One of the most frustrating and stressful situations you could ever run into as a WordPress site owner is finding out that your site has been hacked. One minute your site is humming along, bringing in traffic and, hopefully, revenue. And then, next thing you know, you discover something is very wrong with your WordPress site.
Unfortunately, the reality that your WordPress site could be hacked needs to be dealt with as efficiently and effectively as possible to make sure it never happens. Because if you find yourself facing a hacked website, you’ll probably be asking yourself why your site, in particular, was the target of a malicious attack and how to get it back as quickly as possible.
WordPress hacks come in many forms, shapes, and sizes. This means, as WordPress site owners, it’s important to know all of the common reasons why WordPress sites can be successfully hacked. In this guide, we’ll discuss the common reasons WordPress sites get hacked along with simple steps you can take to secure your site.
Why Do Hackers Target WordPress Sites?
First, it’s important to understand that hackers aren’t only coming after sites that are built on the WordPress CMS (content management system) platform. In fact, it’s safe to say that every site on the Internet, whether built with WordPress or not, has its own vulnerabilities and is open to the potential for hacking and other malicious attacks.
However, WordPress websites are the most common hacking target for one simple reason: WordPress is far and away the most used website building tool in the world. In fact, WordPress is currently powering 40% of all known websites.
This means that there are hundreds of millions of WordPress-powered websites currently flooding the Internet. The immense popularity of the WordPress platform gives hackers with evil intent a simple way to locate websites that lack proper security protocols, then exploit them for their own gain.
Hackers tend to have various different motives when they decide to hack into websites. Some hackers are just learning “the trade” and target websites that are the least secure and most vulnerable. Other hackers approach their efforts with highly malicious intent, such as distributing WordPress malware on your site or using your site to attack other unsuspecting websites.
Still other hackers use their efforts to spam unwanted information all over the Internet. Most of us have seen these kinds of spam messages in blog comment sections, or in our email boxes after a successful hack has exploited a site’s user email list.
By being able to get a hold of sensitive and private information, hackers can then sell it for an income or even hold the data ransom, essentially making people pay to get their information back in safe hands.
So, what’s the primary motivation of hackers? To create cash flow for themselves. The internet is a lucrative place that offers all walks of life the opportunity to generate a living wage. However, that doesn’t mean everybody goes about this in a legal, moralistic manner. A multitude of hackers are making high profits off of even the smallest website.
Money is all the motivation they need, but some enjoy the feeling of power they get when they successfully breach a website, but the vast majority are in the business solely for the cash.
What is a WordPress Vulnerability?
A WordPress vulnerability is a weakness or flaw in a theme, plugin, or WordPress core that can be exploited by a hacker. In other words, WordPress vulnerabilities create a point of entry that a hacker can use to pull off malicious activity.
Keep in mind that website hacking is almost all automated. Because of this, hackers can easily break into a large number of websites in virtually no time at all. Hackers use special tools that scan the internet, looking for known vulnerabilities.
Hackers like easy targets, and having a website that is running software with known vulnerabilities is like handing a hacker the step-by-step instructions to break into your WordPress website, server, computer, or any other internet-connected device.
Our weekly WordPress Vulnerability Report covers all of the publicly disclosed WordPress core, WordPress plugin, and WordPress theme vulnerabilities. In these roundups, we share the name of the vulnerable plugin or theme, the affected versions, and the vulnerability type.
Common Methods Used to Hack into WordPress Websites
Hackers use vulnerable entry points to gain access to websites. These entry points include weak hosting servers, backdoors and even the WordPress login page via brute force attacks.
- Backdoors – Hackers can also create a backdoor entry to your WordPress site. This means they create an entry point without needing to go through the standard WordPress login page. There are various ways to create a backdoor entry to gain unauthorized access to a WordPress site.
- Brute force attacks – This form of attack exploits the simplest method of gaining access to a site: by trying to guess usernames and passwords, over and over again, until they’re successful. WordPress sites are especially susceptible to brute force attacks by default because the system allows unlimited login attempts.
- Cross-site scripting – Cross-site scripting (XSS) is a type of malware attack that’s executed by exploiting cross-site vulnerabilities on any WordPress site. In fact, it’s the most common way for WordPress sites to be hacked because there are so many WordPress plugins that have XSS vulnerabilities.
- Remote code execution – The term remote code execution (RCE) refers to several different hacking techniques and cyberattacks, but they all have one major thing in common. RCE, sometimes referred to as code injection, is an increasingly common way for hackers to compromise websites of all kinds, including sites that run WordPress as their content management system.
- SQL injections – An SQL injection (SQLi) is an attack that allows a hacker to take advantage of a vulnerable SQL query to run their own query. SQL injections occur when an attacker is able to run their own SQL on a server.
Why Do WordPress Sites Get Hacked?
Several common reasons exist for why WordPress websites get hacked. Let’s upack each of them.
1. Poor-Quality Hosting
Not all web hosts are created equal and choosing one solely on price can end up costing you way more in the long run with security issues. Most shared hosting environments are secure, but some do not properly separate users accounts.
Your host should be vigilant about applying the latest security patches and following other important hosting security best practices related to server and file security.
Just like with every other website in the world, sites running on the WordPress platform are all hosted on web servers. There are some hosting companies you may come across that don’t properly, or fully, secure their platform from malicious attacks.
If your site is hosted with an insecure hosting company, not only is your site open to the potential of hacks, but so is every other site hosted on their servers.
Choosing a quality WordPress hosting provider will help ensure that your website is safe and not open to hacking attempts that are out of your control. In fact, a server that has been properly secured will be able to block a lot of the most common WordPress hacking attempts before they ever become visible to you.
To get as much protection from hacks as you can get from your hosting provider, you may want to consider using a provider that offers a reliable Managed WordPress hosting plan.
Choose a reputable host for your website with a solid security record. Finding WordPress hosting that you can trust is the first of the WordPress security vulnerabilities you should try to mitigate.
2. Weak Passwords
Weak passwords are a hacker’s dream come true. That’s why secure passwords are one of the biggest keys to keeping your WordPress site free of hacking success.
It’s critically important that you use very unique and strong passwords for each of the accounts below. Any one of them could allow a hacker with bad intentions to gain access to your site and cause harm to your reputation and brand:
- Any and all WordPress administrator accounts
- Your website hosting control panel, or cPanel, account
- All FTP accounts
- The WordPress database that’s used to power your website
- All email accounts that are used for your hosting account or WordPress admin
Every single one of these key accounts is password-protected and needs to have a unique and unbreakable password applied.
When you use weak passwords that can easily be guessed, it makes it quite simple for malicious hackers to crack your passwords wide open using very basic hacking tools available to almost everybody with an Internet connection.
This major problem can be easily avoided simply by using strong passwords that are completely unique for each one of these account logins.
If you don’t already have one, consider installing a reliable password manager that can help you keep all of your passwords up-to-date without needing to write them all down in a notebook. Of course, if you’re struggling to come up with strong and unique passwords, you can also use a built-in strong password generator or Google the term “unbreakable password generator” to find various free online tools that can help you out.
Keep in mind that your WordPress login is the most commonly attacked WordPress security vulnerability because it provides the easiest access to your site’s admin page. Brute force attacks are the most common method of exploiting your WordPress login.
A brute force attack is an attempt to correctly guess username and password combinations to gain access to the backend of your WordPress site. Brute force attacks can be effective because WordPress doesn’t limit the number of login attempts someone can make.
You can strengthen the security of your WordPress login by using a WordPress security plugin like iThemes Security Pro to limit the number of login attempts. Limiting login attempts is just the first step in WordPress brute force protection.
Being mindful of your WordPress password security is also essential in securing your WordPress login, and this is why you should use a password manager to generate random strong passwords and securely store them. Forcing every WordPress user on your site to use a strong password will greatly decrease the effectiveness of a brute force attack.
3. Not Updating WordPress Core, Themes & Plugins
When your WordPress site is running outdated versions of plugins, themes or WordPress, you run the risk of having known exploits on your site. Updates are not just for new features or bug fixes; they can also include security patches for known exploits. Even though this is the easiest of the WordPress security vulnerabilities to prevent, most successful hacks use exploits that are found in outdated software.
There’s a strange fear in the world of WordPress development among many site owners. For some reason, a lot of WordPress users are afraid to update their sites to the most current version of WordPress. The fear, it seems, is that in running an update to WordPress core they run the risk of breaking their sites and losing all of their work.
The reality is that every new WordPress version is designed to fix bugs and further secure you from vulnerabilities and the potential for hacks. In fact, if you haven’t been keeping your WordPress software fully updated, you’re actually leaving your site far more vulnerable to trouble than you are by avoiding the updates.
If you have a fear that running an update will cause harm to your site or break it completely, it’s important to run a WordPress backup plugin that can instantly restore your site if the worst possible situation happens.
BackupBuddy is one of the best, and easiest, solutions for keeping your WordPress site fully backed up at all times. If anything goes wrong or your site breaks for any reason, you can quickly bring back the previous version and start over.
You can automate updates on your site Using the iThemes Security Pro WordPress version management feature. Automating your updates ensures you get the critical security patches that protect your site against WordPress security vulnerabilities and as a bonus, it reduces the amount of time you spend maintaining your WordPress site.
In a similar way as we just discussed with keeping your WordPress core software constantly updated to the current version, the same holds true for the themes and plugins that you’re running on your site.
In fact, keeping themes and plugins fully updated is equally important as updating WordPress. If you’re using a theme or plugin that’s outdated from current WordPress security fixes, your entire site is more vulnerable to malicious hacking attempts.
Security bugs and flaws are discovered in themes and plugins on a daily basis. Typically, the authors of the themes and plugins you use quickly release these fixes and make them available to you. However, if you choose not to update the software when you’re alerted that a change has been made available, there’s not a lot the developers can do for you.
It’s important to keep all of your WordPress plugins and themes up-to-date at all times. And again, if you’re worried that an update could cause an internal conflict and break your site, BackupBuddy has you fully covered.
4. Not Using Two-Factor Authentication
In addition to using strong passwords, adding WordPress two-factor authentication is one of the best methods to secure your site’s logins. Two-factor authentication requires users to use an authentication token in addition to their username and password to login to WordPress.
Even if a correct username and password are phished directly from a user’s email, the malicious login attempt can still be prevented if the user is using the mobile application to receive their authentication token. Two-factor authentication adds an incredibly strong layer of security to your WordPress site, and can easily be added using a plugin like iThemes Security.
In fact, recent research from Google confirms using two-factor authentication can stop 100% of automated bot attacks. I like those odds. iThemes Security Pro makes it easy to add two-factor authentication to WordPress websites.
5. Installing Software From Untrusted Sources
A quick Google search will uncover dozens of websites throughout the web that try to distribute premium or paid WordPress themes and plugins completely free of charge. Of course, it’s easy to be tempted to download and install those free “nulled” themes and plugins on your site to save some money.
But downloading plugins and themes from these highly unreliable sources is extremely dangerous to the health of your site. Not only will they likely compromise your site security, but they can easily be used by hackers to steal highly sensitive information.
Remember to only download themes and plugins from those most reliable sources, such as directly from the developers who created them or from the official WordPress repository.
If you’re not able to afford the cost of a premium product or simply don’t want to buy one, there are thousands of free and reliable themes and plugins that you can choose from. While the free versions may not pack as much of a punch as the paid versions, they can still help you accomplish what you want to do and keep your site safe from attack.
You may even be able to find discount codes on some popular (and safe) paid themes and plugins if you take a little time to look.
Only install WordPress plugins and themes from trusted sources. You should only install software that you get from WordPress.org, well-known commercial repositories or directly from reputable developers. You will want to avoid “nulled” version of commercial plugins because they can contain malicious code. It doesn’t matter how you lock down your WordPress site if you are the one installing malware.
If the WordPress plugin or theme isn’t being distributed on the developer’s website, you will want to do your due diligence before downloading the plugin. Reach out to the developers to see if they are in any way affiliated with the website that is offering their product at a free or discounted price.
In addition, avoid using abandoned WordPress plugins. If any plugin installed on your WordPress site has not received an update in six months or longer, you may want to make sure it hasn’t been abandoned. A plugin not having any recent updates doesn’t necessarily mean it has been abandoned, it could just mean it is feature complete and will only receive updates to ensure compatibility with the latest versions of WordPress and PHP.
Bonus: Running a Non-SSL Website
When someone visits your WordPress site, a line of communication between their device and your server begins. The communication isn’t a direct line, and the information passed between the visitor and your server makes several stops before being delivered to its final destination.
To better understand how encryption works, consider how your online purchases get delivered. If you’ve ever tracked delivery status, you have seen that your order made several stops before arriving at your home. If the seller didn’t properly package your purchase, it would be easy for people to see what you purchased.
When a visitor logs into your WordPress site and enters payment information, this information isn’t encrypted by default. So just like your unpackaged purchase, there is an opportunity for the login credentials and credit card details to be discovered at every stop between the visitor’s computer and your server.
Luckily, unencrypted communication is one of the easiest WordPress security vulnerabilities to mitigate. Adding an SSL certificate to your is a great way to encrypt and package the communication on your site to ensure that only the intended recipients can view the sensitive information being shared. Your host may provide a service to add an SSL certificate to your WordPress site or you can add the SSL certificate on your own.
If you decide to go the do-it-yourself route, I would recommend using certbot. Certbot makes it very easy to add a Let’s Encrypt certificate to your site as well as set it up to automatically renew your SSL certificate. You can also check out our WordPress HTTPS training to learn how to add an SSL certificate to your website.
5 Quick Tips to Protect and Secure Your Website
Knowing how dangerous it can be if your website is compromised can be the catalyst you need to start implementing your WordPress security strategy. Here are 5 tips to get you started.
- Update Everything – Updates aren’t just for cool new features and bug fixes. Plugin and them updates can include critical security patches for known vulnerabilities. Keep your site safe and updated.
- Use Two-Factor Authentication – In this blog post, New research: How effective is basic account hygiene at preventing hijacking, Google stated that using two-factor authentication can stop 100% of automated bot attacks. I like those odds. iThemes Security Pro makes it easy to add two-factor authentication to WordPress websites.
- Refuse Compromised Passwords – A data breach is typically a list of usernames, passwords, and often other personal data that was exposed after a site was compromised. Refusing to let your website’s users use passwords that have been known to be compromised can drastically increase the security of your site. You can easily refuse compromised passwords using iThemes Security Pro.
- Install Software From Trusted Sources – You should only install software that you get from WordPress.org, well known commercial repositories, or directly from reputable developers. You will want to avoid “nulled” versions of commercial plugins because they can contain malicious code. It doesn’t matter how you lock down your WordPress site if you are the one installing malware.
- Add WordPress Security Logging – WordPress security logs provide detailed data and insights about activity on your WordPress website. If you know what to look for in your logs, you can quickly identify and stop malicious behavior on your site. Learn how to add WordPress security logs to your website.
Protect Your Site Against the Top Reasons Why WordPress Sites Get Hacked
While WordPress vulnerabilities are scary, the good news is that most WordPress vulnerabilities are discovered and patched before bad guys have a chance to exploit them. You can help to protect your website against vulnerabilities by keeping WordPress core and your plugin and themes updated is the best way to ensure you are receiving the latest security patches.
For the most rock-solid site security you’ll find in a WordPress plugin, try using the powerful WordPress security plugin like iThemes Security Pro.
iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
Get iThemes Security Pro now
Each week, Michael puts together the WordPress Vulnerability Report to help keep your sites safe. As Product Manager at iThemes, he helps us continue to improve the iThemes product lineup. He’s a giant nerd & loves learning about all things tech, old & new. You can find Michael hanging out with his wife & daughter, reading or listening to music when not working.