ongoing effort, it’s important to keep informed of any new developments with WordPress security, and there are plenty of online resources available to you. To get you headed down the right path, here are just a few of the many great resources around:


  1. Sucuri 2019, Website Hack Trend Report 2018, retrieved 3 December 2019, https://sucuri.net/reports/2018-hacked-website-report
  2. W3 Techs 2019, Historical yearly trends in the usage of content management systems for websites, retrieved 3 December 2019, https://w3techs.com/technologies/history_overview/content_management/all/y
  3. W3 Techs 2019, Market share yearly trends for content management systems for websites, retrieved 3 December 2019, https://w3techs.com/technologies/history_overview/content_management/ms/y
  4. Sucuri 2019, What is a Google Blacklist?, retrieved 23 September 2019, https://sucuri.net/guides/what-is-google-blacklist
  5. WordPress 2019, Releases Category Archive, retrieved 23 September 2019, https://wordpress.org/news/category/releases
  6. HackerTarget 2019, Analysis of Top 100K WordPress Sites, retrieved 23 September 2019, https://hackertarget.com/100k-top-wordpress-powered-sites

Header image courtesy of Unsplash
Fig.3 image courtesy of makeawebsitehub.com.