10 Top Reasons Why WordPress Sites Get Attacked


There are many content management systems around, but none of them is in the same league as WordPress. It is used by more than 60 million websites on the Internet, which gives you an idea of how popular and admired WordPress is. That same popularity gives attackers an easy way to find WordPress websites that are poorly secured so they can exploit them.

Once they get into your website, they carry out all sorts of malicious activity: stealing personal information, deceiving your customers, and displaying illegal content. This can get you blacklisted by Google or even suspended by your web host, and in the end it costs you visitors and income.

Although the WordPress developers keep the platform as secure as they can, WordPress users also need to do their bit. For that, you should know the risks and the ways you can guard your site against the ordinary sources of vulnerability. We really want to help you secure your website from hackers, so in this article we discuss the main reasons why WordPress sites get hacked, so that you can avoid these mistakes and keep your sites safe. Make a note of these tips, since prevention is better than cure.

1. Outdated plugins or themes

The main factor behind WordPress site attacks is vulnerabilities in plugins and themes. There are many thousands of plugins and themes, written by thousands of different developers, so it is no surprise that they are the biggest risk.

Image credit: wpbeginner.com

Security flaws and bugs are discovered in WordPress plugins and themes all the time, and the theme and plugin developers are usually quick to fix them. But if a user does not update the theme or plugin, the fix never reaches the site, and nothing can save it from attack.

So make sure that the plugins and themes running on your site are updated regularly. If a plugin or theme has not been updated for a long time, its developer may have abandoned it, and such plugins and themes are an open invitation to compromise. If you are unsure whether a plugin is still actively developed, find a substitute.

Plugins are the greatest strength of WordPress, so it is not practical to avoid them entirely. But if you are not using an installed plugin, remove it. Install a plugin only if you need the functionality it provides; keeping the number of plugins low reduces your exposure.
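As an added example (not from the original article), the shell snippet below turns WP-CLI's `wp plugin list --format=csv` output into the action list this section asks for: which plugins need updating and which inactive ones are candidates for removal. The CSV is constructed sample output with placeholder plugin names; it assumes WP-CLI's usual column order of name, status, update, version.

```shell
#!/bin/sh
# Added example: audit installed plugins from WP-CLI's CSV output.
# On a real site:  wp plugin list --format=csv | plan_plugin_actions
# The sample below is constructed; the plugin names are placeholders.
SAMPLE_PLUGIN_LIST='name,status,update,version
akismet,active,none,4.1.6
example-forms,active,available,2.3.0
hello-dolly,inactive,none,1.7.2
example-gallery,inactive,available,0.9.1'

# Names of plugins with an update available (column 3 == "available").
plugins_with_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Names of installed but inactive plugins: unused code that is still served.
inactive_plugins() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Print (do not run) the WP-CLI commands that bring the install in line with
# the advice above: update what is outdated, delete what is not in use.
plan_plugin_actions() {
    awk -F, 'NR > 1 {
        if ($3 == "available") print "wp plugin update " $1
        if ($2 == "inactive")  print "wp plugin delete " $1
    }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_PLUGIN_LIST" | plan_plugin_actions
```

Review the printed commands before running them; a plugin that is inactive because you disabled it for a day is not the same as one you never use.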

2. Installing nulled themes and plugins

In WordPress, it is always recommended to download free plugins from the official WordPress repository. But there are many third-party sites on the internet that offer paid WordPress plugins and themes for free, and every now and then users install these nulled plugins and themes on their sites. Downloading WordPress themes and plugins from untrusted sources is very harmful: not only can they weaken the security of your website, they can also steal sensitive information.

You should always get WordPress plugins and themes from trustworthy sources, such as the plugin or theme developer's own website or the official WordPress directory.

If you cannot afford a premium plugin or theme, there are many free substitutes for those products. These free plugins and themes may not be as polished as the paid ones, but they will get the job done without compromising the security of your site.

3. Insecure Hosting

Not all hosting providers are the same. Some are very diligent: they apply regular security updates, run malware scans, and make sure that their underlying software is up to date. Others depend on the wrong or outdated software. The best way to avoid such hosting is to choose a web host with a good security reputation and the ability to safeguard its clients.

A properly secured server can block the majority of the most common attacks on WordPress sites. A good provider offers features such as daily backups to recover your data, up-to-date security software to protect your website, SSL certificates to secure payment transactions, and more.

If you want to take additional precautions, we suggest a managed WordPress hosting provider. A distinctive security feature of a managed host is its ability to remove malware: if your site gets hacked, the managed WordPress host's support team can usually help you clean it up.

4. Incorrect file permissions

File permissions are a set of rules used by your web server to control access to the files on your site. Incorrect file permissions can give an attacker the ability to write to and change these files. All files on your WordPress site should have the permission value 644, and all folders should have 755.
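An added example (not from the article) of putting those numbers into practice: a shell audit that lists every file that is not 644 and every directory that is not 755, and a fixer that applies them. It assumes GNU `stat` and `find`, builds a small constructed WordPress-like tree to run against, and skips wp-config.php because that file should be locked down further (see reason 7).

```shell
#!/bin/sh
# Added example: audit and repair the 644 (files) / 755 (directories) layout
# recommended above. Uses GNU stat (-c %a); the sample tree is constructed.

# Print "FILE <mode> <path>" or "DIR <mode> <path>" for every entry that deviates.
# wp-config.php is skipped: it should be tighter than 644 (see reason 7).
audit_permissions() {
    root=$1
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -exec sh -c 'printf "FILE %s %s\n" "$(stat -c %a "$1")" "$1"' sh {} \;
    find "$root" -type d ! -perm 755 \
        -exec sh -c 'printf "DIR %s %s\n" "$(stat -c %a "$1")" "$1"' sh {} \;
}

# Number of entries that deviate; 0 means the tree matches the recommendation.
count_violations() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes. Directories first so traversal keeps working.
fix_permissions() {
    root=$1
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec chmod 644 {} +
}

# Build a small constructed tree with two deliberate mistakes: a world-writable
# upload and a world-writable uploads directory. Prints the tree's path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads" "$dir/wp-admin"
    printf '<?php\n' > "$dir/index.php"
    printf '<?php\n' > "$dir/wp-content/index.php"
    : > "$dir/wp-content/uploads/photo.jpg"
    chmod 755 "$dir" "$dir/wp-content" "$dir/wp-admin"
    chmod 644 "$dir/index.php" "$dir/wp-content/index.php"
    chmod 777 "$dir/wp-content/uploads"          # wrong: anyone can add files
    chmod 666 "$dir/wp-content/uploads/photo.jpg" # wrong: anyone can overwrite it
    printf '%s\n' "$dir"
}

# Demonstration on the constructed tree:  sh perms.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "Before fix: $(count_violations "$tree") deviation(s)"
    audit_permissions "$tree"
    fix_permissions "$tree"
    echo "After fix: $(count_violations "$tree") deviation(s)"
    rm -rf "$tree"
fi
```

On a live site, run `audit_permissions /path/to/wordpress` first and read the list; some hosts deliberately use group-writable uploads directories, and blindly fixing those can break media uploads.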

5. Using an out-of-date WordPress version

Some WordPress users avoid updating their WordPress sites because they believe an update will break their website. But every new version of WordPress fixes bugs and security flaws, so if you are not updating WordPress, you are deliberately leaving your site open to attack.

In most cases, websites break because of bugs in older WordPress versions, not because of the update itself. Modifying the core is never recommended by the WordPress team or by professional developers who know the dangers involved. WordPress updates mostly contain must-have security patches along with the features required to run the latest plugins. If you are nervous that an update will break your website, take a full WordPress backup before running it. That way, if something doesn't work, you can easily roll back to the previous version.

6. PHP version

PHP is the backbone of your website, and if you are not running a supported version, your site can be attacked easily. Every major PHP release is fully supported for two years after its release; during that time, bugs and security problems are fixed and patched on a routine basis. At present, anyone running PHP 7.1 or below has no security support and is exposed to unpatched security vulnerabilities.

Businesses and developers usually need time to test their code for compatibility, but that is not a reason to keep running a version without security support, no matter how well the older version performs.

7. Not hardening the wp-config.php file

The WordPress configuration file wp-config.php holds your WordPress database credentials. It is in fact the most critical file on your website in terms of security: it contains your database login information and the security keys that control the encryption of information stored in cookies. If it is not protected properly, it can expose everything an attacker needs to take full control of your website.

To harden wp-config.php, you can move the file out of the WordPress root directory, where it resides by default, into a directory that is not web-accessible. You can also update the WordPress security keys (a set of random strings) that strengthen the encryption of information stored in users' cookies. It is recommended to keep the permissions on wp-config.php at 440 or 400 so that other users on the server cannot read it. This can easily be done with your FTP client.
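As an added example (not the article's own code), the script below checks a wp-config.php for both points: is its mode 400 or 440, and are any of the eight security keys and salts still set to the 'put your unique phrase here' placeholder that WordPress ships in wp-config-sample.php? It can also fix both, generating replacement keys locally. The sample config it creates is constructed, the database values in it are placeholders, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: check and harden a wp-config.php: tighten its mode to 440 and
# replace security keys that still carry the placeholder text from
# wp-config-sample.php. Uses GNU stat; the sample config is constructed.

PLACEHOLDER='put your unique phrase here'

# 0 if the mode is 400 or 440; otherwise report the mode and return 1.
check_config_mode() {
    mode=$(stat -c %a "$1")
    case "$mode" in
        400|440) return 0 ;;
        *) printf 'wp-config.php mode is %s, expected 400 or 440\n' "$mode"; return 1 ;;
    esac
}

# How many keys/salts are still set to the placeholder (0 is what you want).
count_placeholder_keys() {
    grep -c "$PLACEHOLDER" "$1" || true
}

# A 64-character random key from a character set that is safe inside a PHP
# single-quoted string and a sed replacement (no quote, backslash, slash or &).
new_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_=+' < /dev/urandom | head -c 64
}

# Rewrite every placeholder line with its own fresh key, keeping the file mode.
rotate_keys() {
    file=$1
    tmp=$(mktemp)
    while IFS= read -r line; do
        case "$line" in
            *"$PLACEHOLDER"*)
                key=$(new_key)
                line=$(printf '%s\n' "$line" | sed "s/$PLACEHOLDER/$key/")
                ;;
        esac
        printf '%s\n' "$line"
    done < "$file" > "$tmp"
    cat "$tmp" > "$file"   # write in place so ownership and mode are kept
    rm -f "$tmp"
}

# Rotate keys first (the file must still be writable), then lock the mode down.
harden_config() {
    rotate_keys "$1"
    chmod 440 "$1"
}

# Constructed wp-config.php with placeholder keys and a too-open mode; prints its path.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
<?php
define( 'DB_NAME',     'example_db' );       // constructed placeholder values
define( 'DB_USER',     'example_user' );
define( 'DB_PASSWORD', 'example_password' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
    chmod 644 "$f"
    printf '%s\n' "$f"
}

# Demonstration on the constructed file:  sh wpconfig.sh --demo
if [ "${1:-}" = "--demo" ]; then
    cfg=$(make_sample_config)
    check_config_mode "$cfg" || true
    echo "placeholder keys before: $(count_placeholder_keys "$cfg")"
    harden_config "$cfg"
    check_config_mode "$cfg" && echo "mode is now $(stat -c %a "$cfg")"
    echo "placeholder keys after: $(count_placeholder_keys "$cfg")"
    rm -f "$cfg"
fi
```

Rotating the keys invalidates every logged-in session, so do it at a quiet time. The 440 mode only works if the web server runs as the file's owner or group; if your host runs PHP as a different user, test the site right after changing it.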

8. Brute Force

A strong password is your first line of defence against brute force attacks, which try combination after combination of usernames and passwords until they find the right one. A weak password never stands a chance against a brute force attack. The solution is to use strong usernames and passwords that cannot be guessed easily: passwords should be hard to guess and should contain punctuation, mixed-case letters, and numbers. Professionals also recommend using a different password for every site and account, including social media and email accounts.

In WordPress, you should never use the default "admin" username. Create a unique WordPress username for the administrator account and remove the "admin" user if it exists. To do this, add a new user in the "Users" section of the dashboard and assign it the "Administrator" role. Once the new account has the administrator role, go back and delete the original "admin" user. When deleting it, remember to choose the "Attribute all content to" option and select your new administrator account; this makes the new user the owner of those posts.

You can also add two-factor authentication to make it even harder for attackers to get into your WordPress admin area.
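Here is an added example (not from the article) of what the defensive side of this looks like: an awk-based check that counts failed login POSTs to wp-login.php per client in a combined-format web server access log. The log lines are constructed and the threshold of five is an assumption; the check relies on WordPress answering a failed login with HTTP 200 (it re-renders the form) and a successful one with a 302 redirect to the dashboard.

```shell
#!/bin/sh
# Added example: find clients that keep failing to log in at wp-login.php.
# Log lines are constructed (combined log format); the threshold is an assumption.
#
# Heuristic: a failed login POST gets HTTP 200 (form re-rendered with an error),
# a successful one gets 302 (redirect to wp-admin). So POST + 200 = failure.

SAMPLE_LOG='198.51.100.7 - - [10/Oct/2020:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2020:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:14:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2020:14:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2020:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"'

# Read a log on stdin; print "<failures> <ip>" for each client at or above the threshold.
# Field layout of the combined format: $1 ip, $6 "METHOD, $7 path, $9 status.
flag_login_bruteforce() {
    threshold=${1:-5}
    awk -v limit="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) printf "%d %s\n", fails[ip], ip }
    '
}

# Failed attempts for a single client, for when you are investigating one address.
failed_attempts_for() {
    awk -v who="$1" '
        $1 == who && $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n++ }
        END { print n + 0 }
    '
}

# Demonstration on the constructed log.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

On a real server you would run `flag_login_bruteforce 5 < /var/log/apache2/access.log` and feed the result to whatever you use for blocking or rate limiting. A user who forgot their password will also show up here, which is exactly why strong passwords and two-factor authentication matter more than the block list: they make the guessing pointless even when it is not noticed.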

9. Use of plain FTP

FTP accounts let you upload files to your web server using an FTP client. Most hosting providers support FTP connections over several protocols: you can connect to your server using plain FTP, SSH, or SFTP. If you choose plain FTP, your password is sent to the server unencrypted, where it can easily be sniffed and stolen in a matter of minutes. So instead of plain FTP, you should always use SFTP or SSH.

You don't have to replace your FTP client for this. Most FTP clients can connect to your website over SSH and SFTP as well as FTP; all you need to do is change the protocol to 'SFTP – SSH' when connecting to your website.

10. Exposing the WordPress version

By default, WordPress adds the current version number to the head section of every page the theme generates. A sensible security tip is never to show the WordPress version openly, because attackers can launch attacks against all the known vulnerabilities of the version shown there. The less other people know about your WordPress site's configuration, the better. If they see your site running an out-of-date WordPress installation, that is an inviting sign to intruders.

Changing the default WordPress database prefix is another good way to make attacks harder. All tables in a WordPress database have names that start with the prefix "wp_". This may seem harmless, but for attackers it removes some of the guesswork. You can reduce this predictability by changing the default WordPress table prefix while installing WordPress.
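An added example (not from the article) that checks both points in this section: a scan of rendered HTML for the generator meta tag and for the ?ver= query strings WordPress appends to enqueued scripts and stylesheets, plus a check of the table prefix in wp-config.php. Both inputs are constructed samples, the version numbers in them are invented, and the config helper writes a one-line stand-in for wp-config.php.

```shell
#!/bin/sh
# Added example: find where a page announces its WordPress version, and check
# whether wp-config.php still uses the default wp_ table prefix.
# Both samples are constructed; the version numbers are invented.

SAMPLE_HTML='<html><head>
<meta name="generator" content="WordPress 5.4.2" />
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=5.4.2" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>'

# Print the version from the generator meta tag on stdin, or nothing if absent.
generator_version() {
    sed -n 's/.*<meta name="generator" content="WordPress \([0-9.][0-9.]*\)".*/\1/p'
}

# Count asset URLs on stdin that carry a ?ver= query string (each one leaks a version).
count_ver_params() {
    grep -o '?ver=[0-9.]*' | wc -l | tr -d ' '
}

# Human-readable summary of what a page gives away; reads the HTML on stdin.
report_version_exposure() {
    html=$(cat)
    gen=$(printf '%s\n' "$html" | generator_version)
    vers=$(printf '%s\n' "$html" | count_ver_params)
    if [ -n "$gen" ]; then
        echo "generator tag exposes WordPress $gen"
    else
        echo "no generator tag"
    fi
    echo "$vers asset URL(s) carry a ?ver= parameter"
}

# Return 0 if the given wp-config.php uses a prefix other than the default wp_.
table_prefix_changed() {
    prefix=$(awk -F"'" '/^[$]table_prefix/ { print $2 }' "$1")
    [ -n "$prefix" ] && [ "$prefix" != "wp_" ]
}

# Write a constructed one-line stand-in for wp-config.php with the given prefix.
make_sample_config() {
    f=$(mktemp)
    printf '<?php\n$table_prefix = '"'"'%s'"'"';\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demonstration on the constructed page.
printf '%s\n' "$SAMPLE_HTML" | report_version_exposure
```

To check a live site, pipe `curl -s https://example.com/` (a placeholder address) into `report_version_exposure`. The generator tag is printed by the `wp_generator` function WordPress hooks to `wp_head`, so `remove_action( 'wp_head', 'wp_generator' );` in your theme's functions.php removes it. Treat hiding the version as a small extra: keeping WordPress updated (reason 5) is what actually removes the vulnerabilities an attacker would be looking for.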


Many people forget that protecting a WordPress website is an ongoing process that needs regular attention as new tools and scams keep appearing. We hope this article helped you understand the top reasons why WordPress sites get attacked. These security tips will help you keep your website running and safe. If you think we have missed something, feel free to tell us in the comments below.
