How to Protect WordPress Site From Arbitrary Code Execution Attacks?

Bulletproof Backups for Your WordPress Website

Fortify your business continuity with foolproof WordPress backups. No data loss, no downtime — just secure, seamless operation.

arbitrary code execution

WordPress power over 60 million websites and this makes WordPress websites an obvious target for hack attempts. Threats on WordPress sites is compounded by vulnerable plugins, themes, and the core. Not too long ago, in February 2019 a security researcher found a major vulnerability called the arbitrary code execution vulnerability in the core of WordPress. The vulnerability affected millions of websites and had left them to be exploited in the wild. A security patch was quickly released by WordPress which rendered the vulnerability non-exploitable.

Although the issue was promptly resolved, arbitrary code execution attack still remains the common hack attacks made on WordPress websites. This type of attack can spell disaster on your website. You can end up losing complete access to your website. But you can take preventive measures to protect your website against arbitrary code execution exploits.

In this article, we’ll show you how such attacks are carried out, the impact it has on your site and what you can do to protect your website against arbitrary code execution attacks.


If you want to scan your website for arbitrary code execution vulnerability, use our WordPress malware scanning plugin – MalCare. Using its advanced security vulnerability scanning technology the plugin detects with pinpoint accuracy all malicious codes hidden anywhere on the website.

[lwptoc skipHeadingLevel=”h3,h4,h5,h6″ skipHeadingText=”In Conclusion”]

What Is Arbitrary Code Execution Attack? How Does It Impact Your Site?

Arbitrary Code Execution is a process that enables an attacker to execute arbitrary code on a WordPress website.

Hackers often break into a website by exploiting outdated plugins, themes, and even the WordPress core. They then upload a PHP file containing malicious codes. A hacker can execute arbitrary command codes to your website. This can prove to be disastrous for your site.

Once they have access to your website, they execute arbitrary codes to navigate and examine your files and find ways to gain complete access to your website (Recommended read – What Is Privilege Escalation?). Following which hackers can run commands that will delete files, they can steal sensitive data and sell them in the black market. They can send spam emails and launch hack attacks on other websites using your website resources.

If your website is a victim of malicious activities, Google will quickly blacklist your website to prevent Google users from visiting your website. Your web hosting provider will suspend your account and take your website offline to protect itself and its other clients from any impact from your hacked site. In a domino effect, it will spell disaster for your SEO. The site traffic will plummet and revenue will take a hit. Recovering from such hacks is expensive and tedious, and for many, next to impossible.

If you are already facing such security issues, we’d suggest you run a malware scan on your website. If it turns out that your site has malware, then you can go ahead and clean it.

timthumb example
An example that demonstrates how the TimThumb attack took place

How to Detect WordPress Arbitrary Code Execution Vulnerabilities?

You can manually scan a WordPress website for  vulnerabilities or you can use a plugin. Manual scans are very time-consuming, ineffective, and risky. Hackers are clever in hiding and disguising their attacks, so finding it manually is difficult. Plus, the smallest mistake made during the manual scan can lead to a completely broken website. We don’t recommend the manual method of scanning especially if you don’t have technical knowledge of WordPress.

Instead, we will use a scanning method we know is quick and effective – a WordPress security plugin. There are plenty of plugin options available and choosing a good one is a little tricky. Not all security plugins function in the same way. The approach to scanning and cleaning of malicious or attack codes differs from plugin to plugin.

We suggest using MalCare because of its effective scanning and cleaning process. Here’s why:

  • While most WordPress security plugins look for known malware, MalCare also detects new and complex malware. Moreover, when other plugins search for only known places, MalCare goes above and beyond, investigating every nook and corner to find injected codes. The plugin makes sure that it’s detecting every malware present on the website.
  • And while most other security plugins can take up to a few days to remove malware, MalCare offers an instant cleaner because it understands the gravity of the situation. Delay in cleaning the website can escalate the issue where Google can blacklist your site or your hosting πrovider can suspend your site.

Given the approach that MalCare takes, it does a significantly better job at scanning and cleaning WordPress websites.

Detect WordPress Arbitrary Code Execution Vulnerabilities With MalCare

Step 1: Install and activate the MalCare plugin and then add your WordPress website onto the MalCare dashboard. The plugin will begin scanning your website instantly.

Step 2: If it finds malware on your website, it’ll notify you. After that, you can clean your website by selecting the Auto-Clean button.

malcare auto clean
Click on Auto-Clean to remove malware on your website

Your website is now clean. MalCare security plugin will continue to protect your website from future hack attempts. In addition to that, there are a few more security measures that you can implement on your site.


How to Prevent Arbitrary Code Execution Attacks?

There are a few basic as well as advanced measures that you can take to prevent arbitrary code execution attacks in the future. They are:

1. Keep Your Website Updated

WordPress themes and plugins have made it extremely easy to design a website on your own. But the more plugins and themes you use, the more time you have to spend updating your website. Since updates are frequent and time-consuming, many site owners skip it without realizing that they are leaving their websites vulnerable.

When developers find security flaws in their plugins and themes they know that the software could be exploited to allow for arbitrary code execution on a WordPress website. Hence they release security updates to patch the vulnerability. When you skip update to are leaving the door open for hackers to launch attacks on your WordPress website. The bottom line is don’t skip updates. Recommended read: WordPress Security Updates.

2. Protect Your Login Page

Apart from outdated plugins and themes, another element on a WordPress website that is frequently exploited is the login page. It’s targeted more than any other page on your website and they are especially susceptible to SQL Injection attacks . Hackers program bots to guess the right combination of the username and password of your site. The bots can try out hundreds of combinations within a few minutes making it highly likely to crack your login credentials. This is a brute force attack.

To combat such attacks, you can use a security plugin like MalCare that pops a CAPTCHA after 3 failed login attempts. Since bots are unable to read CAPTCHA, it will fail to try out more combinations and would move on to their next target.

3. Use Strong Username & Password

Your username and password is the key to your WordPress dashboard. If you use easy credentials then anyone can guess it and gain access to your website. Hence use a unique username and a strong password.

Some of you may only change passwords and not the username. But if your username is easy to guess, then the hacker only needs to figure out the password. Hence we insist that you use a unique username to make the job of a hacker hard.

wordpress strong password
Use a long password with numbers and special characters

4. Set a Firewall

While it’s a good idea to protect your login page by implementing CAPTCHA or using a strong username or password, wouldn’t it be great if you could just prevent malicious traffic like bots from accessing your website? This is exactly what a firewall does.

A WordPress firewall will filter traffic coming to your website. It’ll block malicious traffic and enable good traffic to access your website. The firewall will help add a layer of protection to your entire WordPress website.

If you install MalCare on your website, the firewall will block malicious traffic.

5. Blocking Suspicious IP Addresses

Another way to prevent hackers who deploy bots to break into your website is to block their IP addresses. A firewall like the one MalCare not just helps filter bad traffic from the good but also shows you the IP addresses of people trying to log into your website. We have a guide that you can use – How to Ban IP Addresses From Accessing Your Website?

6. Implement Country Blocking

In addition to blocking suspicious IP addresses, another type of IP blocking you can resort to is country blocking. Using MalCare it’s easy to check the country of origin of the suspicious IP addresses. You may find a pattern because many hack attacks are launched from countries like Russia, Ukraine, Vietnam, etc.

If you don’t cater to these countries, to reduce the chances of a hack, you can block these countries from accessing your site. Here’s an article that can help you guide through the process – WordPress Country Blocking.

7. Employ Least Privileged Principles

Although you may block people with malicious intention from accessing your website, you should also ensure that people who already have access to your site dashboard don’t abuse the power.

WordPress offers six different roles to users. Those are Administrator, Editor, Author, Contributor, Subscriber, and Superadmin. Every user has a set of power and responsibilities. You are probably aware that admins are the most powerful of the lot which is why only trusted users should be alloted that role.

wordpress user roles
Assign user roles carefully

8. Harden Your Website

WordPress recommends certain website hardening measures to prevent hackers and bots from exploiting your website. You can take steps like disabling local file editor, preventing the installation of plugins, using SSL certificate among other things. Taking all these steps is going to add more and more security layers to your WordPress site.

To learn how to implement website hardening measures, take a look at this guide on WordPress hardening.

In Conclusion

Arbitrary code execution is one of the most common types of hack attacks. The consequences of such an attack can be devastating for you and your website. If you take good security measures, you can protect your website from such attacks.

A large number of security measures can be implemented using a security plugin like MalCare. Your website will be protected from all kinds of attacks. If a hacker manages to exploit any vulnerability, you’ll be alerted immediately. You can clean it up promptly and avert any major disaster.

Protect Your Website 24 x 7 With MalCare Security Plugin!

You may also like

How to Choose Your WordPress Hosting Provider?
How to Choose Your WordPress Hosting Provider?

You may wonder why you should choose a WordPress hosting provider when your website is ready to go live. Is there any need to choose a hosting provider? Aren’t all…

How to Limit Form Submissions with Droip in WordPress
How to Limit Form Submissions with Droip in WordPress

Forms are an indispensable part of any website because of their versatility, letting you collect information for various purposes! However, people with ill intentions often attempt to exploit these forms…

Manage Multiple WordPress Sites
How To Manage Multiple WordPress sites

Management tools help agencies become well-oiled machines. Each task is completed with the least amount of effort and highest rate of  accuracy.  For people managing multiple WordPress sites, the daily…

How do you update and backup your website?

Creating Backup and Updating website can be time consuming and error-prone. BlogVault will save you hours everyday while providing you complete peace of mind.

Updating Everything Manually?

But it’s too time consuming, complicated and stops you from achieving your full potential. You don’t want to put your business at risk with inefficient management.

Backup Your WordPress Site

Install the plugin on your website, let it sync and you’re done. Get automated, scheduled backups for your critical site data, and make sure your website never experiences downtime again.