How Do WordPress Sites Get Hacked?

There are dire warnings everywhere you turn warning of dangerous hackers afoot. What do these hackers do, and why would they want to hack your WordPress site?  You have come to the right place. We will tell you why hackers are interested in your WordPress site, and how to keep them away. 

Why Do Hackers Hack? 

Hacking is the process of gaining unauthorized entry into a computer system or network by exploiting vulnerabilities within the system to bypass security protocols. There are two main types of hackers, white hat and black hat hackers.  

White hat hackers are the good guys. They are skilled hackers who use their expertise to find the exploitable vulnerabilities within a system and create solutions, known as patches, that can be used to correct the problem. 

Black hat hackers are equally skilled hackers who are also looking for exploitable vulnerabilities in the system. However, the black hat hacker aims to exploit the vulnerability for personal or professional gain, not to provide a solution. 


Why Do Hackers Hack WordPress Sites? 

There is a lot of buzz about WordPress sites being favorite targets for hackers.  The reality is, that it is all but impossible to know the true scope of cybercrime because the vast majority of sites never report being hacked.  

We do know that WordPress holds 60.8% of the content management system market share so it is indisputably, the most popular content management system on the web. WordPress powers approximately 40% of the world’s websites, and more than 500 new websites are launched using WordPress every single day.  

This massive popularity and the sheer volume of users make WordPress sites a natural target for hackers. That does not reflect poorly on WordPress security, it is merely a natural consequence of success.  


How Do WordPress Sites Get Hacked? 

WordPress sites are a big red bulls-eye for hackers due to the system’s popularity and widespread distribution.  According to one industry report, WordPress websites record upwards of 90,000 attacks each minute. Many website owners underestimate the risk because they believe that their site is too small, and gets too little traffic to be of interest to hackers. There is no such thing as a website too small, or a website with too little traffic because modern hacking attacks are generally carried out by automated bots.  

Hackers create bots that are programmed to seek out WordPress sites running outdated or unpatched plug-ins with a specific known vulnerability. The bot is designed to execute a particular action whenever it encounters the correct target.  If your WordPress site has a known vulnerability your website will be hacked as soon as the bot encounters it. 

The frequency of the hacking attempts on WordPress sites makes it even more important that website owners practice good security habits and stay up to date on the latest vulnerabilities. First we have to know where the danger is coming from. Let’s have a look at the most common ways that hackers have gained entry into WordPress sites.  


Shared Web Hosting Vulnerability 

The majority of shared hosting providers are very secure. There are still some that do not go far enough in their efforts to insulate each hosted site from its neighbors. When one website on a shared hosting platform becomes infected it can easily infect the other websites hosted on the same platform if strong security protocols are not used to prevent cross-infection.  

Denial-of-Service (DOS) attacks or Distributed-Denial-of-Service (DDOS) occur when hackers use bots to flood a website’s servers with spam until the site’s hosting platform is overwhelmed and the site and hosting servers crash. A successful DOS or DDOS attack will take down the target site and the hosting server causing all other websites on the same hosting platform to crash as well. 

To protect your WordPress site from being caught up in a DOS, DDOS attack, or other web hosting vulnerability be careful to check the security record and reputation of any web hosting platform you are considering. Strong web hosting platforms will have security protocols in place to mitigate against these types of attacks.    


Outdated WordPress Core 

The WordPress core system has come a long way in security since its 2003 launch date.  Today WordPress employs a team of experts working around the clock to monitor the security of the WordPress core and immediately address any security holes they discover.  However, according to WordPress, only 39% of  WordPress websites have installed the updated version software. 

When vulnerabilities are discovered, the team mitigates them by patching the security holes and releasing an updated version of the WordPress core software. The website owner has the responsibility to stay informed of WordPress core updates. If the website owner does not update their site to the newest WordPress core version when the update is released, their website will remain vulnerable to the security flaw. 

WordPress now offers website owners the option to have updates installed automatically to ensure that they are always using the very latest version of the WordPress core. The downside of this is the possibility that an update may break your current website configuration and you would not know until the next time you log in to your website.  Having a website that is not-operational for any length of time is guaranteed to cost you customers and sales.  

As a general rule WordPress core updates are released every 4-5 months 


Third-Party Plug-Ins And Themes 

WordPress core software is updated constantly, and the overall security has been hardened significantly since the early days of WordPress.  WordPress itself is very secure. However, WordPress sites rely on utilities known as plug-ins that are developed by third-party developers independently from the WordPress core.   

Plug-ins give WordPress its unique flexibility, ease of use, and infinite scalability. In short, plug-ins are what makes WordPress so widely popular with so many people. Third-party plug-ins are also the biggest source of vulnerability for WordPress sites.    

The official WordPress website offered 57,979 plug-ins at the time of publishing. The massive number of plug-ins makes vetting each one for security an impractically large task. This puts the responsibility on the website owner to vet each plug-in before introducing it to their site. Many website owners are unaware of this added responsibility.  

Hackers count on the fact that most WordPress website owners will install the plug-ins they need and never think about them again. The following practices will go a long way towards keeping your WordPress site safe from hackers seeking vulnerable plug-ins to exploit. 

  • Check the date of the plug-in’s last update and install only plug-ins that have been updated regularly 
  • Make sure you are familiar with the developer’s reputation and trust their work before installing 
  • Look for plug-ins with many previous downloads 
  • Be wary of plug-ins with few active users regardless of download count 
  • Be wary of installing plug-ins with less than 3.5 stars 
  • Completely remove any obsolete, outdated, or unused plug-ins and themes from your website 

Weak Or Recycled Passwords 

In 2020, WordPress security provider, Wordfence, reported  90 billion malicious login attempts.on the WordPress websites they monitor. To put that into perspective, that breaks down to roughly 2,800 attacks per second targeting WordPress sites. These log-in attempts are known as brute force attacks. 

Hackers create bots that attempt to log-in to your website repeatedly using billions of username-password combinations. They use sheer numbers to increase the odds that they will eventually hit upon the right combination to gain access to your website’s administrator controls.  

Once they have gained administrator access they can completely hijack your website by changing passwords, locking you out of your own website. Perhaps even more frightening, they can stay under the radar and simply insert snippets of code into the backend commands that direct your website to perform criminal acts without your knowledge.  

The best way to avoid becoming a victim of a brute-force hacking attack is to be diligent about following all safe password guidelines. Using the following rules when choosing a password will dramatically reduce the odds that a brute-force attack will be successful. 

  • Choose a long password that is at least 8 characters long. The longer the better, 12 characters is ideal 
  • Use a combination of uppercase and lowercase letters, numbers, and symbols 
  • Avoid using personal details that can be easily discovered like your name, birthday, or email 
  • Don’t use the same password on multiple sites  

For complete security, consider using a password manager to generate long complex passwords for each unique log-in. The password manager stores your passwords securely so there is no need to remember them.  

The gold standard in password log-in protection is 2-factor authentication. Each time you log-in to your website, you will be asked to confirm your log-in on another device or using an authentication app on the same device. When asked, hackers cited 2-factor authentication as the single biggest barrier to gaining access to a secure website.  


Cybercrime is not going to abate any time soon. In fact, Sucuri reported that 94% of the infected websites, in the latest Hacked Website Threat Report, were WordPress websites. Regular monitoring and maintenance to mitigate security risks is more crucial than ever with the FBI reporting a whopping 300% increase in cyber attacks in 2020. Fortunately, there are tools and experts at your disposal should you need help. Consider managed hosting for the greatest peace of mind. A managed hosting provider will handle all aspects of your WordPress website from updates, to user complaints so you can concentrate on running your business. 

Posted in
Click to access the login or register cheese