Scroll Top

26 vile methods attacking your WordPress Security


26 vile methods attacking your WordPress Security

Talking to customers regarding WordPress Security and what kind of defences their site might need, made us realise, that owners somehow totally imagine it wrong. There are no epic battles of gigantic beast going one versus another. There are no epic battles, where several armies collide in a single point of total destruction. Yes, those are impressive as movie animations, but the reality is far more simple, yet far scarier.

Wanting to do something bad against your website, in a specific moment is always (or mostly) a single individual. This individual uses technology and automation to against your website. So, a real-world equivalent attack would be the pinnacle of current battle technology: a submarine or a jet fighter. Why those two? Because they can carry a wide variety of arsenal suited for specific needs.

A near miss would be a repelled attack tentative, yet divulging critical information of defensive capabilities. A direct hit would be the equivalent of a defence penetration. If something significant blew up, then…there is always more damage to be done, forcing a more dangerous blow towards the remaining WordPress Security. Technological precisions, automated target selection with only two approaches. Either a relentless onslaught, as soon as defences are down or a patient hit-and-run, then try again with a different method.


Our only security is our ability to change. ~ John Lilly

According to Wordfence in addition to a report by WP WhiteSecurity, XSS, SQLI and File upload vulnerabilities are the most typically exploited security concerns. Poorly coded plugins are also the biggest offenders and account for 54% of these attacks, followed by the WordPress Core and WordPress Themes, respectively. From the same report: “73.2% of the most popular WordPress installations have vulnerabilities which can be detected using free automated tools.”

Custom solutions and tailor-made changes are separate but bigger issues. When writing code, it’s near impossible to not develop any security holes whatsoever. When hackers discover these vulnerabilities, they exploit them and you’re left with a compromised website. Focusing only on features, completely unaware of what holes have been bunched into your WordPress Security, creates an open-door policy for anybody capable of seeing that public invite.

There are likewise other methods a website might be susceptible, including human mistake such as utilizing passwords that are simple to think as well as insecure or undependable hosting. Lack of information also creates a false security sensation. Ignorance just feeds the unavoidable moment.

With all the above in mind, this is why it’s important to take your WordPress website’s security seriously. Luckily, there is information available publicly about these methods, and being informed is the first step towards building up your defences. I’ll begin with the essentials and get gradually advanced as you work your way through this short article.


Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

These are the 26 most commonly used and vile methods attacking your WordPress Security:

1 – SQL Injection (SQLI):
SQL injection is a code injection technique, used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injection must exploit a security vulnerability in an application’s software, for example, when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.

2 – Cross-site Scripting (XSS):
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. In 2017, XSS is still considered a major threat vector. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site’s owner.

3 – File Upload:
A file with malicious code is uploaded to a server without constraint. Remote uploading is used by some online file hosting services. It is also used when the attacker wants to remain anonymous. Without remote uploading functionality, the data would have to be first be uploaded to the attacked host and then used, after the upload has finished.

4 – Cross-Site Request Forgery (CSRF):
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website where unauthorized commands are transmitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript XML/HTTP Requests, for example, can all work without the user’s interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user’s browser.

5 – Brute Force:
A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found. A brute-force attack is a cryptanalytic attack that can, in theory, be used to attempt to decrypt any encrypted data. Such an attack might be used when it is not possible to take advantage of other weaknesses in an encryption system (if any exist) that would make the task easier.

6 – Denial of Service (DoS):
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

7 – Distributed Denial of Service (DDoS):
A distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. This effectively makes it impossible to stop the attack simply by blocking a single source.

8 – Open Redirect:
Also known as URL redirection, or URL forwarding is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened, specified by the hacker, thus hijacking the entire traffic the initial domain receives.

9 – Phishing:
Phishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in electronic communication. Typically carried out by email spoofing or instant messaging, it often directs users to enter personal information at a fake website, the look and feel of which are identical to the legitimate site. Phishing is an example of social engineering techniques being used to deceive users. Users are often lured by communications purporting to be from trusted parties such as social web sites, auction sites, banks, online payment processors or IT administrators.

10 – Identity Theft:
Identity theft is the deliberate use of someone else’s identity, usually as a method to gain a financial advantage or obtain credit and other benefits in the other person’s name, and perhaps to the other person’s disadvantage or loss. The person whose identity has been assumed may suffer adverse consequences, especially if they are held responsible for the perpetrator’s actions. Identity theft occurs when someone uses another’s personally identifying information, like their name, credentials (username + password), identifying number, or credit card number, without their permission, to commit fraud or other crimes.

11 – Malware:
Malware (short for malicious software) is any software intentionally designed to cause damage to a computer, server, client, or computer network. Malware does the damage after it is implanted or introduced in some way into a target’s computer and can take the form of executable code, scripts, active content, and other software.

12 – Ransomware:
Ransomware is a type of malicious software, that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them.

13 – Spyware:
Spyware is software that aims to gather information about a person or organization, sometimes without their knowledge, that may send such information to another entity without the consumer’s consent, that asserts control over a device without the consumer’s knowledge, or it may send such information to another entity with the consumer’s consent, through cookies .

14 – Adware:
Adware, or advertising-supported software, is a software that generates revenue for its developer by automatically generating online advertisements in the user interface of the software or on a screen presented to the user during the installation process. The software may generate two types of revenue: one is for the display of the advertisement and another on a “pay-per-click” basis if the user clicks on the advertisement. The software may implement advertisements in a variety of ways, including a static box display, a banner display, full screen, a video, pop-up ad or in some other form.

15 – Scareware:
Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it.

16 – Local File Inclusion (LFI):
A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file includes vulnerability will result in remote code execution on the web server that runs the affected web application.

17 – Authentication Bypass:
A security hole that enables a hacker to prevent the simply bypass login security and gain access to the site.

18 – Full Path Disclosure (FPD):
This vulnerability is exploited, due to misconfigurations. It is simply visible the path to a site’s webroot. This makes all directory site listing, errors or warnings visible, offering valuable information for further exploitations.

19 – User Enumeration:
Being able to determine a legitimate username to, later on, use for brute force attacks by including a string to the end of a WordPress site’s URL to ask for a user ID which might return an author’s profile with the valid username.

20 – XML External Entity (XXE):
An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

21 – Security Bypass:
Comparable to authentication bypass, other than that a hacker can circumvent the current security system that’s in location to get to some part of a website. Most commonly exploited are physical files (pdf, doc, xls, epub, mobi) or full backup archives.

22 – Arbitrary Code Execution (ACE):
In computer security, arbitrary code execution (ACE) is used to describe an attacker’s ability to execute arbitrary commands or code on a target machine or in a target process. An arbitrary code execution vulnerability is a security flaw in software or hardware allowing arbitrary code execution. A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit.

23 – Remote Code Execution (RCE):
The ability to trigger arbitrary code execution over a network (especially via a wide-area network such as the Internet) is often referred to as remote code execution (RCE).

24 – Remote File Inclusion (RFI):
A file inclusion vulnerability is a type of web vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. A file include vulnerability is distinct from a generic directory traversal attack, in that directory traversal is a way of gaining unauthorized file system access, and a file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file includes vulnerability will result in remote code execution on the web server that runs the affected web application.

25 – Server Side Request Forgery (SSRF):
In computer security, server-side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server causing it to access or manipulate information in the realm of that server that would otherwise not be directly accessible to the attacker.

26 – Directory Traversal:
A directory traversal (or path traversal) consists in exploiting insufficient security validation/sanitization of user-supplied input file names, such that characters representing “traverse to parent directory” are passed through to the file APIs. The goal of this attack is to use an affected application to gain unauthorized access to the file system. This attack exploits a lack of security (the software is acting exactly as it is supposed to) as opposed to exploiting a bug in the code. Directory traversal is also known as the ../ (dot dot slash) attack, directory climbing, and backtracking. Some forms of this attack are also canonicalization attacks.

Please note: this isn’t a total list of security vulnerabilities used against WordPress. They’re only the most common methods used, almost always through automated bots. Multiple vulnerabilities could also be exploited at the same time as well.


Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!

Do you have any concerns with WordPress Security?
Leave your thoughts in the comments below!

Related Posts