11 Top Reasons Why WordPress Sites Get Hacked (and How to Prevent it)
Recently, one of our readers asked us why do WordPress sites get hacked? It is frustrating to find out that your WordPress site has been hacked. In this article, we will share the top reasons why WordPress site gets hacked, so you can avoid these mistakes and protect your site.
Why is WordPress Targeted by Hackers?
First, it is not just WordPress. All websites on the internet are vulnerable to hacking attempts.
The reason why WordPress sites are a common target is because WordPress is world’s most popular website builder. It powers over 31% of all websites meaning hundreds of millions of websites across the globe.
This immense popularity gives hackers an easy way to find websites that are less secure, so they can exploit it.
Hackers have different kind of motives to hack a website. Some are beginners who are just learning to exploit less secure sites.
Some hackers have malicious intents like distributing malware, using a site to attack other websites, or spamming the internet.
With that said, let’s take a look at some of the top causes of WordPress sites getting hacked, and how to prevent your website from getting hacked.
1. Insecure Web Hosting
Like all websites, WordPress sites are hosted on a web server. Some hosting companies do not properly secure their hosting platform. This makes all websites hosted on their servers vulnerable to hacking attempts.
This can be easily avoided by choosing the best WordPress hosting provider for your website. It ensures that your site is hosted on a safe platform. Properly secure servers can block many of the most common attacks on WordPress sites.
If you want to take extra pre-caution, then we recommend using a managed WordPress hosting provider.
2. Using Weak Passwords
Passwords are the keys to your WordPress site. You need to make sure that you’re using a strong unique password for each of the following accounts because they can all provide a hacker complete access to your website.
- Your WordPress admin account
- Web hosting control panel account
- FTP accounts
- MySQL database used for your WordPress site
- Email accounts used for WordPress admin or hosting account
All these accounts are protected by passwords. Using weak passwords makes it easier for hackers to crack the passwords using some basic hacking tools.
You can easily avoid this by using unique and strong passwords for each account. See our guide on the best way to manage passwords for WordPress beginners to learn how to manage all those strong passwords.
3. Unprotected Access to WordPress Admin (wp-admin Directory)
The WordPress admin area gives a user access to perform different actions on your WordPress site. It is also the most commonly attacked area of a WordPress site.
Leaving it unprotected allows hackers to try different approaches to crack your website. You can make it difficult for them by adding layers of authentication to your WordPress admin directory.
First you should password protect your WordPress admin area. This adds an extra security layer, and anyone trying to access WordPress admin will have to provide an extra password.
If you run a multi-author or multi-user WordPress site, then you can enforce strong passwords for all users on your site. You can also add two factor authentication to make it even more difficult for hackers to enter your WordPress admin area.
4. Incorrect File Permissions
File permissions are a set of rules used by your web server. These permissions help your web server control access to files on your site. Incorrect file permissions can give a hacker access to write and change these files.
All your WordPress files should have 644 value as file permission. All folders on your WordPress site should have 755 as their file permission.
See our guide on how to fix image upload issue in WordPress to learn how to apply these file permissions.
5. Not Updating WordPress
Some WordPress users are afraid of updating their WordPress sites. They fear that doing so would break their website.
Each new version of WordPress fixes bugs and security vulnerabilities. If you’re not updating WordPress, then you are intentionally leaving your site vulnerable.
If you are afraid that an update will break your website, then you can create a complete WordPress backup before running an update. This way, if something doesn’t work, then you can easily revert back to previous version.
6. Not Updating Plugins or Theme
Just like the core WordPress software, updating your theme and plugins is equally important. Using an outdated plugin or theme can make your site vulnerable.
Security flaws and bugs are often discovered in WordPress plugins and themes. Usually, theme and plugin authors are quick to fix them up. However, if a user does not update their theme or plugin, then there is nothing they can do about it.
Make sure you keep your WordPress theme and plugins up to date.
7. Using Plain FTP instead of SFTP/SSH
FTP accounts are used to upload files to your web server using an FTP client. Most hosting providers support FTP connections using different protocols. You can connect using plain FTP, SFTP, or SSH.
When you connect to your site using plain FTP, your password is sent to the server unencrypted. It can be spied upon and easily stolen. Instead of using FTP, you should always use SFTP or SSH.
You wouldn’t need to change your FTP client. Most FTP clients can connect to your website on SFTP as well as SSH. You just need to change the protocol to ‘SFTP – SSH’ when connecting to your website.
8. Using Admin as WordPress Username
Using ‘admin’ as your WordPress username is not recommended. If your administrator username is admin, then you should immediately change that to a different username.
For detailed instructions check out our tutorial on how to change your WordPress username.
9. Nulled Themes and Plugins
There are many websites on the internet that distribute paid WordPress plugins and themes for free. Sometimes it’s easy to get tempted to use those nulled plugins and themes on your site.
Downloading WordPress themes and plugins from unreliable sources is very dangerous. Not only they can compromise the security of your website, but they can also be used to steal sensitive information.
You should always download WordPress plugins and themes from reliable sources such as the plugin/theme developers website or official WordPress repositories.
If you cannot afford or don’t want to buy a premium plugin or theme, then there are always free alternatives available for those products. These free plugins may not be as good as their paid counterparts, but they will get the job done and most importantly keep your website safe.
You can also find discounts for many of the popular WordPress products in the deals section on our website.
10. Not Securing WordPress Configuration wp-config.php File
WordPress configuration file wp-config.php contains your WordPress database login credentials. If it is compromised, then it will reveal information that could give a hacker complete access to your website.
You can add an extra layer of protection by denying access to wp-config file using .htaccess. Simply add this little code to your .htaccess file.
<files wp-config.php> order allow,deny deny from all </files>
11. Not Changing WordPress Table Prefix
Many experts recommend that you should change the default WordPress table prefix. By default, WordPress uses wp_ as a prefix for the tables it creates in your database. You get an option to change it during the installation.
It is recommended that you use a prefix that is a little more complicated. This will make it harder for hackers to guess your database table names.
For detailed instructions, see our guide on how to change the WordPress database prefix to improve security.
Cleaning up a Hacked WordPress Site
Cleaning up a hacked WordPress site can be really painful. However, it can be done.
Here are some resources to get you started on cleaning up a hacked WordPress site:
- Beginner’s guide to fixing your hacked WordPress site
- How to scan your WordPress site for potentially malicious code
- how to find a backdoor in a hacked WordPress site and fix it
- What to do when you are locked out of WordPress admin (wp-admin)
- Beginner’s guide: how to restore WordPress from backup
For rock solid security, we use Sucuri on all our WordPress sites. Sucuri provides malware detection and removal services as well as a website firewall that will protect your website against the most common threats.
We hope this article helped you learn the top reasons why WordPress site gets hacked. You may also want to see our ultimate WordPress security guide to protect your WordPress site.