WordPress runs roughly 40% of the web. That popularity makes it a high-value target for automated attacks. Most compromises are not sophisticated: they exploit known vulnerabilities in outdated plugins, weak credentials, or unnecessarily exposed endpoints. Here are the seven gaps we see most often on South African agency-built sites.
1. Outdated WordPress core, themes, and plugins
This is the most common entry point. Attackers scan for sites running known-vulnerable plugin versions and exploit them automatically. A plugin last updated two years ago is not just unsupported, it is a liability.
Enable auto-updates for WordPress core minor releases. For plugins and themes, review updates weekly, or use a service that does it for you. Before updating on a live site, test on a staging environment. The few minutes this takes is far less than recovering from a compromise.
2. XML-RPC enabled unnecessarily
XML-RPC is a remote procedure call interface built into WordPress. Legitimate uses are limited: Jetpack and some mobile apps use it. Attackers use it for brute-force login attempts because a single XML-RPC request can attempt hundreds of password combinations.
If you are not using Jetpack and your clients do not post via the WordPress mobile app, disable it. Add this to your .htaccess:
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
Our scanner checks for this. See the poor score sample to see what an exposed XML-RPC looks like in a report.
3. User enumeration via the author archive
Visiting /?author=1 on most WordPress sites redirects to /author/admin/ or similar, revealing the admin username. Combined with XML-RPC or the login page, this halves the work for a brute-force attack.
Block author enumeration with this rule in functions.php:
add_action('init', function() {
if (!is_admin() && isset($_GET['author'])) {
wp_redirect(home_url('/'), 301);
exit;
}
});
Or use a security plugin like Wordfence or iThemes Security, both of which block this by default.
4. Missing security headers
Security headers are HTTP response headers that instruct browsers on how to handle your content. Missing headers are not a direct attack vector, but they make successful attacks easier to exploit. The headers most commonly absent on South African sites:
- Content-Security-Policy: limits where scripts, styles, and images can be loaded from, reducing XSS risk.
- X-Frame-Options: prevents your site from being embedded in an iframe on another site (clickjacking).
- X-Content-Type-Options: prevents browsers from MIME-sniffing responses.
- Referrer-Policy: controls how much referrer information is passed when users click links.
Add these in your .htaccess or via your server's virtual host configuration. Most security plugins include a headers module.
5. Default admin username
If your WordPress admin account is still named admin, change it. Create a new administrator account with a different username, log in as that account, and delete the original admin user (reassigning its posts to the new account). This alone eliminates a large fraction of targeted brute-force attempts.
6. No login attempt limiting
By default, WordPress allows unlimited login attempts. An attacker can try thousands of password combinations without triggering any lockout. Install Limit Login Attempts Reloaded (free) or enable the equivalent in Wordfence. Three failed attempts in 20 minutes is a reasonable threshold for most sites.
7. Exposed configuration and debug files
Files like wp-config.php.bak, debug.log, .env, and phpinfo.php are sometimes left in publicly accessible directories. These can expose database credentials, API keys, and internal server information.
Protect key files in .htaccess:
<FilesMatch "(wp-config\.php|\.env|debug\.log|phpinfo\.php)">
Order Allow,Deny
Deny from all
</FilesMatch>
Our scanner checks for exposed files as part of the standard 20-check report. Run a scan to see whether any of your client sites have this issue. The Agency plan lets you monitor up to 50 sites and get alerted immediately when new issues appear.
A note on security plugins
A good security plugin (Wordfence, Solid Security, iThemes Security) handles most of the items above. They are not a substitute for keeping software updated, but they reduce the surface area significantly. The free tiers of Wordfence and Solid Security cover the basics for most sites. If you manage client sites at scale, the paid tiers add centralized dashboards and malware scanning.
Security is not a one-time task. The poor score sample report shows what a site looks like when these gaps accumulate. Most of them started with one or two issues that were never followed up on.