Types of attack on WordPress

Last Revised: October 2, 2021

There are countless possible attacks on your site, because there are countless possible access points to it: WordPress itself, but also the server, users, comments, script code, etc. Some of the most common are these:

  • Authentication Bypass: A security hole that allows an attacker to skip the access form and access the site.
  • Brute Force: An attempt to log in by guessing the username and password of the administrator account (or of another user).
  • Cross-Site Request Forgery (CSRF): The code is entered and executed from the URL.
  • Cross-Site Scripting (XSS): Code can be injected into a site, usually through a form field.
  • Denial of Service (DoS): A site goes down due to a constant traffic attack that usually comes from a network of controlled machines.
  • Path Traversal: The ability to list the directories of a site and execute commands outside the root directory of the server.
  • Distributed Denial of Service (DDoS): Similar to a DoS attack, except that the networks of machines have usually been infected.
  • File Upload: A file with malicious code can be uploaded to a server without restrictions.
  • Full Path Disclosure (FPD): The path to the root folder of the site is exposed, usually because the error messages that reveal it are enabled.
  • Local File Inclusion (LFI): An attacker is able to control which file runs at a scheduled time that was previously configured.
  • Malware: A malicious site or program intended to infect the user or another machine.
  • Open Redirect: The site redirects to another site, often a spam or phishing site, due to some vulnerability.
  • Phishing (Identity Theft): A site that looks like another known and trusted one, but is used to collect login credentials, credit card numbers, etc., by deceiving the user.
  • Remote Code Execution (RCE): The ability to execute code on a site from a different machine.
  • Remote File Inclusion (RFI): The ability to run on a site an external script, usually loaded with malware, from a different site.
  • Security Bypass: Similar to Authentication Bypass, but in this case it allows an attacker to bypass some established security system.
  • Server-Side Request Forgery (SSRF): Taking control of a server, either partially or totally, to force it to execute requests remotely.
  • SQL Injection (SQLI): Occurs when SQL queries can be entered and executed from a site’s URL.
  • User Enumeration: The possibility of finding the list of users of a site from the public area, to later perform a Brute Force attack.
  • XML External Entity (XXE): An XML file that, by generating errors, exposes some type of path, message or access to confidential information.



About this document

This document is licensed under the EUPL v1.2, published on WP SysAdmin and created by Javier Casares. If you use this content on your website, in a presentation or in any material you distribute, please remember to mention this site or its author, and to release the material you create under the EUPL license.