It would be nice if WordPress sites weren’t vulnerable to hackers, and everything was safe and secure right out of the box. Unfortunately, that’s not the case with WordPress, or with any website.

But…fear not.

Most security issues aren’t caused by WordPress core vulnerabilities. Usually, somebody simply didn’t put basic preventative measures in place.

As you’ll see in this article, fixing vulnerabilities in WordPress is, for the most part, simple and easy to do. It just requires due diligence on your end and putting systems in place to ensure that hackers can’t access your site and make themselves at home.

Plus, with some plugins’ help, quite a few vulnerabilities are taken care of automatically—many of them with our security plugin, Defender. We’ll be recommending him and other plugins throughout this post.

This article will take a close look at:

With that being said, let’s look at why WordPress is vulnerable to hackers and also seven common WordPress security vulnerabilities — and how to fix them.

Why WordPress is Vulnerable

It’s worth repeating that it’s not just WordPress sites that are vulnerable to hackers. All websites are.

WordPress is by far the most popular website builder, and that popularity alone makes WordPress sites a frequent target of malicious attacks from hackers and bots: there are simply so many of them.

It’s also easier for hackers to locate WordPress vulnerabilities. And, well, that leads to frequent WordPress security issues.

The good news is WordPress doesn’t have to be vulnerable.

More often than not, a WordPress site is vulnerable because its admins neglect simple tasks (e.g. keeping WordPress up to date and using strong passwords). When those precautions are in place, your site’s chances of staying safe are much better.

You can do other things, such as having good hosting, removing outdated plugins, and more. We’ll get into all of the essentials in a moment.

And when it comes to the core software itself, WordPress’s own experts have you covered.

WordPress’s security team is made up of over 50 professionals. And to ensure issues are handled well, the team sometimes collaborates with other security pros to address problems in common dependencies.

In a nutshell, the sites that aren’t updated, well maintained, and don’t have security precautions implemented are the most vulnerable ones.

So, let’s take a look at the most common WordPress security vulnerabilities and how to fix them if these measures are not already implemented on your site.

Seven Common WordPress Security Vulnerabilities and Fixes

There are some common threads when it comes to WordPress vulnerabilities. We’ll take a look at seven of the most common and see how to fix each issue as easily as possible.

1. Outdated Plugins or Theme

WordPress offers various plugins and themes to suit your needs, as you’re probably well aware. It’s great to have all of the options available; however, each extension can be a hacker’s potential entryway.

Your site becomes vulnerable when a plugin or theme is outdated or not updated.

A plugin or theme becomes outdated either because the developer abandoned it or because the admin didn’t install the available updates.

It’s vital to keep your plugins and theme updated. An outdated plugin or theme is exposed to security flaws, largely because nobody is monitoring it and vulnerabilities go undetected and unpatched.

Plus, don’t download outdated plugins or themes to begin with. You can see what to look out for here.

The Fix

You can easily update plugins and themes from the WordPress admin panel. The Updates screen shows how many updates are available.

The update area in WordPress admin.
In this case, there is one update available.

You can update your WordPress version, plugins, and themes from here manually. Plus, WordPress’s auto-update feature can automatically update core, plugins, and themes, so you don’t even have to think about it.

Also, if you’re a WPMU DEV member, our very own answer to updating, Automate, will handle updating for you automatically.

Automate updates WordPress, themes, and plugins for all of your sites — all from The Hub. Check out Automate in action and how he makes updating simple in this article.

2. Your WordPress Isn’t Upgraded to the Latest Version

Wait — are you STILL using version 4.3? That’s a problem…

WordPress has core updates to fix bugs and increase security. If you’re using an outdated version, you’re inviting unwelcome vulnerabilities. Having the latest version of WordPress alone can prevent a lot of problems.

However, not everyone does it. In the latest look at what WordPress version users have, only 27.1% are using 5.6 — the most recent version at the time of this writing.

Pie graph of WordPress versions being used.
As you can see, 27.1% are using 5.6. That means the majority of users are using an outdated version. (Source: WordPress.org)

It can be easy to forget to update your WordPress site, especially if you’re not frequently using it or not paying attention.

The Fix

Luckily, it’s extremely easy to upgrade to the newest version of WordPress to ensure your site isn’t as open to WordPress core vulnerabilities.

Updating WordPress is in the same area as updating plugins and themes. You can do this directly from the admin panel under Update or with a plugin like Automate.

You can also set it to update your WordPress site automatically in this area, so you don’t need to worry about updating manually.
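As an added example (not code from the original post, nor from Automate), here is how the fixes in sections 1 and 2 can be put on autopilot with WordPress’s own auto-update hooks in a must-use plugin; the plugin slugs in the exclusion list are constructed placeholders.

```php
<?php
// Plugin Name: Auto-update policy (example). Save as wp-content/mu-plugins/auto-update-policy.php;
// files in mu-plugins load on every request and need no activation.

// Core: true installs major and minor releases automatically, 'minor' takes only
// security and maintenance releases. Usually declared in wp-config.php instead.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
	define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins to leave for manual, tested updates (constructed example slugs, not real plugins).
$example_manual_update_plugins = array( 'my-custom-checkout', 'legacy-bridge' );

// $item is the plugin's entry from the update feed; $item->slug is its directory name.
add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $example_manual_update_plugins ) {
	if ( isset( $item->slug ) && in_array( $item->slug, $example_manual_update_plugins, true ) ) {
		return false; // keep this one for a manual update after testing
	}
	return true;
}, 10, 2 );

// Themes: update everything automatically.
add_filter( 'auto_update_theme', '__return_true' );

// Record the outcome of each run so a failing update is noticed instead of
// silently retried forever. $results is keyed by type: core, plugin, theme, translation.
add_action( 'automatic_updates_complete', function ( $results ) {
	foreach ( $results as $type => $updates ) {
		foreach ( $updates as $update ) {
			$state = is_wp_error( $update->result )
				? 'FAILED: ' . $update->result->get_error_message()
				: 'done';
			error_log( sprintf( '[auto-update] %s "%s" %s', $type, $update->name, $state ) );
		}
	}
} );

// Automatic updates run from WP-Cron, which is only triggered by page loads unless
// DISABLE_WP_CRON is set and a system cron job calls wp-cron.php. A low-traffic site
// should set that up, or the policy above never actually runs.
```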

3. Poor Hosting Environment

Your hosting environment can play a role in your WordPress security. A good example is the PHP version your host provides. Older PHP versions stop receiving security support, which opens you up to vulnerabilities, so your PHP version needs to be kept up to date.

Like with outdated WordPress versions, many users aren’t using updated PHP.

Pie graph of what PHP version WordPress users are on.
As you can see, there are a lot of WordPress users using outdated PHP versions. (Source: WordPress.org)

You can check what PHP version your site uses from the WordPress dashboard.

Simply go to Tools > Site Health first.

If an update is recommended, Site Health says so under Recommended improvements. If your PHP is in good shape, it appears under Passed tests. Either way, it shows which version of PHP you’re running.

What version of PHP a WordPress site is running.
As you can see, this site is using 8.0.0.

If you host with us, you can check your PHP version by going to Hosting then the Overview area of The Hub.

Where to check your PHP version in The Hub.
This is running on 8.0. Here, you can also see what WordPress version you have, too.

From here, you can change what PHP Version you’re running to ensure it’s up to date.

PHP is just one aspect of having a good hosting environment. Good hosting companies should safely and automatically update your WordPress site so that you’re always running the latest software.

They’ll also update your PHP, offer free SSL certificates (more on this in a bit), back up your site, provide 24/7 support, and more.

The Fix

An awesome hosting environment. It’s as simple as that.

For example, our hosting offers all the security features that are essential for keeping your WordPress site safe. Find out more about everything we include with our hosting plans. Plus, you can compare our hosting with other companies in this article.

And for more information on keeping your PHP updated, check out this post.

4. Giving Users Unnecessary Privileges

Granting users certain roles can be risky, especially if those roles give access to passwords, payment gateways, or the ability to edit your WordPress site.

WordPress has six different user roles, each with its own set of permissions. They are:

  • Super Admin (Multisite networks only)
  • Administrator
  • Editor
  • Author
  • Contributor
  • Subscriber

You can assign roles and add new users in the Users area of the WordPress admin.

Out of all of these roles, administrators are the most important. They have unrestricted access to the whole website.

Unfortunately, some websites allow practically all of their users to have admin access.

If there’s one bad apple (and we’re not talking the MacBook type), that can wreak havoc. It gives them the ability to do things, like create ghost admin accounts and backdoors, so that they can regain access if you ever delete their account.

Plus, they can delete your information, link payment gateways to another account, and much more. If the wrong person gets control, practically any kind of damage to your WordPress site is possible.

The Fix

It’s usually best not to hand over administrator access unless it’s a key partner or an extremely trustworthy individual. Who needs full access will depend on your business, but whatever the case, it’s vital to give each person only the permissions their work requires.

If you run a business that allows users into your WordPress account or site, and they are let go or terminated, be sure to restrict their access or delete their accounts.

Suppose, by chance, you find you can’t get into your account, and your admin privileges were revoked. In that case, you may have to create a new admin account through your database using phpMyAdmin or by contacting your CMS administrator.

For example, here at WPMU DEV, we have 24/7 support and can help get you back into your site and fix the issue.

Situations will vary, so the fix may be anything from calling in a professional to clean up some bad code to simply deleting the troublemaker’s account as soon as the situation is noticed.

Whatever the case may be, it’s best to try to prevent it from the start by limiting admin access.
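Limiting admin access is easier to keep honest when you are told every time someone becomes an administrator. This added example (not from the original post, nor from Defender) is a must-use plugin that mails the site’s admin address on role grants and, once a day, compares the administrator list with a stored snapshot; the example_ function, hook and option names are this example’s own assumptions.

```php
<?php
// Plugin Name: Administrator audit (example). Save as wp-content/mu-plugins/admin-audit.php.
// Mails the admin address when an account gains the administrator role, and daily when the admin list grows.
// Map of user ID => login for every administrator.
function example_current_admins() {
	$out = array();
	foreach ( get_users( array( 'role' => 'administrator', 'fields' => array( 'ID', 'user_login' ) ) ) as $row ) {
		$out[ (int) $row->ID ] = $row->user_login;
	}
	return $out;
}

function example_notify_admin( $subject, $body ) {
	wp_mail( get_option( 'admin_email' ), '[' . home_url() . '] ' . $subject, $body );
}

// Fires from WP_User::set_role() and add_role(); add_user_role passes no $old_roles.
function example_on_role_change( $user_id, $role, $old_roles = array() ) {
	if ( 'administrator' !== $role ) {
		return;
	}
	$user  = get_userdata( $user_id );
	$actor = wp_get_current_user();
	example_notify_admin( 'Administrator role granted', sprintf(
		"%s (ID %d) is now an administrator.\nGranted by: %s\nPrevious roles: %s\n",
		$user ? $user->user_login : '(unknown)', $user_id,
		$actor->exists() ? $actor->user_login : '(no logged-in user: WP-CLI, cron or code)',
		$old_roles ? implode( ', ', $old_roles ) : 'none'
	) );
}
add_action( 'set_user_role', 'example_on_role_change', 10, 3 );
add_action( 'add_user_role', 'example_on_role_change', 10, 2 );

// Role hooks never fire for rows written straight into the database (the
// "ghost admin" case), so a daily snapshot comparison is the backstop.
function example_daily_admin_check() {
	$now   = example_current_admins();
	$known = get_option( 'example_known_admins', array() );
	$added = array_diff_key( $now, $known );
	if ( $known && $added ) { // no alert on the very first run, only a snapshot
		$lines = array_map( function ( $id, $login ) { return "$login (ID $id)"; }, array_keys( $added ), $added );
		example_notify_admin( 'Unexpected administrator accounts', "Not in the last snapshot:\n" . implode( "\n", $lines ) . "\n" );
	}
	update_option( 'example_known_admins', $now, false );
}
add_action( 'example_daily_admin_check', 'example_daily_admin_check' );
add_action( 'init', function () {
	wp_next_scheduled( 'example_daily_admin_check' ) || wp_schedule_event( time(), 'daily', 'example_daily_admin_check' );
} );
```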

5. Weak Password

A strong password is almost always recommended, whether for WordPress or any other online site. Yet weak passwords are still common.

Hackers design bots that have the sole purpose of figuring out your login credentials. They try hundreds of usernames and passwords — all in just a few minutes. It’s known as a brute force attack.

When there are hundreds of login attempts on your site, it can take a toll on your server. This can slow down your WordPress site, and your site may crash due to a system overload.

The Fix

We’ll break this up into two separate fixes.

First off, a strong password is an easy fix. You can change and create a password in the WordPress admin under Users > Profile.

WordPress will generate and recommend a strong password for you. Or, you can create your own.

The strong password that WordPress generates.
A strong password that WordPress generated and recommends.

WordPress’s recommended password has all you need for security, and it’s best to use it, or something similar if you create your own.

When it comes to brute force attacks, this can be stopped with our free security plugin, Defender, and his strong firewall.

Defender's Firewall dashboard.
Defender is ready to stop brute force attacks with his firewall.

Defender will lock out a user after a set number of failed login attempts.

You can change the threshold of how many login attempts are allowed before a lockout, set the lockout duration, and create a customized message that tells the locked-out user what happened.

The firewall also includes 404 Detection and IP Banning. Plus, if you really want to up your login game, Defender also has two-factor authentication.

Read a detailed step-by-step look at setting up Defender’s firewall in this article.
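To show the lockout mechanism the text describes in working code, here is an added example of a minimal must-use plugin (it is not Defender’s code and not from the original post): it counts failed logins per IP address in transients and refuses further attempts from a locked IP. The thresholds and the example_ names are this example’s own choices.

```php
<?php
// Plugin Name: Login lockout (example). Save as wp-content/mu-plugins/login-lockout.php.
// After EXAMPLE_LOGIN_MAX_ATTEMPTS failed logins from one IP within EXAMPLE_LOGIN_WINDOW
// seconds, that IP is refused further logins for EXAMPLE_LOGIN_LOCKOUT seconds.

const EXAMPLE_LOGIN_MAX_ATTEMPTS = 5;
const EXAMPLE_LOGIN_WINDOW       = 300; // seconds over which failures are counted
const EXAMPLE_LOGIN_LOCKOUT      = 900; // seconds an IP stays locked out

// Transient name for this client. Behind a reverse proxy REMOTE_ADDR is the proxy,
// so every visitor would share one counter; use the header your host sets instead.
function example_login_key( $what ) {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'example_login_' . $what . '_' . md5( $ip ); // hashed: transient names are length-limited
}

// Count a failure; lock the IP once the threshold is reached.
function example_login_failed( $username ) {
	if ( get_transient( example_login_key( 'lock' ) ) ) {
		return; // already locked, nothing more to count
	}
	$fails = (int) get_transient( example_login_key( 'fails' ) ) + 1;
	set_transient( example_login_key( 'fails' ), $fails, EXAMPLE_LOGIN_WINDOW );
	if ( $fails >= EXAMPLE_LOGIN_MAX_ATTEMPTS ) {
		set_transient( example_login_key( 'lock' ), time(), EXAMPLE_LOGIN_LOCKOUT );
		delete_transient( example_login_key( 'fails' ) );
		error_log( sprintf( '[login-lockout] %s locked after %d failures (last username tried: %s)',
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?', $fails, $username ) );
	}
}
add_action( 'wp_login_failed', 'example_login_failed' );

// Refuse logins from a locked IP. Priority 30 matters: WordPress's own
// username/password check runs on 'authenticate' at priority 20 and would
// replace an earlier WP_Error with the WP_User when the password is right.
function example_login_gate( $user ) {
	$locked_at = get_transient( example_login_key( 'lock' ) );
	if ( ! $locked_at ) {
		return $user;
	}
	$minutes = max( 1, (int) ceil( ( $locked_at + EXAMPLE_LOGIN_LOCKOUT - time() ) / 60 ) );
	return new WP_Error( 'example_locked_out', sprintf( 'Too many failed logins. Try again in about %d minute(s).', $minutes ) );
}
add_filter( 'authenticate', 'example_login_gate', 30 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
	delete_transient( example_login_key( 'fails' ) );
} );
```

Because the gate sits on the authenticate filter, it also covers XML-RPC and REST logins that go through wp_authenticate(), not just the wp-login.php form.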

6. Using WordPress’s Default Login Area

WordPress has default slugs of wp-admin and wp-login. Hackers and bots are aware of this, and it’s where they’ll go to try to log in to your site.

The Fix

Make it difficult for them to find your login slug.

You can help stop hackers and bots from finding your login by creating a customized login area with Defender. Simply go to Advanced Tools, and you can get started in one click.

Where you activate the masked login area.
Defender is ready when you are to set up a masked login area.

Once activated, you can create a custom URL slug that will replace WordPress’s default. Also, you have the option to redirect traffic to a specific page or custom URL to avoid 404s.

Mask login area settings.
Add any new login URL slug that you’d like here.

Having a masked login area is a great way to fix login vulnerabilities and avoid being hacked.

7. Not Using SSL/HTTPS

SSL/HTTPS encrypts the traffic between your visitors’ browsers and the server hosting your WordPress site.

When an SSL certificate is installed successfully, the site is served over HTTPS instead of plain HTTP. The ‘S’ means ‘secure.’

The result is that it becomes much harder for an attacker on the network path to read or tamper with the connection.

Without an SSL/HTTPS enabled site, your site can be vulnerable to hackers.

The Fix

It’s just a matter of adding SSL/HTTPS to your website. Luckily, an SSL certificate is easy to obtain and set up.

Most hosting providers include them. For example, if you have hosting through us, it’s automatically included in all of your websites. We use Let’s Encrypt for all of our SSL certificates. Plus, we offer free Wildcard SSL for Multisite subdomains.

For more on how SSL works and getting it activated on your WordPress site, we have some detailed information in this article.
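Once the certificate is installed, WordPress still has to be told to use it everywhere. This added example (not from the original post or from any host’s setup) is a must-use plugin that forces HTTPS for the admin and the front end; it assumes your host terminates TLS and, if that happens on a proxy or load balancer, that the proxy sets the X-Forwarded-Proto header.

```php
<?php
// Plugin Name: Force HTTPS (example). Save as wp-content/mu-plugins/force-https.php
// after the certificate is installed. Also set both addresses under Settings >
// General to https:// so WordPress generates https links by itself.

// When TLS terminates at a load balancer or CDN, PHP sees plain HTTP and
// is_ssl() returns false, which would make the redirect below loop forever.
// Trust the forwarded header ONLY if your host strips it from client requests.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
	$_SERVER['HTTPS'] = 'on';
}

// Serve wp-login.php and the whole admin over HTTPS only
// (equivalent to define( 'FORCE_SSL_ADMIN', true ) in wp-config.php).
force_ssl_admin( true );

// Permanently redirect plain-HTTP front-end requests to their HTTPS version.
add_action( 'template_redirect', function () {
	if ( is_ssl() ) {
		return;
	}
	// Use the configured home host, not the request's Host header, so a forged
	// Host header cannot turn this redirect into a bounce to another site.
	$host   = wp_parse_url( home_url(), PHP_URL_HOST );
	$target = 'https://' . $host . ( isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '/' );
	wp_safe_redirect( $target, 301 ); // also validates the host against home_url()
	exit;
}, 1 );
```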

Make Vulnerabilities Vanish

With all that we’ve gone over, your WordPress should be much less vulnerable to hackers and bots. These simple tweaks can keep your site secure and running smoothly.

With the help of a plugin like Defender and some good hosting, it’s practically effortless to get these improvements implemented today, and some of the significant vulnerabilities your WordPress site had can vanish in a few clicks.

Plus, with this being #SecurityMonth you can currently get 35% off your first year of our Security & Backups Pack featuring Defender Pro, Snapshot Pro, Shipper Pro, and Automate. Click on the coupon below to unlock the exclusive deal.


This is THE LAST WEEK of #SecurityMonth, so be sure to grab this special offer.

And for more on WordPress vulnerabilities, check out our articles on 7 Free Online Tools to Scan Websites for Security Vulnerabilities and A History of WordPress Security Exploits and What They Mean.
