Most Common Threats to WordPress Sites

The internet is full of plagues and dangers; it is not a hundred percent safe environment. Some threats, however, are constant and recurring for WordPress sites: dangers we should not neglect if we want to keep any site safe, especially a WordPress site or blog that represents, or is, our own business.

In this article I address these threats: the most common types of attacks on WordPress sites. Every day, thousands of WordPress sites are attacked and hacked in different ways.

For the security of our WordPress sites, it is essential to know how to fight these attacks. We will not know how to fight them without first learning to identify them and understand how they work.

There are several threats to WordPress sites. Below I describe five of the most common:


1 – Brute Force Attacks

2 – DDoS Attacks

3 – SQL Injection

4 – Malware

5 – Infection in Plugins


Now that we know what they are, let’s learn how each one works so we can identify them when our website is under attack.



What is a brute force attack?

A brute force attack is when a person or a program repeatedly tries to guess a system’s username and password in order to access it. In the context of this article, the system is a WordPress site. As a general rule, brute force attacks are carried out by bots that try thousands of combinations of usernames and passwords to access systems. The brute force attack is the most used method of intrusion on the internet.

How do people carry out brute force attacks?

If someone wants to access your site, for example, that person will patiently try to guess your username and password until they succeed, then use them to hack the site.

Brute force attacks by humans are usually carried out by people close to the site owner, administrator or account owner, who know details about their personal life.

This kind of attack can also be carried out by hackers who have obtained personal information about one of the users or the system administrator through social engineering, which is itself another type of attack.

Statistically, human-made brute force attacks have little chance of success.

Human brute force attacks are generally successful only when the user makes it easy: revealing their username, creating a weak password, or giving away some vital piece of information that the attacker can use to break into the system.

A very common weak password is the famous and most used one: the increasing sequence of digits from 1 to 8 (e.g. password: 12345678).

If an account has this password and the username is exposed, the chances of a successful intrusion attempt are much greater.


Use complex passwords that are difficult to guess to defend your system against brute force attacks

To solve this problem, the user can use a password generator to produce a more complex password that is difficult to guess.

When the user chooses an automatic password generator, it is good if the generator can also save passwords and login credentials.

Creating multiple usernames and passwords for multiple accounts makes memorizing them difficult. If the password generator does not have this function, look for a tool to store passwords and logins, unless you have an elephant’s memory.



What is a DDoS attack?

DDoS stands for Distributed Denial of Service.

DDoS attacks are very common on the internet.

A DDoS attack is one of the most used types of attack that hackers and cybercriminals employ to destroy and take sites down.

In simpler words: to carry out a DDoS attack, hackers use multiple servers (or networks of servers, called botnets) to generate traffic through bad bots, with the purpose of overloading the target site with more traffic than the site or server can support.

This traffic overload exhausts the bandwidth limits of the server where the target site is hosted, taking the site down and, in some cases (when the server hosts several sites), even the server and the other sites on it.

When the attack is long and brutal, it can even cause some damage to the target website’s server system.

There are several ways to protect against DDoS attacks, which I will address in the future on this site.



What is SQL Injection?

SQL injection is a form of attack or intrusion in which the hacker seeks access to the website’s database by injecting SQL code into forms whose input is not sanitized.

WordPress uses a SQL database. When the hacker finds a website with forms without sanitization, he tries to enter SQL commands in the form fields. These commands are received by the database, often giving the hacker the result he wanted.

Having found the vulnerability and gained access to the database, the attacker can extract precious data from the site, such as information about the site administrator, passwords, usernames, personal information and financial information; fully manipulate the database; make a copy of it; or delete it completely.

There are cases where the attacker impersonates the site administrator and takes the entire site by storm, causing owners to lose access to the site permanently or temporarily.

To better understand this explanation, you need to know what sanitization of the input entered in a form means.


Here is a simple explanation of SQL Injection

You have a form with a field where users are asked to enter a phone number. If the developer does not program this field to accept only numbers, any user can enter words, symbols and code.

When the user submits the form, the database will receive and record these words and symbols, which are totally irrelevant, since the field is meant to collect phone numbers only.

Finding this loophole, a hacker can enter SQL commands in this field that manipulate the SQL database.

Sanitization means coding the form so that its fields filter the input and accept only submissions of the type of data you want to collect. In our example, that means only numbers.
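The phone-number field above, worked through as an added example (not code from the original article). It uses Python with an in-memory SQLite table standing in for the site’s database, so the mechanism can be run offline: the vulnerable lookup pastes the field value into the SQL string, while the hardened one validates the field and passes the value as a query parameter. The table rows and the malformed input are constructed for the demonstration.

```python
import re
import sqlite3

# Assumption: a phone field holds 7-15 digits with an optional leading "+", nothing else.
PHONE_RE = re.compile(r"^\+?[0-9]{7,15}$")

def make_db():
    """Constructed in-memory table standing in for a contact table on the site."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (id INTEGER, name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                     [(1, "alice", "5551230001"), (2, "bob", "5551230002")])
    return conn

def lookup_unsafe(conn, phone):
    """Vulnerable: the raw form value becomes part of the SQL statement."""
    sql = "SELECT name FROM contacts WHERE phone = '" + phone + "'"
    return [row[0] for row in conn.execute(sql)]

def is_valid_phone(phone):
    """The sanitization filter: only input shaped like a phone number passes."""
    return PHONE_RE.match(phone.strip()) is not None

def lookup_safe(conn, phone):
    """Hardened: reject anything that is not a phone number, then bind the value
    as a parameter so the database never interprets it as SQL."""
    if not is_valid_phone(phone):
        raise ValueError("phone number must contain digits only")
    return [row[0] for row in
            conn.execute("SELECT name FROM contacts WHERE phone = ?", (phone.strip(),))]

if __name__ == "__main__":
    db = make_db()
    bad_input = "x' OR '1'='1"        # constructed: text, not a phone number
    print(lookup_unsafe(db, bad_input))  # every row comes back: the filter was bypassed
    try:
        lookup_safe(db, bad_input)
    except ValueError as err:
        print("rejected:", err)          # the same input never reaches the database
    print(lookup_safe(db, "5551230001"))  # only the matching row
```

In WordPress itself the parameterized half of this is `$wpdb->prepare()`, and the validation half is whatever check you put on the field before the value is used; both are needed, since the filter protects the data you store and the parameter binding protects the query.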



What is malware?

The word malware is a combination of the words malicious and software, meaning malicious software.

Malware is code or a program created to cause damage to any computer or system.

In the context of this article, we are talking about malware developed to attack WordPress sites.

There are several types of malware; the best known are viruses, spyware, adware, Trojans (Trojan horses), ransomware and others.

All these types of malware, when designed to attack WordPress sites, can damage any WordPress website that presents some security vulnerability.

Therefore, to keep any site safe and free from malware, it is important to implement the necessary security measures.



What is infection in plugins?

Infected plugins are not exactly a type of attack or threat, but a vulnerability. The WordPress repository currently has more than 50,000 plugins.

Many developers of these plugins do not maintain their code and do not release security updates.


Plugins in the WordPress Repository may also have security holes.

If, for example, someone from the WordPress community, or a developer from a company focused on WordPress security solutions, finds a vulnerability in one of these plugins, the plugin’s developer must act quickly and release an update with a security patch in order to eliminate the vulnerability.

If this does not happen, every site with this plugin installed may be exposed to attacks through the security hole the vulnerable plugin creates.

Another issue is plugins with very poor code. All plugins go through an evaluation process when submitted to the WordPress plugin repository; even so, some issues pass through the evaluation without being noticed.

And, of course, we can unknowingly install plugins with security holes in their code from the WordPress plugin repository.

For these reasons, care must be taken before installing any plugin, even if the plugin is in the WordPress plugin repository.

In the future I will talk about the care we should take with plugins, how to identify vulnerable plugins, and what kind of plugins we should avoid if we want to keep our website safe.


The five threats presented in this article are among the most common on WordPress sites.

If you want to keep your site protected, read more WordPress security articles and find more information on the security page of the WordPress Codex.

By learning to combat these threats, we will be able to guarantee the security of any WordPress site.
