Link Building with WordPress Vulnerabilities

WordPress Vulnerabilities Link Building Learn These Several Methods

In the following guest post from Chris Dyson you’re going to learn several methods of using WordPress vulnerabilities to build links. This will help you build relationships with bloggers and site owners while also teaching you a few things about WordPress security issues.

In a recent episode on Linkbuilding.TV, Zach Russell of ProTechIG chatted with Anthony Pensabene about using WordPress security vulnerabilities as a way to build relationships with bloggers and webmasters who may have glaring security holes in their WordPress sites.

And with over 75 million websites using WordPress as their CMS of choice there’s no doubt there will be a more than a handful of bloggers in every niche who’ve left their website open to hackers or content thieves. In the video Zach gives us 3 examples we can use to see if there are any security issues with a site:

Helping bloggers is a great way to get links and I have covered similar tactics before when helping webmasters clean up malware issues or with pointing out broken links on their sites. In this post I am going to give you 4 more WordPress security vulnerabilities that you can check for quickly and easily and give you the quickest ways to fix them.

1. wp-config.php is accessible

Simply add /wp-config.php to the root domain and if it returns a blank page then it is insecure, if it returns a 404 then great the file is not accessible. The wp-config.php file is the most important file on your site as it contains the username, password, and database name (among other things). The best thing to do is move the wp-config.php fi le up one level in the directory and if this isn’t possible then modify the .htaccess file with following few lines of code:

# Deny public access to wp-config.php
<Files wp-config.php>

Order allow,deny

Deny from all


2. WordPress Install file not modified

There have been a number of reported incidents of WordPress being hacked via the install.php file. This file does not need to exist once WordPress has been installed for the first time. Simply add wp-admin/install.php to the root domain and if it shows the following page it needs editing.

Link building with WordPress vulnerabilities

In order to fix this error you can either delete the file altogether or rename it.

3. Uploads are accessible

The “uploads” directory is where WordPress puts all your uploaded content images, pdfs, videos etc. With this unprotected it means that anyone can see your files and therefore people can easily steal any sensitive data you might have uploaded or you might be selling. Simply add wp-content/uploads/ to the root domain and if the following shows they have a problem.

WP Uploads - WordPress Link Building

The quickest and easiest way to fix this is to add a blank index.php file into the directory, alternatively you could modify the .htaccess file to prevent indices been returned.

4. Check the WordPress Version

Hackers deliberately look for out of date versions because they know how easy it is to exploit an issue on an old version, it’s very easy to remedy too. Just remember to backup your site before hitting the big WordPress update button.

There are two places you can find which version of WordPress a site is using. In the source code you will find the meta tag generator or in the read me file located at /readme.html

Link building with WordPress Vulnerabilities - WP Version

Once you have found a hole in your link prospect’s site it’s time to contact them and offer your assistance;

Subject: WordPress Security Issues with [Site Name]

Hi [First Name],

I was just visiting your website, [Site Name],  and I spotted a security vulnerability with your WordPress installation

Currently there is an issue with [wp-config.php/uploads/WordPress Version out of Date] and this leaves your site vulnerable to [attack from hackers/content theft].

If you need any help fixing the issue please contact me and I will send you a link with details to fix the issue.



As you can see I don’t ask for a link during this initial conversation but focus on building up some good karma, after all we are all bound — even driven — to repay our debts. If someone does something for you, then you feel obligated to repay them in kind.

I hope these quick and easy WordPress security checks and fixes have given even the least tech focused link builder another way to start a conversation with a blog owner in their niche.

Further reading:

Chris Dyson

Chris Dyson

Chris Dyson is an independent SEO consultant and co-founder of Link Club. You can learn more about Chris on his blog or on Twitter.
Chris Dyson

Latest posts by Chris Dyson (see all)

  • Good stuff Mr Dyson, also useful to make sure your own site is secure!

    Regarding point 1, you say the best solution is to move the wp-config.php file up one level in the directory. Is this file referenced in it’s current location? If so how do you move the file without breaking the whole site?

  • Hi Patrick

    If you’re worried about moving the file from it’s current location (e.g. you might have add on domains) then simply adding

    # Deny public access to wp-config.php

    Order allow,deny

    Deny from all

    to .htaccess (if you are on apache) will prevent it being accessed by people who might have nefarious intentions, it’s also a good idea while you are in there to make sure all the file and directory permissions are ok too.

  • Thanks Chris. Our site is now secure as per your suggestions. Our site isn’t built in WordPress by we have a WordPress blog, and everything you suggest works on /blog/ as opposed to the root domain. I did the wp-config.php fix by editing the .htaccess file within the blog directory.

    Thanks for the heads-up, will try this as an outreach method too.

  • mike

    excuse me, why do you say if wp-config.php returns a blank page it’s insecure??
    I don’t get it, if they can’t see nothing and it’s not showing no information, how can it be insecure??


  • Mike

    If the wp-config.php returns a blank page then it is accessible to external requests, by securing it with your .htaccess it prevents people from calling that page.

    A lot of WP users have incorrect file permissions setup on their servers and therefore limiting external access to these important files can help but it does not mean you should be lazy about security by any means. Strong passwords, correct file permissions, regular backups, perhaps move login pages to an alternative location etc.

    All we are try to do is make an amateur hackers life a little more difficult, if someone really wants to target your site and cause disruptions they can and will.

    At the end of the day these are just a few tips for people to use to start a conversation with a blogger – I’m not suggesting the link builder do a full site security audit, there are lots of people who do that professionally.