11 Ways Your WordPress Sites is Vulnerable (And What You Can Do About It?)

how do websites get hacked

Wordfence reported blocking 159 billion credential-stuffing attacks in 2022. 

That’s just one WordPress security plugin. 

You can imagine the number (and intensity) of attacks on WordPress websites. These numbers also indicate how WordPress websites get hacked. WordPress is a favorite target of cyber criminals because it powers around 30% of the websites on the Internet. 

One of the main challenges in WordPress security is that most WordPress users are often unaware of attacks on their websites. Generally, a typical security incident starts with a brute-force attack where bots try hundreds of thousands of username/password combinations on the WordPress login URL (generally, wp-login.php) to discover a working combination. In most cases, WordPress security plugins block these attacks but don’t raise any alarms. 

WordPress security incidents are on the rise as the market share of the CMS increases. A related factor is the plummeting costs of mounting attacks on WordPress websites. For instance, executing a DDoS attack on a website takes a simple script. If the attack is successful, the hacker can gain significant monetary benefits by selling the data to the highest bidder.

The good news for WordPress website owners and administrators is that protecting a WordPress website is a matter of paying close attention to specific website areas and following an action plan. 

In this WordPress security guide, we’ll discuss how WordPress websites get hacked and how you can apply simple fixes to prevent these attacks.

Table Of Contents

  1. How Do Websites Get Hacked (And How To Protect Your Website)
    1. Insecure Passwords
    2. Insecure Web Hosting
    3. Unprotected Access to WordPress Admin (wp-admin)
    4. Improper File Permissions
    5. Keeping the Older Versions of the WordPress Core, Themes, or Plugins
    6. Outdated PHP Version(s) on the Server
    7. Using Plain FTP instead of SFTP/SSH
    8. Retaining the username Admin
    9. Using Nulled Plugins and Themes
    10. Not Securing the wp-config.php File
    11. Keeping the Default WordPress Table Prefix
  2. How To Prevent Your Website From Hacking Incidents
  3. Conclusion
  4. FAQ’s

How Do Websites Get Hacked (And How To Protect Your Website)

website hacked

When it comes to website security, you should understand that out-of-the-box WordPress is insecure. That’s why hackers can exploit several entry points to gain access to your website. 

Another critical aspect of WordPress security is that hackers attack websites, regardless of the size and traffic. The most prominent sites are often the first to get attacked, but the automated tools that hackers use will eventually come to small websites. 

Let’s discuss some common WordPress website security aspects that hackers exploit and what you can do to protect your website. 

Insecure Passwords

The brute-force and dictionary attacks are frequently used against WordPress websites. Let’s quickly go through how these attacks progress and then see how you can protect your websites. 

A hacker first searches your website for usernames or email addresses of registered users (the author archive pages are a great source for these addresses). Hackers then guess the website login URL and a username like admin, administrator, or root.

In the second phase, the attacker initiates a brute-force attack where the script tries random character, numeric, and special character combinations to find the password.

In a similar attack, the attackers use multiple dictionaries (each with millions of words) in text format. The script tries each term in these files for a specified username to guess the password.

How can you protect your website?

WordPress offers several plugins that bring brute-force attack protection to website security. All popular security plugins force login rate limiting that locks the login page after a certain number of failed attempts. This nullifies the impact of the attack. 

Insecure Web Hosting

The hosting provider is an essential player in WordPress website security. If the server hosting the website is insecure, the website-level security measures are not enough. Hackers can exploit one or more server vulnerabilities to gain access to the server and directory structure. 

How can you protect your website?

Website owners should opt for a dedicated hosting provider that takes security seriously. When the underlying hosting infrastructure is secure, the hosted website has significantly better security than other websites. 

At the minimum, the provider should support server-level firewalls and SSL certificates for basic server and website protection. 

Unprotected Access to WordPress Admin (wp-admin)

The WordPress Admin (wp-admin) is the gateway to your WordPress website. Anyone who can successfully pass this URL has direct access to the website. 

The core challenge here is that most WordPress websites use the standard URL structure for the web pages. Hackers already know that most of their targets have a valid wp-admin URL.

As you can guess, this is a WordPress website’s most frequently attacked URL. Hackers use brute force and similar attacks to crack this URL. A user can access the WordPress admin area to take various activities on your WordPress website. It is also the most frequently attacked part of a WordPress site.

How can you protect your website?

You should first redirect the URL to a different one so the hackers cannot apply automated attacks against the standard URL. 

You should also apply login throttling so the attack fails after three or five attempts. You can also add a security question to trip attackers with valid login credentials.

Finally, ensure you have MFA (at minimum 2FA) for better protection. 

Improper File Permissions

Your web server uses a set of rules called file permissions for files and directories. The server OS and WordPress core files use these permissions to determine who can access files and whether the files are read-only. 

Hackers can exploit incorrectly set file permissions to set up attacks on websites. 

How can you protect your website?

Most hosting panels allow you to change file permissions through a GUI-based process. Your WordPress files should all have a file permission value of 644. Similarly, the website’s folders should all have a file permission value of 755.

file attributes

Keeping the Older Versions of the WordPress Core, Themes, or Plugins

Using outdated plugins, themes, or WordPress versions on your website is one of the simplest ways websites get hacked

Users and security experts regularly point out security flaws and loopholes in the current and older versions of the WordPress core, themes, and plugins. As time passes, hackers build exploits to take advantage of these vulnerabilities. 

So, if you’re using older versions, you leave the doors open for the criminals. In fact, hackers regularly scan their targets for known vulnerabilities and set up attacks because exploiting these vulnerabilities is quick and cost-effective. 

How can you protect your website?

We suggest updating to the latest version of the WordPress core files and any installed plugins and themes. These updates close off known vulnerabilities and enhance the overall website security.

The WordPress Dashboard offers alerts whenever developers release an update to the WordPress core, themes, and plugins. 

WordPress has an automated update process that takes care of the update part. We strongly recommend testing the updates first in staging so you have complete confidence that the updates don’t break your live website. 

Outdated PHP Version(s) on the Server

PHP powers WordPress and the underlying server software infrastructure. In most cases, PHP is installed on the server as part of the LAMP stack that WordPress uses for its operations. 

So, if you have an outdated PHP version on the server, you will see the impact on the WordPress website’s performance. You’ll often see strange errors and problems with plugin and theme operations. 

Outdated PHP versions can also cause unanticipated security issues, as hackers can use known vulnerabilities in older PHP versions to compromise your website. 

How can you protect your website?

Resolving this situation is easy – just update the PHP version to the latest stable one

You can often simply contact your hosting provider and ask the support team to update it on your server. You’ll see an immediate improvement in website performance. 

Using Plain FTP instead of SFTP/SSH

SSH file transfer protocol

FTP accounts are used to upload content and files to your web server via an FTP client. However, FTP is an unencrypted and not very secure way of connecting to the server and transferring data. In most cases, FTP connections move data in cleartext that hackers can divert and use without difficulty. 

How can you protect your website?

We recommend switching to SFTP or SSH for better protection when using an FTP client. All popular FTP clients support these protocols, and you only need to make minor modifications to the settings of your current FTP client.

Retaining the username Admin

Admin is perhaps the easiest username to guess on any system. That is one of the reasons why websites get hacked so easily. 

An account with this username removes 50% of the challenge for the hackers. They only have to guess the password for this account and gain entry. 

How can you protect your website?

If you haven’t already, remove the account with the username Admin. Ideally, the admin account should have a random string as both username and password for maximum security. 

Using Nulled Plugins and Themes

malware alert

A simple Google search will reveal many websites offering “free” versions of premium WordPress themes and plugins. Business owners who are considering saving on website operational expenses usually fall prey to these websites and download plugins and themes. 

Once they install and activate the product, the hidden malicious code kicks in and starts the security incident. This could range from website defacement to the theft of essential data. 

In fact, these fake plugins and themes are hackers’ favorite attack tactics because the target does all the work in this case and lets them in. 

How can you protect your website?

If you are looking for a specific functionality or look, there is always a free product by a reputable WordPress development agency. While there wouldn’t be a 100% match between the product functionality and your requirements, you will not create a vulnerability in your website’s defenses. 

WordPress products go on sale several times a year. We recommend waiting for a sale and getting your desired theme or plugin at a discount from the original developer.

Not Securing the wp-config.php File

Your WordPress database login information is in the wp-config.php, the WordPress configuration file. It is another favorite target of cyber criminals because the contents of this file can grant access to the entire site. 

How can you protect your website?

We strongly recommend increasing the security for the wp-config. php file by restricting access to it in the .htaccess file. 

Open the .htaccess file in your preferred code editor and add the following lines: 

<files wp-config. php>

order allow,deny

deny from all


This code snippet denies access to the wp-config. php file to all users. 

Keeping the Default WordPress Table Prefix

All tables in WordPress have a default wp_ prefix. If you don’t pay attention to the table structure and naming convention, chances are hackers can easily guess table names and use this information to attack your website. 

How can you protect your website?

During installation, WordPress asks for a custom table prefix to add a layer of protection against SQL injection attacks. We recommend generating a random character string and using it as the table prefix to make it almost impossible to guess WordPress table names. This simple fix protects your website from SQL injection and XSS attacks that exploit malicious SQL queries. 

How To Prevent Your Website From Hacking Incidents

Now that you know the security challenges your WordPress website faces, let’s see how you can create a comprehensive security strategy that ensures all-around protection for your WordPress websites. 

We suggest you incorporate the following pointers in your website security plan. This plan should be executed as a weekly, monthly, and quarterly checklist. 

  • Make sure all users use secure passwords (16-character alphanumeric strings). WordPress offers a dedicated password generator that you can use to create passwords for the users. 
  • Invest in secure hosting, and request that your host upgrade PHP to 8.2 or higher. 
  • Install any pending updates at least once every week. 
  • Audit user roles and permissions every month. Unused user accounts should be backed up and deleted. Similarly, file permission should be revoked once they are no longer needed.
  • Remove any plugins and themes you aren’t using anymore. While there, check plugins to see if you can replace them with a secure alternative. 
  • Install and properly configure a security plugin. This may require technical expertise, but the benefits far outweigh the costs. You should review the logs every week to optimize website security processes.
  • Make sure your website is always backed up. We recommend starting with the free plans of popular plugins like UpdraftPlus and BackWPUp. You can opt for a paid plan if you need more control over the backup process


Even if you’re not tech-savvy, understanding how WordPress sites might be vulnerable is crucial for website owners. Security is a critical consideration for WordPress websites such as WooCommerce stores and business websites. 

You can take preventive measures more effectively if you understand the techniques hackers use to access your websites. Regular updates, strong passwords, secure hosting, and reliable plugins are some of the ways to protect your WordPress site from potential dangers.

Keep in mind that maintaining security requires continuous dedication. Website owners need to ensure education, vigilance, and close attention to protect their websites.

Ready to Enhance Your Hosting Experience?

With RedSwitches, a leader in hosting solutions worldwide, explore the world of dedicated hosting. No matter what level of customization, security, or performance you require, our dedicated hosting services can meet your needs. Discover the power of a focused setting designed specifically for you. RedSwitches can help you improve your internet presence right now.

If you’re looking for a robust server for your WordPress projects, RedSwitches offers the best dedicated server pricing and delivers instant dedicated servers, usually on the same day the order gets approved. Whether you need a dedicated servers, a traffic-friendly 10Gbps dedicated server, or a powerful bare metal server, we are your trusted hosting partner.


Q. What are the most common ways hackers target WordPress sites?

A: Hackers commonly exploit outdated software, weak passwords, malicious plugins/themes, and vulnerabilities in third-party components to gain unauthorized access.

Q. How do I secure my WordPress site if I’m not tech-savvy?

Regularly update your WordPress core, themes, and plugins. Use strong, unique passwords, opt for reliable hosting, and only install plugins/themes from trusted sources.

Q. Are there security plugins I can use to enhance protection?

Yes, security plugins are designed to add a layer of defense to your site. Some popular options include Wordfence, Sucuri Security, and iThemes Security.

Q. Can a hacked site be recovered?

In many cases, you can recover a hacked site by restoring a backup or seeking professional help. Regular backups are crucial to minimizing potential data loss.

Q. How can I prevent my site from getting hacked in the first place?

Stay informed about the latest security best practices, keep software up to date, use secure hosting, and implement additional security measures like two-factor authentication.