Why WordPress Sites Get Hacked and How to Prevent It

Last updated - July 8, 2021

WordPress is a popular Content Management System (CMS), used for creating websites or blogs. One of the things that make WordPress so popular is how simple it is—users can use WordPress to easily create, modify, and manage content on their websites with no coding experience. This drives many companies and individuals to use WordPress to build their site. 

A recent report by W3techs says that WordPress is used in 34.5% of all websites. That means every third website you use, was built with WordPress. Among CMS solutions, the market share of WordPress is even higher, with more than 60% of all websites running on WordPress. Joomla takes second place, but by a huge margin—it is used by 5-10% of the number of sites.

Why WordPress sites get hacked?

Even though they may not be more vulnerable to attacks than any other website on the internet, WordPress sites are more likely to get hacked because they are much more common. Given the enormous popularity of WordPress, attackers have more incentive to try and find ways to exploit vulnerabilities found in these sites. 

When attackers do find a vulnerability in WordPress, they have a lot more targets than almost any other system on the Internet. Additionally, as WordPress attracts many users with no experience in coding, they are much less likely to take the necessary measures to secure their websites from vulnerabilities that attackers can exploit. Another reason why WordPress sites get hacked is for “sport” and practice. Many beginners try to find sites with weaker security to practice their hacking skills and find ways to improve.

7 Ways WordPress Websites Get Hacked and How to Prevent It

You need to understand some of the common reasons for WordPress sites getting hacked and accordingly take precautions.

Weak passwords

Your passwords act as the keys to your WordPress website, which means you have to ensure they are strong enough to protect it. Studies show that around 80% of all data breaches occur because of weak passwords.

How to fix: Fixing this vulnerability is straightforward━use a strong password. You can also use a third-party password manager, such as LastPass, for example. 

Not changing your WordPress username

When you open your WordPress account, your username is ‘admin’, and everyone knows this. For this reason, this is the first username that threat actors will try when they try to hack your website. This account offers root privileges, and can be used to trash your site, access connected networks, and steal or delete or ransom data. 

How to fix: If your username is admin, change it as soon as possible to a different username.

Insecure web hosting

WordPress websites are hosted on servers like all other websites. Choosing the right provider is key to securing your website. Even if you implement all the other tips mentioned in this guide, if your provider offers weak protection, your website could still get hacked.

How to fix: Choose the best WordPress hosting provider within your budget, and ensure your website is hosted on a secure platform.

learn WordPress and WooCommerce
Kinsta offers managed WordPress hosting and a great resource to learn WordPress and WooCommerce.

Incorrect file permissions

File permissions are rules used by your hosting server to help your web server control access to the files stored and used by your website. Giving these files incorrect permissions might allow hackers to access and modify your files, which can lead to all sorts of problems for your website.

How to fix: Ensure that all your WordPress files are set to value permission of 644 and all your folders are set to 755.

Weak security against common cyber threats

Even if you have the strongest passwords and use the most secure host, you are still vulnerable to cyber attacks. SQL injections, for example, are a common attack used for infecting websites with malware. 

How to fix: Learn about the most common threats, and how to secure your website against these threats. A good place to start is the OWASP (Open Web Application Security Project) top 10━a list that details the 10 most pressing vulnerabilities. OWASP also provides educational resources, which you can use to improve your cyber security practices. 

Using outdated WordPress versions

Some WordPress users are afraid of updating their websites to the latest version of WordPress, because it might cause errors to their website. However, avoiding updates is a serious issue, as many of these updates are released to patch security holes.

How to fix: You should always update to the latest version to make sure you get the latest bug fixes and security patches. If you are afraid the update might mess up your website, creating a complete WordPress backup is always a good practice, especially before version updates. 

Using dated themes or plugins

WordPress themes and plugins are not so different from the core software they run, and keeping them updated is equally important━outdated versions might be exposed to vulnerabilities.

How to fix: Ensure that you have the most updated versions of all your themes and plugins.

Wrap Up

WordPress websites get hacked all the time. This is a fact, and needs to be addressed as such. E-commerce websites are especially vulnerable to attacks, because they offer more rewards than a regular site. A successful e-commerce platform that processes many transactions often stores sensitive information. 

If a website is breached, attackers could steal the information. This will put the website in a bad situation, especially if the website is serving users related to the European Union. This information is protected by the General Data Protection Regulation (EU GDPR), which protects the sensitive information of “all individual citizens of the European Union and the European Economic Area.” Non-compliance with GDPR may lead to financial and reputational losses.

Another compliance entity to keep in mind is the Payment Card Industry Data Security Standard (PCI DSS), which protects the sensitive and financial information of credit cardholders. PCI applies to any merchant that processes, stores, transmits, and comes into contact with credit card data. That means e-commerce platforms must comply with PCI. The PCI is maintained and regulated by major credit card companies, which enforce compliance by means of fines.


Please enter your comment!
Please enter your name here