How WordPress Sites Get Hacked (Solved)

Is your WordPress site getting hacked all the time? Here are the top reasons it happens and what to do to secure and fix your site.

Having your WordPress site hacked once feels like being run over by a truck.

When your site gets hacked multiple times it feels as if the truck driver is putting that truck into reverse to have another go.

Why Do WordPress Sites Get Hacked?

WordPress is the most popular CMS and powers over 33% of all websites.

This market share makes WordPress a huge glowing bullseye for wannabe hackers to target.


Most new site owners don’t invest time in regularly updating and taking care of their sites.

Backups are usually an afterthought.

With bugs and vulnerabilities in old versions of WordPress core, themes and plugins widely documented, an out-of-date site is easily compromised.

Why Do Hackers Want My Website?

There are a number of reasons that a hacker might want to compromise your website.


However, the vast majority of attacks on WordPress sites are automated by botnets, programmed to look for known vulnerabilities or simply to brute-force password guesses.

Once a website has been breached, a hacker can:

  • steal customer information and sell it
  • add clickbait to generate revenue from clicks
  • load up malware to infect your customers’ machines
  • redirect to another site (drugs or porn usually)
  • use the server resources to become part of the botnet to attack other sites
  • install cryptocurrency miners and use your customers’ machine resources to generate money for the hackers

The opportunities are endless and with the exception of getting access to your customer base, a website hack is usually impersonal.

How Do WordPress Sites Get Hacked?

According to a 2016 infographic by WP Template, the most common ways that sites are hacked are as follows:

  • 41% get hacked through vulnerabilities in their hosting platform
  • 29% by means of an insecure theme
  • 22% via a vulnerable plugin
  • 8% because of weak passwords

You can see that the majority of hacks, 51%, come from not updating themes and plugins.

Forty-one percent come from choosing a bad hosting provider and 8% from poor passwords.

How Not to Get Your Site Hacked in the First Place

Let’s look at the issues.

Keeping Your Site Updated

I cannot stress how important it is to perform regular updates of WordPress core, themes and plugins.

Regular is a relative word. I mean at least weekly.

Yes, you heard me right!

Weekly updates ensure that you are running the most current versions, which contain the necessary security patches.

If you are running a complex site, or just as best practice, apply the updates first to a copy of your website on a staging server to work out any issues, before applying them to the live site.

Make sure to remove or at the very least update themes and plugins that are deactivated.

Even though a theme or plugin is deactivated, its files can still be requested directly through your website, so any known vulnerability in them remains exploitable!

Regular WordPress site care is critical to keep your site updated with security patches to stop the hackers getting control of your site.

Choose a Good Hosting Provider

This can be a difficult choice especially when you ask others for their opinions.

You can be assured that somebody will have had a bad experience with pretty much every hosting provider at some point for some reason.

From my experience you get what you pay for.

If you are paying USD $5 per month for a hosting platform, then expect $5 worth of security, investment and support.

In general, I have found WordPress managed hosting providers such as WP Engine, Flywheel, Kinsta and Conetix very good to work with, and I have not had any security issues with their platforms.

Again, just from my experience, Siteground have been hit and miss for their WordPress support but I have had no security issues with their platform.

If you can afford it, please stay away from shared hosting plans.

Shared hosting crams as many as 200 sites on the same server.

If just one of those sites compromises the underlying server file system, then it’s game over for every site on that server, including yours.

Using a Secure Password

I’ll cut to the chase here as this article is already longer than I had planned.

The top hacked/guessed passwords from 2016 to current are “123456” and “password”.


If you are using either of those – stop now!

You should be using a complex password: a set of random numbers, letters (uppercase and lowercase) and symbols, around 20 characters in length.

e.g. “anwcv9z%jS7$Y*R649P1D4”

Or you can use three or more random proper-case words put together.

e.g. “ClockworkBananaMechanicDinosaur”

Use a different password for each site.

Remembering these complex passwords can be very hard – that’s good because it makes them also very hard to guess.

So, use a password manager such as LastPass or 1Password.

They cost less than USD $50 per year to keep all your passwords safe, secure and at hand via browser and desktop extensions.
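As an added example (not code from the original post), here is a small Python script that generates both password styles described above with the operating system’s CSPRNG and estimates their strength in bits. The 94-character alphabet (letters, digits and Python’s string.punctuation) and the eight-word list are assumptions constructed for the example; a real passphrase generator should draw from a much larger list.

```python
"""Generate and rate the two password styles recommended in the article."""
import math
import secrets
import string

# The character classes the article calls for: numbers, upper- and lowercase
# letters, and symbols. 52 + 10 + 32 = 94 possible characters per position.
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample word list. Deliberately tiny so the entropy figure below
# shows why the size of the word list matters as much as the number of words.
SAMPLE_WORDS = ["clockwork", "banana", "mechanic", "dinosaur",
                "lantern", "velvet", "glacier", "trumpet"]

# The two passwords the article names as the most commonly guessed.
COMMON_PASSWORDS = {"123456", "password"}


def random_password(length: int = 20, alphabet: str = RANDOM_ALPHABET) -> str:
    """Random characters drawn with `secrets` (CSPRNG), never with `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def word_passphrase(words: list, count: int = 4) -> str:
    """Three or more random words joined in proper case, ClockworkBanana... style."""
    if count < 3:
        raise ValueError("the article recommends at least three words")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def entropy_bits(choices: int, alphabet_size: int) -> float:
    """Bits of entropy for `choices` independent picks from `alphabet_size` options."""
    return choices * math.log2(alphabet_size)


def is_common_password(candidate: str) -> bool:
    """True for the passwords the article says to stop using immediately."""
    return candidate.lower() in COMMON_PASSWORDS


if __name__ == "__main__":
    print(random_password(), f"{entropy_bits(20, len(RANDOM_ALPHABET)):.1f} bits")
    print(word_passphrase(SAMPLE_WORDS),
          f"{entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits from 8 words;",
          f"{entropy_bits(4, 7776):.1f} bits from a 7776-word list")
    print("123456 is common:", is_common_password("123456"))
```

Four words from the eight-word sample give only 12 bits, while the same four words from a 7776-word list give about 51.7 bits and 20 random characters give about 131 bits, which is why the word list has to be large for the passphrase style to hold up.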


Out-of-date WordPress core, themes and plugins make up the biggest opportunity for hackers to compromise your site.

Update your site regularly to apply the necessary security patches.

Choose a good website hosting provider.

Use a password manager to store and generate secure passwords.

If you don’t have time to keep your site updated regularly, let WP Wingman take care of your site, securing it from hackers.

Let me know if you have any questions on the article or if you found it useful in the comments below.



Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.