8 Reasons WordPress Sites Get Hacked And What To Do About Them

Hacking is a bigger problem now than it has ever been. As the sophistication of our technology and software has grown so have the techniques employed by hackers.

By the same token we have better security for websites now than ever before. You can never make your WordPress site 100% safe from hackers, but there are certain proactive steps you can take to make it harder for them.

***Check out my post on 10 important things do after installing WordPress***

If Hackers Are Targeting WordPress Should I Use Another Platform?

Let me be clear, ALL websites are vulnerable to hacking, not just WordPress. The most secure websites on earth such as Google, The Department of Defense and the National Security Agency (NSA) have all been hacked.

The reason WordPress is a common target of hackers is its widespread use. WordPress is the most popular website platform in the world. It powers a staggering 31% of all websites on the Internet. Therefore, it’s not surprising that it would be a popular target for those with bad intentions.

To its credit, WordPress takes security very seriously. Even right out of the box, WordPress is pretty secure.

What I want to share with you today are the 8 most common reasons WordPress sites get hacked and what you can do to better protect yourself.

1. Cheap And Insecure Web Hosting

All websites must be hosted somewhere. The analogy I like to use is your domain is like a house. Your hosting provider is the neighborhood where you’re buying land to put your house. Is it a good neighborhood? Does it flood? That information is important when deciding where you want to live, right?

The same thing applies to your website. Choosing a cheap and insecure hosting company for your website puts it at risk.

As tempting as it is to buy that GoDaddy or HostGator hosting plan for $4 a month I highly recommend you don’t. I used those plans for years early in my career and it was fine for a while, but eventually all my sites got hacked at one time or another.

True story:

A year ago I launched a news magazine site built on WordPress just to test the waters and see if it would be viable long term in such a crowded niche.

I went with a cheap hosting company at first thinking I would just upgrade to a good host later if it worked out.

I even enhanced the security as much as possible through a variety of plugins.

Not even 2 months after launch the site was brought down by hackers and Google suspended it until I fixed it. I went through the code and discovered a hacking collective out of Kazakhstan (not making this up) was the culprit.

Long story short, I eventually scrapped the news site, but vowed to never again waste my time with crappy, insecure hosting. It was HostGator I used, by the way. Not to blame them, just to say the old saying “you get what you pay for” is truer than ever before.

I only use premium managed WordPress hosting now. This site is hosted by WP Engine and I cannot say enough good things about them. The security and customer service they provide is top notch.

Recommended hosting companies:

  1. WP Engine
  2. Flywheel
  3. Siteground
  4. Kinsta

2. Easy Passwords

This one is as old as computers themselves. I won’t bore you with all the stuff you’ve heard before on this. Don’t use weak passwords. You should also have unique passwords for all the accounts related to your website.

Use a unique password for the following:

  • WordPress admin account
  • Web host control panel account
  • FTP accounts
  • MySQL database
  • Email accounts used for WordPress admin or hosting account

3. Wrong File Permissions

I know this is probably getting into the weeds a little bit for some of you so bear with me. File permissions are rules used by your server that control access to the files on your site.

If your file permissions are set incorrectly, hackers can exploit that to read files on your site and change them.

They can inject malware and other harmful code into your site designed to do a variety of malicious things.

In most cases, all your WordPress files should have 644 as their file permission. All folders on your WordPress site should have 755 as their file permission.
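A small audit script for the 644/755 rule above, added here as an example (it is not from the post). It lists every file or folder that deviates, counts them, and can apply the recommended modes; it assumes a POSIX `find` and `chmod`, and it treats a stricter 600 or 640 on wp-config.php as acceptable because that file holds the database credentials.

```shell
#!/bin/sh
# Audit a WordPress install for files that are not mode 644 and
# directories that are not mode 755. Added example, not from the post.

# List deviations as "FILE <path>" or "DIR  <path>".
# wp-config.php is allowed to be stricter (600 or 640): only the web
# server user needs to read it, and nobody else should.
list_wp_perm_issues() {
    dir=$1
    find "$dir" -type f ! -perm 644 \
        ! \( -name wp-config.php \( -perm 600 -o -perm 640 \) \) \
        -exec printf 'FILE %s\n' {} \;
    find "$dir" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} \;
}

# Number of deviations; 0 means the tree matches the recommendation.
count_wp_perm_issues() {
    list_wp_perm_issues "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes. Run this as the owner of the files, and
# review the list from list_wp_perm_issues first.
fix_wp_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    # Tighten the config file again after the bulk chmod.
    if [ -f "$dir/wp-config.php" ]; then
        chmod 640 "$dir/wp-config.php"
    fi
}
```

Run `list_wp_perm_issues /path/to/wordpress` on its own first; a world-writable entry in the output is the kind of setting the section above warns about.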

4. Not Keeping WordPress Updated

This is an extremely common issue. Many WordPress users neglect to update their WordPress install to the latest version out of fear that something may go wrong.

If you have automatic backups set up (and you should) then you don’t need to worry about that, because you can easily restore your WordPress site in minutes.

One of the main reasons WordPress releases periodic updates is to fix security flaws discovered by users. The updates patch those vulnerabilities.

If you use one of the premium hosting companies mentioned above this issue is moot, because they automatically keep your site updated to the latest version. They also automatically backup your entire website daily.

5. Not Updating Plugins And Themes

Not updating your themes and plugins is another security vulnerability you are leaving yourself open to. They need to be updated just like WordPress itself.

6. Keeping Admin As Default Username

The default admin username in WordPress is “admin.” It always has been. Every hacker on the planet knows this. So if your username is admin you have already given hackers half of your login. Now they just need to work on figuring out your password — which I pray is not “password.”  🙄 

7. Using Pirated Themes And Plugins

I totally get that some of the premium WordPress themes and plugins can be expensive. So there’s a temptation to use a “nulled” (meaning pirated) copy of a WordPress theme or plugin.

Resist that temptation.

This is a no sanctimony zone. So my argument against nulled plugins has nothing to do with the ethics of pirating other people’s work. Think what you want about that.

The reason I’m against using pirated themes and plugins is that they’re a HUGE security liability for your website. Nulled themes can’t be updated, and they can have backdoors or malware in them that can be used to steal information and compromise your site.

Be sure to read my post from last week on how to choose a WordPress theme.

8. Unsecured WordPress Configuration File (wp-config.php)

The wp-config.php file is a critical component of your WordPress site. It contains your database login credentials. This is one file you definitely don’t want compromised. It could give a hacker complete control of your WordPress site.

To fix this all you need to do is add a little line of code to your .htaccess file.
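The rule for .htaccess, as an added example rather than the post’s own snippet: the shell function below appends a `<Files wp-config.php>` block that tells Apache to refuse every direct HTTP request for the file, and it is safe to run more than once. It assumes an Apache 2.4 host with `AllowOverride` enabled for the site; on Apache 2.2 the block body would be `Order allow,deny` and `Deny from all` instead, and on nginx .htaccess is not read at all.

```shell
#!/bin/sh
# Add a <Files> block to .htaccess that denies direct HTTP access to
# wp-config.php. Added example, not from the post. Apache 2.4 syntax.
WP_CONFIG_DENY_BLOCK='<Files wp-config.php>
    Require all denied
</Files>'

# Returns 0 if the given .htaccess already has a <Files wp-config.php> block.
wp_config_is_protected() {
    grep -qi '<Files[^>]*wp-config\.php' "$1" 2>/dev/null
}

# Append the deny block once; re-running does not duplicate it.
protect_wp_config() {
    htaccess=$1
    if wp_config_is_protected "$htaccess"; then
        return 0
    fi
    printf '\n%s\n' "$WP_CONFIG_DENY_BLOCK" >> "$htaccess"
}

# How many such blocks the file contains (should be exactly 1 afterwards).
count_wp_config_blocks() {
    if [ -f "$1" ]; then
        grep -ci '<Files[^>]*wp-config\.php' "$1" || true
    else
        echo 0
    fi
}
```

After running `protect_wp_config /path/to/wordpress/.htaccess`, a request for `/wp-config.php` should return 403 instead of the file’s contents.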


I realize some of this can get pretty technical. Fortunately, there are some great plugins that will take care of most security issues on your WordPress site.

The plugin I highly recommend, and that I use on this site, is SecuPress. It’s very user-friendly and will scan your site, show you each vulnerability, and fix it for you.

I know firsthand what a nightmare it is when your WordPress site gets hacked. I hope this post will help you to better secure your website.

For more on how to discover and recover from WordPress hacks check out this excellent post from our good friends at WP City.

Was your website hacked? Tell me about it in the comments below.
