What is ℹ️ Data breach (information disclosure) and How to prevent WordPress information disclosure

Information disclosure, also known as data breach is the unintentional exposure of sensitive information. This sensitive information can be anything from technical information such as plugin versions or hosting plan limits, to users information that should not be made public.

Information disclosure is not a hack but allows an attacker to obtain sensitive information that may help in launching further attacks.. It usually occurs as a result of a misconfiguration or a defect in the WordPress plugin that allows information to be released.

Sensitive information that can be unintentionally disclosed and lead to exploits:

backup filesComplete file backups can be exposed due to improper file permissions or storing them in the same folder as the website
database connection detailsLeftover configuration files such a copy of wp-config file named wp-config.php.old will contain sensitive information
user dataUser information such as email addresses, passwords or even credit card numbers can be exposed in database dumps
private filesPrivate files such as digital products in your WooCommerce store can still be publicly accessible due to improper file or folder permissions
wordpress infoNumber of WP users, posts, media files, and even IP addresses can be exposed using WP REST API
server informationin error messages due to WP_DEBUG option left on

? CVE-2021-39327 BulletProof Security WordPress plugin =<5.1 is vulnerable to sensitive information disclosure due to a file path disclosure in the publicly accessible files in which paths to database backup files is stored:


? CVE-2021-39341 The OptinMonster WordPress plugin =<2.6.4 is vulnerable to sensitive information disclosure via WP REST API which affected over 1M of WordPress websites.

The following URL is publicly accessible and reveals sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site.


Here are some simple methods to check if your WordPress website is vulnerable to information disclosure:

The simplest method to check if your WordPress website is vulnerable to information disclosure is to add /wp-json/wp/v2/users to the URL link:

If the website is vulnerable to information disclosure usign WP REST API then it will display all WordPress users:


WPScan is a tool that examines your site in the same way most attackers do: It enumerates details and checks them against its database of vulnerabilities and exploits.

After you’ve installed WPScan and registered to use their API, you can use your unique API token into a scan in order to access WPScan Vulnerability Database API:

wpscan --url yourwebsite.com -e vp --api-token YOUR_TOKEN

If you don’t have access to the terminal then you can use an online security scanner WPSEC.com that uses the same vulnerabilities database but offers less information in the free plan.

Another common method for an attacker to try to on sensitive information is a technique named Fuzzing, where semi-randomized data is sent to the website in the hope to uncover bugs or leftover files.

For example, a fuzzer can be configured to send multiple HTTP requests trying different URLs in the hope of uncovering a leftover backup file. In such a scenario, requests may look something like this:


Fuzzing can identify misconfigurations and leftover files, which can give attackers the information they need to find a way into your WordPress website.

A command-line-based tool called ffuf can be used along with a wordlist (a list of file names and file paths collected in plain text) to scan your website for such files:

Another simple solution to check if sensitive files are publicly available on your website is to search for them on Google.

#1 example: the following query will search only Google indexed pages of website wpxss.com that contain exactly matching word or filename containing .zip

site:wpxss.com “.zip”

#2 example: search Google for websites that have files named wp-config.php.bak

intitle:”index of” “wp-config.php.bak”

As always, update all WordPress plugins and themes that you are using, don’t use nulled/cracked plugins and choose a stable hosting provider.

Bugs in the code can potentially lead to the disclosure of sensitive information. Using reputable WordPress plugins and themes from WordPress.org or CodeCanyon.net ensures that the plugin has been thoroughly tested before being launched.

Detailed plugin guidelines for a plugin to be published on WordPress.org plugn repository are listed here.

WordPress plugin requirements that a plugin has to satisfy in order to be listed on the Envato Marketplace can be viewed here.

While no software is perfect, and some bugs may still exist, it significantly reduces the danger from information disclosure.

Aldo WP REST API can expose a lot of information, a lot of services and plugins such as jetpack or Gutenberg editor depend on it, so I don’t recommend disabling it completely but rather just limiting it’s usage.

WordPress plugin iThemes Security can restrict REST API to logged-in users only:

You can also disable WP REST API or limit it to localhost or logged-in users only directly inside .htaccess file without using a plugin.

Hosting providers such as GoDaddy offer great pricing on their WordPress managed hosting plans but due to the number of websites they are hosting, their servers are often targeted and multiple data breaches have already occurred in the past: GoDaddy Discloses Security Breach; Data of 1.2 Mn WordPress Users Exposed

Source: builtwith

While using a big hosting provider has it’s up sides, I don’t recommend hosting all your websites with the same provider. Here is a list of WordPress blog hosting compared ✍️

Was this post helpful?

Leave a Comment