Despite the thousands of hours that have gone into making sure WordPress is secure and stable, the default platform still has certain aspects that are vulnerable to attacks. It’s vital to know what those attacks are, so you can take steps to bolster your security and provide needed peace of mind.

As we discussed in a previous article, code injection attacks – such as Cross-Site Scripting and SQL injection – remain a high-priority concern for many website owners. Fortunately, protecting your site from these intrusions is simply a case of using some common-sense techniques, along with a snippet or two of code.

In this post, we’ll take a cue from the official WordPress developer website, and run through some of the most common attacks the platform has to contend with. Plus, we’ll also discuss how to fix them. Let’s get started!

What WordPress Already Does to Fight Hackers

security 3 Common WordPress Attacks You Can Stop In Their Tracks design tips
WordPress takes security very seriously, as demonstrated by the dedicated page on the official website.

It’s worth mentioning up front that WordPress is already highly secure, which is what you’d expect from a platform that powers so much of the web. However, if you were to go by WordPress’ portrayal in the media, you’d be forgiven for thinking it was an insecure platform not suitable for professional use. Of course, nothing could be further from the truth.

On their security page, the WordPress team clearly outlines their commitment to closing off potential hacker entry points. This includes:

  1. Presenting fixes on an almost constant basis, via regular incremental and point updates.
  2. A commitment to backward compatibility, which encourages users to install those regular updates.

Despite all of this effort, WordPress – much like every web application and Content Management System (CMS) – still needs an occasional helping hand to stop intrusions. The good news is that this is something completely within your control.

3 Common WordPress Attacks You Can Stop in Their Tracks

As we mentioned above, no platform can ever be completely safe. In this section, we’ll cover three of the most common attacks according to the WordPress development team, and discuss how you can keep them at bay.

1. Cross-Site Scripting (XSS)

First up, Cross-Site Scripting (XSS) is one of OWASP’s top ten security risks, so it’s worth paying special attention to. It’s a member of the ‘injection’ group of attacks and happens when JavaScript is loaded via vulnerable dynamic site elements – such as contact forms and other user input fields. A notable case of a severe XSS attack occurred in 2013, targeting Yahoo. This attack left user accounts in the hands of hackers.

As you can imagine, an XSS attack could severely reduce the trust customers place in your (or your client’s) business. As such, taking the measures necessary to prevent such an attack should be a priority. Fortunately, you can stamp out XSS by simply escaping your outputs correctly, and stripping away unwanted data.

Take this piece of HTML, for example:

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

The esc_url() function is specific to WordPress and replaces certain characters to prevent XSS attacks. For another example, check out this snippet:

$allowed_html = array( 'a' => array( 'href' => array(), 'title' => array() ), 'br' => array(), 'em' => array(), 'strong' => array(),
echo wp_kses( $custom_content, $allowed_html );

Here, wp_kses() has been used to allow only the specified HTML elements and attributes to occur in a string.

These are two handy WordPress-specific functions to combat XSS in your own projects. Using these and similar measures is a smart way to tighten your site’s security.

2. SQL Injection

SQL injection is closely related to XSS, in that it requires a vulnerable entry point based on your sanitization efforts. However, the difference here is that these attacks directly affect your database, which can have disastrous consequences. SQL injection can affect any site, most notably NASA way back in 2009. Fortunately, WordPress makes it relatively easy to stave off SQL injection attacks.

The standard WordPress APIs provide a number of functions to help protect inputted data from SQL injections. For example, add_post_meta() offers you a secure way of using SQL’s INSERT INTO command, meaning you don’t have to add database calls manually to your code.

Of course, some of your SQL queries aren’t going to be this simple, and there’s a chance the API won’t account for them. In these situations, you’ll want to turn to the wpdb class. Here’s an example of how that works:

$wpdb->get_var( $wpdb->prepare( "SELECT something FROM table WHERE foo = %s and status = %d", $name, // an unescaped string (function will do the sanitization for you) $status // an untrusted integer (function will do the sanitization for you)
) );

As you can see, we’ve used the $wpdb->prepare() function, which escapes the SQL query before executing it. This is just the tip of the iceberg, and there’s plenty more under the hood of WordPress to help halt SQL injection attacks.

3. Cross-Site Request Forgery (CSRF)

Finally, we have CSRFs – pronounced “sea-surfs.” In short, this is where an oblivious user is tricked into performing an action of the attacker’s choosing. To understand how this attack works, it’s worth considering how simple requests (such as clicking a link) work under the hood. Ultimately, these requests are one of two types: GET or POST. The former is a request for a page, and the latter is when data is sent to the server.

Consider a Google search for WordPress, where browsing to Google initiates a GET response, and searching for WordPress becomes the POST request. A CSRF is when this happens without the user’s consent. YouTube is one of many websites to succumb to this attack, and if a site that prominent can be vulnerable, you’ll need to do all you can to keep your site as safe as possible.

The solution here is to use ‘nonces’ – single-use security tokens designed to protect URLs and forms from being compromised. Take a look at this code example:

<form method="post"> <!-- some inputs here ... --> <?php wp_nonce_field( 'name_of_my_action', 'name_of_nonce_field' ); ?>

Here, we’ve used the wp_nonce_field() function to add a nonce to our form. This will guarantee that the user intends to perform the action (i.e. submitting the form) as expected and that there’s nothing they need to do on the front end.

Validation of the nonce doesn’t require setting any specific parameters, but there are options relating to the input action and name that can make your nonce more secure. What’s more, there are also functions to add nonces to a URL, as well as a custom format that’s ideal for AJAX requests.


A platform that powers about 30% of the web needs to be rock-solid, and this is definitely true of WordPress. However, no platform can guarantee 100% security. Some attacks can cripple a WordPress website, so you need to do what you can to ensure that malicious users have a hard time trying to hack your website.

To get you started, we’ve looked at three common WordPress attacks and how to fix them. Let’s recap each quickly:

  1. Cross-Site Scripting: This attack can be fixed by correctly escaping your outputs.
  2. SQL Injection: This related attack takes advantage of poor data sanitization to access your SQL database.
  3. Cross-Site Request Forgery: WordPress nonces can help validate a user action, and guarantee that it’s legitimate.

Have you ever been affected by any of these vulnerabilities, and if so, what was the outcome? Share your stories in the comments section below!

Featured image: dimitrisvetsikas1969.

John-Hughs_avatar_1473285718-70x70 3 Common WordPress Attacks You Can Stop In Their Tracks design tips

John is a blogging addict, WordPress fanatic, and a staff writer for WordCandy.

The post 3 Common WordPress Attacks You Can Stop In Their Tracks appeared first on Torque.