WordPress is the most widely used CMS and makes building a site very easy, but I think the development team doesn't care enough about securing it: every single day, many bots scan the internet for WordPress installations to exploit.
Here’s what I think should be fixed:

  1. No 2FA: In 2023 there is still no core option to enable 2FA on user accounts (administrators included); it is only available through plugins. 2FA stops someone who guesses your password, or finds it in a data breach, from logging in, because they are also asked for a one-time code or a security key.

  2. No Password Policies: There is no option to enforce a password policy on registered users. The strength meter is only a suggestion checked in the browser's JavaScript, nothing is enforced on the server, and anyone can set 1234 by ticking "Confirm use of weak password". Seriously‽

    [Screenshot: the "Confirm use of weak password" checkbox on the WordPress profile page]

  3. No additional security options: If you want to change a default WordPress behaviour such as the login cookie lifetime or the login-page logo, there is no setting for it: you have to add code to your theme's functions.php, and every theme update overwrites that file unless you use a child theme (or a must-use plugin in wp-content/mu-plugins, which no update touches).

  4. Login errors: By default the login page returns a different error for an unknown username than for a wrong password, so an attacker can tell whether an account exists (user enumeration) and then focus password guessing on the accounts that do. The author archive (?author=1) and the REST API users endpoint (/wp-json/wp/v2/users) leak usernames too.

    [Screenshot: login error when the username exists (wrong password)]

    [Screenshot: login error when the username does not exist]

  5. Plugins over plugins: For every feature you want you need to install a plugin, and some of them are really invasive. I think a lot of options should be included in core, such as SEO and security settings, instead of installing many plugins, which can introduce vulnerabilities on your site and may reduce performance.
    For example, WordPress doesn't provide a way to add the description meta tag, or maybe it was a problem of the theme I was using?

  6. xmlrpc.php: This script in the WordPress root directory is the entry point for a large share of automated attacks. It exists for remote clients, for example the WordPress smartphone app, but attackers use the same interface: its system.multicall method lets a single request try hundreds of username/password pairs, and pingback.ping can be abused for DDoS amplification and for making the server send requests to internal hosts.
    If you don't need it, disable it with the xmlrpc_enabled filter in functions.php or, even better, deny public access to it on the web server, so the PHP code is never reached at all.

  7. Awareness of the users: Users and admins should know how WordPress works. A default-named administrator account is the first username every brute-force bot tries, yet I have seen a lot of sites showing "Author: admin", and the user "admin" exists!

  8. Difficult CSP: Adding a Content-Security-Policy header is very hard, because core, the admin interface, themes and plugins all print inline scripts and styles, so any policy stricter than 'unsafe-inline' needs nonces or hashes that every one of them would have to cooperate with. Unfortunately, when I configured it the site was really broken, and I never found a fix for having a valid CSP.
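As an added example (my own code, not from the original post and not WordPress core code), here is a must-use plugin that applies fixes for items 2, 3, 4, 5 and 6 above and makes a start on item 8. It assumes it is saved as wp-content/mu-plugins/hardening.php, so that no theme update can remove it. The hook names are real WordPress actions and filters; the hardening_ function names, the policy values (12-character minimum, 8-hour session, 3 days with "Remember Me") and the /csp-report collector path are my own choices.

```php
<?php
/**
 * Plugin Name: Hardening tweaks (added example, not WordPress core code)
 * Description: Save as wp-content/mu-plugins/hardening.php. Files in mu-plugins
 *              load automatically and are never touched by theme or plugin updates.
 */

// --- Item 6: XML-RPC ---------------------------------------------------------
// Disable the endpoint. Keep this even if you also deny /xmlrpc.php at the web
// server: defence in depth costs nothing here.
add_filter( 'xmlrpc_enabled', '__return_false' );

// --- Item 4: login errors and user enumeration -------------------------------
// One message for every failed login, so "unknown username" and "wrong password"
// are indistinguishable to an attacker (this also replaces the "empty field"
// messages, which is acceptable). Response timing can still differ slightly,
// because the password hash is only verified when the user exists.
add_filter( 'login_errors', function ( $error ) {
    return __( 'Invalid username or password.' );
} );

// Hide the REST users endpoint from anonymous visitors; it lists usernames.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// --- Item 3: session (auth cookie) lifetime ----------------------------------
// Core default is 2 days, or 14 days with "Remember Me". Shorten both.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? 3 * DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3 );

// --- Item 2: server-side password policy -------------------------------------
// The "Confirm use of weak password" checkbox is JavaScript only; nothing on the
// server rejects "1234". These hooks do, for profile updates, users created in
// the admin and password resets. Returns null when the password is acceptable.
function hardening_password_error( $password ) {
    if ( strlen( $password ) < 12 ) {
        return __( 'Password must be at least 12 characters long.' );
    }
    if ( ! preg_match( '/[A-Z]/', $password ) || ! preg_match( '/[a-z]/', $password )
        || ! preg_match( '/[0-9]/', $password ) ) {
        return __( 'Password must contain upper-case, lower-case and digit characters.' );
    }
    return null;
}

function hardening_check_password( $errors ) {
    // Core puts the submitted password in pass1 on every form that sets one.
    if ( empty( $_POST['pass1'] ) ) {
        return; // this form submission did not change the password
    }
    $msg = hardening_password_error( wp_unslash( $_POST['pass1'] ) );
    if ( $msg !== null ) {
        $errors->add( 'weak_password', $msg );
    }
}
add_action( 'user_profile_update_errors', 'hardening_check_password' );
add_action( 'validate_password_reset', 'hardening_check_password' );

// --- Item 5: description meta tag without an SEO plugin ----------------------
// Uses the post excerpt. esc_attr() matters: the excerpt is editor-controlled
// content and must not be able to break out of the attribute.
add_action( 'wp_head', function () {
    if ( is_singular() && has_excerpt() ) {
        $description = wp_strip_all_tags( get_the_excerpt() );
        echo '<meta name="description" content="' . esc_attr( $description ) . "\">\n";
    }
}, 1 );

// --- Item 8: CSP in report-only mode -----------------------------------------
// Report-Only blocks nothing, so the site keeps working; the browser reports
// each violation to the collector, which tells you which inline scripts and
// styles need nonces or hashes before you switch to an enforcing header.
// /csp-report is a placeholder for whatever endpoint you use to collect reports.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; "
        . "script-src 'self'; style-src 'self'; report-uri /csp-report" );
} );
```

To check it: try logging in with a non-existent username and then with a real username and wrong password, and confirm both give the same message; fetch /wp-json/wp/v2/users while logged out and expect a 404; try to save a profile with password 1234 and expect the form to be rejected. For xmlrpc.php, additionally denying the file at the web server (for nginx, `location = /xmlrpc.php { deny all; }`) means the request never reaches PHP at all.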


I used WordPress some time ago and I like it; the problems listed above can be fixed by editing functions.php, but that isn't for everyone and requires some troubleshooting, because an incorrect modification can leave you with a broken site!
Do not trust code taken from the internet if you don't know what it does!