What To Do About WordPress Vulnerabilities and Exploits in 2019


You work hard to make your WordPress site a great experience for visitors. Do you want unauthorized third parties horning in and messing up your good thing? Of course not! That’s why you want to be aware of and safeguard against any potential vulnerabilities and exploits.

If you’ve just seen the infographic 20 Chilling WordPress Vulnerabilities and Exploits, keep reading and we’ll tell you how to take action to prevent the most dangerous ones from that list.


Content injection doesn’t mean that you decide to inject your older content with something new that helps it remain evergreen. This term refers to an outside party introducing or injecting malicious content into your site. That malicious content may install some sort of malware, trigger redirects to other sites, or serve as a pass-through to funnel information away from your site.

Both you and your host have to safeguard against content injection. That means maintaining strong firewalls, updating protection software regularly, and monitoring any attempts to breach the site.


You wouldn’t think that a plugin for Google Maps could lead to problems, but it’s possible for an infected plugin to lead to quite a bit of trouble. Remember there are counterfeit plugins out there that look and seem to perform like the original.

Your first line of defense is to make sure you are using an authentic Google Maps plugin. By sticking with WordPress and other verifiable sources and staying away from questionable distributors of plugins, you help to minimize this risk.

A fake Google Maps plugin would generate a fake listing. That listing then redirects users to sites infected with viruses. That’s not a good way to build and retain your audience.


reCAPTCHA is a great tool. The plugin is designed to minimize the risk of spam on WordPress and other sites. Most of the time, it works perfectly. Unfortunately, some versions have been more effective than others.

Like most plugins, each version has come with vulnerabilities. Those usually go away with some updating. In the meantime, running an older version increases the odds a bad guy or girl will exploit one or more vulnerabilities.

For example, cross-site scripting could leave you with administrative privileges compromised and someone else able to make changes to the pages without permission. Keeping the plugin up to date and finding out what vulnerabilities are currently known will help prevent this type of attack.


Cookies are great for saving login data and making it easier for pages to load the next time a visitor comes to your site. They also happen to be a point of entry for those who would use your pages for their own purposes. With the right approach to exploitation, the cookies could pave the way for a hacker to bypass HTTPS protections and steal quite a bit of data.


Think of what that means if customers have the opportunity to order affiliate products through your site. Though the order is placed on your site, the commission is redirected to the banking or PayPal account of someone else. That’s the recipe for a sad day.


Remember the content injection we talked about? There’s also such a thing as Structured Query Language (SQL) injection, which is the same idea but targets the WordPress database. Perhaps you use an unsecured network to log in. Your data may be copied or captured in the process. That makes it easy for a third party to get through your network’s system later on, change passwords, copy data, and do just about anything before you know something’s wrong.
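To make the database side of this concrete, here is an added example (not code from the article) of the same WordPress plugin query written first in an injectable form and then with `$wpdb->prepare()`; the `wpx_` function names, the `user_search` form field and the `admin_post` action name are assumptions.

```php
<?php
// Added example, not from the article: an injectable WordPress query and its
// prepared-statement fix. Function names and the form field are assumptions.

// VULNERABLE: the request value is pasted straight into the SQL string, so a
// crafted value can change the query's structure instead of being plain data.
function wpx_find_subscribers_unsafe( $email_fragment ) {
    global $wpdb;
    $sql = "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email LIKE '%{$email_fragment}%'";
    return $wpdb->get_results( $sql );
}

// SAFE: $wpdb->prepare() binds the value through a %s placeholder, so WordPress
// escapes and quotes it and it can only ever be compared as a string.
// esc_like() additionally neutralises the LIKE wildcards % and _ in user input.
function wpx_find_subscribers( $email_fragment ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $email_fragment ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email LIKE %s",
        $like
    );
    return $wpdb->get_results( $sql );
}

// Typical admin-side wiring: check capability and nonce, sanitise, then query.
add_action( 'admin_post_wpx_subscriber_search', function () {
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'wpx_subscriber_search' );
    $fragment = sanitize_text_field( wp_unslash( $_POST['user_search'] ?? '' ) );
    wp_send_json( wpx_find_subscribers( $fragment ) );
} );
```

The capability and nonce checks do not replace the prepared statement; they only limit who can reach the query, while `prepare()` is what keeps the value from being interpreted as SQL.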

The best way to deal with an unsecured network is to (surprise!) secure it with a virtual private network (VPN). This type of service has grown exponentially in popularity and creates a secure encrypted “tunnel” through which you access the internet.

Keep in mind that, as long as you use a good VPN service which doesn’t keep traffic logs, there is no downside to using one - other than the cost. When compared to the possibility of total financial ruin that could result from having your personal information stolen and sold on the Dark Web, the risk-reward of using a VPN is a no-brainer.


Who doesn’t like to enhance the look of a blog post with some sort of graphic, video, or image? The thing to keep in mind is that those attachments need to come from a trusted source. They also should be scanned to ensure there are no hidden threats.

All it takes is one corrupt attachment inserted by one unauthorized party to open the door. From there, this miscreant can launch all sorts of attacks and siphon away revenue from clicks, redirect visitors to other sites, and in general undermine the function of your site.

Remember that depending on the type of virus in the attachment, your personal information could also be captured and exploited.


Like any other aspect of your setup, a firewall may have vulnerabilities. When that’s the case, hackers can breach the wall and gain access to your proprietary data. That includes any client information you may store somewhere on the site.

Updating your firewall is one way to minimize the risk. You should also look into protecting your pages more completely by combining the firewall with other approaches.


It’s simple. Update older plugins. If they don’t update automatically, set up a schedule to update them manually.


Hackers don’t stop looking for weaknesses just because a new plugin update was released; they know not everyone is diligent with updates.

And plugins are not the only point of vulnerability. Always update to the latest versions of themes and the WordPress core code as well. Better yet, try a new theme that has just been released. They are more likely to contain protections from known threats.


We’ve spent a lot of time talking about WordPress vulnerabilities and how best to prevent them, but there’s one administrative tactic left unmentioned until now - security or activity logs. For those unfamiliar with the idea, security logs are a record of everyone who has logged into your website, where they came from, and what they did while they were there.

There are serious security benefits in having this information, but it all comes down to one idea. If something goes wrong on your website, being able to audit these logs makes it easier to track down where things went sideways and fix it.

To accomplish this, check out these plugins. Most are free. A few come with premium upgrades. The important point is that you need one sooner rather than later. It’s like having a security camera to catch those nasty hackers in the act.
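If you would rather see what such a plugin does under the hood, here is an added example (not from the article, and not one of the plugins it refers to) that records logins, failed logins, logouts and plugin activation changes as one JSON line per event; the `wpx_` prefix and the log file location are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal Login Activity Log (added example)
 *
 * Added example, not from the article: records who logged in (or failed to),
 * from which address, and when. The wpx_ prefix and log path are assumptions.
 * Drop this file into wp-content/plugins/ and activate it.
 */

// Keep the log outside the web root in production; WP_CONTENT_DIR is a fallback.
function wpx_log_path() {
    $dir = defined( 'WPX_LOG_DIR' ) ? WPX_LOG_DIR : WP_CONTENT_DIR;
    return trailingslashit( $dir ) . 'wpx-login-activity.log';
}

// One JSON object per line: easy to grep locally or ship to a SIEM later.
function wpx_log_event( $event, $username, $extra = array() ) {
    $entry = array_merge( array(
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'user'  => $username,
        'ip'    => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'agent' => isset( $_SERVER['HTTP_USER_AGENT'] ) ? substr( $_SERVER['HTTP_USER_AGENT'], 0, 200 ) : '',
    ), $extra );
    file_put_contents( wpx_log_path(), wp_json_encode( $entry ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Successful login: core passes the login name and the WP_User object.
add_action( 'wp_login', function ( $user_login, $user ) {
    wpx_log_event( 'login_success', $user_login, array( 'roles' => $user->roles ) );
}, 10, 2 );

// Failed login: core passes the username that was attempted.
add_action( 'wp_login_failed', function ( $username ) {
    wpx_log_event( 'login_failed', $username );
} );

// Logout: wp_logout passes the user ID (WordPress 5.5 and later).
add_action( 'wp_logout', function ( $user_id ) {
    $user = get_userdata( $user_id );
    wpx_log_event( 'logout', $user ? $user->user_login : (string) $user_id );
} );

// Plugin activation/deactivation is a common post-compromise action; record who did it.
add_action( 'activated_plugin', function ( $plugin ) {
    wpx_log_event( 'plugin_activated', wp_get_current_user()->user_login, array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    wpx_log_event( 'plugin_deactivated', wp_get_current_user()->user_login, array( 'plugin' => $plugin ) );
} );
```

A burst of `login_failed` lines from one address followed by a `login_success` for the same account is exactly the pattern these logs exist to surface; note that `REMOTE_ADDR` shows the proxy or CDN address if one sits in front of the site.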


Though we’ve talked about a number of WordPress vulnerabilities, keep in mind that this is a massively popular website platform and draws a huge amount of attention from hackers. It’s no surprise they manage to penetrate the code now and then. The good news is that a strict schedule of updating plugins, themes, and the platform itself will put you a long way down the road to safety.

In other words, getting proactive today could prevent a lot of grief tomorrow.

About Will Ellis

Will Ellis develops the guts beneath beautiful websites and can't wait to see what the blockchain world will look like once the technology fully emerges. He invests in cryptocurrencies and studies history.
