WordPress is one of the most used and most popular content management systems used by millions across the globe. More than 40 percent of the top million websites on the internet run on WordPress. Being an open-source content management system, WordPress makes it easy for anyone to create a website. Be it, beginners or advanced users, WordPress is used by everyone and is one of the most used platforms for building a website.

With several businesses trying to build an online presence, they are also looking for ways to build professional websites. E-commerce, banking, healthcare, insurance, education, etc., are among the industries that have built and are building an online presence. As much as technology is emerging, threats of cyber attacks are also increasing. It is becoming more and more crucial to secure websites from cyber criminals who are looking to gain access to websites for monetary benefits.

This article explains the possible vulnerabilities in WordPress websites that can be exploited by cybercriminals and how to prevent your WordPress website from being hacked.

Why Do Hackers Target WordPress Websites?

Hackers target all websites on the internet and WordPress websites are among the websites they commonly hack, as it is one of the most popular content management systems. As it is more popular and used by many, hackers easily find WordPress sites that fail to implement the required security measures and exploit vulnerabilities. WordPress’s widespread usage is one of the reasons why it is targeted by hackers.

Cybercriminals hack websites for several reasons. While beginners attack small websites that are less secure when compared to the rest, some hackers attack websites to distribute malware, disrupt services and shut down a website to steal money or valuable information.

In most cases, hackers do not target specific WordPress websites, but they look for known vulnerabilities they can exploit. They target many websites at a time and finally end up hacking a certain number of websites. Most of the time, small businesses happen to become victims of such attacks.

Most hackers hack websites for monetary benefits. With that said, by now, you must have understood that you will need to prioritize security if your website has sensitive user information and involves financial transactions. It doesn’t mean you need not secure your website because it does not involve financial or other sensitive information. Hackers might find something else on your website useful and hack it for other reasons. However, it is not that WordPress is an unsafe platform, but like every other platform, it does have vulnerabilities. All you need to do to keep your website safe is to identify vulnerabilities and fix issues if any.

Below are the top causes of WordPress websites getting hacked.

Vulnerabilities in WordPress Sites Exploited by Hackers

Using Weak Passwords

week password

One of the most common vulnerabilities in WordPress websites is poor passwords. Still, many users are found to use weak and easy-to-guess passwords. Hackers can easily guess simple passwords like 12345, password, admin, etc. When they guess the password, they will be able to compromise your website and access your admin accounts.

The best way to prevent hackers from guessing your password is by using a strong password. A strong password is something that includes special characters, numbers, letters, and more. Secure your Database Access, FTP account, etc., with strong passwords that aren’t easy to guess. If you wish to keep your password secure, you can also go for a password manager, a tool to automatically generate high-strength passwords and store them. This way, you can strengthen the security of your WordPress site and also prevent hackers from gaining access to your passwords and causing damage to your site.

Outdated WordPress Version

outdated wordpress version

Like many think, creating a WordPress website is not a one-time process. WordPress websites have to be regularly updated and maintained. WordPress website owners fail to apply software updates, as a result of which, their websites get hacked. Most updates are free to download, but website owners think that their websites could crash if they are updated and fail to update their websites to the newest version. They continue to use older versions that could have vulnerabilities or bugs. Hackers take advantage of such known vulnerabilities and carry out SQL injections and other malware attacks. Updating your website regularly will help you stay away from cyber attacks. New updates to WordPress will include patches for new malware threats. When you update your website to the latest version, your website’s cybersecurity will increase.

To make sure your website does not become a victim of attacks, it is important to keep your website updated. Update your website to the latest version when you receive a notification about an update. You can install the update on your staging site to test it before you update your live website to the newest version.

Outdated WP Plugins and Themes

outdated wordpress themes and plugins

Just like the point mentioned above about updating WordPress software, outdated plugins and themes can make your site vulnerable to attacks. Hackers can easily take advantage of vulnerabilities in outdated themes, unused plugins, etc. installed on your website, to infect your website. There are thousands of plugins available for WordPress websites and one can easily install a theme or plugin from any website. Many website owners forget about the installed themes and plugins and fail to update them to the latest version. Here is where the problem starts, as keeping an outdated version of themes or plugins on their websites will make it very easy for criminals to attack the website.

In order to avoid this problem, make sure you update every plugin and theme installed on your site regularly. Remove unused plugins and check if there are alternatives you can use. Checking them on a weekly basis or once every fortnight will help ensure there are no problem-causing plugins or themes on your website. Update plugins and themes with patched versions to make sure your website cannot be attacked.

SSL Certificate

SSL certificates are mandatory for websites to encrypt data transmissions. Websites with SSL certificates will have HTTPS and not HTTP. When a website is encrypted with an SSL certificate, an encrypted connection will be enabled and it will make it almost impossible for third parties like hackers to read the data that is transmitted between the web server and the browser by assigning random values to the data. A website that has an SSL certificate will have HTTPS in the address bar, which means the website is secured. Websites without an SSL certificate can be easily hacked and may not rank on Google, resulting in receiving only a few visitors.

If your website is not encrypted, you can quickly migrate to HTTPS by getting an SSL certificate for your website. When your website is encrypted with an SSL certificate, hackers and other cybercriminals will not be able to intercept data that is transmitted. You can almost secure your website instantly with an SSL certificate from a trusted certificate authority like DigiCert, Comodo or RapidSSL. As soon as your website is issued an SSL certificate, you will see HTTPS on the address bar.

Web Hosting

web hosting

Many website owners do not pay much attention to web hosting. If you are one among them, your website could become vulnerable to hacking attempts. Just like any other website, WordPress websites are also hosted on a web server. Many go for free web hosting services or cheap hosting providers. Remember, such hosting platforms will not be secure, thus making the websites hosted on their servers vulnerable to attacks.

To secure your website and prevent hackers from attacking your website, your website has to be hosted on a safe platform and not a free or shared hosting platform. When your website is hosted on a shared hosting plan, your website will share resources with several other websites. So when one website hosted on the shared server is hacked, all the other websites hosted on the server can be hacked, as well.

If your website is hosted on a shared server, it is time to consider switching to a secure hosting plan. Go for a web host that offers best-in-class security features to keep hackers at bay and improve the performance of your website.

Common Admin Usernames

common admin usernames

Just like weak passwords that make your website vulnerable to attacks, simple and common usernames for admin accounts that are easy to guess will also let hackers gain access to admin accounts. Common admin usernames include admin, admin123, etc. Some admin accounts have the same username and password. If your website has one such user name, it is high time to consider changing it to something unique.

When a hacker gets into your admin account, he/she will be able to gain control of your backend files and cause damage to your website. To avoid this problem, change common usernames to unique names. You can start with changing the default username of your admin account and see to it that only the users who really need access to it have access to it and limit access to other users.

Access to the WordPress Admin Folder

wordpress access denied

In most cases, hackers gain access to a website’s admin area/folder to hack a WordPress website and crack it. Hackers generally target the admin folder, as they can easily extract all sensitive data by accessing the admin area.

Hackers use different methods to get into a website’s admin folder. The best way to prevent your website’s admin folder from being hacked is by adding an extra layer of security, i.e., by using multi-factor authentication. You can secure the admin folder with a strong password and also enable two-factor authentication to make it more secure and hard for hackers to get into your admin folder.

Firewall Protection

A Firewall will identify cyber threats and help protect your website from attacks online. It will identify and block requests from malicious websites. You can use a firewall along with a malware scanner for increased security. Firewalls will look for anomalies in the web traffic and alert website owners of attacks.

When a website does not have firewall protection, hackers can easily get around website security measures and gain access to the website’s backend resources. Firewalls can prevent attacks like SQL injections, DDoS attacks, brute force attacks, etc.

Using FTP


Three types of protocols, namely, FTP, SSH, and SFTP, are used to transfer data between the server and the client. When compared, SFTP and SSH are more secure than FTP. Many use FTP to upload files, which makes them vulnerable to attacks as their passwords will be sent unencrypted to the server when they use FTP. In this case, hackers can easily access your password.

So, it is wise to use SSH or SFTP, as the files sent using these protocols will be encrypted and hackers may not be able to intercept the data transmitted. If your website uses the FTP client, you just need to change the protocol to SFTP – SSH, as most hosting providers allow FTP connections using SFTP or SSH. So, this way, you can switch to SSH/SFTP without changing your FTP client.

Unsecure WordPress Config File

unsecure wordpress config file

wp-config.php is the WordPress configuration file that contains important information. This file contains information like database login details, user data, login details, and more. Websites need this file to run and the importance of this file makes it one of the most favorite files and primary targets for hackers. If at all any third-party compromises this file, they can gain complete access to your website. So, it is important to add an additional layer of security to this file.

One of the best ways to secure this file is by denying access to it, which is by using .htaccess.

Here is the code you need to add to your .htaccess file to secure it.

<files wp-config.php>
order allow,deny
deny from all

Quick Tips to Prevent WordPress Sites from Getting Hacked

Here are a few methods to prevent hackers from attacking your website.

  • Update WordPress, themes, plugins, etc., whenever there is a new update available.
  • Use complex passwords to secure your admin account and other important files.
  • Use multi-factor authentication wherever required, for added security. 
  • Enable HTTPS by securing your website with an SSL certificate. This will help secure your website and your website visitors, as well.
  • Make sure to install plugins and themes only from known sources.
  • Regularly scan your website for viruses and malware.
  • Clean up WordPress by removing unwanted and unused files you no longer need.

Avoid free hosting providers and spend a few bucks and go for a secure hosting service that offers firewalls, DDoS protection, network monitoring, etc.

The Bottom Line

WordPress is used by millions across the globe to build websites and to build an online presence. It comes with plenty of features and a few drawbacks, as well. You can easily secure your website and keep hackers at bay by implementing the required security measures and by keeping your website updated. We hope this article helped you understand what are the top causes of WordPress sites getting hacked and how to prevent your website from getting hacked.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.