Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites.
There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website.
In this article, we’re going to break down the reasons people hack websites. Then we’ll talk about why WordPress itself gets so much heat. Let’s talk WordPress security!
Why people hack websites
Every day, thousands of websites get hacked. WordPress sites make up a disproportionate percentage of those sites, since it powers over 30% of the web.
A lot of people think their sites are safe from attacks because they don’t contain valuable and sensitive business information. However, there are plenty of other reasons why sites get hacked, such as:
- spreading malware,
- adding bandwidth to botnets, which are often used for Distributed Denial of Service (DDoS) attacks,
- black-hat Search Engine Optimization (SEO),
- activism or hacktivism,
- practice and fun.
The point is, no website is 100% exempt from the possibility of being targeted. Once it is online, it will be attacked.
4 reasons why WordPress websites get targeted
As if all the reasons we listed before weren’t enough, WordPress sites get some extra attention from attackers. Let’s talk about why this is.
1. WordPress is the most popular CMS
As we mentioned before, WordPress powers over 30% of the web. As of 2018, there were over 1.5 billion websites on the internet (although not all of them were active). This means a little less than a third of those use WordPress.
This is excellent news in some aspects. It means WordPress development isn’t likely to halt soon and you’ll always have a great community to help you out. The problem is, this same popularity also means WordPress is the equivalent of a jackpot for hackers.
Imagine, for a second, that someone found a vulnerability in a popular WordPress plugin. As has already happened in the past, such an exploit could affect millions of websites. Of course, plugins themselves aren’t the only issue, which brings us to our next point.
2. Many WordPress websites lack basic security
There are a lot of things you can do to protect your website from attacks. The good news is that many security best practices aren’t as hard to implement as you’d imagine.
No two-factor authentication
Take Two-Factor Authentication (2FA). Using a WordPress two-factor authentication plugin, it can be implemented in minutes. Plus, it drastically reduces the chances of attackers gaining access to your website, even if they’ve stolen user credentials.
Not familiar with 2FA? Refer to our introduction to two-factor authentication for WordPress.
No security hardening and protection
Likewise, it doesn’t take long to install and configure a WordPress security plugin. Two of our favorites, MalCare and Sucuri, include all sorts of functionality, from firewall to malware scanning.
No records and activity logs
Another simple WordPress security best practice is to keep a WordPress activity log. This lets you track practically everything that happens on your website, from unsuccessful login attempts to changes in your site’s files.
The problem is, most people don’t take the time to learn about basic WordPress security measures. They don’t consider their website to be at risk. If you don’t want your website to become part of the hacking statistics, implement the security best practices above.
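The failed-login tracking that an activity log gives you can also be done against the web server’s own access log. The script below is an added example written for this article, not code from the original post or from any of the plugins it mentions: it parses combined-format access log lines (the sample lines are constructed, using documentation IP ranges) and flags any client that fails to log in repeatedly inside a short window. The failure heuristic is an assumption about default WordPress behaviour (a failed POST to wp-login.php re-renders the form with HTTP 200, a successful one redirects with 302); adjust it if your site or a plugin answers differently.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the "combined" access-log format used by
# Apache and nginx. The IPs are documentation ranges; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2023:14:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "curl/7.88"
192.0.2.33 - - [10/Oct/2023:14:35:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3240 "-" "curl/7.88"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_log(text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "path": m.group("path"),
            "status": int(m.group("status")),
        })
    return events

def is_failed_login(ev):
    # Assumed heuristic: default WordPress re-renders the login form (200) when
    # a wp-login.php POST fails and redirects (302) when it succeeds.
    return (ev["method"] == "POST"
            and ev["path"].split("?")[0] == "/wp-login.php"
            and ev["status"] == 200)

def find_login_bursts(text, threshold=5, window_seconds=60):
    """Return {ip: peak_failures} for every IP that reaches `threshold` failed
    logins inside any sliding window of `window_seconds`."""
    failures = defaultdict(list)
    for ev in parse_log(text):
        if is_failed_login(ev):
            failures[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until the span fits in window_seconds.
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins within 60s")
```

On the sample data only 203.0.113.7 is reported: the client that logged in successfully produces a 302, and the client with two failures a quarter of an hour apart never reaches the threshold inside a one-minute window. Threshold and window are parameters precisely so you can tune them against your own traffic before acting on the output.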
3. Weak password use is endemic
When it comes to maintaining a secure WordPress website, your WordPress users’ passwords are the first line of defense. If someone guesses your admin credentials, they gain full admin privileges on your website – not a good place to be.
The situation is more pressing than you think: users routinely choose weak passwords. Educate your users on what makes a strong password. For example, focus on length rather than a complex mix of characters. Lengthy passwords are much harder to guess and crack. And always use a password manager so you and your users do not have to remember the long passwords.
Implement strong WordPress password policies
Likewise, it’s also smart to implement strong password policies for your website’s users. Do this with the MelaPress Login Security plugin, which enables you to configure password expiry, password history, password complexity and several other policies.
Strong password policies are an effective way to keep your website safe and teach your visitors to use secure passwords.
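To make the policy types named above concrete, here is an added example written for this article; it is not code from the original post or from the MelaPress Login Security plugin. It enforces a length-first strength rule, a password history that stores only salted hashes (so previous passwords are never kept in plaintext), and an expiry check. The numeric limits (14 characters, 5 remembered passwords, 90 days) and the PBKDF2 round count are assumptions chosen for illustration; a real deployment would take them from the site’s policy.

```python
import hashlib
import os
from datetime import date

# Assumed policy values: the article names the policy types (length, expiry,
# history) but not the numbers, so these are illustrative choices.
MIN_LENGTH = 14
HISTORY_SIZE = 5
MAX_AGE_DAYS = 90
PBKDF2_ROUNDS = 100_000

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 so the history never holds a plaintext password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest

def matches(password, entry):
    """Re-hash with the stored salt and compare against the stored digest."""
    salt, digest = entry
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS) == digest

class UserPasswordState:
    """Per-user record: bounded history of previous hashes plus last change date."""
    def __init__(self):
        self.history = []       # newest first, at most HISTORY_SIZE entries
        self.changed_on = None  # datetime.date of the last successful change

def violations(candidate, state):
    """List every policy rule the candidate breaks (empty list = acceptable).
    Length is the only strength rule here: a long passphrase beats a short one
    with forced symbols, which is the advice the article gives."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if any(matches(candidate, entry) for entry in state.history):
        problems.append(f"reused one of the last {HISTORY_SIZE} passwords")
    return problems

def set_password(candidate, state, today_iso):
    """Apply the policy; on success store the new hash and the change date."""
    problems = violations(candidate, state)
    if problems:
        return problems
    state.history.insert(0, hash_password(candidate))
    del state.history[HISTORY_SIZE:]  # keep only the most recent entries
    state.changed_on = date.fromisoformat(today_iso)
    return []

def is_expired(state, today_iso):
    """Expiry rule: require a change after MAX_AGE_DAYS (or if never set)."""
    if state.changed_on is None:
        return True
    return (date.fromisoformat(today_iso) - state.changed_on).days > MAX_AGE_DAYS

if __name__ == "__main__":
    user = UserPasswordState()
    print(set_password("P@ss1!", user, "2024-01-01"))                       # too short
    print(set_password("correct horse battery staple", user, "2024-01-01"))  # accepted
    print(set_password("correct horse battery staple", user, "2024-02-01"))  # reused
    print(is_expired(user, "2024-05-01"))                                    # expired
```

The history check works by re-hashing the candidate with each stored salt, which is why the record keeps the salt next to the digest; comparing plaintext would defeat the point of storing hashes at all.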
4. Use of outdated WordPress core, plugins & other software
Quite often, outdated software has known vulnerabilities. So when WordPress administrators run an outdated core, plugins, themes or other software, they expose security holes for hackers to exploit. Unfortunately, they do so quite often; outdated vulnerable software is one of the most common causes of hacked WordPress websites.
Attackers know this. In fact, they have a plethora of free scanning tools and scripts, which they often use to mass-identify and exploit vulnerable WordPress websites.
Summing it up
WordPress is incredibly popular. It’s easy to use, highly versatile, and you can create amazing websites with it. The downside is that these same strengths make WordPress a target for malicious intent. Basic security practices go a long way towards mitigating this.
Let’s recap the four main reasons why WordPress websites come under attack so often:
- It’s the most popular CMS in the world.
- A lot of WordPress websites don’t follow basic security practices.
- Weak password use is endemic.
- Outdated software is often used.
How you can stop it
To close on a positive note, here are a few tips you should follow to counter the above problems:
- Use a WordPress website firewall / security plugin,
- Install a two-factor authentication (2FA) plugin,
- Keep a log of everything that happens on your WordPress website,
- Install a plugin to enforce strong password policies,
- Run a WordPress file integrity monitor,
- Back up your WordPress website.
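The file integrity monitor in the list above works by recording a cryptographic hash of every file and reporting whatever differs on the next run. The script below is an added example written for this article, not code from the original post or from any file-change plugin: it snapshots a directory tree into a JSON baseline, compares a later snapshot against it, and reports added, removed and modified files. The miniature site tree it builds is constructed in a temporary directory so the example runs offline; the cache directory it skips and the file names are assumptions for illustration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def build_snapshot(root, skip_dirs=()):
    """Map every file under root (relative POSIX path -> sha256), skipping
    directories listed in skip_dirs (e.g. a cache folder that changes constantly)."""
    root = Path(root)
    snapshot = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        snapshot[rel] = hash_file(p)
    return snapshot

def save_baseline(snapshot, path):
    """Persist the baseline; keep it outside the web root so a site compromise cannot rewrite it."""
    Path(path).write_text(json.dumps(snapshot, indent=2, sort_keys=True))

def load_baseline(path):
    return json.loads(Path(path).read_text())

def compare(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(f for f in baseline.keys() & current.keys() if baseline[f] != current[f])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed miniature site tree in a temp directory, then simulated changes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-includes").mkdir(parents=True)
        (site / "wp-content" / "cache").mkdir(parents=True)
        (site / "wp-includes" / "functions.php").write_text("<?php // constructed\n")
        (site / "readme.html").write_text("<html>constructed</html>\n")
        (site / "wp-content" / "cache" / "page.html").write_text("cached\n")

        baseline_path = Path(tmp) / "baseline.json"  # outside the site tree
        save_baseline(build_snapshot(site, skip_dirs=("wp-content/cache",)), baseline_path)

        # Simulated changes: one core file edited, one unexpected file added,
        # one file removed, and a cache file rewritten (which should be ignored).
        (site / "wp-includes" / "functions.php").write_text("<?php // constructed, altered\n")
        (site / "wp-content" / "unexpected.php").write_text("<?php // constructed\n")
        os.remove(site / "readme.html")
        (site / "wp-content" / "cache" / "page.html").write_text("cached again\n")

        current = build_snapshot(site, skip_dirs=("wp-content/cache",))
        return compare(load_baseline(baseline_path), current)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run periodically (for example from cron) against the real site root, the report is what you act on: a modified core file or a new PHP file you did not install warrants a look, while a rewritten cache entry is noise, which is why the skip list exists. Refresh the baseline only after a change you made yourself, such as an update, so that the next comparison starts from a known-good state.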
Thanks, Robert, for your useful and informative post. I still didn’t know about this; now I am updating my site to WordPress version 4.7.2.
When I got my site hacked, should I continue to use the hosting or move to another?
It depends. Was your website hacked via a security issue that the hosting provider had and that they did not fix? If so, then yes. Otherwise, I wouldn’t bother.
Thank you so much for this article! I’m just getting started with WordPress and this should be a tremendous help.
Thanks for the detailed information. A quick question: my website was hacked, and I had changed passwords. I still feel like somebody else is accessing it or making changes in it. Shall I remove this website altogether? Or is there any way to find the actual problem and fix it?
If you think somebody else is accessing your website, installing WP Activity Log will provide you with a clear picture of who is accessing what. This can help you determine whether someone is in fact accessing your website without authorization. I would also recommend installing Website File Changes Monitor. This plugin basically takes a hash of your WordPress files and alerts you should something change.
Moving forward, consider installing WP 2FA. 2FA has been proven time and again to stop different types of attacks – including unauthorized access. Should you have more questions about any of these plugins or need help installing them, our support team is more than happy to help.
You might also want to take a look at your current user accounts and disable those that are inactive or that you do not recognize. Keep an eye on the logs, including web server logs, and ensure everything is up to date at all times.