
Top reasons why WordPress websites get hacked (and how you can stop it)

Hacking is the process of finding flaws in a system, and exploiting them to bypass security controls. ‘Ethical’ hackers use this process to learn about a system and find its weaknesses. However, malicious or ‘black hat’ hacking is also common. It is often used to break into websites.

There are a lot of reasons why hackers target WordPress sites. One of them is the platform’s sheer popularity. By knowing what these reasons are, you’ll gain a better understanding of how to protect your website.

In this article, we’re going to break down the reasons people hack websites. Then we’ll talk about why WordPress itself gets so much heat. Let’s talk WordPress security!

Why people hack websites

Every day, thousands of websites get hacked. WordPress sites make up a disproportionate percentage of those sites, since WordPress powers over 30% of the web.

A lot of people think their sites are safe from attacks because they don’t contain valuable and sensitive business information. However, there are plenty of other reasons why sites get hacked, such as:

  • to spread malware,
  • to add bandwidth to bot networks, which are often used for Distributed Denial of Service (DDoS) attacks,
  • for black-hat Search Engine Optimization (SEO),
  • for activism / hacktivism,
  • just for practice and fun.

The point is, no website is 100% exempt from the possibility of being targeted. Once it is online, it will be attacked.

4 reasons why WordPress websites get targeted

As if all the reasons we listed before weren’t enough, WordPress sites get some extra attention from attackers. Let’s talk about why this is.

1. WordPress is the most popular CMS in the world

As we mentioned before, WordPress powers over 30% of the web. As of 2018, there were over 1.5 billion websites on the internet (although not all of them were active). This means a little less than a third of those use WordPress.

This is excellent news in some aspects. It means WordPress development isn’t likely to halt soon and you’ll always have a great community to help you out. The problem is, this same popularity also means WordPress is the equivalent of a jackpot for hackers.

Imagine, for a second, that someone found a vulnerability in a popular WordPress plugin. As has already happened in the past, such an exploit could affect millions of websites. Of course, plugins themselves aren’t the only issue, which brings us to our next point.

2. Many WordPress websites lack basic security

There are a lot of things you can do to protect your website from attacks. The good news is that many security best practices aren’t as hard to implement as you’d imagine.

No two-factor authentication

Take Two-Factor Authentication (2FA). With a WordPress two-factor authentication plugin, you can implement it in minutes. Plus, it drastically reduces the chances of attackers gaining access to your website, even if they’ve stolen user credentials.

Not familiar with 2FA? Refer to our introduction to two-factor authentication for WordPress.


No security hardening and protection

Likewise, it doesn’t take long to install and configure a WordPress security plugin.

If you’d like to learn more about this subject, and about protection specifically, we recommend that you also read the WordPress firewalls guide.

No records and activity logs

Another simple WordPress security best practice is to keep a WordPress activity log. This lets you track practically everything that happens on your website, from unsuccessful login attempts to changes in your site’s files.
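
One way to surface the unsuccessful login attempts mentioned above from a plain web server access log, as an added example that is not from the original article or from any plugin it names. It assumes default WordPress behaviour (a failed POST to `/wp-login.php` returns 200, an accepted one returns a 302 redirect) and a site served from the web root; the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def make_line(ip, hms, method, path, status):
    """Build one constructed access-log line in the common 'combined' format."""
    return (f'{ip} - - [12/Mar/2024:{hms} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample data (documentation IP ranges), not real traffic.
SAMPLE_LOG = "\n".join(
    [make_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200)
     for s in range(0, 60, 10)]
    + [make_line("203.0.113.7", "10:01:05", "POST", "/wp-login.php", 302),
       make_line("198.51.100.20", "10:02:00", "POST", "/wp-login.php", 200),
       make_line("198.51.100.20", "10:02:20", "POST", "/wp-login.php", 302),
       make_line("198.51.100.20", "10:02:21", "GET", "/wp-admin/", 200)])

def find_password_guessing(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failures": n, "then_success": bool}} for every IP with at
    least `threshold` failed logins inside `window`."""
    recent = defaultdict(list)   # ip -> timestamps of failures still in window
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != "/wp-login.php":
            continue
        ip, status = m["ip"], int(m["status"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if status == 200:        # assumption: form re-rendered = failed login
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                entry = findings.setdefault(ip, {"failures": 0, "then_success": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif status == 302 and ip in findings:
            # assumption: redirect = accepted login; after a burst, investigate
            findings[ip]["then_success"] = True
    return findings

if __name__ == "__main__":
    for ip, info in find_password_guessing(SAMPLE_LOG).items():
        print(ip, info)
```

A security plugin or a custom login page can change these status codes, so confirm them against one known failed and one known successful login on your own site before relying on the counts.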

The problem is, most people don’t take the time to learn about basic WordPress security measures. They don’t consider their website to be at risk. If you don’t want your website to be a part of the prominent hacking statistics, implement the security best practices above.

3. Weak password use is endemic

When it comes to maintaining a secure WordPress website, your WordPress users’ passwords are the first line of defense. If someone guesses your admin credentials, they gain full admin privileges on your website – not a good place to be.

The situation is more pressing than you think, because users do use weak passwords. Educate your users on what makes a strong WordPress password. For example, focus on length rather than a complex mix of characters. Lengthy passwords are much harder to guess and crack. And always use a password manager so you and your users do not have to remember the long passwords.

Implement strong WordPress password policies

Likewise, it’s also smart to implement strong password policies for your website’s users. Do this with the Melapress Login Security plugin, which enables you to configure password expiry, password history, password complexity and several other policies.

Strong password policies are an effective way to keep your website safe and teach your visitors to use secure passwords.

4. Use of outdated WordPress core, plugins & other software

Quite often, outdated software has vulnerabilities. So when WordPress administrators use outdated core, plugins, themes and other software, they expose security holes for hackers to exploit. Unfortunately, they do so quite often; outdated vulnerable software is one of the most common causes of hacked WordPress websites.

Attackers know this. In fact, they have a plethora of free scanning tools and scripts which they often use to identify and exploit vulnerable WordPress websites en masse.

Summing it up

WordPress is incredibly popular. It’s easy to use, highly versatile, and you can create amazing websites with it. However, the downside is that these same strengths make WordPress a target for attackers. Basic security practices go a long way towards mitigating that risk.

Let’s recap the four main reasons why WordPress websites come under attack so often:

  1. It’s the most popular CMS in the world.
  2. A lot of WordPress websites don’t follow basic security practices.
  3. Weak password use is endemic.
  4. Outdated software is often used.

How you can stop it

To close on a positive note, here are a few tips you should follow to counter the above problems:

  1. Use a WordPress website firewall / security plugin,
  2. Install a two-factor authentication (2FA) plugin,
  3. Keep a log of everything that happens on your WordPress website,
  4. Install a plugin to enforce strong password policies,
  5. Run a WordPress file integrity monitor,
  6. Back up your WordPress website.
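
Tip 5 in miniature, as an added example that is not from the original article or from any plugin it names: a file integrity monitor records a hash of every file while the site is known-good and later reports files that were added, removed or changed. The directory tree and file contents below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def diff_snapshots(baseline, current):
    """Compare two snapshots and report added, removed and modified files."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }

def demo():
    """Build a constructed WordPress-like tree, change it, return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "index.php").write_text("<?php // front controller\n")
        (root / "wp-config.php").write_text("<?php // settings\n")
        (root / "wp-includes" / "version.php").write_text("<?php // version\n")
        baseline = snapshot(root)  # taken while the site is known-good

        # Simulated later state: one file edited, one unexpected PHP file
        # in the uploads directory, one core file missing.
        (root / "index.php").write_text("<?php // front controller (edited)\n")
        (root / "wp-content" / "uploads" / "cache.php").write_text("<?php // unexpected\n")
        (root / "wp-includes" / "version.php").unlink()
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Keep the baseline somewhere the web server cannot write to; otherwise whoever changes the files can also rewrite the recorded hashes.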

6 thoughts on “Top reasons why WordPress websites get hacked (and how you can stop it)”

  1. Thank you so much for this article! I’m just getting started with WordPress and this should be a tremendous help.

  2. Thanks for the detailed information. A quick question: My website was hacked, I had changed passwords. I still feel like somebody else is accessing it or making changes in it. Shall I remove this website all over? Or is there any way to find the actual problem and fix it?

    1. Hello Adam,

      If you think somebody else is accessing your website, installing WP Activity Log will provide you with a clear picture of who is accessing what. This can help you determine whether someone is in fact accessing your website without authorization. I would also recommend installing Website File Changes Monitor. This plugin basically takes a hash of your WordPress files and alerts you should something change.

      Moving forward, consider installing WP 2FA. 2FA has been proven time and again to stop different types of attacks – including unauthorized access. Should you have more questions about any of these plugins or need help installing them, our support team is more than happy to help.

      You might also want to take a look at your current user accounts and disable those that are inactive or that you do not recognize. Keep an eye on the logs, including web server logs, and ensure everything is up to date at all times.

