Top reasons why WordPress websites get hacked (and how you can stop it)

Last updated on October 03rd, 2019 by Mark Grima. Filed under WordPress Security

Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites.

There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website.

In this article, we’re going to break down the reasons people hack websites. Then we’ll talk about why WordPress itself gets so much heat. Let’s talk WordPress security!

Why people hack websites

Every day, thousands of websites get hacked. WordPress sites make up a disproportionate percentage of those sites, since the platform powers over 30% of the web.

A lot of people think their sites are safe from attacks because they don’t contain valuable and sensitive business information. However, there are plenty of other reasons why sites get hacked, such as:

  • to spread malware,
  • adding bandwidth to bot networks, which are often used for Distributed Denial of Service (DDoS) attacks,
  • black-hat Search Engine Optimization (SEO),
  • activism / hacktivism,
  • just for practice and fun.

The point is, no website is 100% exempt from the possibility of being targeted. Once it is online, it will be attacked.

4 reasons why WordPress websites get targeted

As if all the reasons we listed before weren’t enough, WordPress sites get some extra attention from attackers. Let’s talk about why this is.

1. WordPress is the most popular CMS

As we mentioned before, WordPress powers over 30% of the web. As of 2018, there were over 1.5 billion websites on the internet (although not all of them were active). This means a little less than a third of those use WordPress.

This is excellent news in some aspects. It means WordPress development isn’t likely to halt soon and you’ll always have a great community to help you out. The problem is, this same popularity also means WordPress is the equivalent of a jackpot for hackers.

Imagine, for a second, that someone found a vulnerability in a popular WordPress plugin. As has already happened in the past, such an exploit could affect millions of websites. Of course, plugins themselves aren’t the only issue, which brings us to our next point.

2. Many WordPress websites lack basic security

There are a lot of things you can do to protect your website from attacks. The good news is that many security best practices aren’t as hard to implement as you’d imagine.

No two-factor authentication

Take Two-Factor Authentication (2FA). Using a WordPress plugin, it can be implemented in minutes. Plus, it drastically reduces the chances of attackers gaining access to your website, even if they’ve stolen user credentials.

Two-Factor Authentication for WordPress

No security hardening and protection

Likewise, it doesn’t take long to install and configure a WordPress security plugin. Two of our favorites, MalCare and Sucuri, include all sorts of functionality, from firewall to malware scanning.

No records and activity logs

Another simple WordPress security best practice is to keep a WordPress activity log. This lets you track practically everything that happens on your website, from unsuccessful login attempts to changes in your site’s files:

WordPress audit trail (activity log)

The problem is, most people don’t take the time to learn about basic WordPress security measures. They don’t consider their website to be at risk. If you don’t want your website to become part of the hacking statistics, implement the security best practices above.

3. Weak password use is endemic

When it comes to WordPress security, your WordPress users’ passwords are the first line of defense. If someone guesses your admin credentials, they gain full admin privileges on your website – not a good place to be.

The problem is more pressing than you think: users routinely choose weak passwords. Educate your users on what makes a strong password. For example, focus on length rather than a complex mix of characters. Lengthy passwords are much harder to guess and crack. And always use a password manager so you and your users do not have to remember the long passwords.

Implement strong WordPress passwords policies

Likewise, it’s also smart to implement strong password policies for your website’s users. Do this with the Password Policy Manager plugin, which enables you to configure password expiry, password history, password complexity and several other policies.

Password Policy Manager plugin

Strong password policies are an effective way to keep your website safe and teach your visitors to use secure passwords.
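The length-first advice above, together with the expiry, history and complexity policies the Password Policy Manager plugin is described as offering, can be expressed as a small check. The code below is an added example written for this article; it is not the plugin’s code, and the policy values (16-character minimum, last 5 passwords remembered, 90-day expiry, the short common-password list) are assumptions chosen for illustration.

```python
"""Length-first WordPress password policy check (added example, not plugin code).

Implements the policies the article lists: minimum length, a short
common-password blocklist, no username inside the password, password history
and password expiry. Previous passwords are kept only as salted PBKDF2 hashes.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy values are assumptions for this example, not the plugin's defaults.
MIN_LENGTH = 16          # favour length over character-class rules
HISTORY_SIZE = 5         # reject reuse of the last N passwords
MAX_AGE_DAYS = 90        # force a change after this many days
# Constructed, deliberately tiny blocklist; a deployment would use a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}

HistoryEntry = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Salted PBKDF2-HMAC-SHA256 so history entries never hold plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def matches_history(password: str, history: List[HistoryEntry]) -> bool:
    """True if the candidate equals any stored (salt, digest) pair."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, username: str, history: List[HistoryEntry]) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if matches_history(password, history[-HISTORY_SIZE:]):
        problems.append(f"reuses one of the last {HISTORY_SIZE} passwords")
    return problems


def is_expired(last_changed_iso: str, now_iso: str) -> bool:
    """Expiry policy: True once the password is older than MAX_AGE_DAYS."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed demo: one remembered password, three candidates for user "admin".
    history = [hash_password("correct horse battery staple")]
    for pw in ("Tr0ub4dor&3", "correct horse battery staple", "seven purple kettles hum at dawn"):
        result = check_password(pw, "admin", history)
        print(f"{pw!r}: {'OK' if not result else ', '.join(result)}")
    print("expired since 2019-01-01 on 2019-10-03:", is_expired("2019-01-01", "2019-10-03"))
```

Note that "Tr0ub4dor&3" fails only on length even though it mixes cases, digits and symbols, while the plain four-word passphrase passes: the check rewards length, which is what the article recommends.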

4. Use of outdated WordPress core, plugins & other software

Quite often, outdated software has vulnerabilities. So when WordPress administrators use outdated core, plugins, themes and other software they expose security holes for hackers to exploit. Unfortunately they do so quite often; outdated vulnerable software is one of the most common causes of hacked WordPress websites.

Attackers know this. In fact, they have a plethora of free scanning tools and scripts which they use to identify and exploit vulnerable WordPress websites en masse.

Summing it up

WordPress is incredibly popular. It’s easy to use, highly versatile, and you can create amazing websites with it. However, the downside is that these same strengths make WordPress a target for malicious intent. Basic security practices go a long way toward mitigating that downside.

Let’s recap the four main reasons why WordPress websites come under attack so often:

  1. It’s the most popular CMS in the world.
  2. A lot of WordPress websites don’t follow basic security practices.
  3. Weak password use is endemic.
  4. Outdated software is often used.

How you can stop it

To close on a positive note, here are a few tips you should follow to counter the above problems:

  1. use a WordPress website firewall / security plugin,
  2. keep a log of everything that happens on your WordPress website,
  3. install a plugin to enforce strong password policies,
  4. run a WordPress file integrity monitor,
  5. back up your WordPress website.
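Tip 4 (a file integrity monitor) and the earlier remark that an activity log lets you track changes in your site’s files both rest on the same idea: record a baseline of file hashes and compare against it later. The script below is an added example written for this article, not code from any plugin mentioned here; the skipped directories and the tiny web root it builds in a temporary folder are constructed for the demonstration.

```python
"""Minimal WordPress file integrity monitor (added example, not plugin code).

Records a SHA-256 baseline of every file under the web root, then reports
files that were added, removed or modified since the baseline was taken.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, Set

# Directories that legitimately churn and would drown real alerts (assumed list).
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def sha256_file(path: str) -> str:
    """Stream the file in 64 KiB chunks so large files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root, minus SKIP_DIRS."""
    baseline: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        if any(rel_dir == s or rel_dir.startswith(s + "/") for s in SKIP_DIRS):
            dirnames[:] = []  # prune: don't descend into skipped trees
            continue
        for name in filenames:
            rel = f"{rel_dir}/{name}" if rel_dir else name
            baseline[rel] = sha256_file(os.path.join(dirpath, name))
    return baseline


def save_baseline(baseline: Dict[str, str], path: str) -> None:
    """Persist the baseline; keep this file outside the web root in practice."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, "r", encoding="utf-8") as f:
        return json.load(f)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify differences into added, removed and modified relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": new - old,
        "removed": old - new,
        "modified": {p for p in old & new if baseline[p] != current[p]},
    }


def demo() -> Dict[str, Set[str]]:
    """Build a constructed web root, baseline it, then simulate the kinds of
    change an administrator wants flagged: an edited core file, an unexpected
    new plugin file and a deleted file. Upload churn is ignored by design."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as f:
                f.write(data)

        write("index.php", "<?php require 'wp-blog-header.php';")
        write("wp-includes/version.php", "<?php $wp_version = 'EXAMPLE';")
        write("wp-content/plugins/hello.php", "<?php // constructed plugin file")
        write("wp-content/uploads/2019/photo.jpg", "constructed upload")
        baseline_path = os.path.join(root, "..", "baseline-example.json")
        save_baseline(build_baseline(root), baseline_path)

        # Changes after the baseline was taken
        write("wp-includes/version.php", "<?php $wp_version = 'EXAMPLE'; // unexpected edit")
        write("wp-content/plugins/unexpected.php", "<?php // file nobody installed")
        os.remove(os.path.join(root, "wp-content", "plugins", "hello.php"))
        write("wp-content/uploads/2019/another.jpg", "normal upload churn, ignored")

        result = compare(load_baseline(baseline_path), build_baseline(root))
        os.remove(baseline_path)
        return result


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {sorted(paths)}")
```

Run on a schedule from outside the web root, a report with anything in "modified" for core or plugin files that you did not just update is exactly the signal the article wants you to have; store the baseline file somewhere the web server cannot write to, otherwise a compromise that rewrites files can rewrite the baseline too.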


One comment

Prajwol 23/02/2017

Thanks, Robert, for your useful and informative post. I still didn’t know about this; now I am updating my site to WordPress version 4.7.2.
