The Top WordPress Vulnerabilities in 2021

The Top WordPress Vulnerabilities in 2021 (And How to Combat Them)

There are over 28 million WordPress websites currently online. Unfortunately, this popularity makes the platform vulnerable to hacking, with attacks on WordPress sites becoming more commonplace in recent years. Like many site owners and developers, you may already be familiar with some WordPress security issues and you’re probably looking to reduce your exposure to a potential attack.

WordPress may be a favorite target among hackers, but there are steps you can take to keep your site safe. By following a few security best practices, you can defend your website against every major attack in the hacker’s arsenal.

In this post, we’ll explore all the vulnerabilities identified in Patchstack’s recent WordPress security survey. We’ll then share practical steps you can take to protect your site against the four most common attacks. Let’s get started! 

What You Need to Know About WordPress Vulnerabilities

In 2013, a Sophos Labs employee posted that 30,000 websites are hacked every day. Back in 2019, a report found that security breaches had increased by 67 percent over the last five years. 

Even without specific numbers, these statistics are concerning. In fact, when asked about web security, over 70 percent of freelancers, developers, and agencies confirmed that they are increasingly worried about their websites.

The WordPress team has a good track record of addressing security issues with their platform. However, themes and plugins can make your site more vulnerable to attack. According to the Patchstack report, more than 70 million WordPress websites are running plugins and themes that are known to be vulnerable.

This report also found that 25 percent of respondents had dealt with a hacked site in the month prior to participating in this survey. With hackers actively targeting security loopholes in WordPress themes, plugins, and core files, it’s vital that you take steps to protect your website

The Top WordPress Vulnerabilities in 2021 (And How to Combat Them)

A big part of protecting your site is understanding the risks. Cyber security specialists Patchstack recently published a report into the most common ways WordPress sites are compromised. Let’s take a look at the top four vulnerabilities, according to Patchstack’s report. 

1. Cross-Site Scripting (XSS) Attacks

A Cross-Site Scripting (XSS) attack occurs when a hacker injects a malicious script into your website or application. This code will then be executed in the browser, or on your server.

As part of an XSS attack, a hacker may collect data from your visitors, or even change how your site looks or functions. This may include redirecting your customers to an entirely different website.

According to Patchstack, XSS is the most common vulnerability affecting WordPress websites, accounting for over 36 percent of all the unique security issues discovered in 2020. If you only protect your site against one attack, then it makes sense to prioritize XSS vulnerabilities.

To do this, you can use a firewall to filter malicious requests before they have a chance to reach your website. You can also prevent the page from being loaded when an XSS attack is detected, using the X-XSS-Protection header.

To add this header to your site’s .htaccess file, you’ll need to connect to your site using a File Transfer Protocol (FTP) client such as FileZilla. You can then open the .htaccess file and add this code snippet

<IfModule mod_headers.c>
   Header set X-XSS-Protection "1; mode=block"

This header also helps to specify which resources are permitted to load, and which should be blocked. This can prevent the browser from loading malicious content. You can achieve this by defining a Content Security Policy (CSP). After creating your policy, you can add it to your site’s functions.php file via the WordPress theme editor. 

2. Structured Query Language (SQL) Injection Attacks

Many websites accept user input, most commonly in comment sections and contact forms. However, a malicious third party can use these common site elements against you by launching an SQL injection attack

Identified by Patchstack as the second most common WordPresss attack, SQL injection occurs when a hacker attempts to break the intended SQL query, and then queries for different information. An SQL injection attack can give hackers access to sensitive information that they wouldn’t normally be able to retrieve.

If you insert any user input directly into an SQL statement, then your site is vulnerable to these attacks. To keep your data safe, it’s vital that you ensure all inputted values are properly escaped, by using a prepared statement to execute your SQL statements. This ensures that the database processes the input and stores the result without executing it. The parameters are transferred later using a different protocol, which leaves no room for an SQL injection to occur. 

It also helps to validate the input’s data type. You can use the bind_param function to attach the parameters to the SQL query: 

$stmt->bind_param("sss", $firstname, $lastname, $email);

Here, SSS tells the database what type of data to expect. This puts you in a stronger position to identify malicious input. 

3. Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) happens when a hacker attempts to transfer malicious commands to your website. The attacker cannot see the response to their forged requests, but they can use the CSRF to perform a state change request. This might involve changing the customer’s login details without their consent, or even transferring funds into their own account. According to the Patchstack report, CSRFs are the third most common attack and account for 6.5 percent of vulnerabilities.

To launch a CSRF attack, the hacker needs to know the parameters and value combinations that you use in your input fields. You can help the server identify and block these invalid requests by adding an extra value that’s known only to the visitor’s browser and your website. 

One way to add this mystery value is via an anti-CSRF token, which is a random string of values that’s stored in a hidden field, and sent with the request. The server will only accept a request if the value of the session variable and the hidden form field are an exact match, which is an effective way to spot CSRFs.

4. Vulnerabilities in Third Party Themes and Plugins

Themes and plugins are a huge part of the WordPress experience. However, they’re also the biggest security risk facing your website. 

Patchstack found that around 96 percent of all vulnerabilities originate from third-party code. As part of their study, security experts discovered 82 unique vulnerabilities in WordPress themes, and almost 500 security issues in WordPress plugins. These security vulnerabilities had a staggering active installation count of 70 million.

Thankfully, there are ways to use third-party software safely. To start, always download your themes and plugins from a reputable source, such as the official WordPress repository or an established marketplace such as CodeCanyon

Protect your site against WordPress vulnerabilities.

It’s also a good idea to check the software’s recent reviews for any mention of security issues. Once you’ve installed your theme or plugin, it’s important to keep it up-to-date. Updates often add fixes or new features that can improve the software’s overall security and eliminate any known vulnerabilities. 

As previously mentioned, you can use a firewall to prevent malicious requests from reaching your site. This firewall can also make it more difficult for hackers to exploit vulnerabilities.

Even with all these precautions, there’s still a chance that you may install a theme or plugin that contains a vulnerability. To minimize your risk, it’s smart to regularly take stock of the software running on your website. If you no longer require a particular theme or plugin, we recommend deleting it. 

Always opt for deleting over deactivation, as some PHP files remain accessible even when the software is disabled. This means that a hacker could still use a deactivated theme or plugin against you. 


The core WordPress software has a good reputation for being a secure platform, but no software is foolproof. As we have seen, themes and plugins can make your site more vulnerable to attack. If you want to protect your visitors and your website, it’s important to follow the security practices outlined in this post.

Let’s quickly recap the four biggest threats facing your WordPress website:

  1. Cross-Site Scripting (XSS) attacks
  2. Structured Query Language (SQL) injection attacks
  3. Cross-Site Request Forgery (CSRF)
  4. Vulnerabilities in third party themes and plugins

Do you have any questions about any of the WordPress vulnerabilities mentioned in this article? Let us know in the comments section below!

Leave a Comment

Your email address will not be published. Required fields are marked *