Wordpress Vulnerabilities

WordPress Security Issues & Vulnerabilities – How To Fix [2024]

⚡️ WordPress Security Vulnerabilities


WordPress is one of the most widely used Open source CMS tool that powers millions of websites. This popularity of WordPress has made it an important target for web attackers. The WordPress team is sharing security guides timely to protect the websites from WordPress security issues and even the protection is tightened down by many websites. But still, there are some websites that are vulnerable due to several reasons which makes it easy for hackers to hack a wordpress site.

In this article, we provide you list of various wordpress core issues, vulnerabilities in 2024 how to identify & fix a security vulnerability in wordpress using various tools.

 Also Read – List Of Best WordPress Security Scanners 2024

Check out the latest Vulnerable WordPress Plugins And WordPress security News

Make sure to update latest WordPress version 5.4. 2, a security and maintenance release that came out on June 10th, 2020. Other recent versions include: WordPress 5.4.

From time to time, WordPress releases have been vulnerable and exploits were commonly found in these versions. In case you want to have a deeper look into the exploits you can have it below.

  • WordPress 5.0 & 5.0.1 exploits (here)
  • WordPress 5.2.2 exploits (here)
  • WordPress 5.2.4 exploits (here)
  • WordPress 5.2.5 (here)
  • WordPress 5.0.8 exploits (here)

⭐ WordPress REST API Content Injection Vulnerability

This kind of WordPress Security vulnerability allows an unauthorized user to change the content of any blog, post or page within a WordPress Website. When a web application is not securely handled, it becomes an easy target for WordPress hackers to supply content via a parameter value which will modify the contents of the page. As the page is linked with a trusted domain, the user believes that the certain content appearing on the Web site is legitimate and not from an external source. Also ReadWordPress REST API Vulnerability Content Injection Exploit [FIXED]

The malicious links are crafted specially with the motive to spoof a login form and steal sensitive information, for example, the login credentials. These links are sent to user via an email. If the user visits the page, designated with the malicious URL and logins the account believing that he is viewing an authentic content, this provides an opportunity to the attacker to exploit website’s content and break user trust. A strong work around this is to add WordPress 2-Factor Authentication

How To Fix Content Injection Vulnerability in WordPress?

The only way to secure your website against serious content injection WordPress Security Vulnerability is to update your Websites with the latest versions as soon as wordpress security updates are released. – See latest WordPress Releases

  • Enable the automatic updates on your websites as soon as possible.

In order to enable automatic updates in WordPress versions 3.7 or later, you will need to look for the code used to disable the option in the wp-config.php.

  1. Login to your cPanel
  2. Open the File Manager and then go to the WordPress installation files. You will need to find your wp-config.php file.
  3. Search for define( ‘AUTOMATIC_UPDATER_DISABLED’, true );
  4. Once you find the line, delete it from the WP-CONFIG.PHP file
  5. Click on SAVE in order to save your changes.
  • Update the plugins as well to avoid an injection of any kind of plugin-specific shortcodes injection to exploit vulnerabilities to infect the site content with a Japanese SEO spam campaign, or inject ads, etc. Depending on the plugins enabled on the site, even PHP code could be executed very easily.
  • Secure your logins by updating them timely.

⭐ Stored Cross-Site Scripting Vulnerability

XSS Vulnerability is one of the most common attacks in which malicious code is injected directly  into a vulnerable web application. In Stored Cross-Site Scripting, the vulnerability occurs within the WordPress editor, responsible for the creating and editing all of the WordPress posts, pages, and topics (in bbPress).

The perpetrator injects malicious script on your website which steals visitors session cookies for every site visitor and thus can steal sensitive information. By acting on the behalf of an administrator user, he can send authenticated requests to edit the website’s current PHP code, leading to Remote Command Execution (RCE) and complete takeover.

Types of store XSS Vulnerability

  • Stored (Persisted) Cross-Site Scripting
  • Reflected XSS also Uses Your Server

The figure below illustrates a step-by-step walk through of a simple XSS attack.

How To Fix Stored Cross-Site Scripting Vulnerability in WordPress 4.8.1:

Update your WordPress installation as soon as possible. If you have automatic updates enabled on your WordPress site, you should already be using the latest version and are now protected from this vulnerability.

This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. If you believe your WordPress site is hacked, you can use WordPress security services.

Prevent XSS Vulnerability Plugin

This plugin encode the following signs and then Remove some XSS signs from the URL.

These methods—validation, sanitation, and escaping—prevent all types of WordPress XSS attacks

For Further Reading;

⭐ SQL Injection & URL Hacking:

Sql is a standard command language used in MySQL database. WordPress SQL injection is a type of attack triggered by embedding commands in a URL that reveals sensitive information about database thus permitting a hacker to enter the website and potentially change the original content of your website.

Whereas, URL hacking is another attempt to trigger unintended PHP commands that  leads to injecting malware to your website or revealing sensitive information.

How to fix SQL Injection in WordPress?

  • Protect Queries Against SQL Injection Attacks

WordPress Codex on protecting queries against SQL Injection attacks can be found here:

Most WordPress installations are hosted on the popular Apache web server. which uses a file named .htaccess to define the access rules for your web site.

A thorough set of rules can prevent many types of SQL Injection and URL hacks from being decoded and thus secures your website from many dangerous .htaccess attack injections.

  • .htaccess Rules to Help Protect from SQL Injections

<IfModule mod_rewrite.c>
# Enable rewrite engine
RewriteEngine On

# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]

# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]

# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]

# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]

# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]

#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]

RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>

source: shane.kinsch.com

  • Focus on sanitizing and escaping anything you may send to the database.
  • Restrict the database user privileges
  • Data Backup and obscurity

⭐ Brute-Force Login Attempts

As the name suggests, this type of vulnerability is encountered when hackers try to login your administrator panel using login guess. Hackers often rely on automated scripts to make numerous attempts to log into your WordPress administration page by trying thousands and millions of combinations of usernames and passwords. The brute-force attempts not only slow down your website but also if hackers succeed in their mission may provide hackers complete control of your website and thus harmful for your website.

How To Block Brute Force Attacks?

Two important ways to fix Brute-Force Login Attempts:

  • Firstly start using very strong passwords. A longer, mixed-type password is not easy to be decoded for a brute-force attack to decode. These attacks typically use combinations of dictionary words and numbers.
  • Password protect your wordpress site
  • Another effective defence is to use WP Limit Login Attempts,  specifically designed to protect WordPress site from brute force attacks.

⭐ Default Prefix for Database Tables

A WordPress table consists every bit of information about your website. Thus, it acts as the most favourite target for hackers. Your WordPress website must have a number of tables. In general, these database tables are named with a prefix “wp-” which makes it easy to predict for hackers and plan a attack to get your WordPress hacked.

How To Fix:

The smartest way to protect your WordPress website from this type of vulnerabilities is to change the prefix of WordPress tables.

This way you can choose something unpredictable and unique making it harder for hackers to predict.

To know, how to change default prefix for your WordPress tables, you can watch this video. To avoid any kind of loss to your data, we strongly recommend you to keep backups daily.

Other way to secure your WordPress database tables from vulnerabilities is to use ithemes security plugin which provides security against plugin vulnerabilities, weak password attacks, and obsolete software.

⭐ Default Admin User Account Vulnerability

When a user downloads WordPress, there is a default admin account whose password is simply set as ‘admin’ which is so easy to guess by professional hackers. Thus, a hacker can try to access your account using password.

How To Fix:

Never give an edge of predictability of passwords to a hacker. Secondly, why to use an default admin account. You must change your default wordpress username.

Create a new user account and keep a unique name very hard to guess. Authorize the permissions of admin to this user account.

This way, the hacker would have to predict both the username as well as password to access administrator account.

⭐ Sensitive File Disclosure Vulnerability

As a WordPress Security Scanner, we observed that out of thousands websites we scan every day, each of those websites have at least one sensitive file visible to anyone on the internet.

An important source of vulnerability lies on the files which have nothing to do with your website and are created just as backups copies.

Sometimes Performing in-place editing or other administrative actions on production web servers may inadvertently leave backup copies, either generated automatically by the editor while editing files, or by the administrator who is zipping a set of files to create a backup.

These files post a serious security threat to the application as are  the easiest target for hackers. This may include configuration files, un referenced files, pages, backup files, sensitive log files etc.

How To Fix:

For a typical WordPress installation, block the access to directory listings, using

Add commands to the Apache .htaccess file to block access to sensitive private files related to WordPress and the Web server itself.

To restrict access to just your wp-admin, add the follow code snippet:

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

This is a great method to secure your site because it ensures the only people with access to your wp-admin are users with authorised IPs.

If you want to restrict access to your WordPress configuration file, wp-config.php, you need to add the following files to your htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

  • Keep a check on every activity performed on WordPress files which are on server.
  • While editing any file on a production server, make sure not to leave any bookmark behind.
  • File system snapshots should not be accessible via web. Configure your web server to deny access to such directories.

⭐ Privilege Escalation Attack

As the name itself says, the Privilege Escalation Attack is a web attack that involves network intrusion resulting from configuration failure to your operating system or system software,  programming errors or designing flaws and grants the hacker an elevated access to application network, data and other information than intended by application developer and it privileges the hacker to perform unauthorised actions. A hacker can get complete control on targeted system through this WordPress security vulnerability.

A privilege escalation comes under two categories:

  1. Vertical Privilege Escalation Attack
  2. Horizontal Privilege Escalation Attack

Vertical Privilege Escalation

This type of privilege escalation attack involves performing those kernel-level operations which permit the attacker to run unauthorised code. It is also known as privilege elevation for the reason that a low privilege user is granted an access to functions performed by a high privilege user.

Horizontal Privilege Escalation

Under Horizontal Privilege Escalation, the attacker would require the access to another user’s account to enter into application’s network.

How To Fix:

The first step to prevent your WordPress website from this serious vulnerability is to check the different roles and permissions supported by the application and set Correct file permissions for WordPress.

To check the user roles and authorities granted to WordPress users.(source:wp-snippets)

Code Snippet:

<?php
if( current_user_can('editor') ) {
    // true if user is an editor
}

if( !current_user_can('administrator') ) {
    // true if user is not admin
}

if( current_user_can('edit_posts') ) {
    // true if user can edit posts
}
?>

You need to keep a check over this time to time.

List every role registered in WordPress.

Code Snippet:

$roles = new WP_Roles();
$roles_names = $roles->get_names();
foreach ($roles_names as $role) {
    print_r($role);
}

To get a user’s role using the user’s id (source:stackexchange)

function get_user_roles_by_user_id( $user_id ) {
    $user = get_userdata( $user_id );
    return empty( $user ) ? array() : $user->roles;
}

Then, an is_user_in_role() function could be implemented like so:

function is_user_in_role( $user_id, $role  ) {
    return in_array( $role, get_user_roles_by_user_id( $user_id ) );
}

WordPress Arbitrary File Deletion Vulnerability

The vulnerability was fixed in WordPress 4.9.7 version, ( Also See Latest WordPress Versions) released on July 5. In order to successfully exploit this issue, the attacker would need to gain access to edit and delete media files which can be achieved by taking over an Author account or by targeting sites that expose the media functionality through various plugins. Website which did not updated their WordPress versions and were still running on outdated versions with specific media plugins installed, were mostly affected by this exploit.

How to Find Vulnerabilities in My WordPress Website?

Before moving ahead, lets know about how to find a security vulnerability in wordpress site. There are various website vulnerability scanner tools which we can use to scan your site for security vulnerabilities and malware. Mostly these Vulnerability Scanners ensures web application security by securing your website and web applications against hacker attacks. These automated tools scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection.

Finding vulnerable website using special search strings

Shhhhh……!!!!! This is something you wont find on any other WordPress security blog. This is a bit of reverse engineering stuff here.  You can use such strings and append your website to find any possible loophole which might be present in your website, in case your site turns up in the results, than you might need to worry a little.

inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num= andinurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=

Using Top WordPress Vulnerability Scanner Tools

WP Hacked Help

WPHH is a WordPress malware Scanner which scans your entire website and identify security issues in detail. This web vulnerability scanner is easy to use, fast, and accurate

Apart from this, you can find many other web vulnerability scanner tools online, but most of them are limited to mobile/web applications and are not specific to WordPress.

Some of the most commonly used tools are:

We hope you find this article very useful. We are available to help you with different wordpress security issues via our WordPress security guide. If you want a website scan or removal of other malware infections, contact us to better analyze the security of your website and fix your wordpress site.

Other Related Posts You Must Read:
24/7 WP Security & Malware Removal
Is your site hacked or infected with malware? Let us get it fixed for you
Secure My Website(s)

Tags: fix website vulnerabilities identify wordpress vulnerabilities WordPress Security Vulnerabilities wordpress vulnerabilities