{"id":22128,"date":"2023-11-30T22:16:57","date_gmt":"2023-11-30T18:16:57","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/wordpress-security-issues\/22128\/"},"modified":"2023-11-30T22:16:57","modified_gmt":"2023-11-30T18:16:57","slug":"wordpress-security-issues","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/wordpress-security-issues\/22128\/","title":{"rendered":"WordPress security issues"},"content":{"rendered":"<p>WordPress is the world\u2019s most popular content management system. As its developers like to point out, <a href=\"https:\/\/wordpress.org\/40-percent-of-web\/\" target=\"_blank\" rel=\"nofollow noopener\">over 40% of all websites are built on WordPress<\/a>. However, this popularity has its downside: such a huge number of potential targets inevitably attracts malicious actors. For this very reason, cybersecurity researchers carefully investigate WordPress and regularly report various problems with this CMS.<\/p>\n<p>As a result, it\u2019s not uncommon to hear that WordPress is full of security issues. But all this attention has a positive side to it: most of the threats and the methods to combat them are well known, making it easier to keep your WordPress site safe. That\u2019s what we\u2019ll be discussing in this article.<\/p>\n<h2>1. Vulnerabilities in plugins, themes, and the WordPress core (in that order of descending importance)<\/h2>\n<p>In all the lists of WordPress security issues available on the internet, it\u2019s things like XSS (cross-site scripting), SQLi (SQL injection), and CSRF (cross-site request forgery) that keep popping up. These attacks, alongside various others, are made possible by vulnerabilities in the WordPress core software, its plugins, or its themes.<\/p>\n<p>It\u2019s important to note that, statistically, only a small fraction of the vulnerabilities are found in the WordPress core itself. 
For example, for the whole of 2022, a mere <a href=\"https:\/\/solidwp.com\/blog\/the-2022-wordpress-vulnerability-annual-report\/\" target=\"_blank\" rel=\"nofollow noopener\">23 vulnerabilities were discovered<\/a> in the WordPress core software \u2014 which is 1.3% of the total 1779 vulnerabilities found in WordPress that year. Another 97 bugs (5.45%) were discovered in themes. Meanwhile, the lion\u2019s share of vulnerabilities were found in plugins: 1659 \u2014 making up 93.25% of the total.<\/p>\n<p>It\u2019s worth mentioning that the number of vulnerabilities discovered in WordPress should not be a reason to avoid using this CMS. Vulnerabilities exist everywhere; they\u2019re just found most frequently where they\u2019re most actively sought \u2014 in the most popular software.<\/p>\n<p><strong>How to improve security:<\/strong><\/p>\n<ul>\n<li>Always update the WordPress core promptly. Though vulnerabilities are not found as often here, they are exploited more intensively, so leaving them unpatched is risky.<\/li>\n<li>Remember to update themes and \u2014 especially \u2014 plugins. As mentioned, plugins are responsible for the vast majority of known vulnerabilities in the WordPress ecosystem.<\/li>\n<li>Avoid installing unnecessary WordPress plugins \u2014 those that your site doesn\u2019t need to operate. This will significantly reduce the number of potential vulnerabilities on your WordPress site.<\/li>\n<li>Promptly deactivate or entirely remove plugins you no longer need.<\/li>\n<\/ul>\n<h2>2. 
Weak passwords and lack of two-factor authentication<\/h2>\n<p>The second major security issue with WordPress is the hacking of sites using simple password guessing (brute-forcing) or compromised usernames and passwords (credential stuffing) from ready-made databases, which are collected as a result of leaks from some third-party services.<\/p>\n<p>If an account with high privileges is compromised, attackers can gain control of your WordPress site and use it for their own purposes: stealing data, discreetly adding to your texts links to the resources they promote (SEO spam), installing malware (including <a href=\"https:\/\/www.kaspersky.com\/blog\/illicit-code-on-legitimate-sites\/48509\/\" target=\"_blank\" rel=\"noopener nofollow\">web skimmers<\/a>), using your site to <a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-protect-your-site\/48920\/\" target=\"_blank\" rel=\"noopener nofollow\">host phishing pages<\/a>, and so on.<\/p>\n<p><strong>How to improve security:<\/strong><\/p>\n<ul>\n<li>Ensure strong passwords for all users of your WordPress site. To achieve this, it\u2019s good to apply a <a href=\"https:\/\/www.kaspersky.com\/blog\/bad-password-policies\/49212\/\" target=\"_blank\" rel=\"noopener nofollow\">password policy<\/a> \u2014 a list of rules that passwords must satisfy. There are <a href=\"https:\/\/wordpress.org\/plugins\/search\/password-policy\/\" target=\"_blank\" rel=\"nofollow noopener\">plugins<\/a> available that let you implement password policies on your WordPress site.<\/li>\n<li>Limit the number of login attempts \u2014 again, there are <a href=\"https:\/\/wordpress.org\/plugins\/tags\/brute-force\/\" target=\"_blank\" rel=\"nofollow noopener\">plenty of plugins<\/a> for this purpose.<\/li>\n<li>Enable two-factor authentication using one-time codes from an app. 
And again, there are <a href=\"https:\/\/wordpress.org\/plugins\/tags\/2fa\/\" target=\"_blank\" rel=\"nofollow noopener\">WordPress plugins<\/a> for this.<\/li>\n<li>To prevent your WordPress users from having to remember long and complex passwords, encourage them to install a password manager. By the way, our Kaspersky Password Manager also lets you use one-time codes for two-factor authentication.<\/li>\n<\/ul>\n<h2>3. Poor control over users and permissions<\/h2>\n<p>This issue is connected to the previous one: often, owners of WordPress sites don\u2019t manage the permissions of their WordPress users carefully enough. This significantly increases risk if a user account gets hacked.<\/p>\n<p>We\u2019ve already discussed the potential consequences of an account with high access rights being compromised \u2014 including those access rights issued mistakenly or \u201cfor growth\u201d: SEO spam injection into your content, unauthorized data access, installing malware, creating phishing pages, and so on.<\/p>\n<p><strong>How to improve security:<\/strong><\/p>\n<ul>\n<li>Be extremely careful when assigning permissions to users. Apply the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Principle_of_least_privilege\" target=\"_blank\" rel=\"nofollow noopener\">principle of least privilege<\/a> \u2014 grant users only the access rights they absolutely need for their tasks.<\/li>\n<li>Regularly review your list of WordPress users, and remove any accounts that are no longer necessary.<\/li>\n<li>Move users to less privileged roles if they no longer need elevated permissions.<\/li>\n<li>Of course, the advice from point 2 also applies here: use strong passwords and enable two-factor authentication.<\/li>\n<\/ul>\n<h2>4. Malicious plugins<\/h2>\n<p>Aside from plugins that are \u201cjust\u201d vulnerable, there are also outright malicious ones. 
For example, not long ago, researchers <a href=\"https:\/\/thehackernews.com\/2023\/10\/researchers-uncover-malware-posing-as.html\" target=\"_blank\" rel=\"nofollow noopener\">discovered<\/a> a WordPress plugin masquerading as a page-caching plugin but which was actually a full-fledged backdoor. Its main function was to create illegal administrator accounts and gain complete control over infected sites.<\/p>\n<p>Earlier this year, researchers <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/attackers-use-abandoned-wordpress-plugin-to-backdoor-websites\/\" target=\"_blank\" rel=\"nofollow noopener\">found<\/a> another malicious WordPress plugin, which was originally legitimate but had been abandoned by developers over a decade ago. Some bleeding hearts picked it up and turned it into a backdoor \u2014 allowing them to gain control over thousands of WordPress sites.<\/p>\n<p><strong>How to improve security:<\/strong><\/p>\n<ul>\n<li>Avoid installing unnecessary WordPress plugins. Only install the ones truly essential for your site\u2019s operation.<\/li>\n<li>Before installing a plugin, read its user reviews carefully \u2014 if a plugin does something suspicious, chances are someone\u2019s already noticed it.<\/li>\n<li>Deactivate or remove plugins you no longer use.<\/li>\n<li>There are plugins that <a href=\"https:\/\/wordpress.org\/plugins\/tags\/malware\/\" target=\"_blank\" rel=\"nofollow noopener\">scan WordPress sites for malware<\/a>. However, keep in mind they can\u2019t be completely trusted: many of the latest instances of WordPress malware <a href=\"https:\/\/solidwp.com\/blog\/why-wordpress-malware-scanners-are-worthless\/\" target=\"_blank\" rel=\"nofollow noopener\">can deceive them<\/a>.<\/li>\n<li>If your WordPress site is behaving strangely and you suspect it\u2019s infected, consider contacting specialists for a security audit.<\/li>\n<\/ul>\n<h2>5. 
Unrestricted XML-RPC Protocol<\/h2>\n<p>Another vulnerability specific to WordPress is the XML-RPC protocol. It\u2019s designed for communication between WordPress and third-party programs. However, back in 2015, WordPress introduced support for the REST API, which is now more commonly used for application interaction. Despite this, XML-RPC is still enabled by default in WordPress.<\/p>\n<p>The problem is that XML-RPC can be used by attackers for two types of attacks on your site. The first type is brute-force attacks aimed at guessing passwords for your WordPress user accounts. With XML-RPC, attackers can combine multiple login attempts into a single request, simplifying and speeding up the hacking process. Secondly, the XML-RPC protocol can be used to orchestrate DDoS attacks on your WordPress website through so-called <a href=\"https:\/\/managewp.com\/blog\/pingback-vulnerability-protect-wordpress\" target=\"_blank\" rel=\"nofollow noopener\">pingbacks<\/a>.<\/p>\n<p><strong>How to improve security:<\/strong><\/p>\n<ul>\n<li>If you don\u2019t plan on using XML-RPC in the near future, it\u2019s best to disable it on your WordPress site. There are <a href=\"https:\/\/blogvault.net\/wordpress-disable-xmlrpc\/\" target=\"_blank\" rel=\"nofollow noopener\">several ways<\/a> to do this. 
If you need this functionality later, it\u2019s not difficult to re-enable it.<\/li>\n<li>If you <em>intend<\/em> to use XML-RPC, it\u2019s advisable to configure its restrictions, which can be done <a href=\"https:\/\/wordpress.org\/plugins\/tags\/XML-RPC\/\" target=\"_blank\" rel=\"nofollow noopener\">using WordPress plugins<\/a>.<\/li>\n<li>Also, to protect against brute-force attacks, you can follow the advice from point 2 of this article: use strong passwords, enable two-factor authentication, and use a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a>. By the way, this is included in the license of our product designed for protecting small businesses \u2014 <a href=\"https:\/\/me-en.kaspersky.com\/small-business-security\/small-office-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksos___\" target=\"_blank\" rel=\"noopener\">Kaspersky Small Office Security<\/a>.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Typical security issues of WordPress, and how they can be addressed to protect your website or online store from 
cybercriminals.<\/p>\n","protected":false},"author":2726,"featured_media":22129,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[2088,2078,187,1825,417,97,521,121,268,399,304],"class_list":{"0":"post-22128","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-tips","11":"tag-cms","12":"tag-passwords","13":"tag-permissions","14":"tag-plugins","15":"tag-security-2","16":"tag-threats","17":"tag-updates","18":"tag-vulnerabilities","19":"tag-websites","20":"tag-wordpress"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/wordpress-security-issues\/22128\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/wordpress-security-issues\/26705\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/wordpress-security-issues\/29460\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/wordpress-security-issues\/26987\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/wordpress-security-issues\/36652\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/wordpress-security-issues\/49955\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/wordpress-security-issues\/27251\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/wordpress-security-issues\/32978\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/wordpress-security-issues\/32627\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/websites\/","name":"websites"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kas
persky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2726"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=22128"}],"version-history":[{"count":0,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/22128\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/22129"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=22128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=22128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=22128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}