IS WORDPRESS SAFE?
WordPress powers over 40% of the web, making it the most targeted CMS by attackers. Outdated plugins, exposed admin panels, and misconfigured defaults create an enormous attack surface. This guide covers the critical hardening steps most WordPress sites skip.
TOP SECURITY RISKS
Outdated Plugins with Known CVEs
Vulnerable plugins are the most common WordPress attack vector. Attackers actively scan for sites running plugins with published CVEs and exploit them within hours of disclosure. A single outdated plugin can compromise your entire site.
Exposed wp-config.php
The wp-config.php file contains database credentials, authentication keys, and table prefixes. Server misconfigurations can make this file publicly readable, giving attackers everything they need to take over your database.
XML-RPC Brute Force Attacks
The XML-RPC interface allows attackers to attempt thousands of login combinations in a single request using the system.multicall method. This bypasses most login rate limiting and lockout plugins entirely.
User Enumeration via REST API
The WordPress REST API exposes usernames at /wp-json/wp/v2/users by default. Attackers harvest these usernames to build targeted brute force and credential stuffing attacks against your login page.
Unprotected wp-admin Without 2FA
The /wp-admin panel is accessible to anyone by default, with only a password standing between an attacker and full site control. Without two-factor authentication, a single compromised or weak password means total takeover.
SQL Injection in Vulnerable Plugins
Many WordPress plugins build database queries using unsanitized user input. Attackers exploit these injection points to dump your database, steal user data, or inject malicious content into your pages.
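The injection pattern described above, shown as an added example rather than code from the page or from any real plugin: a lookup that concatenates a request parameter into SQL, next to the same lookup rewritten with `$wpdb->prepare()`. The table `wp_example_products`, the `product` query parameter and the function names are hypothetical.

```php
<?php
/**
 * Added illustration (not from the page or any published plugin).
 * The table name `{prefix}example_products` and the `product`
 * query parameter are hypothetical.
 */

// VULNERABLE: the raw request value is pasted into the SQL string, so a
// crafted `product` value changes the query itself rather than only the
// value being compared. This is the shape of bug the page describes.
function example_get_product_unsafe() {
    global $wpdb;
    $slug  = $_GET['product'];
    $table = $wpdb->prefix . 'example_products';
    return $wpdb->get_row( "SELECT id, name, price FROM $table WHERE slug = '$slug'" );
}

// HARDENED: unslash and sanitize the input, then let $wpdb->prepare()
// bind it. %s is quoted and escaped by WordPress; the attacker-controlled
// string can never become SQL syntax.
function example_get_product_safe() {
    global $wpdb;
    if ( ! isset( $_GET['product'] ) ) {
        return null;
    }
    $slug  = sanitize_title( wp_unslash( $_GET['product'] ) );
    $table = $wpdb->prefix . 'example_products';
    $sql   = $wpdb->prepare(
        "SELECT id, name, price FROM {$table} WHERE slug = %s",
        $slug
    );
    return $wpdb->get_row( $sql );
}

// Numeric IDs: absint() rejects negatives and garbage up front, and %d
// casts again inside prepare(), so both layers guard the query.
function example_get_product_by_id( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, name, price FROM {$wpdb->prefix}example_products WHERE id = %d",
            $id
        )
    );
}
```

The table name is still interpolated in the hardened versions; that is acceptable only because it comes from `$wpdb->prefix`, a server-side configuration value, never from the request. Every value that originates in a request goes through `prepare()` placeholders.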
SECURITY CHECKLIST
SCAN YOUR WORDPRESS APP
700+ security checks. AI-powered fix prompts. Results in under 2 minutes. Free, no credit card required.
Run free security scan
FREQUENTLY ASKED QUESTIONS
What is the biggest security risk for WordPress sites?
Outdated plugins with known vulnerabilities. Over 90% of WordPress hacks exploit vulnerable plugins, not WordPress core. UNPWNED scans your site for known CVEs in your plugins and themes, flagging the exact versions that need updating.
Should I disable XML-RPC on WordPress?
Yes, unless you specifically need it for Jetpack or the WordPress mobile app. XML-RPC allows attackers to brute force thousands of passwords in a single request. UNPWNED detects whether your xmlrpc.php is accessible and flags it as a risk.
How do I prevent user enumeration on WordPress?
Block the /wp-json/wp/v2/users endpoint for unauthenticated requests using a security plugin or custom code. Also block ?author=N URL patterns. UNPWNED tests for user enumeration during scans and alerts you if usernames are exposed.
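The two hardening answers above (disabling XML-RPC, or at least its batching method, and blocking the REST users endpoint plus `?author=N` lookups) combined into one must-use plugin. This is an added example, not UNPWNED code or a WordPress.org plugin; the constant `EXAMPLE_KEEP_XMLRPC` is hypothetical and exists only to show the Jetpack/mobile-app exception from the first answer. The WordPress hooks used (`xmlrpc_enabled`, `xmlrpc_methods`, `rest_endpoints`, `template_redirect`) are real core filters and actions.

```php
<?php
/**
 * Plugin Name: Example WP Hardening (added illustration, not a real plugin)
 * Description: Closes the XML-RPC brute-force path and two user-enumeration paths.
 *
 * Place this file in wp-content/mu-plugins/ so it loads on every request
 * and cannot be deactivated from the dashboard.
 *
 * EXAMPLE_KEEP_XMLRPC is a hypothetical switch: set it to true in
 * wp-config.php if Jetpack or the mobile app still need XML-RPC, in which
 * case only system.multicall is removed instead of the whole interface.
 */

if ( ! defined( 'EXAMPLE_KEEP_XMLRPC' ) ) {
    define( 'EXAMPLE_KEEP_XMLRPC', false );
}

if ( EXAMPLE_KEEP_XMLRPC ) {
    // Keep XML-RPC but drop the method that bundles many login attempts into
    // a single HTTP request, which is what lets it slip past per-request
    // rate limiting and lockout plugins.
    add_filter( 'xmlrpc_methods', function ( $methods ) {
        unset( $methods['system.multicall'] );
        return $methods;
    } );
} else {
    // Disable every XML-RPC method that requires a login. xmlrpc.php still
    // answers, but any call that tries to authenticate is refused, so
    // password guessing through it no longer works.
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

// REST API: remove the users collection and the single-user route for
// visitors who are not logged in. Editors working in the dashboard keep
// access, since the block editor relies on these routes.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// ?author=N: core normally redirects /?author=1 to /author/<login>/, which
// reveals the login name. Send such requests to the home page before the
// canonical redirect runs (priority 1 beats redirect_canonical at 10).
add_action( 'template_redirect', function () {
    if ( is_admin() ) {
        return;
    }
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
```

After deploying, confirm the change from an unauthenticated session: a request to `/wp-json/wp/v2/users` should return a `rest_no_route` error instead of a user list, and `/?author=1` should land on the home page rather than an author archive. Author archives remain reachable by their pretty permalink if the theme links to them, so sites that want to hide login names completely should also set a display name that differs from the login.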
Is hiding wp-admin enough to secure WordPress?
No. Security through obscurity is not real protection. Attackers can still find your login page through XML-RPC, REST API, or common redirect patterns. Add 2FA, rate limiting, and a WAF instead. UNPWNED tests your login endpoints and checks for brute force protection.
How often should I scan my WordPress site for vulnerabilities?
At minimum after every plugin update and weekly for ongoing monitoring. New plugin CVEs are published daily, and attackers exploit them within hours. UNPWNED Pro includes continuous monitoring that alerts you the moment a new vulnerability affects your site.
Data based on 447+ website scans. Last updated: 2026-04-06. Statistics reflect aggregate findings across all scanned websites, not WordPress exclusively.