
So, today I wanted to cover the most common 🩻vulnerabilities found in WordPress sites. For those who don’t know what “WordPress” is, it’s a commonly used 📑CMS (content management system) with which you can build (with easy drag-and-drop elements or via CSS/HTML) and host your website, either on the hosting options WordPress offers or via a third-party provider like AWS, Digital Ocean, etc.
The reason I wanted to cover this is that many so-called “digital transformation” companies or agencies currently claim to build good-looking or revolutionary websites. The truth, though, is that it’s usually just a WordPress website that is barely functional, and anyone can build one now because of how easy it is. The reasons for this are:
1. It is 🕰cheaper and faster to build a website with WordPress than to build it from scratch using, for example, JavaScript/Node.js.
2. You don’t need to be very 💡tech-savvy to build a WordPress site. Most of it is drag and drop, and basic CSS/HTML is enough.
3. Most client requirements are just a 🖼landing page, and a basic WordPress site should do the job.
However, using WordPress comes with a lot of security issues. This may be due to a lack of knowledge of how to implement proper security measures, or to a lack of budget for security plugins. Here are the common WordPress website vulnerabilities and how to resolve them:
1. Login Page (/wp-login.php, /wp-admin/) visible to the public
🔹 Issue : If the login page is publicly reachable, attackers can brute-force WordPress credentials.
🔹 Example URLs:
https://example.com/wp-login.php
https://example.com/wp-admin/
🔹 Prevention :
Change the login URL using WPS Hide Login (e.g., /mysecurelogin) or add a long unique string at the end of the URL, so the URL can be shared amongst the relevant members only.
Enable Two-Factor Authentication (2FA).
Limit login attempts with Limit Login Attempts Reloaded.
Block access to login page by IP in .htaccess:
    <Files wp-login.php>
        # Apache 2.2 syntax (needs mod_access_compat on Apache 2.4);
        # the Apache 2.4 equivalent is: Require ip YOUR_IP_ADDRESS
        Order deny,allow
        Deny from all
        Allow from YOUR_IP_ADDRESS
    </Files>
2. XML-RPC (/xmlrpc.php)
🔹 Issue : Used for brute-force attacks and DDoS amplification. With system.multicall, attackers can try thousands of username/password combinations in a single request, and by abusing XML-RPC’s pingback feature they can make a WordPress site send requests at another website, turning it into part of a botnet.
🔹 Example URL:
https://example.com/xmlrpc.php
🔹 Prevention:
Disable XML-RPC if not needed:
3. REST API (/wp-json/wp/v2/)
🔹 Issue : The public REST API leaks usernames and post details to unauthenticated users.
🔹 Example URLs:
https://example.com/wp-json/wp/v2/users (leaks usernames)
https://example.com/wp-json/wp/v2/posts (reveals draft posts)
🔹 Prevention:
Disable user enumeration:
    // In functions.php or a small plugin: remove the public users routes from the REST API.
    // Note: this removes them for every request, including logged-in administrators.
    add_filter('rest_endpoints', function ($endpoints) {
        // Collection route, e.g. /wp-json/wp/v2/users
        if (isset($endpoints['/wp/v2/users'])) {
            unset($endpoints['/wp/v2/users']);
        }
        // Single-user route, e.g. /wp-json/wp/v2/users/1, which would otherwise still expose names
        if (isset($endpoints['/wp/v2/users/(?P<id>[\d]+)'])) {
            unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
        }
        return $endpoints;
    });
✅ Restrict access using the Disable REST API plugin or with .htaccess:
    # <FilesMatch "wp-json"> would test the file Apache finally serves; with pretty
    # permalinks every /wp-json/ request is served by index.php, so match the request
    # itself with mod_rewrite instead. Place this above the "# BEGIN WordPress" block.
    # This blocks the API for every client, including the block editor; if logged-in
    # users still need it, use the plugin route instead.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-json/ [OR]
    RewriteCond %{QUERY_STRING} (^|&)rest_route=
    RewriteRule ^ - [F,L]
4. Admin AJAX (/wp-admin/admin-ajax.php)
🔹 Issue : WordPress uses admin-ajax.php to handle AJAX requests from themes, plugins and the admin panel, so Admin AJAX (/wp-admin/admin-ajax.php) is publicly accessible by design, and it can be abused for DDoS attacks or flooded to slow down site performance.
🔹 Example URL:
https://example.com/wp-admin/admin-ajax.php
🔹 Prevention:
Limit unnecessary AJAX requests using a firewall (e.g., Wordfence).
Monitor requests and block suspicious behavior.
5. Plugin & Theme Directories (/wp-content/plugins/, /wp-content/themes/)
🔹 Issue : If directory listing is enabled, attackers can see which plugins and themes are installed (and their versions) and target known vulnerabilities in them.
🔹 Example URLs:
https://example.com/wp-content/plugins/
https://example.com/wp-content/themes/
🔹 Prevention :
Disable directory listing in .htaccess:
Options -Indexes
Use a security plugin to hide plugin/theme versions.
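A defender’s-side check that ties the five items above together, written for this post and not the author’s code: it walks Apache access-log lines and reports hits on the login page, xmlrpc.php, the REST users route, admin-ajax.php and the plugin/theme directories. The log lines and the per-IP thresholds are constructed for the example.

```python
import re
from collections import Counter

# Constructed Apache combined-format log lines for this example (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.4"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.4"
198.51.100.7 - - [10/Mar/2025:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 811 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 811 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2025:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 811 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2025:10:02:00 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2025:10:02:05 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:03:00 +0000] "GET /wp-content/themes/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2025:10:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) ')

# Request kinds counted per source IP, with assumed alert thresholds (kept low for the sample).
COUNTED = {('POST', '/wp-login.php'): 'login', ('POST', '/xmlrpc.php'): 'xmlrpc',
           ('POST', '/wp-admin/admin-ajax.php'): 'ajax', ('GET', '/wp-admin/admin-ajax.php'): 'ajax'}
THRESHOLDS = {'login': 3, 'xmlrpc': 3, 'ajax': 50}
LABELS = {'login': 'POSTs to wp-login.php (password guessing)',
          'xmlrpc': 'POSTs to xmlrpc.php (multicall/pingback abuse)',
          'ajax': 'admin-ajax.php requests (flood)'}

def analyze(log_text):
    """Return sorted (ip, finding) tuples for hits on the WordPress attack surface."""
    counts, findings = Counter(), set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip
        ip, method, status = m['ip'], m['method'], int(m['status'])
        path, _, query = m['url'].partition('?')
        kind = COUNTED.get((method, path))
        if kind:
            counts[(ip, kind)] += 1
        # 200 on the users route means the rest_endpoints filter from item 3 is not in effect.
        elif status == 200 and (path.startswith('/wp-json/wp/v2/users')
                                or 'rest_route=/wp/v2/users' in query):
            findings.add((ip, 'REST user enumeration succeeded'))
        # 200 on a bare directory URL means listing is on (Options -Indexes missing); 403 means blocked.
        elif status == 200 and path in ('/wp-content/plugins/', '/wp-content/themes/'):
            findings.add((ip, f'directory listing served for {path}'))
    for (ip, kind), n in counts.items():
        if n >= THRESHOLDS[kind]:
            findings.add((ip, f'{n} {LABELS[kind]}'))
    return sorted(findings)
```

Run it over the real access log instead of SAMPLE_LOG after applying the fixes above: the directory-listing and user-enumeration findings should disappear (those requests start returning 403 or 404), while the login and xmlrpc counts show who is still knocking.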
I am not against using WordPress. But if you are using it, please configure it properly as recommended above and implement all necessary 🛡security measures. Because WordPress is such a widely used CMS, a lot of websites are lying around waiting for the next breach or hack due to a lack of proper security measures. ✒️