
🩻WordPress Common Vulnerabilities

So, today I wanted to cover the most common 🩻vulnerabilities found in WordPress sites. For those who don’t know what “WordPress” is, it’s a widely used 📑CMS (content management system) that lets you build a website (with easy drag-and-drop elements or via CSS/HTML) and host it either on WordPress’s own hosting options or with a third-party provider such as AWS, DigitalOcean, etc.

The reason I wanted to cover this is that many so-called “digital transformation” companies and agencies currently claim to build good-looking or revolutionary websites. In truth, the result is often just a WordPress site that is barely functional, and anyone can build one now because of how easy it is. The reasons for this are:

1. It’s time- and 🕰cost-saving to build a website with WordPress rather than from scratch using JavaScript/Node.js, for example.

2. You don’t need to be very 💡tech-savvy to build a WordPress site. Most of it is drag and drop, and basic CSS/HTML is enough.

3. Most client requirements amount to a 🖼landing page, and a basic WordPress site does the job.

However, using WordPress comes with a lot of security issues. This may be due to a lack of knowledge of how to implement proper security measures, or a lack of budget for security plugins. Here are the common WordPress website vulnerabilities and how to resolve them.

1. Login Page (/wp-login.php, /wp-admin/) visible to the public

🔹Issue: If the login page is publicly reachable, attackers can brute-force WordPress credentials.

🔹Example URLs:

  • https://example.com/wp-login.php
  • https://example.com/wp-admin/

🔹Prevention:

  • Change the login URL using WPS Hide Login (e.g., /mysecurelogin) or add a long unique string at the end of the URL, so the URL can be shared amongst the relevant members only. This hides the page rather than controlling access, so keep the measures below in place as well.
  • Enable Two-Factor Authentication (2FA).
  • Limit login attempts with Limit Login Attempts Reloaded.
  • Restrict access to the login page by IP in .htaccess:

<Files wp-login.php>
    # Apache 2.2 syntax (needs mod_access_compat on 2.4); the 2.4 equivalent is: Require ip YOUR_IP_ADDRESS
    order deny,allow
    deny from all
    allow from YOUR_IP_ADDRESS
</Files>

2. XML-RPC (/xmlrpc.php)

🔹 Issue: XML-RPC is used for brute-force attacks and DDoS amplification. Through system.multicall, attackers can try thousands of username/password combinations in a single request. They also abuse XML-RPC’s pingback feature to make a WordPress site send requests at another website, turning the site into part of a botnet.

🔹 Example URL:

  • https://example.com/xmlrpc.php

🔹 Prevention:

  • Disable XML-RPC if not needed:
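Added example (not code from the original post): a small Python checker that scans Apache access-log lines for the brute-force pattern described in sections 1 and 2, bursts of POSTs from one IP to /wp-login.php or /xmlrpc.php, so the pattern can be confirmed in your own logs before applying the rate limit or IP block recommended above. The log lines, IP addresses, threshold and window are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (RFC 5737 documentation IPs, invented timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2710 "-" "curl/8.0"
198.51.100.7 - - [06/Apr/2025:10:00:02 +0000] "GET /wp-content/themes/ HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2710 "-" "curl/8.0"
203.0.113.5 - - [06/Apr/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2710 "-" "curl/8.0"
203.0.113.5 - - [06/Apr/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2710 "-" "curl/8.0"
203.0.113.5 - - [06/Apr/2025:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [06/Apr/2025:10:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1245 "-" "python-requests/2.31"
198.51.100.7 - - [06/Apr/2025:10:30:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1245 "-" "python-requests/2.31"
192.0.2.9 - - [06/Apr/2025:10:00:09 +0000] "POST /wp-login.php?redirect_to=/wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Fields: ip, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
WATCHED = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not a log record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Map (ip, path) -> peak POSTs to a watched endpoint inside any `window`, if the peak reaches `threshold`."""
    stamps = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] in WATCHED:
            stamps[(rec[0], rec[3])].append(rec[1])
    bursts = {}
    for key, times in stamps.items():
        recent, peak = deque(), 0
        for ts in sorted(times):          # sliding window over the sorted timestamps
            recent.append(ts)
            while ts - recent[0] > window:  # drop events older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            bursts[key] = peak
    return bursts

if __name__ == "__main__":
    for (ip, path), n in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} POSTs to {path} within 60s, candidate for rate limiting or an IP block")
```

Two XML-RPC posts half an hour apart from the same IP are deliberately left below the threshold, which is what separates a legitimate client from the multicall-style bursts the post describes.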

3. REST API (/wp-json/wp/v2/)

🔹 Issue: The public REST API exposes usernames and post details to unauthorised users.

🔹 Example URLs:

  • https://example.com/wp-json/wp/v2/users (leaks usernames)
  • https://example.com/wp-json/wp/v2/posts (reveals draft posts)

🔹 Prevention:

  • Disable user enumeration by removing the users endpoint from the REST API:

add_filter('rest_endpoints', function ($endpoints) {
    // Drop the public /wp/v2/users route so usernames cannot be listed anonymously
    if (isset($endpoints['/wp/v2/users'])) {
        unset($endpoints['/wp/v2/users']);
    }
    return $endpoints;
});

  • Restrict access using the Disable REST API plugin or with .htaccess:

# /wp-json/ is a rewritten route handled by index.php, not a file on disk, so a
# <FilesMatch "wp-json"> rule never matches it; block the path with mod_rewrite instead.
# Note: the block editor and many plugins call the REST API for logged-in users,
# so test this before applying it to a production site.
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/ [NC]
RewriteRule .* - [F,L]

4. Admin AJAX (/wp-admin/admin-ajax.php)

🔹 Issue: WordPress uses admin-ajax.php to handle AJAX requests from themes, plugins and the admin panel, so it has to be reachable from the front end. Being publicly accessible, it can be abused for DDoS attacks or to slow down site performance.

🔹 Example URL:

  • https://example.com/wp-admin/admin-ajax.php

🔹 Prevention:

  • Limit unnecessary AJAX requests using a firewall (e.g., Wordfence).
  • Monitor requests and block suspicious behavior.

5. Plugin & Theme Directories (/wp-content/plugins/, /wp-content/themes/)

🔹 Issue: If directory listing is enabled, attackers can list the installed plugins and themes, identify their versions, and target known vulnerabilities in them.

🔹 Example URLs:

  • https://example.com/wp-content/plugins/
  • https://example.com/wp-content/themes/

🔹 Prevention:

  • Disable directory listing in .htaccess:

Options -Indexes

  • Use a security plugin to hide plugin/theme versions.

I am not against using WordPress. But if you are using it, please configure it properly as recommended above and implement all necessary 🛡security measures. As WordPress is such a widely used CMS, there are a lot of websites lying around waiting for the next breach or hack because proper security measures were never implemented.✒️


April 6, 2025

By Jaeson Sha

