
Why Update Your Blog: WordPress Vulnerabilities You Should Be Aware Of

Joel Lee 26-02-2013

I have a lot of great things to say about WordPress. It’s an internationally popular piece of open source software that allows anyone to start their own blog or website. It’s powerful enough to be extensible by seasoned coders, yet simple enough that tech-illiterate people can still benefit from it. We even have a mini-guide for starting your own WordPress site, 10 Essential First Steps When Starting A Wordpress Blog.


However, as with all Internet-facing software, there will always be security holes that need patching. Even when past holes are fixed, new features will inevitably introduce new holes, and then those holes need to be fixed. It’s a process that never ends, which is why it’s so important for you to update your WordPress installation regularly.

Updating WordPress is the best way to patch the latest WordPress security vulnerabilities. What sorts of security vulnerabilities? Here’s an overview of the most common ones you’ll encounter.

1. Default Admin Account


When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password. Keeping security credentials at their default settings can be a big vulnerability because hackers and crackers will know what those default settings are and, thus, will exploit them with ease.

Actually, this isn’t a problem unique to WordPress. Anything that comes with product-wide default access credentials (such as router logins or phone unlock codes) will inherently have this WordPress vulnerability; see 3 Default Passwords You Must Change & Why. But while routers and phones usually require your physical presence for mischief, anyone can potentially hack your WordPress site as long as they have the URL.


So what can you do? The easiest solution is to create a new administrator account on your WordPress site and delete the default “admin” account. This leaves no predictability in terms of administrator access.

2. Default Database Prefixes


When WordPress is first installed, the database tables are named with a default prefix of wp_. This is done so that all of the tables remain organized in your database in case you’re working with other software packages in the same database. The wp_ signifies that those specific tables are related to WordPress.

But here’s the catch – if a hacker is attempting to mess with your WordPress site, then this bit of predictability automatically makes him one step closer to tampering with your database tables. By knowing the names of your database tables, a hacker can manually poke at it until he gains access.


Think of it this way. Suppose a thief wants to steal something from your home, but your home is equipped with special doors whose keyholes stay hidden until you call out the right “name” for that door. If the thief knows that your door’s name is “Sandy”, then all he needs to do is pick the lock; but if the thief doesn’t know your door’s name, he needs to first figure that out somehow before he can even start to pick it.

So what can you do? Simple. WordPress allows you to install using a table prefix that is different from the default prefix.

3. Accessible Files & Directories


With any website, the number of files that you actually want users to access is far smaller than the number of files that are necessary to power that website. You may have a lot of function files, class files, template files, configuration files, and more – none of which should be publicly available. The same is true for directories.


Using chmod, you can set permissions on various files and directories to prevent unwanted users from accessing sensitive materials. If a user had access to your configuration file, for example, he could tamper with your WordPress settings and break your website. WordPress is vulnerable when your website’s files and directories aren’t secured behind proper permission settings.

So what can you do? I actually had to deal with this problem recently, and the fix isn’t too difficult. Make sure that your WordPress installation is in accordance with the WordPress permission scheme.
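As an added example (not code from the article), here is a small POSIX shell audit that checks a WordPress tree against that scheme, 755 for directories, 644 for files and, as an assumption made here, 600 for wp-config.php, and then fixes anything it finds:

```shell
#!/bin/sh
# wp_perm_audit ROOT: print one line per path whose mode deviates from the
# WordPress permission scheme. Directories are expected at 755, regular files
# at 644, and wp-config.php (assumed to live directly under ROOT) at 600 so
# that other local users cannot read the database credentials it contains.
# Note: -perm MODE is an exact match, so setgid directories (2755) are reported too.
wp_perm_audit() {
  root="$1"
  find "$root" -type d ! -perm 755 | sed 's/^/DIR    /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FILE   /'
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 | sed 's/^/CONFIG /'
}

# wp_perm_fix ROOT: apply the scheme above to the whole tree.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Usage: sh wp-perms.sh /var/www/html  (audit only; add "fix" as 2nd arg to repair)
if [ "$#" -gt 0 ]; then
  wp_perm_audit "$1"
  [ "$2" = "fix" ] && wp_perm_fix "$1"
fi
```

Run the audit first and read its output; files such as the uploads directory being world-writable (777) is the classic finding on shared hosting.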

4. SQL Injections & Hijacking


SQL injections are not unique to WordPress; in fact, they are one of the most common (and destructive) forms of web server attacks in the world. Not familiar with the term? Give my introduction to SQL injections article, What Is An SQL Injection? [MakeUseOf Explains], a quick peek to give yourself a basic understanding of the problem.


In essence, WordPress has had a few SQL injection security holes in its code over the years. Some have been patched while others remain unpatched or undetected. If a hacker gains access to one of these holes, he can inject malicious SQL code into your database, which can be used to steal data or just delete it altogether.

So what can you do? Well, here’s the catch – if you aren’t well-equipped enough to know how to defeat SQL injections, then you probably don’t have the technical know-how for building up a protection in the first place. You can probably look around for WordPress plugins that might address potential injection holes, but most users will simply need to wait for the next WordPress security patch.

Recommended Plugins

  • WP Security Scan – this plugin will scan your website setup and look for potential security vulnerabilities. It covers all sorts of areas from file permissions to database holes to password management and more.
  • WordPress File Monitor Plus – in case someone has gained access to your site’s file structure, this plugin will let you know. It regularly monitors your system’s files and directories and makes note of any discrepancies.
  • WordPress Firewall 2 – this plugin sets up a metaphorical wall around your site, scanning all inputted data and traffic for malicious intent. It’s pretty good at preventing attacks like SQL injections and other database attacks.
  • Wordfence – Wordfence is something of an all-in-one security suite plugin that includes malicious attack protection, anti-virus scanning, a firewall, and more. Definitely worth a try.


While WordPress may be both open source and widely popular, that doesn’t mean it is without flaws. WordPress vulnerabilities pop up from time to time, and when one is fixed, another one is usually right around the corner. With careful monitoring and preventative steps, you can minimize the risk that your WordPress site faces.


  1. Ron Lister
    February 27, 2013 at 5:11 pm

    Has anyone at MUO ever tried out Drupal? I'm just starting out with it.

    • Joel Lee
      March 1, 2013 at 8:19 pm

      I gave it a shot once (maybe 1-2 years ago) and it seemed much more convoluted than WordPress with very little benefit. I think in terms of free PHP CMS, WordPress would be my #1 choice followed by Joomla.

  2. Shmuel Mendelsohn
    February 27, 2013 at 4:13 pm

    Thanks so much MUO - you got me started with WordPress, and now you continue to help me!

  3. Rama
    February 27, 2013 at 2:00 pm

    One thing, the first point about "admin" where the author states "When you first install WordPress, your basic administrator account will be called “admin” with an equally simple password." is absolutely and totally false; obviously the author has never installed WordPress. What happens by default is the installer is prompted to enter any name for the administrative account, an email address and a password.

  4. Mac Witty
    February 27, 2013 at 9:06 am

    Thanks, updates can never, never be emphasized enough! Then if you are a person who does not visit your wp-installation every day, it might be a good idea to set up Google Analytics alerts for a couple of the most used "spam words". Then you will be notified very soon if your site has been hacked. Maybe a MUO guide on how to do it could be something?

    • Joel Lee
      March 1, 2013 at 7:20 pm

      Interesting idea with the Analytics alerts. Will have to think about that for a bit. Thanks!

  5. Alexander Carstensen
    February 27, 2013 at 7:56 am

    I am currently using WordPress, and I am definitely going to fix these vulnerabilities!

  6. Nevzat Akkaya
    February 27, 2013 at 7:12 am

    It's scary to have a serious security bug on your precious blog. One should always check the logs, bandwidth usage and always get backups to protect against data loss.

    • Joel Lee
      March 1, 2013 at 7:19 pm

      I cannot emphasize enough the importance of backups! Eventually something bad will happen to your blog and you're going to wish you had a recent backup or else you're going to lose a lot of data PERMANENTLY. Good point!

  7. Choon Khai
    February 27, 2013 at 6:09 am

    I have been using WordPress for a while, and this is really an eye-opener to me! Never thought that such trivial matters could really change everything.