How do WordPress sites get Hacked?

Before you design websites or using WordPress, you need to know limitations of the security for it. We will go over the most common ways that you can get hacked and how to avoid being hacked using WordPress.

How do WordPress sites get hacked? The most common way for WordPress to be hacked is poor passwords, no security plugins, not updating themes, not updating plugins and WordPress core. People also forget to keep a recent backup to help during any website hack or attack. A majority of hacks are automated and use exploits found in outdated items.

In this article we will talk about how WordPress websites get hacked and discuss something you can do to protect yourself. 

The basics of hacking a website


Websites being hacked are so common that it’s almost a joke that if you are not following these basic instructions you risk everything. Websites being hacked are very common and knowing how to handle a hack is something every website owner should know.

One of the most common website hacks is a brute force attack. This is when a website login is often attacked by a computer repeatedly in a way to crack the password. The idea behind it is that it will keep trying common passwords until it finds the right one.

Another common method is the injection method which uses a bot to search your website for plugins that have not been updated or themes that are not updated. The bot will search for holes in your security and then insert lines of code which allow it to access your website through an exploit.

While these methods are two of the most common methods for hacking a website, they are not the only way to hack a website. There are several additional methods that can get a hacker access to your site but by following these simple rules below you will learn how to avoid these attacks.

We will also talk about protecting your website and what to do after you have been hacked. So if you want to protect yourself, let’s spend sometime talking about what to do.

1. Most hacks are automated

Anyone who has installed Wordfence or other security plugins know that automated attacks are very common for security. Many of the people who are trying to hack websites use bots to search for vulnerabilities in the website in the form of outdated plugins and themes.

It is also common for these bots to check file permissions and try doing what we call “injections” where they inject tiny pieces of code into a plugin or theme to exploit your website. This piece of code will often run and collect things like user information and passwords of people logging onto the website.

Hackers rather than wasting their time searching hundreds or even thousands of websites just send out these tiny workers to ensure that they can hit a high number of websites over a certain time frame. Once they find one with an exploit, they will often focus on that website until it cracks security.

2. Weak Passwords

While this might be something that is common knowledge you should never use weak passwords. When passwords first started gaining ground people used things like numbers and symbols to increase the strength. 

Now we have learned that symbols and letters do not matter as much as the length of a password. The longer that a password is, the harder that password becomes to crack. Complexity of letters and numbers don’t matter as much as having something that is long.

There are several password checkers on the web which you can use to check your password but my favorite is right here. It breaks down the time it will take to break your password. And while I am sure much of this is subjective to things like how many computers are trying to break in or crack the password, it should give you a rough idea of how long your password needs to be.

This alone can protect you without doing any of the other things below on this list. Longer passwords are just as much more secure than the passwords that are short and clever.

3. Never used Admin for the WordPress Admin login


While this also may seem like a very common knowledge there are several people who will use default admin as their default login. Hackers will use bots to find your login but using admin gives them instant knowledge of what you used to login to your account.

While we are at it, never use your site name or domain name either. I would also recommend that you do not use any variation of admin such as login, boss, etc. These names leave you open to attack. 

I would recommend using names or logins that have nothing to do with you personally or your business. Something random will work great in making your security harder.

4. Insecure web hosting

Picking a web host which does not do their own security checks is a big problem. If you get emails that your host has been compromised then you need to find another host. 

But even without knowing this information how can someone check a web host to know what their security is? First look for all the security signs which should be posted on the website. Is the website running SSL and does it have any kind of lock on the front of the website? Next you can Google things like hacked and then the website name to find out if it’s been hacked anytime recently.

While this might seem like a small matter, it’s a big deal to most web hosting companies as hacks cost time and money. Once one website is hacked, it leads hackers down the road to other website which might be on that same server. Web hosts are not in the business of making sure that your website is secure but they should make sure their own servers are secure.

I enjoy using Blue Host, while it’s not the best hosting you can get, it’s fine for people just starting out.

5. Not updating WordPress

WordPress has so many updates that come out that for some business owners it might be hard to keep track of. Some updates are feature related but many updates that come out focus on security.

Hackers will focus on outdated websites since most people fear what happens when they update WordPress. Sometimes WordPress updates could break things which is why most web designers will recommend that you do a staging site. A staging site allows you to apply updates to your website and test to make sure these do not break the site.

There are several additional plugins that can help you find out what broke your website.

6. Not updating plugins and themes


More than WordPress itself which is more solid are plugins and themes which carry the greatest risk. It is so common that major plugins for WordPress have security problems that it’s a joke now. A plugin or theme may be updated by one person or may have a team behind it.

There are no standards that tell you how fast a theme or plugin needs to be updated. WordPress does a good job of compatibility issues and letting you know when it was last updated but a bad plugin can fly under the radar. In defense of WordPress as soon as a plugin is not secure they will remove it from the WordPress plugin directory but if they sell the plugin via a third party website, then this may never happen.

The point of this being plugins need updates and need to be secure. If you find a plugin that has a history of known exploits then you should probably avoid it. Use changelogs and Google to make sure that your plugins are secure and working correctly.

7. Downloading malware plugins and themes

Similar to not updating your plugins and themes you have another side of the coin. Plugins which are hacked or often sold in bundles could have code included which allow hackers to spy on you. This is often the case with plugins that have a license cost attached to them that is expensive. 

When in doubt, always purchase licenses from the developer website of the plugin or theme. Otherwise you open yourself up to the chance that a plugin could contain malware or other code which comprises your website.

If you ever find that a recent downloaded plugin or theme throws errors through Wordfence or other security program, stop using it immediately and contact the plugin or theme author. If you are willing downloaded something that could be hacked then you took your chance as soon as you bought that plugin.

8. Not using a firewall

The average hacker is using sniffing bots to search the web and find websites which are not secure because of the things listed above. Another thing that can give a hacker permission to your site is not running a firewall.

A firewall is often included with any security plugin that you pick as part of a package. WordPress does not have a built-in firewall which is why you will need a third party solution which can be paid or free.

The firewall is another layer of security which will help filter out things like bad requests and other attacks. Sometimes a firewall works so well that it filters out good requests too and you most create rules to allow that software to run. The purpose being that a firewall provides you will an additional level of security; you need this even if you think you don’t.

9. Not Checking for hacking attempts

So many website owners will build a website and then completely forget that the website exists. If you don’t login to your website daily, then you risk someone launches a major attack on your site. 

I had this happen to a client of mine, when I logged into the WordPress dashboard he had over 2,000 login attempts from an attacker who had tried to figure out his password. I backed up the website and then started blocking IP addresses which the attacks came from.

Things like this is not something you will know of but make it a habit to login to your website at least weekly. Spend a few minutes looking at logs and make sure your site is secure from hackers. 

10. File Permissions

Now that we have talked about some things that your website may be short on, it’s important to focus on technical details which can also cause several problems. File permissions is one place that you may require a little more help on but if you talk to your web host, they should provide you with the help you need.

File permissions refers to what a user can do with that file and are broken up into digits which show things such as read, write and execute. Even if you are not familiar with these terms, it’s important that you understand how these file’s permissions work because they can affect single pages and also folders.

  • First digit: Is what the user can do with that file.
  • Second digit: Is what the group can do with that file.
  • Third digit: Is what the user account of everyone else (visitor) can do with that file.

The second group of numbers corresponds to what can be done with the file by that user.

  • 4 Read: Read the names of the files or folders.
  • 2 Write: Change files or folder’s contents.
  • 1 Execute: run a file or execute access to a file or folder.

As a general rule of thumb all WordPress files should be set to 644. All WordPress folders should be set to 755. There are plenty of tutorials that will tell you how to change these files by Googling them.

11. Not Backing up your Site

Not backing up your site is asking for your website to have a problem and you have zero solution to solve it. I recently ran into a problem with Elementor not playing nice with Adsense of all things. A quick look at my backups and I realized I had a huge issue, they were backing up daily instead of weekly. Which means I only had backups for days instead of last month.

That is not helpful when you need to go back in time by weeks instead of days. Not having a backup is really rolling dice and taking a chance with your website. You need to back up your website for not just general reasons but peace of mind that you have a way to return your site to its previous content should something happen.

12. Not using Two-Step Authentication


Two-step authentication is a requirement in the year 2019. This often allows you to use some kind of third party application which will give you a code to access your site. The code is often random and changes every few minutes which allows a level of security that isn’t found with longer passwords. 

Basically, even if someone can crack your super long 24 letter password, the two-step authentication adds yet another layer which makes it close to impossible to break into your site. Many popular security plugins such as WordFence allow you to add this to your WordPress website.

13. Use a unique Table Prefix

When you first start creating your website you are allowed to create a table name which by default is often WP. Hackers will target this table prefix in hopes of you being lazy and not changing. It’s recommend that you use a table name which is random or involves a different naming scheme that what is given by default.

Related Questions

So if I do all the things above will I be safe? The things listed above are things you are do to proactively stop attacks and keep your site secure but it’s not 100%. If a plugin gets exploited and you don’t update it quick enough and the developers don’t find it, then you can easily be targeted. These just increase you odds of staying safe.

What’s the best security plugin? While I am sure and we might end up diving into security plugins, I believe there is enough data that it really doesn’t matter. It’s likely picking a cell phone provider, they all provide security. You just may want better bells and whistles that some have over others. I enjoy WordFence and it’s my go to choice.

Conclusion about hacking WordPress

I hope this article has helped you discover some flaws in your website. While this list could easily be double or triple the length, I wanted to make a simple solution someone could use today. Some people like bullet points they can use to make sure their website is safe.

If you enjoy WordPress articles and tutorials we also do tutorials about page builders which is one of our primary topics on the blog. Comment down below about anything we missed and good luck stopping those hackers!

Patrick McCoy
Patrick McCoy

Patrick is a web designer with over 20 years experience in websites and design. He spends most of his days writing content and enjoys tinkering with anything web or design related. When he isn't work he is often watching a good movie.

Articles: 86