Atomic Smash homepage splash

Common WordPress hacks to look out for

Words by Colin GoodmanJuly 24, 2017

Security is always an issue to consider when thinking about your website and should not be overlooked. WordPress is secure but by not following good practice, vulnerabilities can start to become apparent and potentially exploited by hackers.


In this post I will talk about the 3 most common hacks made on WordPress websites and some tips on preventing and protecting your website against such attacks.

Brute-Force attack

This attack consists of an attacker trying multiple different versions of usernames and passwords, in the hope of eventually guessing correctly and gaining access to your website. According to Wordfence they recorded an average of just under 35 million Brute-force attacks were made during March 2017, this really does show that Brute-force attacks are very frequent and a popular hack to use on WordPress websites.

The main problem with Brute-force attacks is while they’re being implemented your web server usually cant cope with all the attempts being made on the website, resulting in making the website unusable. As you don’t have control over the hack the only thing you can do is let the hack run for its duration which is not ideal, and could cause a substantial amount of downtime that cannot be prevented.

Some tips on protecting your website from a brute force attack:

  • use strong passwords
  • dont use admin as a username
  • implement maximum login attempts

File Inclusion Exploits

Vulnerabilities in your WordPress website’s PHP code is the next most common security issue that can be exploited by attackers, and is referred to as a file inclusion exploits. This type of attack is commonly found to affect web applications and there are two types of this attack which are Remote File Inclusion (RFI) and Local File Inclusion (LFI).

Remote File Inclusion occurs when the web application downloads and executes a remote file. These remote files are usually obtained in the form of an HTTP or FTP URI as a user-supplied parameter to the web application.

Local File Inclusion is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included for execution. This issue can still lead to remote code execution by including a file that contains attacker-controlled data such as the web server’s access logs.

This method of attack is one of the most common ways an attacker can gain access to your wp-config.php file so pretty scary stuff.

Some tips on protecting your website from a file inclusion exploit:

  • modify your WordPress site’s .htaccess file to prevent uploaded PHP files from being executed
  • add further security measures like a WordPress firewall or antivirus.
  • keep WordPress updated along with installed plugins

SQL Injection

SQL injections used by hackers are attacks that aim at getting access to your WordPress database, which is where all the website’s content is stored along with user login details. This kind of attack can be pretty catastrophic if implemented successfully as the attacker can manipulate the data stored in your database in any which way they see fit.

There are two types of SQL Injection. A ‘classic’ SQL injection is one where unfiltered user input allows an attacker to send commands to a database and retrieve the output.  The other type is refereed to as a ‘blind’ SQL inection which is where the attacker can send commands to a database but they don’t actually see the database output.

If you ever experience an SQL injection attack, a common thing you will notice is that there will have been a lot of random content and potentially harmful links that have been injected into your website’s content.

Some tips on protecting your website from a SQL injection attack:

  • sanitise and escape anything that you may need to send to the database
  • restrict database user privileges
  • regularly take encrypted backups of your database (may not be prevention but always good to implement in the case of an attack)

Hopefully after reading this post you would have obtained a better understanding of the types of attacks mentioned in this post. Unfortunately if you have a Worpdress website you will always be a target for a attacker, however if you follow good practice’s and keep on top of keeping your WordPress website up to date, you should keep the chance of your website getting attacked down.

Profile picture of Colin Goodman

Colin Goodman

Colin works very closely with David and Ben on the front end development aspects within projects. He has an exceptional eye for detail and is constantly looking at new ways to code websites with the latest technologies available.

Go back to top

Keep up to date with Atomic news