WordPress Security Vulnerabilities

WordPress Core and popular WordPress plugins have numerous security vulnerabilities, some of which are historic and taken care of by current versions of the platform, and some of which are still very relevant today. In order to secure your WordPress blog or site, it's important to gain an understanding of important vulnerabilities and historic attacks, which may repeat themselves in different variations. Below we have collected the top 10 resources on WordPress security vulnerabilities, including a history of WordPress security exploits, a Check Point report on WordPress core security issues, tools for scanning and reporting on vulnerabilities, and descriptions of specific, notable WordPress attacks.



Background on WordPress Vulnerabilities

A History of WordPress Security Exploits and What They Mean For Your Site

The emergence of significant security vulnerabilities this year has yet again reminded us of the need for ongoing vigilance and the importance of keeping sites updated. In this article we'll cover a selection of the major WordPress security exploits to date and what they meant for both users like you and the future of WordPress.

Interview with WordPress.org's Security Czar, Nikolay Bachiyski

At WordCamp Europe 2015, Matt Mullenweg named Nikolay Bachiyski the first Security Czar for the WordPress project. With over 10 years of experience contributing to the WordPress project, Nikolay is a great fit and has embraced the role. I had the opportunity to chat with him about this new role and his thoughts...

Finding Vulnerabilities in Core WordPress: A Bug Hunter's Trilogy, Part I

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts - describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only 'Subscriber' user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.

Using WPScan: Finding WordPress Vulnerabilities

When using WPScan you can scan your WordPress website for known vulnerabilities within the core version, plugins, and themes. You can also find out if any weak passwords, users, and security configuration issues are present. The database at wpvulndb.com is used to check for vulnerable software and the WPScan team maintains the ever-growing list of vulnerabilities.


Notable WordPress Security Vulnerabilities

Persistent XSS Vulnerability in WordPress Explained

We explain the recent security updates to WordPress that included the function used to temporarily preview a specific theme.

Understanding WordPress Plugin Vulnerabilities

The last 7 days have been very busy with a number of WordPress plugin vulnerabilities being disclosed on multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we'd categorize as noise. How are you supposed to make sense of all this?

Get Email Notifications of Plugin Vulnerabilities in WordPress

Vulnerabilities in the installed plugins can lead to hacked sites, data loss, etc. So it is the responsibility of every WordPress admin to keep their site secure and safe. One way to keep your WordPress site secure is to keep it up to date and keep track of the site activities and changes. Taking it one step further, here is how to receive email notifications of security vulnerabilities in installed plugins on your WordPress website so that you can update them as soon as possible.

WordPress Brute Force Attacks - 2015 Threat Landscape

One of the first server-level compromises I had to deal with in my life was around 15 years ago, and it was caused by an SSH brute force attack. A co-worker set up a test server and chose a very weak root password.

Behind the Malware - Botnet Analysis

While analyzing our website firewall logs we discovered an old vulnerability being retargeted in RevSlider, a popular WordPress plugin. In 2014/2015, this led to massive website compromises. Now it's being leveraged again in a new attempt to infect websites. The patched version (4.2) was released in February 2014.

DIY Python-based mass insecure WordPress scanning/exploiting tool with hundreds of pre-defined exploits spotted in the wild

In this post, I'll discuss a DIY type of Python-based mass WordPress scanning/exploiting tool, available on the underground marketplace since July 2013, emphasizing its core features and overall relevance in a marketplace dominated by competing propositions.

