Why do WordPress sites get hacked


14th December 2021 · WordPress, WordPress Security




Initial Thoughts

In this article, we’ll go through the most common reasons why WordPress sites get hacked and why they are the number one target of attackers worldwide. While there’s a long discussion to be had around WordPress security in general, we’ll go through the 5 most important reasons, the ones we believe are game changers.


Let’s start by stating the obvious - WordPress is the most common CMS (content management system) out there and the most powerful one. People use it as it’s extremely easy nowadays to create websites. From a simple blog to a complex ecommerce site, WordPress has you covered.

To date, WordPress powers over 30% of the active websites online. There’s some false information on the web about the number being higher, but according to our research the most accurate answer is “about 30%”. 30% of the websites online translates to about 450 million websites. Of course, being so popular makes it a target.

Open Source

WordPress is open source software. What does open source software mean? The formal definition is a bit complex, but to make things simpler, let’s say that open source means the software is free for everyone to use, modify and distribute.

Why is this a problem, you may ask? Well, while free software is great, it also means that people with malicious intentions can read the code of the software, find any potential vulnerabilities and exploit them.

Vulnerabilities?! Well yes, any kind of human-developed software has vulnerabilities, the so-called “security holes”. Some are major, some are minor. WordPress itself has had a very good reputation over the last few years for releasing code with only minor vulnerabilities. I cannot say the same, though, for WordPress plugins and themes, which brings us to the next section.

3rd Party Plugins and Themes

With WordPress being so popular (and free), it also attracts the interest of developers and companies who develop various add-ons (plugins). You can find tens of thousands of free plugins on the official WordPress repository. The major problem with these plugins is that each is developed by a single developer or company and pushed directly to the WordPress repository, making it available to millions of WordPress websites.

While WordPress has a team that reviews plugins and themes before they are published to the repository, they usually check for bugs or incompatibility issues rather than vulnerabilities. Unfortunately, we've seen countless zero-day vulnerabilities in 3rd party plugins over the last few years.

Poor Admin Authentication

Another interesting piece of research shows that 60% of WordPress site owners use the username “admin” for their website administrator account. As you can imagine, this is a very bad practice, as a potential attacker already knows your username. Knowing your username, and using a “brute force attack”, they can find your password too in no time.

“Nulled” Plugins and Themes

There are a few problems with installing “nulled” plugins and/or themes on your website. Let’s leave aside the ethical part for now and focus on the actual security issue. It’s almost a certainty that when you download a nulled component, it will contain a “backdoor” to your site. While this is not visible initially, it works in the background, carrying out various malicious activities like stealing customer data, injecting ads into your site or even using your own site to attack other websites.
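A defender's view of the paragraph above, as an added example that is not part of the original article: a small Python scan of a plugins or themes directory for a few common signs of hidden code execution in PHP files. The indicator list, the function names and the sample files are assumptions constructed for illustration; a hit means the file deserves manual review, not that it is proven malicious.

```python
import base64
import re
import tempfile
from pathlib import Path

# Heuristic indicators of hidden code execution in PHP files.
# Assumed, non-exhaustive rule set for illustration; a hit means "review this file".
INDICATORS = {
    "eval-of-decoded-data": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.I),
    "request-data-executed": re.compile(
        r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b",
        re.I),
    "long-encoded-blob": re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"),
}


def scan_tree(root):
    """Return {relative path: [indicator names]} for each flagged .php file under root."""
    root = Path(root)
    findings = {}
    for php in sorted(root.rglob("*.php")):
        text = php.read_text(encoding="utf-8", errors="replace")
        hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
        if hits:
            findings[php.relative_to(root).as_posix()] = hits
    return findings


def build_sample(root):
    """Write a constructed sample tree: one clean plugin, one theme with an inert loader."""
    blob = base64.b64encode(b"// constructed inert sample\n" * 8).decode()
    clean = Path(root, "clean-plugin", "clean-plugin.php")
    shady = Path(root, "nulled-theme", "functions.php")
    for path in (clean, shady):
        path.parent.mkdir(parents=True)
    clean.write_text("<?php\nfunction demo_title($t) { return esc_html($t); }\n")
    shady.write_text('<?php\n$k = "%s";\neval(base64_decode($k));\n' % blob)


def demo():
    """Scan the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

To check a real site, call `scan_tree()` on a copy of its `wp-content` directory; legitimate code can trigger these patterns too, so treat the output as a review list.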

Best Practices and conclusion

So to sum things up and give you a brief conclusion with a few tips:

  • Make sure your WordPress core installation is always up to date. You can see the latest version of WordPress here: https://wordpress.org/download/releases/
  • Make sure all your plugins and themes are up to date as well.
  • Do not acquire any themes or plugins from non-legit sources, especially from sites advertising them as “nulled”.
  • Change your administrator username to something different. Ideally, add a plugin that limits login attempts and adds a little bit of security, like Wordfence.

As always, if you need help or professional security solutions for your site and business, drop us a message. We handle all kinds of websites, from small blogs to high-end 7-figure revenue ecommerce WordPress websites.

In the meantime, please make sure to go through our article about WordPress Security - How to Harden Your Website

Panos Kesisis
