11/06/2019

Top 8 WordPress Vulnerabilities to Watch Out for in 2020

We are going to discuss the top WordPress vulnerabilities to watch out for in 2020. WordPress is a beautiful Content Management System (CMS) powering more than 34% of the web, but its popularity also makes it a target for a host of security risks. In fact, the number of WordPress vulnerabilities grew by an astonishing 30% in 2018.

Top 8 WordPress Vulnerabilities

In this post, we will discuss the top WordPress vulnerabilities in 2020 that you should be aware of and take adequate preventive measures to protect your website.

List of Top WordPress Vulnerabilities: Table of Contents

  1. Cryptomining Malware
  2. Organized DDoS Attacks
  3. Weak Passwords
  4. Plugin Backdoor
  5. Installed Themes
  6. Hosting Platforms
  7. Push Notification Scams
  8. Not Keeping Your Site Updated
  9. What Are The Tell-tale Signs That Your WordPress Site Is Hacked?
  10. Signs That Your WordPress Site Is Hacked
    1. Sudden traffic drop
    2. The appearance of spam links
    3. Unwanted popups
    4. An unusually slow or unresponsive site
    5. You cannot log in to your site
    6. Unusual findings in site scan
  11. Concluding the WordPress Vulnerability Discussion

I will also list the most obvious signs to watch out for in the event your site gets hacked.

#1: Cryptomining Malware- WordPress Vulnerability


Cryptomining malware is a rising threat to computers worldwide: it uses the machine's resources to mine cryptocurrency without the owner's knowledge or permission.

So How Does This Make WordPress Vulnerable?

Hackers could inject a malicious script into your WordPress site, which would allow them to use the computing resources of visitors to your website to mine cryptocurrency without your knowledge or theirs.


To prevent this type of injection, use a reputable WordPress security plugin with a built-in firewall, and run regular malware scans on your website.

#2: Organized DDoS Attacks- WordPress Vulnerability


Distributed Denial of Service (DDoS) attacks are not new, but when they are organized at massive scale they can wreak havoc on any WordPress site, clogging its entire bandwidth with fake HTTP requests and making the site unreachable for genuine users.

One of the most common methods used in DDoS attacks against WordPress is to abuse its XML-RPC interface. XML-RPC is the interface that enables services like trackbacks and pingbacks.


In a DDoS attack, hundreds of infected WordPress sites can be used to send thousands of fake pingbacks and trackbacks to other WordPress sites, clogging their bandwidth.

That is why you should turn off pingbacks and trackbacks on your WordPress website, or turn off the XML-RPC functionality altogether.

Using managed WordPress hosting will also help, since these providers use advanced rate limiting and detection hardware to identify fake HTTP requests and block them at the server level before they reach your site.
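To turn off pingbacks and trackbacks in code rather than through a plugin, here is an added example (not from the original post) of a must-use plugin that removes the pingback methods from XML-RPC and stops the site advertising the endpoint. The HARDEN_DISABLE_XMLRPC constant is our own name, not a WordPress setting; the hooks are WordPress's own.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC (added example, not from the original post)
 * Description: Drop into wp-content/mu-plugins/ to stop pingback abuse.
 */

// Assumption (our constant, not a WordPress setting): flip to true to switch
// XML-RPC off entirely. Leave false if you rely on Jetpack or the mobile apps.
const HARDEN_DISABLE_XMLRPC = false;

// 1. Remove the pingback methods, so the site can neither be flooded with
//    fake pingbacks nor be used to reflect pingbacks at other sites.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 2. Stop accepting pingbacks/trackbacks on posts, and stop advertising the
//    endpoint via the X-Pingback header and the <link rel="EditURI"> tag,
//    both of which point crawlers at xmlrpc.php.
add_filter( 'pings_open', '__return_false' );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 3. Optionally refuse every XML-RPC call; WordPress then answers each
//    request with an error instead of dispatching the method.
if ( HARDEN_DISABLE_XMLRPC ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
}
```

Keep `HARDEN_DISABLE_XMLRPC` at false if anything (Jetpack, the WordPress mobile apps, some publishing tools) still needs XML-RPC; steps 1 and 2 alone remove the pingback abuse path.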

#3: Weak Passwords- WordPress Vulnerability


Your WordPress password is the first line of defence against hacking attempts. If you set a strong password that is not easy for humans to guess or for automated programs to crack, you are doing yourself and your business a great favour.

Do not, under any circumstances, set a weak password like ‘admin’ or 123456. You should also avoid easy-to-guess words in your WordPress passwords, such as your username or your name.


You can use free password managers like LastPass or 1Password, which not only suggest strong passwords but also store them securely.

Interesting Fact: 22% of all WordPress sites are hacked due to weak passwords.
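As an added example (not part of the original post), the following must-use plugin enforces the rules above at the point where a password is set or reset: it rejects short and commonly guessed passwords such as ‘admin’ or 123456, and any password that contains the username or the site name. The harden_* function names are ours; the hook names are WordPress's own.

```php
<?php
/**
 * Plugin Name: Minimum password policy (added example, not from the original post)
 * Description: Rejects weak passwords when a user sets or resets one.
 */

// Returns a human-readable problem, or null if the password is acceptable.
function harden_password_problem( $password, $user_login ) {
    $blocklist = array( 'admin', 'password', '123456', '12345678', 'qwerty', 'letmein' );
    if ( strlen( $password ) < 12 ) {
        return 'Passwords must be at least 12 characters long.';
    }
    if ( in_array( strtolower( $password ), $blocklist, true ) ) {
        return 'That password is on the list of commonly guessed passwords.';
    }
    // Reject passwords built from the username or the site title, e.g. "alice2020".
    $forbidden = array_filter( array( $user_login, get_bloginfo( 'name' ) ) );
    foreach ( $forbidden as $word ) {
        if ( strlen( $word ) >= 3 && false !== stripos( $password, $word ) ) {
            return 'Passwords must not contain your username or the site name.';
        }
    }
    return null;
}

function harden_check_submitted_password( WP_Error $errors, $user_login ) {
    // pass1 is the field both the profile screen and the reset form submit.
    $password = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' === $password ) {
        return; // the password is not being changed on this request
    }
    $problem = harden_password_problem( $password, $user_login );
    if ( $problem ) {
        $errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
    }
}

// Profile edit / new user screen: $user is a stdClass carrying user_login.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    harden_check_submitted_password( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// "Lost password" reset form: $user is a WP_User (or a WP_Error for a bad key).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    if ( $user instanceof WP_User ) {
        harden_check_submitted_password( $errors, $user->user_login );
    }
}, 10, 2 );
```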

#4: Plugin Backdoor- WordPress Vulnerability


Plugins are usually the number one reason why people choose WordPress: there are free and premium plugins for almost any purpose.

But you should only install plugins that are regularly updated by their authors, since hackers are always looking to exploit backdoors in WordPress plugins to gain entry to your site.

Additionally, you should update plugins whenever an update is available. To make this automatic, you can enable auto-updates for plugins.


If you are running more than one WordPress website on the same hosting account, make sure you update the plugins on all of them, since a vulnerability in one site could allow hackers to gain access to your other sites as well.

Tip: There is a useful list of vulnerable and hacked plugins that you should be wary of installing on your website. Popular but vulnerable plugins include Event Calendar, Ultimate Member, Coming Soon Page, Ninja Forms, and Duplicator Pro; if you use any of them, make sure you are running the latest patched version.

#5: Installed Themes- WordPress Vulnerability


Did you know that 29% of WordPress sites get hacked due to a vulnerability in an installed theme?

It doesn't matter whether the vulnerable theme is your active theme or not; its files are still on the server.

I usually only keep the active theme on my site and delete the themes I no longer use, including the default WordPress themes, to minimize the chances of hackers gaining access to my site through a theme backdoor.


Apart from this, you are advised to use only themes that are regularly updated. Many free themes in the WordPress repository have been gathering dust for months or even years without an update. It is best to avoid such themes.

Also, say no to ‘nulled’ themes or plugins freely distributed on black hat sites, since most of these contain malicious code that compromises your WordPress site's security.

#6: Hosting Platforms- WordPress Vulnerability


Almost 41% of all WordPress vulnerabilities result from a poor hosting environment. We all want to minimize our website running costs, but investing in cheap hosting with weak security is not a great way to lower them.

Poorly managed hosting providers fail to isolate shared hosting accounts from one another, so if one website is compromised, the other websites on the same server can be affected as well.


That is why it is crucial to invest in a quality managed WordPress hosting provider with a good security track record, one that offers daily or weekly automated backups of your WordPress site at no additional cost.

The image below summarizes the four most common reasons why WordPress websites get hacked.

[Image: WordPress Vulnerabilities, the four most common reasons WordPress websites get hacked]

#7: Push Notification Scams- WordPress Vulnerability


Hackers are always inventing new ways to infect your WordPress site for their own ends. One of the latest trends is injecting malicious JavaScript, obfuscated to look like ordinary HTML, through plugin and theme backdoors.

Such scripts usually take the following form: <script type=text/javascript src=……..</script>

This code loads external scripts that redirect users to push notification scam sites, which trick visitors into granting permission to send browser notifications.


The best way to protect yourself from such attacks is to use clean plugins and themes and to update them as soon as a vulnerability is discovered.
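Clean, updated plugins and themes are the first defence; a second, detective layer is to tell the browser which hosts may serve scripts at all, so that an injected <script src=...> tag loading from an unknown host (the push notification loader above, or the cryptomining script from #1) is reported to you. This is an added example, not from the original post; cdn.example.com and the harden/v1 route are placeholders of ours.

```php
<?php
/**
 * Plugin Name: CSP script-host reporting (added example, not from the original post)
 * Description: Reports scripts loaded from hosts you did not approve.
 */

// Assumption: placeholder allow-list; replace cdn.example.com with the hosts
// (CDN, analytics) your site genuinely loads scripts from.
const HARDEN_SCRIPT_HOSTS = "'self' https://cdn.example.com";

// Front-end requests only: send the policy in Report-Only mode, which reports
// violations without blocking anything. Rename the header to
// Content-Security-Policy once the reports are clean to start enforcing it.
add_action( 'send_headers', function () {
    $report_to = esc_url_raw( rest_url( 'harden/v1/csp-report' ) );
    header( 'Content-Security-Policy-Report-Only: script-src ' . HARDEN_SCRIPT_HOSTS
        . '; report-uri ' . $report_to );
} );

// REST endpoint that receives the browser's JSON violation report and writes a
// one-line entry to the PHP error log for your monitoring to pick up.
add_action( 'rest_api_init', function () {
    register_rest_route( 'harden/v1', '/csp-report', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // browsers post reports without credentials
        'callback'            => 'harden_log_csp_report',
    ) );
} );

function harden_log_csp_report( WP_REST_Request $request ) {
    // Browsers send Content-Type application/csp-report, so decode the raw body ourselves.
    $report = json_decode( $request->get_body(), true );
    $csp    = ( is_array( $report ) && isset( $report['csp-report'] ) ) ? $report['csp-report'] : array();
    $field  = function ( $key ) use ( $csp ) {
        return isset( $csp[ $key ] ) ? $csp[ $key ] : '?';
    };
    error_log( sprintf(
        '[csp] page=%s blocked=%s directive=%s',
        $field( 'document-uri' ), $field( 'blocked-uri' ), $field( 'violated-directive' )
    ) );
    return new WP_REST_Response( null, 204 );
}
```

Inline scripts emitted by themes and plugins are reported too; add 'unsafe-inline' to HARDEN_SCRIPT_HOSTS if you only want to catch scripts fetched from foreign hosts.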

#8: Not Keeping Your Site Updated- WordPress Vulnerability


Did you know that only 22% of sites are running the latest version of WordPress, while almost 40% of websites are still on a 4.x version?

This is a scary statistic, given that WordPress regularly releases security updates between two major versions.

WordPress is an open-source CMS, and its code is freely available for anyone, including hackers, to study. These hackers are in the business of discovering vulnerabilities in the WordPress code.


So it is your responsibility to keep your site running on the latest version of WordPress. By default, all WordPress sites have automatic core updates enabled for minor releases, such as 5.2.x.

However, for major updates (the 5.x releases themselves), you still need to update your website yourself from within the WordPress dashboard.

Whenever a major update is available, update your WordPress site at the earliest opportunity, since websites running legacy WordPress versions are easy targets for hackers.
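Putting #4 and #8 together, here is an added example (not from the original post) of a must-use plugin that opts the site in to automatic plugin, theme and major core updates and logs the outcome of each run, so that a failed update does not go unnoticed. The HARDEN_MANUAL_PLUGINS list and the plugin path in it are placeholders of ours; the filters and the action are WordPress's own.

```php
<?php
/**
 * Plugin Name: Unattended updates with a log (added example, not from the original post)
 * Description: Opts in to automatic plugin, theme and major core updates and logs each run.
 */

// Minor core releases (5.2.x) update themselves already; this also opts in to
// major ones (5.x). Setting WP_AUTO_UPDATE_CORE to true in wp-config.php is equivalent.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Assumption: placeholder list of plugins you prefer to update by hand (for
// example, one you have patched locally). Paths are relative to wp-content/plugins.
const HARDEN_MANUAL_PLUGINS = array( 'my-customised-plugin/my-customised-plugin.php' );

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // $item is the update offer; $item->plugin is the plugin's main file path.
    return ! in_array( $item->plugin, HARDEN_MANUAL_PLUGINS, true );
}, 10, 2 );

add_filter( 'auto_update_theme', '__return_true' );

// One log line per item after every automatic-update run, so that an update
// which failed and left a known-vulnerable version in place is visible to
// whoever watches the error log.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $items ) {
        foreach ( $items as $entry ) {
            // $entry->result is true (or a version string for core) on success,
            // and false, null or a WP_Error on failure.
            $failed = is_wp_error( $entry->result ) || empty( $entry->result );
            error_log( sprintf( '[auto-update] %s "%s": %s', $type, $entry->name,
                $failed ? 'FAILED' : 'updated' ) );
        }
    }
} );
```

AUTOMATIC_UPDATER_DISABLED or DISALLOW_FILE_MODS in wp-config.php override these filters, and the web server user must be able to write to the WordPress files for unattended updates to run at all.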

What Are The Tell-tale Signs That Your WordPress Site Is Hacked?


If you take care of your WordPress website's security, there is very little chance of your site getting hacked. But in the unfortunate event that it does get hacked, how will you know, so that you can take corrective action immediately?

Signs That Your WordPress Site Is Hacked

The following are the most common indications of a compromised WordPress website:

  • Sudden traffic drop: If your website experiences a sudden drop in traffic, it could be that malware has been detected on your site and Google is displaying a warning in the search results; that warning lowers your click-through rate, and hence your traffic.
  • The appearance of spam links: Hackers usually place spam links to third-party sites on the sites they compromise. If you discover such links, or unusual redirections that you did not set up, take immediate corrective measures.
  • Unwanted popups: Are you or your users seeing unwanted popups displaying adware or redirecting to spam websites? This is an indication of malware affecting your website.
  • An unusually slow or unresponsive site: If a DDoS attack has hit your site, it will either stop loading altogether or become very slow. Investigate such incidents immediately.
  • You cannot log in to your site: If you see a message like ‘username does not exist’ when you try to log in to your WordPress site, it suggests that a hacker has gained access to your site.
  • Unusual findings in site scan: As advised earlier, you should regularly run malware scans on your WordPress website. If any of these scans report unexpected results, such as malicious-looking code, investigate further without delay.

Concluding the WordPress Vulnerability Discussion


We have seen the eight top vulnerabilities that threaten WordPress websites in 2020 and how you should deal with these threats.

We also discussed six signs of a hacked WordPress website, so that you can take corrective measures in time.

Perhaps the best way to steer clear of WordPress vulnerabilities is to take a proactive approach to WordPress security, in which you regularly follow best security practices to prevent any security mishap on your WordPress website.

Did you find this information on the top WordPress vulnerabilities useful? Let me know in the comments below, along with any other vulnerability that you are aware of or have experienced on your WordPress website.

Author Bio


Trishan Mehta writes on WordPress and SEO. He is a keen follower of the latest trends in WordPress optimization and security and regularly publishes on these topics on PassionWP.
