11 Top Reasons Why WordPress Sites Get Hacked (& How to Prevent It)

As a WordPress site owner, you know how important it is to keep your site secure. But did you know that WordPress sites are the most commonly hacked types of websites? A staggering 43% of all web attacks target WordPress, according to the latest Sucuri Hacked Website Threat Report.

Navi.

If your WordPress site does get hacked, it can result in a major headache – costing you an average of $2,518 per attack to fix (GoDaddy). Your site may get blacklisted by Google, defaced with spam content, or even used to spread malware to your unsuspecting visitors.

But here‘s the good news: the majority of WordPress site hacks are completely preventable by following some security best practices. In this in-depth guide, we‘ll dig into the top reasons why WordPress sites get hacked and show you exactly how to protect your site from becoming a victim.

Reason #1: Outdated WordPress Software

One of the most common reasons hackers are able to compromise WordPress sites is outdated software with known vulnerabilities. In fact, 49% of hacked WordPress sites were found to be running an outdated version of WordPress core at the time of compromise (Sucuri).

WordPress is open-source software maintained by a community of thousands of developers. They work diligently to find and patch vulnerabilities, releasing updates on a regular basis to fix security issues and add new features. But if you don‘t promptly update your WordPress site, those vulnerabilities will remain, leaving the door wide open for hackers.

Security vulnerabilities in WordPress core, plugins, and themes are published in the Common Vulnerabilities and Exposures (CVE) database. Hackers use automated scanners to find sites running outdated software with these known, unpatched vulnerabilities. A single vulnerability can allow a hacker to compromise countless outdated WordPress sites.

Here are a few recent examples of major WordPress plugin vulnerabilities:

PluginVulnerabilityAffected VersionsSites Impacted
File ManagerRemote Code Execution< 6.9700,000+
ThemeGrill Demo ImporterUnauthenticated Database Wipe< 1.6.3200,000+
Ninja FormsArbitrary File Upload< 3.4.341,000,000+
WP Product ReviewStored XSS< 5.3.840,000+

Source: WPScan Vulnerability Database

Fortunately, preventing your site from being hacked due to outdated software is easy. Just follow these simple tips:

  • Enable automatic updates for WordPress core, plugins, and themes (if your host offers it)
  • Use a plugin like Easy Updates Manager to manage and schedule automatic updates
  • Install a security plugin that alerts you to available updates and newly discovered vulnerabilities
  • Check your site regularly and promptly install any available updates

Reason #2: Weak or Compromised Passwords

Brute force attacks are the leading cause of WordPress site hacks, accounting for up to 70% of all attacks according to Wordfence. In a brute force attack, hackers use automated scripts to repeatedly guess different username and password combinations until they find one that works.

If you‘re using a short, simple password like "123456" or "password", your site can be hacked in seconds by a brute force attack. Passwords that contain dictionary words or previously exposed in data breaches are also easy targets for hackers.

To protect your WordPress site from brute force attacks, it‘s important to:

  • Use a strong, unique password with at least 12 characters, mixing uppercase, lowercase, numbers and special characters
  • Require strong passwords for all user accounts on your site
  • Enable two-factor authentication (2FA) for an extra layer of login protection
  • Limit the number of failed login attempts to block brute force attacks
  • Change your login page URL from the default /wp-admin/ and /wp-login.php
  • Use a password manager to securely generate and store complex passwords

According to the 2020 Verizon Data Breach Investigations Report, 80% of hacking-related breaches involved brute force attacks or lost/stolen credentials. Using strong passwords and 2FA can go a long way in preventing your WordPress site from falling victim to this common hack.

Reason #3: Insecure or Shared Hosting

While most people focus on on-site WordPress security, your hosting environment is just as critical. It doesn‘t matter how many security measures you take on your WordPress site if your hosting environment is insecure or compromised.

Shared hosting plans, while budget-friendly, are inherently less secure as your site shares resources with hundreds or even thousands of other sites. If one site on the shared server gets hacked, it can easily spread to infect all the neighboring sites too.

23% of hacked sites are on shared hosting according to Sucuri. Compared to other types of hosting, shared hosting accounts had:

  • 2x more outdated WordPress installations
  • 3x more configuration issues
  • 2x more supply chain attacks (breaches that originate from a compromised third-party service provider)

Besides shared hosting, other hosting-related factors that can lead to a hacked site include:

  • Insecure control panel software with unpatched vulnerabilities
  • Weak FTP/SSH passwords that give hackers server access
  • Lack of server-side malware scanning and intrusion detection
  • Outdated server software (PHP, Apache, MySQL, etc.)
  • Improper file permissions allowing any user to modify files

To keep your hosting environment secure, choose a reputable managed WordPress host that takes a proactive, multi-layered approach to security. Managed WordPress hosts handle core updates, daily backups, malware scanning, and other security essentials for you.

At a minimum, make sure your web host:

  • Uses the latest versions of server software with prompt security patching
  • Offers SSH instead of FTP for more secure file transfers
  • Provides server-side malware scanning and firewalls
  • Has 24/7 security monitoring and incident response
  • Performs frequent backups stored in a remote location

Reason #4: No SSL/HTTPS Encryption

SSL (Secure Sockets Layer) creates an encrypted link between the visitor‘s web browser and your website. This protects data transmitted between the two, like login credentials or payment details, from being intercepted by hackers.

Enabling SSL and HTTPS (secure HTTP) on your WordPress site is a must for both security and SEO reasons. Search engines like Google now flag sites without SSL as "not secure" and give ranking boosts to HTTPS sites.

But according to a recent HTTPArchive survey, over 90% of WordPress sites don‘t have proper HTTPS enforced across the entire site. Reasons cited for not enabling SSL include the costs, technical challenges, and potential site speed impacts.

The risks of not securing your site with SSL include:

  • Hackers stealing login credentials and other sensitive user data
  • Getting flagged as "not secure" in browsers, eroding visitor trust
  • Losing organic search traffic and rankings to HTTPS competitors
  • Not qualifying for security badges and trust seals that boost conversions
  • Inability to use newer browser features that require secure contexts

Many web hosts now offer free SSL certificates through Let‘s Encrypt, making it easier than ever to switch your WordPress site to HTTPS. Follow our step-by-step WordPress HTTPS migration guide to configure SSL on your site.

Reason #5: No WordPress Security Plugin

WordPress security plugins handle a lot of the heavy lifting when it comes to protecting your site from hackers. But according to a survey by CodeinWP, only 52% of WordPress sites use a security plugin.

WordPress security plugins offer features like:

  • Web application firewall (WAF) protection against common threats
  • Malware scanning and automatic removal
  • Brute force attack protection and login security controls
  • Security hardening and configuration guides
  • Real-time alerts for suspicious activity and file changes

Popular free and paid WordPress security plugins include:

PluginActive InstallsNotable Features
Wordfence4+ millionEndpoint firewall, live traffic monitoring, login security
Sucuri Security800,000+Website firewall, malware scanning, security hardening
iThemes Security1+ millionTwo-factor authentication, password expiration, user logging
All In One WP Security & Firewall1+ millionBlacklist management, file change detection, DB backups
Jetpack5+ millionBrute force attack protection, downtime monitoring, spam filtering

Of course, installing a WordPress security plugin won‘t make your site hack-proof. But it will add an extra layer of protection and make it much harder for hackers to exploit common vulnerabilities.

When choosing a WordPress security plugin, look for one that:

  • Is actively maintained and receives regular updates
  • Offers real-time protection against current threats
  • Provides multiple layers of security (prevention, detection, recovery)
  • Has good reviews and a large install base
  • Includes comprehensive documentation and support

Reason #6: Lack of Security Hardening

Security hardening is the process of configuring your WordPress site and server for optimal security. It involves disabling unnecessary features, restricting access, and following security best practices to reduce the risk of a hack.

According to the WPScan Vulnerability Database, 73.2% of the most popular WordPress installations have at least one vulnerability. Many of these issues can be prevented with simple security hardening measures.

Some key security hardening best practices include:

  • Disabling the file editor in WordPress to prevent unwanted file modifications
  • Limiting or disabling PHP file execution in untrusted directories like /uploads/
  • Enabling automatic updates for WordPress core, plugins and themes
  • Setting proper file and directory permissions (755 for folders, 644 for files)
  • Disabling XML-RPC if not needed to prevent brute force amplification attacks
  • Implementing HTTP security headers like Content Security Policy and XSS Protection
  • Adding two-factor authentication for WordPress admin and hosting control panel access
  • Blocking access to license.txt, wp-config.php, install.php and other sensitive files

WordPress security plugins like iThemes Security and Sucuri offer guided wizards to implement many of these security hardening measures. Manual guides are also available, such as the WordPress Security Checklist by Kinsta.

Reason #7: Nulled or Compromised Themes/Plugins

We all love getting premium themes and plugins for free. But so-called "nulled" plugins and themes – pirated or cracked versions of paid themes and plugins – often contain backdoors that give hackers easy access to your site.

Malicious code was found in 47 nulled WordPress themes and plugins installed on over 24,000 sites according to a 2019 report by Avast. The malicious plugins were used to redirect visitors to spam sites, inject unwanted ads and affiliate links, and add the hacked sites to botnets.

Nulled plugins and themes may also contain vulnerabilities that were patched in later versions of the official software. Hackers exploit these vulnerabilities to compromise outdated versions still used on thousands of WordPress sites.

To stay safe, avoid using nulled WordPress plugins and themes, no matter how tempting the cost savings. Only download themes and plugins from reputable sources like the official WordPress.org directories or directly from the theme/plugin developer‘s site.

Also be wary of plugins that haven‘t been updated in a long time, have very few active installs, or aren‘t compatible with the latest version of WordPress. These plugins may contain unpatched vulnerabilities that put your site at risk.

Wrapping Up

WordPress security is an ongoing battle, but it‘s one you can win by staying vigilant and following security best practices. While no website is 100% hack-proof, taking a proactive, layered approach to security can greatly reduce your risk of becoming the next hacked site statistic.

To recap, the top reasons WordPress sites get hacked include:

  1. Outdated WordPress core, plugins and themes
  2. Weak or compromised passwords
  3. Insecure or shared hosting environments
  4. Lack of SSL/HTTPS encryption
  5. Not using a WordPress security plugin
  6. Failure to implement security hardening measures
  7. Using nulled or compromised themes and plugins

By keeping your WordPress site updated, using strong passwords and two-factor authentication, choosing a secure hosting provider, and implementing a security plugin and hardening measures, you can stop hackers in their tracks.

Staying on top of the latest WordPress security threats and learning from others‘ mistakes is also key. Subscribe to WordPress security blogs, join webinars, and follow experts to expand your knowledge.

If your WordPress site does get hacked, don‘t panic. Isolate the hacked site and hire a professional WordPress security service to perform malware removal and post-hack cleanup if needed. Then work to implement stronger security measures to prevent a repeat incident.

Remember, your WordPress site is a valuable asset – treat it like one by investing in security. By taking WordPress security seriously, you‘ll protect your site, your users, your reputation and your bottom line.

Did you like this post?

Click on a star to rate it!

Average rating 0 / 5. Vote count: 0

No votes so far! Be the first to rate this post.

The Ultimate Guide to Connecting AWeber to Your WordPress Site (2023)
How Fast PHP & MySQL Can Boost Website Speed (Beginner‘s Guide)
JavaScript: The Powerhouse Fueling Interactive WordPress Experiences
How to Add Advanced Gift Cards in WooCommerce (Easy Way)
The Ultimate Guide to Fixing the WordPress 500 Internal Server Error (2023)
The Ultimate Guide to Adding a Favicon to Your WordPress Blog
How to Add Amazon Ads to Your WordPress Site (3 Methods)
How to Create a Custom Archives Page in WordPress