Top 5 WordPress security flaws


To date, more than 70 million websites around the world run on the WordPress framework. No other system is as popular: although Drupal and hosted website builders have been aggressively growing their clientele, each represents a far smaller slice of the pie. But the very popularity of WordPress has become a problem.

That is because attackers tend to set their sights on the largest pool of users. Social media sites are among the biggest targets for the same reason, but increasingly attackers are also targeting WordPress sites. And since approximately half of the world’s WordPress websites are independently hosted, their owners are the ones responsible for the bulk of the site’s security.

There are immediate and easy ways to improve the security of a WordPress installation, yet most WordPress admins fail to apply them. Themes and plugins that go too long without updates represent increased risk to both their administrators and their users. It’s the quintessential problem of an open-source platform: some additions are well coded and thoroughly documented… while others are not.

We’ve put together a collection of the top WordPress security flaws that can cause major problems for developers and administrators. We also went one step further and suggest an easy solution for each of them.

SQL Injection Vulnerabilities

WordPress is backed by a SQL database and runs its code in PHP. As anyone familiar with SQL databases will be aware, malicious input passed through URL parameters can cause major problems when it reaches a query. Most attackers abuse this to send crafted requests to WordPress websites that make the database execute statements the site never intended. This can yield dozens of different outcomes, from revealing sensitive data in the database to actually modifying the website itself. In most cases the attacker wants to accomplish one of two things: steal information, or inject malware.
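The flaw described above, as an added example that is not code from the original post: a hypothetical plugin snippet (`example_lookup_post_*` are names chosen here) that looks up a post by a slug taken from the URL, first with the parameter pasted into the SQL text, then rewritten with WordPress’s own `$wpdb->prepare()` so the value is bound as data. It assumes WordPress is loaded so that the global `$wpdb` object and the `sanitize_text_field()`/`wp_unslash()` helpers exist.

```php
<?php
// Added example (not from the original post): a WordPress plugin snippet
// that looks up a post by a slug taken from the URL (?slug=...).
// Assumes WordPress is loaded so that the global $wpdb object exists.

/**
 * VULNERABLE: the URL parameter is pasted straight into the SQL text.
 * A value containing a single quote changes the meaning of the query,
 * which is exactly the injection flaw the post describes.
 */
function example_lookup_post_unsafe( $slug ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts} "
         . "WHERE post_name = '$slug' AND post_status = 'publish'";
    return $wpdb->get_row( $sql );
}

/**
 * HARDENED: $wpdb->prepare() binds the value via the %s placeholder, so
 * quotes inside $slug are escaped and cannot alter the query structure.
 * {$wpdb->posts} also resolves to whatever table prefix the site uses,
 * which matters once the default 'wp_' prefix has been changed.
 */
function example_lookup_post_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_name = %s AND post_status = 'publish'",
        $slug
    );
    return $wpdb->get_row( $sql );
}

// Reading the parameter: sanitize_text_field() plus a length check rejects
// obviously malformed input before it ever reaches the database.
$slug = isset( $_GET['slug'] )
    ? sanitize_text_field( wp_unslash( $_GET['slug'] ) )
    : '';

if ( $slug !== '' && strlen( $slug ) <= 200 ) {
    $post = example_lookup_post_safe( $slug );
}
```

The unsafe function is kept only to show the defect side by side; in a real plugin every query that carries user-controlled input should go through `$wpdb->prepare()`.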

The solution the post proposes is to tighten your website’s access permissions in the .htaccess file. You can limit logins and administrator functions to specific IP addresses, for example, which prevents attackers from being able to make changes even if they reach the login page.

Brute Force Login Hacks

Did you know that the vast majority of WordPress installations include an administrator account simply called ‘admin’? This is akin to setting all your sensitive passwords to ‘password’: any login credential that can be easily guessed, anticipated or is simply known by default dramatically reduces the security of a WordPress installation. Knowing that there is an ‘admin’ account means that 50% of an attacker’s job is done; they simply need to guess or crack the password.

The solution here is to give the administrator account an unpredictable username that an attacker could not easily guess or anticipate. Simple! Anyone attempting a brute-force login would then need to do double the work, and, believe it or not, guessing both the username and the password is much more challenging. Enabling two-factor authentication and lockouts after repeated failed login attempts will also help keep your website more secure.

Default Database Table Prefixes

Databases consist of tables, and in a custom database all the tables are named uniquely by their creator. In the WordPress framework, however, the table names on every WordPress website begin with the same prefix. And as noted above, any time an attacker can predict your architecture, your website is a little less safe.

Changing the database table prefix won’t stop a determined attacker, but it absolutely adds another layer of defense to your WordPress website. Most WordPress users aren’t quite tech-savvy enough to edit database information by hand, but many top-rated WordPress security plugins let administrators change these fields with nothing more complicated than a click.

Improving Your Cyber Security Practices

Creating secure websites should be the ultimate goal of any developer or designer. But building a secure WordPress website won’t mean much if the developer’s own browsing, download, and app habits expose their hardware to malware and other attacks. It’s unfortunate but true that many website compromises aren’t direct attacker-to-website intrusions, but are instead accomplished by compromising the machines or other accounts of the website’s developers.

Security starts with you. Keep antivirus and anti-malware suites installed on your PC and run them often. Avoid downloading attachments or files from unknown emails or websites, and be vigilant about the quality of the websites you visit.


Catalin is the founder of Mostash - a social marketing boutique - and he's always happy to share his passion for graphic design & social media.