11 Prime Causes Why WordPress Websites Get Hacked (and The right way to Stop it)

  • January 12, 2023
  • elkenz
  • 8 min read

Lately, considered one of our readers requested us why WordPress websites get hacked.

It’s irritating to find your WordPress website has been hacked. Whereas hackers goal all web sites, you may be making some errors that depart your web site susceptible to assault.

On this article, we are going to share the highest the explanation why WordPress website will get hacked, so you possibly can keep away from these errors and shield your website.

Why WordPress sites get hacked?

Why Is WordPress Focused by Hackers?

First, it’s not simply WordPress. All web sites on the web are susceptible to hacking makes an attempt.

The rationale that WordPress web sites are a standard goal is that WordPress is the world’s hottest web site builder. It powers over 43% of all web sites, that means tons of of thousands and thousands of internet sites throughout the globe.

This immense reputation provides hackers a simple technique to discover web sites which can be much less safe, to allow them to exploit them.

Hackers have varied motives to hack a web site. Some are learners who’re simply studying to take advantage of much less safe websites. Others have malicious intentions comparable to distributing malware, attacking different web sites, and sending spam.

With that stated, let’s check out a number of the prime causes of WordPress websites getting hacked so you possibly can learn to forestall your web site from getting hacked.

1. Insecure Internet Internet hosting

Like all web sites, WordPress websites are hosted on an internet server. Some internet hosting corporations don’t correctly safe their internet hosting platform. This makes all web sites hosted on their servers susceptible to hacking makes an attempt.

This may be simply averted by selecting the very best WordPress internet hosting supplier to your web site. Correctly safe servers can block most of the most typical assaults on WordPress websites.

If you wish to take further precautions, then we suggest utilizing a managed WordPress internet hosting supplier.

2. Utilizing Weak Passwords

Using weak passwords

Passwords are the keys to your WordPress website. You have to just remember to’re utilizing a robust distinctive password for every of the next accounts as a result of they’ll all present a hacker full entry to your web site.

  • Your WordPress admin account
  • Your webhosting management panel account
  • Your FTP accounts
  • The MySQL database used to your WordPress website
  • All e-mail accounts used for WordPress admin and internet hosting

All these accounts are protected by passwords. Utilizing weak passwords makes it simpler for hackers to crack the passwords utilizing some fundamental hacking instruments.

You may simply keep away from this by utilizing distinctive and powerful passwords for every account. See our information on one of the best ways to handle passwords for WordPress learners to learn to handle all these robust passwords.

3. Unprotected Entry to WordPress Admin (wp-admin)

The WordPress admin space provides a consumer entry to carry out completely different actions in your WordPress website. It’s also probably the most generally attacked space of a WordPress website.

Leaving it unprotected permits hackers to strive completely different approaches to crack your web site. You may make it tough for them by including layers of authentication to your admin listing.

First, it’s best to password shield your WordPress admin space. This provides an additional safety layer, and anybody making an attempt to entry WordPress admin must present an additional password.

For those who run a multi-author or multi-user WordPress website, then you possibly can implement robust passwords for all customers in your website. You can even add two issue authentication to make it much more tough for hackers to enter your WordPress admin space.

4. Incorrect File Permissions

File permissions

File permissions are a algorithm utilized by your internet server. These permissions assist your internet server management entry to recordsdata in your website. Incorrect file permissions may give a hacker entry to jot down and alter these recordsdata.

All of your WordPress recordsdata ought to have 644 worth as file permission. All folders in your WordPress website ought to have 755 as their file permission.

See our information on the best way to repair the picture add challenge in WordPress to learn to apply these file permissions.

5. Not Holding WordPress As much as Date

Some WordPress customers are afraid to updating their WordPress web sites. They worry that doing so would break their web site.

Every new model of WordPress fixes bugs and safety vulnerabilities. For those who’re not updating WordPress, then you’re deliberately leaving your website susceptible.

If you’re afraid that an replace will break your web site, then you possibly can create an entire WordPress backup earlier than working an replace. This manner, if one thing doesn’t work, then you possibly can simply revert again to the earlier model.

You may be taught extra in our newbie’s information on the best way to safely replace WordPress.

6. Not Updating Plugins or Theme

Similar to the core WordPress software program, updating your theme and plugins is equally vital. Utilizing an outdated plugin or theme could make your website susceptible.

Safety flaws and bugs are sometimes found in WordPress plugins and themes. Often, theme and plugin authors are fast to repair them up. Nonetheless, if a consumer doesn’t replace their theme or plugin, then there may be nothing they’ll do about it.

Be sure to hold your WordPress theme and plugins updated. You may learn the way in our information on the correct replace order for WordPress, plugins, and themes.

7. Utilizing Plain FTP as a substitute of SFTP/SSH

SFTP instead of FTP

FTP accounts are used to add recordsdata to your internet server utilizing an FTP shopper. Most internet hosting suppliers help FTP connections utilizing completely different protocols. You may join utilizing plain FTP, SFTP, or SSH.

Whenever you connect with your website utilizing plain FTP, your password is shipped to the server unencrypted. Meaning it may be spied upon and simply stolen. As a substitute of utilizing FTP, it’s best to at all times use SFTP or SSH.

You don’t want to vary your FTP shopper. Most FTP purchasers can connect with your web site on SFTP in addition to SSH. You simply want to vary the protocol to ‘SFTP – SSH’ when connecting to your web site.

8. Utilizing Admin as WordPress Username

Utilizing ‘admin’ as your WordPress username will not be really helpful. In case your administrator username is ‘admin’, then it’s best to instantly change that to a distinct username.

For detailed directions try our tutorial on the best way to change your WordPress username.

9. Nulled Themes and Plugins


There are lots of web sites on the web that distribute paid WordPress plugins and themes without spending a dime. You might really feel tempted to make use of these nulled plugins and themes in your website.

Downloading WordPress themes and plugins from unreliable sources may be very harmful. Not solely they’ll compromise the safety of your web site, however they can be used to steal delicate info.

You must at all times obtain WordPress plugins and themes from dependable sources such because the developer’s web site or official WordPress repositories.

For those who can’t afford to purchase a premium plugin or theme, then there are at all times free alternate options obtainable for these merchandise. These free plugins will not be nearly as good as their paid counterparts, however they are going to get the job achieved and most significantly hold your web site secure.

You can even discover reductions for most of the common WordPress merchandise within the offers part on our web site.

10. Not Securing wp-config.php WordPress Configuration File

The wp-config.php WordPress configuration file comprises your WordPress database login credentials. Whether it is compromised, then it can reveal info that would give a hacker full entry to your web site.

You may add an additional layer of safety by denying entry to wp-config file utilizing .htaccess. Merely add this little code to your .htaccess file.

<recordsdata wp-config.php>
order enable,deny
deny from all

11. Not Altering WordPress Desk Prefix

Many consultants suggest that it’s best to change the default WordPress desk prefix. By default, WordPress makes use of wp_ as a prefix for the tables it creates in your database. You get an possibility to vary it in the course of the set up.

It’s endorsed that you just use a extra complicated prefix. This may make it tougher for hackers to guess your database desk names.

For detailed directions, see our information on the best way to change the WordPress database prefix to enhance safety.

Cleansing up a Hacked WordPress Website

Cleansing up a hacked WordPress website might be painful. Nonetheless, it may be achieved.

Listed here are some sources to get you began on cleansing up a hacked WordPress website:

Bonus Tip

For rock strong safety, we use Sucuri on all our WordPress websites. Sucuri supplies malware detection and removing providers in addition to a web site firewall that may shield your web site in opposition to the most typical threats.

Learn the story of how Sucuri helped us block 450,000 WordPress assaults in 3 months.

We hope this text helped you be taught the highest the explanation why WordPress website will get hacked. You may additionally wish to learn to improve your weblog visitors, or see our listing of tricks to pace up WordPress efficiency.

For those who preferred this text, then please subscribe to our YouTube Channel for WordPress video tutorials. You can even discover us on Twitter and Fb.