DEV Community

Mittal Technologies
Mittal Technologies

Posted on

I Ran a 2026 Security Audit on a Fresh WordPress + WooCommerce Site: Here's Everything That Broke


I spun up a brand new WordPress install last week, added WooCommerce, a handful of the most commonly recommended plugins, and did basically nothing custom. No weird theme hacks, no sketchy nulled plugins, just a standard setup like thousands of small businesses launch every single day. Then I ran a full 2026 security audit on this fresh WordPress and WooCommerce site, expecting maybe two or three minor flags.
I found eleven issues. On a site that was, by all appearances, doing everything "right."

Setting Up the Baseline

Stack was simple: WordPress core (latest version), WooCommerce, a popular free theme, and five plugins covering SEO, caching, contact forms, backups, and a security plugin because irony demanded it. Fresh install, no content beyond placeholder products, default settings left mostly untouched, basically the exact starting point a new client site looks like on day one.

wp core version
# 6.8.1

wp plugin list --status=active
Enter fullscreen mode Exit fullscreen mode

I ran the audit using a mix of manual checks and automated scanning, then verified anything the scanner flagged by hand before trusting it.

Issue 1: Default Login URL, No Rate Limiting

The obvious one, but still worth stating plainly: /wp-login.php was wide open with zero rate limiting on failed attempts. I simulated repeated login attempts and got no lockout, no CAPTCHA trigger, nothing.

for i in {1..20}; do
  curl -s -X POST https://freshsite.test/wp-login.php \
    -d "log=admin&pwd=wrongpass$i" -o /dev/null -w "%{http_code}\n"
done
Enter fullscreen mode Exit fullscreen mode

All twenty attempts returned 200. On a live site, that's an open invitation for credential stuffing.

Issue 2: WooCommerce REST API Exposing More Than It Should

This one surprised me more than it probably should have. The WooCommerce REST API, even without generated keys, leaked product and category data through publicly accessible endpoints that weren't properly scoped.

curl https://freshsite.test/wp-json/wc/store/v1/products
Enter fullscreen mode Exit fullscreen mode

Returned full product listings including internal SKUs, which isn't catastrophic on its own, but it's the kind of data leak that becomes ubiquitous across default WooCommerce installs simply because almost nobody checks REST API scope during setup.

Issue 3: XML-RPC Still Enabled by Default

I genuinely thought this had mostly died out as a concern, but XML-RPC was active and responding, which still gets used for brute-force amplification attacks via system.multicall.

curl -X POST https://freshsite.test/xmlrpc.php \
  -d '<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName></methodCall>'
Enter fullscreen mode Exit fullscreen mode

Got a full method list back, no restrictions. Disabling this outright, unless something specifically depends on it, is basically free security.

Issue 4: File Permissions Looser Than They Should Be

Default install left wp-config.php at 644 permissions instead of the tighter 600 recommended for anything holding database credentials.

ls -la wp-config.php
# -rw-r--r-- 1 www-data www-data
Enter fullscreen mode Exit fullscreen mode

Not a critical flaw by itself, but combined with any other vulnerability giving read access to the filesystem, this turns into a much bigger problem fast. Small fix, meaningful risk reduction.

Issue 5 Through 8: The Plugin Pile-Up

This is where things got genuinely uncomfortable. Two of the five plugins had unpatched vulnerabilities listed in public CVE databases from earlier in the year, both still showing as "up to date" according to the plugin's own version number, because the vulnerability was in a version range that technically wasn't the newest release yet, just recent.

wp plugin list --update=available
Enter fullscreen mode Exit fullscreen mode

This is exactly the kind of gap a scheduled cybersecurity audit catches that a one-time setup check never will, since plugin vulnerabilities get disclosed on an ongoing basis, not in a single batch.

Issue 9: Checkout Page Missing Additional Transport Security

SSL was active, which is table stakes at this point, but the checkout page wasn't setting HSTS headers, meaning a user's first visit over HTTP before any redirect could theoretically be intercepted.

app.use((req, res, next) => {
  res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
  next();
});
Enter fullscreen mode Exit fullscreen mode

WordPress doesn't handle this by default, it needs to be added at the server config level, which is easy to forget on a standard shared hosting setup.

Issue 10 and 11: Admin Account Sprawl and Weak Password Policy

The install had two admin accounts left over from the setup process, one of which was a leftover default account nobody had bothered removing. Password policy was also essentially nonexistent, accepting anything over six characters with no complexity requirement.

This is honestly the most common finding across every WordPress site I've personally audited, fresh or otherwise. Access control keeps losing to convenience, every single time, on every kind of project.

What This Means If You're Launching WooCommerce in 2026

None of these eleven issues were exotic. Nothing here required advanced exploitation skills, just patience and a checklist. That's honestly the scary part. A fresh, "default" WordPress and WooCommerce site, set up by someone following standard documentation, ships with real exposure baked in from day one.

If you're running an online store, this is exactly the kind of gap that gets caught by pairing development with a proper cyber security company in Ludhiana or equivalent, someone whose entire job is watching for exactly this stuff rather than treating it as a one-time launch checkbox. A website development company Ludhiana businesses actually trust for ongoing WooCommerce projects should be running audits like this as standard practice, not as an upsell.

I'll be re-running this same audit on the same install again in three months just to see how much drifts back open on its own. My guess is at least half of it.

Top comments (0)