How WordPress Sites Get Hacked [And What You Can Do]

In one of our previous posts, we considered why WordPress is the best website builder. In this article, we will consider an issue of great concern to site owners: how WordPress sites get hacked.

One of the biggest challenges website owners encounter is having their WordPress site hacked. Before you realize what’s happening, your website is offline. Traffic stops, and all the time, effort, and money you invested into creating your website are lost.

Detecting the problem and fixing it are not easy tasks. However, they are not as difficult as regaining the trust of your readers or removing your website from spam blacklists.

Websites being hacked is nothing new, and it is common. The wide popularity of WordPress and its large feature set make it a target for hackers.

In 2012, over 170,000 WordPress sites were hacked. In this article, I will discuss why hackers hack WordPress sites, how they hack them, how to know if your site is at risk of being hacked, and what you can do to prevent your site from being hacked.

If you own a WordPress website, this is an important article that you should read to the end.

How To Know If Your WordPress Website Is At Risk

How do you know that your WordPress website is at risk of being hacked? Here are some signs that you need to pay attention to:

1. You cannot log in

If you are not able to log in to your site, it may imply that your site has been hacked. You may also be unable to log in if you have forgotten your password. So before assuming that your site has been hacked, reset your password. If you’re unable to reset your password, that’s a warning. Even if you can reset your password, your site may still have been hacked, and you need to carry out more investigation.

Hackers often change user passwords to prevent them from having access to the site’s dashboard. If you cannot reset your password, your site could have been hacked.

2. Your website has changed

Another form of hacking is replacing the site’s homepage with a static page. If your site’s appearance is different and it’s not using your theme, then it has probably been hacked.

The changes may not be easily noticeable (for instance, adding links to some pages). If you notice that your footer contains links that you did not add (especially if the font size is small), your site could have been hacked.

Before concluding, confirm with other site administrators to ensure they did not make the changes by mistake.

If you’ve recently updated your theme and notice it is not from a reputable source, that could be the cause.

3. Your website is redirecting

Hackers can sometimes add a script that redirects people who visit your website to another website, possibly one that you don’t want your audience to visit.

Before you conclude that your site has been hacked, check whether your server is having issues, because the redirect could also be a result of insecurity on your server. This is why it is important to use high-quality hosting. If the issue is from the server, change your hosting provider quickly and you will be able to fix the problem.

4. You’re getting warnings from your browser

If your browser keeps warning you that your site is compromised, then it could be a sign that hackers have hacked your website. It could also be a sign that some code in one of the themes or plugins needs to be removed. The issue may also stem from SSL or domains.

Go through the warning given by your browser and pay attention to the advice in the warning to know what to do.

5. Warnings from search engines

When you search for a particular site, you may get a warning from Google. This may mean that hackers have hacked the website’s sitemap, thereby affecting the way Google crawls the site.

Why Do WordPress Websites Get Hacked?

There are many reasons why WordPress sites get hacked. Listed below are some of the most common reasons:

1. Unfixed issues

There is something known as a vulnerability scan in your PC’s anti-virus software. This is an application that is designed to find the different ways hackers can use to corrupt the files or systems on your computer. The application also suggests the fixes that need to be done when the issues are found.

Unfortunately, hackers can use the same method to scan for possible ways to hack your site. As a result, ensure you always check your website for vulnerabilities and fix them once you find them.

2. Poor security

Most business owners do not know how easy it is for their site to be hacked. That is why most site owners do not bother to make the access codes to their servers difficult to guess. This can make you vulnerable to hackers who try a series of passwords against your website until they find the right one, which can take seconds if the password is easy to guess.
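How the password guessing described above shows up in a web server access log, as an added example that is not part of the original article. It assumes the Apache/nginx combined log format and WordPress's default behaviour of answering a failed `/wp-login.php` POST with status 200 and a successful one with a 302 redirect; the threshold and the function name `guessing_clients` are hypothetical.

```python
import re
from collections import defaultdict

# Combined Log Format: ip ident user [time] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def guessing_clients(lines, threshold=5):
    """Map each IP with >= threshold failed logins to (failures, later_success)."""
    failed = defaultdict(int)
    succeeded = set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method != "POST" or path.split("?")[0] != "/wp-login.php":
            continue
        if status == "200":      # assumption: login form shown again = failure
            failed[ip] += 1
        elif status == "302" and failed[ip] >= threshold:
            succeeded.add(ip)    # redirect after many failures: password guessed?
    return {ip: (n, ip in succeeded) for ip, n in failed.items() if n >= threshold}

def _line(ip, sec, method, path, status):
    # Helper that builds one constructed log line for the sample below.
    return (f'{ip} - - [01/Jan/2024:10:00:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512')

# Constructed sample: two guessing clients and one ordinary user with a typo.
SAMPLE = (
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(6)]
    + [_line("203.0.113.7", 6, "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.44", s, "POST", "/wp-login.php", 200) for s in range(10, 15)]
    + [_line("198.51.100.20", 20, "POST", "/wp-login.php", 200),
       _line("198.51.100.20", 21, "POST", "/wp-login.php", 302),
       _line("198.51.100.20", 22, "GET", "/wp-admin/", 200)]
)

print(guessing_clients(SAMPLE))
```

An entry whose second value is `True` deserves the most attention: that client logged in after a run of failures, so the account's password should be reset and its recent activity reviewed.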

3. Issues with plugins

Hackers spend lots of time on the internet looking for loopholes in the makeup of websites that they can use to gain access. A common way in is through faulty plugins. This is why the plugins on your site need to be reliable and updated with the most recent patch.

4. Exposure to automatic attack

Running your website on WordPress is user-friendly and convenient: it makes updates and changes easy and lets you create new content to keep your site relevant in the search engines. However, this exposes your site to automatic attacks referred to as bots. Although the bots are not malicious, they can easily infest your site if you don’t get rid of them immediately.

5. Increase in the size of the website

Popularity can sometimes harm your website. Some attacks on a website are a result of the users visiting the site: the more visitors you have, the more people the hacker can exploit through your site with the aid of malware and spam. As your site grows, you need to pay attention to what people are downloading from your site so that you can prevent them from tarnishing your company’s reputation.

How Do WordPress Sites Get Hacked?

Now that you know why WordPress sites get hacked, let’s move on and consider the ways hackers hack websites.

According to WP Template’s infographic, hackers gain access to WordPress sites through these points of entry:

  • 8 percent of websites are hacked as a result of unsecured passwords.
  • 22 percent are through a faulty plugin.
  • 29 percent are through loopholes in a theme, and
  • 41 percent are through vulnerabilities in the hosting platform.

As you can see from the statistics above, poor hosting has the highest percentage. If your site was hacked through your hosting platform, that doesn’t mean your site was targeted directly. It may also be possible that another site using shared hosting was hacked and affected others in the process.

What’s disturbing is that over 50 percent of all successful hacks were done via plugins and themes. These are areas that you shouldn’t ignore.

The remaining websites were hacked as a result of weak passwords. Although 8 percent may seem insignificant, hundreds of thousands of websites could be affected in the process.

So, what can you do to prevent your site from being hacked?

How To Keep Your WordPress Site Secure

1. Ensure your passwords are secure

Ensure you reset all your website passwords and that they are strong. You can use a security plugin as this will force you and your users to use secure passwords. You can also include two-factor authentication on your website to make it more difficult for hackers to have access to it.

2. Update your site

It is important to ensure that your website is up to date. Whenever your theme, plugins, or WordPress software are due for updates, ensure you update them because the updates may also include security patches.

You can also install a plugin or edit your wp-config.php file to activate automatic updates. If you don’t want to do this because you want to test the updates, you will be notified by a security plugin when you need to run an update.

3. Don’t install insecure and outdated themes or plugins

When you are installing WordPress plugins, ensure you test them with your version of WordPress and that you download them from a reliable source. Install free themes and plugins from plugin and theme directories; don’t download them from third-party websites. You should also check a vendor’s reputation and request recommendations when you want to buy premium plugins or themes.

4. Clean your WordPress installation

If you have installed any plugins or themes but you have not activated them, get rid of them. If you have any old WordPress installations in your hosting environment that you are not making use of, remove them. Delete all databases that you are not using as well.

These old databases and installations can be vulnerable since you’re not likely to update them.

5. Install SSL on your website

SSL makes your website secure. It is free to use on your website. You can use the SSL Zen plugin to add SSL if your hosting provider does not provide free SSL.

6. Don’t buy cheap hosting

When you buy cheap hosting, it simply means that you will be sharing server space with lots of other websites. This not only slows down websites, but it will also increase your exposure to attack since any attack on one of the sites you’re sharing server space with will also affect you.

Providers of cheap hosting will not effectively monitor server security. They will also not assist you if your site is hacked. Purchasing high-quality hosting, like Bluehost, will protect you from attack and also keep your website secure.

7. Set up a firewall

Cloudflare or Sucuri will allow you to configure a firewall for your website. This adds an extra layer of security to reduce the chances of your website being hacked or affected by DDoS attacks.

8. Install a security plugin

It is important to install a security plugin on your website. It will notify you whenever it suspects any suspicious activity such as the addition of suspicious files or unauthorized logins.


1. What are the common reasons for a WordPress website to get hacked?

The main reasons why a WordPress site gets hacked include the following:

  • Outdated site.
  • Weak passwords.
  • Lack of SSL certificate.
  • Faulty themes.
  • A loophole in the wp-admin directory.
  • Cheap hosting.

2. Can a WordPress website be hacked?

Yes, WordPress sites can be hacked. Hackers exploit not only their code but also their users.

3. How many WordPress sites are hacked per day?

An average of 30,000 new sites are hacked daily. Hackers do all they can to exploit loopholes in popular plugins and search for websites that are using plugins with loopholes.

4. How do WordPress sites get hacked?

Hackers usually attack websites by building phishing pages aimed at tricking people into entering their IDs or usernames and passwords. They can also intercept user credentials on their browser through Cross-Site Request Forgery (CSRF) or Cross-Site Scripting (XSS).


This article has tried to answer the question ‘How do WordPress sites get hacked?’ Apart from that, we also discussed the basic steps you can take to prevent attacks on your site. You can approach the experts if you need more security.

Since WordPress is open source, you can get cybersecurity expertise for your WordPress site.