Link Building with WordPress Vulnerabilities

In the following guest post from Chris Dyson you’re going to learn several methods of using WordPress vulnerabilities to build links. This will help you build relationships with bloggers and site owners while also teaching you a few things about WordPress security issues.

In a recent episode on Linkbuilding.TV, Zach Russell of ProTechIG chatted with Anthony Pensabene about using WordPress security vulnerabilities as a way to build relationships with bloggers and webmasters who may have glaring security holes in their WordPress sites.

And with over 75 million websites using WordPress as their CMS of choice there’s no doubt there will be a more than a handful of bloggers in every niche who’ve left their website open to hackers or content thieves. In the video Zach gives us 3 examples we can use to see if there are any security issues with a site:

Helping bloggers is a great way to get links and I have covered similar tactics before when helping webmasters clean up malware issues or with pointing out broken links on their sites. In this post I am going to give you 4 more WordPress security vulnerabilities that you can check for quickly and easily and give you the quickest ways to fix them.

1. wp-config.php is accessible

Simply add /wp-config.php to the root domain and if it returns a blank page then it is insecure, if it returns a 404 then great the file is not accessible. The wp-config.php file is the most important file on your site as it contains the username, password, and database name (among other things). The best thing to do is move the wp-config.php fi le up one level in the directory and if this isn’t possible then modify the .htaccess file with following few lines of code:

# Deny public access to wp-config.php
<Files wp-config.php>

Order allow,deny

Deny from all


2. WordPress Install file not modified

There have been a number of reported incidents of WordPress being hacked via the install.php file. This file does not need to exist once WordPress has been installed for the first time. Simply add wp-admin/install.php to the root domain and if it shows the following page it needs editing.

Link building with WordPress vulnerabilities

In order to fix this error you can either delete the file altogether or rename it.

3. Uploads are accessible

The “uploads” directory is where WordPress puts all your uploaded content images, pdfs, videos etc. With this unprotected it means that anyone can see your files and therefore people can easily steal any sensitive data you might have uploaded or you might be selling. Simply add wp-content/uploads/ to the root domain and if the following shows they have a problem.

WP Uploads - WordPress Link Building

The quickest and easiest way to fix this is to add a blank index.php file into the directory, alternatively you could modify the .htaccess file to prevent indices been returned.

4. Check the WordPress Version

Hackers deliberately look for out of date versions because they know how easy it is to exploit an issue on an old version, it’s very easy to remedy too. Just remember to backup your site before hitting the big WordPress update button.

There are two places you can find which version of WordPress a site is using. In the source code you will find the meta tag generator or in the read me file located at /readme.html

Link building with WordPress Vulnerabilities - WP Version

Once you have found a hole in your link prospect’s site it’s time to contact them and offer your assistance;

Subject: WordPress Security Issues with [Site Name]

Hi [First Name],

I was just visiting your website, [Site Name],  and I spotted a security vulnerability with your WordPress installation

Currently there is an issue with [wp-config.php/uploads/WordPress Version out of Date] and this leaves your site vulnerable to [attack from hackers/content theft].

If you need any help fixing the issue please contact me and I will send you a link with details to fix the issue.



As you can see I don’t ask for a link during this initial conversation but focus on building up some good karma, after all we are all bound — even driven — to repay our debts. If someone does something for you, then you feel obligated to repay them in kind.

I hope these quick and easy WordPress security checks and fixes have given even the least tech focused link builder another way to start a conversation with a blog owner in their niche.

Further reading:

The following two tabs change content below.

Chris Dyson

Chris Dyson is an independent SEO consultant and co-founder of Link Club. You can learn more about Chris on his blog or on Twitter.

Latest posts by Chris Dyson (see all)

Leave a Comment

Your email address will not be published. Required fields are marked *