6 most popular WordPress Security Issues & How to Fix Them


According to the research on Global CMS Market Share conducted in August 2020, WordPress is the most popular open-source platform which is the root of more than 27 million live websites. Despite lots of awesome features including easy installation, full customization, and a wide active and supportive community, WordPress comes with some security risks. In this article, we are naming and giving you a short explanation of some most common WordPress security issues, and then presenting you the ways how to fix such problems.


What do we need to do before starting to secure WordPress website?

“Is WordPress having issue today?” Unfortunately, the answer to this question is “Yes”!

WordPress itself has a secure framework; however, everything can change over time and you have to think of many ways to keep your WordPress site secure completely. Because, lots of WordPress websites are the targets of hackers who are enemies or competitors, wanting to attack and steal those sites. Therefore, it’s necessary to protect your website from the WordPress security issues and the first step you need to do before applying any other security solution is taking a complete site backup. In this way, you are saving a copy of your WordPress site so that you can restore it in unexpected cases when something is wrong.

There are three main ways to duplicate your website data in WordPress.

Backup WordPress website through a web server

The first way to get WordPress website backup is by choosing the best Web Hosting Provider that completes full, daily backups of your WordPress site.

Many hosting providers have a prebuilt backup policy. Some offer it as an advanced functionality that costs extra, while some offer it for free. For example, if you are using the Cloudways server, you will have the backup process done by the hosting completely. Because Cloudways offers a backup process that allows you to set the backup frequency, and also download the copies to your local storage.

Another choice is WP Engine Managed WordPress hosting which offers you automatic daily backups up all of your WordPress database including core files, themes, plugins, etc. Besides, you can initiate your own backups at any point (like before a major WordPress update, or when changing themes).

If you want to take your server managed backups to the next level, log in regularly, and download your site copy to store it on your hard drive.

Backup WordPress website manually

The second method to duplicate your site is to backup WordPress manually. This process is quite complicated and requires you to know at least basic program experience, in return, you will get full control and customization over your website.

To completely backup WordPress website, you have to go through 2 main stages:

Stage 1: Manual Backup of your WordPress Files

In this stage, you have 2 ways to download your entire WordPress directory: by logging in to your server (cPanel), or via cPanel or using an SFTP.

Backup your WordPress site using cPanel

The process of backing up your site in cPanel is quite long and time-consuming. However, all steps in the process are extremely easy as below.

  • Step 1: Log in to your web host and navigate to cPanel. For most web hosting, the cPanel is usually the first page you see once logging in.
  • Step 2: Navigate to the File Manager, which should lead you to your  public_html or Home directory
  • Step 3: On the left panel, you will see a number of folders of your WordPress directory. Find “public_html”. Click on the “+” symbol to expand the folder. If you have various sites, you’ll need to select the folder that names your website.
  • Step 4: In this step, you should not download all files since it takes lots of time and can make your server overload. Instead, select and right-click on the folder you want to copy, then “compress” it.
  • Step 5: Then you are given 4 compression types: ZIP, Tar, GZiped tar, and Bzip2ed Tar for you to choose to save your file. I recommend you to go for Zip Archive because it makes the process faster and lighter, and reduces the storage space required.

Once the zip file is ready, selecting and downloading it. Then choose a secure location on your hard disk and save your backup. Even compressed backup can take a lot of space, so make sure to check the storage on your Mac or PC before saving. 


If your server uses a different control panel such as vDeck, Plesk, etc, you just need to locate your File Manager and then follow the process above.

Backup WordPress files via SFTP

SFTP, also known as Secure File Transfer Protocol, is a network protocol that offers users file transfer and manipulation functionality over any reliable data stream. Backup to SFTP is one of the most reliable methods of data secure, as it involves a remote SFTP backup server (which eliminates risks of “local” data loss due to fire, theft, etc.) and secure network connection.

When you choose to backup your WordPress database via SFTP, you should use a popular file manager like FileZilla or Transmit because they’re lightweight and easy to use. The detail process is described as the following steps:

  • Step 1: Install the application on your computer and retrieve your SFTP login credentials from your hosting account. In this example, we choose the Transmit.
  • Step 2: Login the file manager of the app and enter the details information for your website including a nickname, website URL, your unique SFTP username, and password, then change the port number to 2222

Then, you are located to the WordPress directory, simply select all of your files, right-click and “Download Selected Items.” Once downloaded, remember to zip up the files and save it.

Stage 2: Backup Database via phpMyAdmin

The next step is to copy your database via phpMyAdmin using the cPanel of your hosting account.

  • Step 1: Log in to your web host account. Navigate to your ‘product’ and select it. On the next page, you should see ‘cPanel Admin’.
  • Step 2: Under “Databases”, click phpMyAdmin, you’ll enter the area in which you can see your WordPress databases.

Then a new box appears, select ‘Databases’ from the tabs on the top.

  • Step 3: From the left panel, choose your database, then it will be expanded with the contents on the right panel.

Once choosing the right database, simply select all the tables on the right panel and export it.

Here, you need to choose the export method and format you want.


Now, you have a .sql file. You should move it to the database backup folder we created to store it.

That’s it. You’ve got a complete manual backup of your WordPress website.

Automatically Backup WordPress site with plugins

The third option is to backup WordPress automatically with plugins. WordPress backup plugins are tools providing WordPress users the needed element to create dependable backups for their website. All you have to do is install your desired WordPress backup plugin, setting up, and getting your website copied automatically.

There are many awesome backup plugins for WordPress such as Duplicator free WordPress plugin, BackWPup Free WordPress plugin, WPvivid (starting at $199, one-time fee), VaultPress ($39 per year), etc.

Our choice for WordPress backup plugins is WPvivid – which has been serving us well on many of our sites,” shared Donald Chan, a founder at MarTech Wise.

Once completely backing up your WordPress site, you can navigate to the next steps of protecting your website. Below, I will present you 6 most common WordPress Security issues and show you how to tackle theme.

6 Most Common WordPress Security Issues & Solutions to them

1. Don't keep WordPress latest updates

Not updating your WordPress software to the latest version is the most common reason why your website is hacked.

As mentioned above, WordPress is an open-source platform that comes with a secure framework. However, it can go wrong if you fail to keep WordPress updated with the latest version (at the time I am writing this article, WordPress 5.5 is the latest version). It is because hackers find exploits and security holes in WordPress core, and attack the websites which are not updated yet through such errors. Hackers can deface your web pages and posts, which can seriously affect your business. That’s why running a website on an outdated WordPress installation is one of the biggest reasons why it can get hacked.


The best and certain simple tip that can help you protect your site from WordPress update issues is to:

Keep your WordPress environment at the latest updates.

The core team of WordPress creates newer versions for more advanced features and bug fixes, better security patches, performance improvements, better compatibility with themes and plugins, and more. Updating your site to the latest version avoids the WordPress security vulnerabilities presenting in previous versions and prevents hackers to insert malicious codes that can make you lose your confidential information or even have a bad SEO impact on your site.

2. Brute Force Attacks

What are Brute force attacks?

Brute force attacks are the simplest form of hacking and the biggest threats that put the security of a WordPress site at risk. They are run by bots, target security vulnerabilities caused by administrators such as weak passwords, and are executed on several websites of any size at the same time; therefore, it is not difficult to succeed. Things get even worse if administrators use the same password for multiple accounts or don’t regularly update it which can significantly increase their risk.


To fix such WordPress issues, you can try the solutions as follows.

  • Make a strong password

The first way is to make a strong password. But what makes a strong password? Below are some tips for you to apply to generate strong WordPress passwords for better security.


To create a strong password, you should make it as long as possible (at least from 8-10 characters), avoid common phrases or known words, or anything related to you such as your name, date of birth, name of pets, friends, etc. Besides, a strong password should include a mix of lowercase and uppercase letters, symbols, and numbers. Another important note for you to prevent your website from hacking is that you need to keep your password fresh by changing it regularly (every two or three months) and do not use the same password for more than 2 accounts.


The second practice you can apply to detect WordPress login issue is using CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), which determines whether the user is a real human or a spam robot.


The most common form of CAPTCHA is an image with some letters. It is also often to choose some images with the same theme from a variety of pictures. Whenever a visitor tries to get into a website, he/she will be required to enter a mix of lowercase or capital characters or/and numbers on a generated image. It seems silly but it is highly effective against brute force attacks.


Recently, Google has started a project “Google Invisible reCAPTCHA”, which is the advanced version of the previous form of CAPTCHA. By default, it’s invisible and only a visitor who is suspected not to be a real human sees it and has to type in the CAPTCHA to log in the website.

CAPTCHA is simple and great for administrators to secure their website against brute force attacks; however, most visitors don’t like that because it takes their time and interrupts them a lot. So implementing such a method may somehow have a bad effect on user experience on your WordPress site.

  • Employ Two-factor authentication (2FA)

The third tip to address WordPress security concerns about the weak password is enabling two-factor authentication that adds a second level of authentication to an account log-in.


The initial idea of this method is that password alone is not enough to secure a website and there needs to be other security layers during login. Then 2-factor authentication is born and reduces the risk of a potential data breach examples.

This means that even if you have very strong passwords, you should also enable two-factor authentication on your WordPress website. In case, your password gets stolen, hackers won’t be able to log in without the security code directly generated on your trusted device such as your mobile phone. It’s very simple for you to use, but does a great job of securing your website even if your password is guessed.

You can easily employ 2FA on your site with a WordPress Two-Factor Authentication plugin such as Shield, iThemes, Wordfence, etc. You can take a look at this collection of top best free WordPress security plugins to find the most suitable one for your site. Of course, having a secure password manager is also crucial to generating and storing strong, unique passwords across all your accounts.

3. Unlimited login attempts

The third popular problem in WordPress security issues list is unlimited login attempts. By default, there is no restriction on the login times of a visitor, which may cause unintentional user-caused WordPress login issues.


It is also the reason for a website being hacked when the hackers try to login to the website again and again until they crack the password. If you limit the times a person can attempt to log in within a specific period, you can significantly reduce the risk of brute-force attacks on your site.


To repair this WordPress security issue, there are 2 solutions you can use.

  • Two-factor authentication

You can use the measure mentioned earlier which is 2-step authentication. When the users enter the passwords, they are then required to complete the next security step to log in. Therefore, it will help to save your site from multiple times of login attempts.

  • Install a limit login attempts plugin

Another solution to such website security issues is installing a limit login attempts plugin. There are lots of useful plugins that protect your site from this WordPress login problem, such as WP Limit Login Attempts, and Limit Attempts by BestWebSoft, etc. Just download and install your desired extensions, making some settings, and getting it run automatically.

4. SQL Injections

Other security issues with WordPress is SQL injections. But the first question is:

What is an SQL? 

SQL is a query language designed to manage data stored in relational databases. You can use it to access, edit, and delete data. Many WordPress websites keep all the data in SQL databases. Besides, you can also use SQL commands to run operating system commands.

what is SQL injection?

WordPress SQL Injections are a common hack method in which attackers inject malicious code (like malware and spammy links) into existing SQL commands. Such malicious statements can attack the SQL database such as MySQL, Oracle, SQL Server, or others. Then, the hackers may use it to pass website security measures and get unauthorized access to sensitive and important data in your site, for example, customer information, personal data, trade secrets, and more.

That’s why it is seriously dangerous if an SQL injection successfully attacks your website.

There are some types of SQL injection attacks namely Union-Based SQL Injection (using database errors or UNION commands), blind SQLi, and out-of-band SQLi. You can take a look at this material to learn more about such SQL injections.

SQL injections are code-related WordPress security issues and do not leave traces on the server. Instead, they execute direct queries on the database. Hence, the majority of attacks are recognized after an attacker successfully performs malicious actions or gets administrative access. Therefore, it’s quite complicated and difficult to address them.


Generally, there are two main ways you can use to protect your site from SQL injection attacks, shown as follows:

  • Validate and sanitize all input

The first measure is to validate and sanitize all input. One of the most simple ways for hackers to attack your site with an SQL injection is through user-submitted data. Therefore, validating and sanitizing all input, as well as filtering for user-submitted data can help to prevent dangerous SQL injections. Input validation is a simple process that requires you to test any submitted data, which can then be filtered to prevent an SQL injection.

  • Use prepared statements with parameterize queries

The second method to prevent SQL injection is using prepared statements. Such statements help you ensure all of the dynamic variables you need in a query can not escape their initial position. The core statement is defined beforehand, with the arguments and their types afterward.

Because the query knows the types of expected data such as string or number, they know exactly how to integrate them into the query without causing any issues.

  • Use .htaccess Rules

The last but not least tip is applying .htaccess rules. This process is not so difficult. All you have to do is to add the following code to the .htaccess file to create a strong set of rules.

RewriteEngine On
RewriteBase /
RewriteRule ^(.*)$ - [F,L]
RewriteCond %{QUERY_STRING} \\.\\.\\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag\\= [NC,OR]
RewriteCond %{QUERY_STRING} ftp\\:  [NC,OR]
RewriteCond %{QUERY_STRING} http\\:  [NC,OR]
RewriteCond %{QUERY_STRING} https\\:  [NC,OR]
RewriteCond %{QUERY_STRING} (\\<|%3C).*script.*(\\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\\(.*\\) [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\\[|\\]|\\(|\\)|<|>|ê|"|;|\\?|\\*|=$).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
RewriteRule ^(.*)$ - [F,L]

All such input is not treated as an SQL query statement but is considered a string. As a result, the risk of SQL injection attacks on your WordPress site is significantly reduced.

5. Issues with Themes and Plugins

The other WordPress security concerns that occur quite often is the problem with themes and plugin.

It’s undeniable that every WordPress site needs at least several plugins or extensions to extend with advanced functionalities. Despite the benefits such plugins offers, they bring in lots of unexpected issues.


Below are 5 tips for you to reduce the theme-and-plugin-related security problems.

  • Avoid untrusted sources

The first one is to avoid untrusted sources. It means that you should download/purchase themes or plugins from trustworthy suppliers and sources. Themes and plugins are from third parties and are considered open doors to your personal information. If the third parties are not reliable, you may get issues such as malware in WordPress site once installing their themes or plugins. In serious cases, your database can be stolen or your site will be successfully hacked.

  • Download the suitable themes or plugins, not the best ones.

Before downloading any themes or plugins, you need to carefully consider which one you really need and think of the benefits that you need. The more plugins installed on your WordPress site, the more security risks your site gets. Besides, any extension added to your site can make it load more slowly.

When choosing, carefully check every plugin and theme you install on your WordPress site by going to the WordPress official site where lists useful stats for almost all themes and plugins in their directory.


Keep in mind: Go for either reputable free themes and plugins or paid options that provide the features you desire. Normally, such verified options are likely to be better maintained, more secure, and better support than unverified ones.

Don’t choose any WordPress theme that just looks good. Only use themes that seamlessly integrates with your WordPress standards, and fit your requirements. To check whether a theme is safe with your WordPress site, you can use W3C’s validator. You can also check out the best WordPress eCommerce free themes and best free WordPress plugins which are filtered and verified by our experts.

  • Update themes and plugins to the latest version

Like WordPress core software, themes and plugins also need updating to the latest versions for security and smoothly integrating with WordPress environment.


You can easily identify the plugins that require updating by logging in the dashboard > Update. Setup automatic updates so that everything always keeps up to date.

  • Delete unnecessary Plugins or Themes correctly

Unused themes or plugins on a WordPress website tend to be ignored to update so they are the target of hackers to make your WordPress site vulnerable through such an unintentional issue. Therefore, you should delete permanently the themes or plugins that you don’t use any more, which can dramatically decrease security vulnerability. You need to delete them to ensure that there is no potential malicious entry to your site.

To correctly uninstall WordPress plugins or themes, you can follow this guide for detailed steps.

6. Issues with WordPress web hosting

The last WordPress security vulnerability mentioned in this list is issues caused by web hosting. Every website needs a web host to store its database. A secure web hosting will provide you with proven security processes and support you in case something goes wrong with your website.

The fact is that lots of users handling a single website often go for shared hosting to reduce annual recurring costs. But it can seem cost-ineffective and not save your budget as expected. Because it can cause more harm than its benefits. When you use shared hosting, you don’t know how secured other websites on the same server are. If a website is attacked, other ones on the same server will be easily assaulted. Since one loophole in any of these websites can act as a gateway to all the others.

In such cases, web hosts usually suspend a website that has been hacked to prevent it from spreading to other sites hosted on the same server; however, the server is not really protected due to just too many vulnerabilities. That’s why you should consider the alternatives and be smart when choosing your host service.

There are several hosting services that can alter shared hosting you may choose are shown as follows. The good news is that almost all providers below have an effective disaster recovery strategy that kicks if your website suffers a security concern.

Dedicated Hosting (or managed hosting service) gives you totally actual ownership over your server. Since only your WordPress website is hosted on the server, not shared with anyone else, the security of the server as well as your website will not relate to other websites but depends on your expertise. Some outstanding dedicated hosting providers are HostGator, Bluehost, Site Ground, etc.

VPS Hosting is generally considered the stepping stone between shared hosting and dedicated hosting setup in which your website runs on its own server. It allows you to access a virtual machine running its own copy of an operating system (OS), and use VPS hosting to experience similar capabilities and performance to a dedicated server for your sites. Like dedicated hosting, you have to take responsibility for your website’s and server’s security. Some best VPS hosting companies that must be mentioned are InMotion, Bluehost, A2 Hosting.

Cloud Hosting gives you ownership of a portion of a network of connected physical server machines. Cloud hosting solutions can be more security and flexibility by taking your website’s hosting up into the cloud. But as a dedicated server, you have to dedicate a lot of effort and time to secure your WordPress site. The highlight candidates are Hostinger and Dreamhost.

Managed Cloud Hosting is considered the advanced version of cloud hosting, helping you manage all aspects of your cloud server including security, performance, and updates. This hosting solution provides you with efficient data backup plans that save you much time and effort. The most outstanding managed cloud hosting provider is Cloudways that comes with multiple layers of security, resulting in a secure hosting environment so that you don’t have to be worried about the security of your server and your website.

How to find the right hosting provider

During selecting the right server for your eCommerce WordPress website, you should consider the key questions as below:

  • How will it help secure your website?
  • How will it tackle if your WordPress site is attacked?
  • Does it offer DOS (Denial of Service) protection and an uptime guarantee?
  • Does it handle backups? How is the backup process?
  • How fast speed it is? (should be under 300 ms)

With answers to those simple questions, you can get a better idea of how a potential host manages security and how they respond to security concerns of your website and your server.


Final thoughts on WordPress Security Issues

Generally, WordPress offers a basic security framework, but it needs to be updated regularly to reduce vulnerability risks. Along with it, there are some common WordPress security concerns such as brute force attacks, limit login attempts, SQL ịnections, issues with themes and plugins, and website hosting issues. In the article, we have also presented the best ways to fix such WordPress issues. Hopefully, you can learn somethings and apply them to protect your site and keep it up and running smoothly at all times.

If you have any questions or suggestions, please don’t hesitate to leave comments below!

Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x

stay informed!

Subscribe to receive exclusive content and notifications