One of our readers recently asked us why WordPress websites are being hacked. It is frustrating to find out that your WordPress site has been hacked. In this article, we will share the main reasons why WordPress sites get hacked, so that you can avoid these mistakes and protect your site.
Why are hackers targeting WordPress?
First, it's not only WordPress. All websites on the Internet are vulnerable to hacking.
The reason why WordPress sites are a common target is that WordPress is the most popular website builder worldwide. It powers over 31% of all websites, which means hundreds of millions of websites worldwide.
- This huge popularity makes it easy for hackers to find less secure websites that they can exploit.
- Hackers have different motives for hacking a website. Some are beginners who are just learning to exploit less secure sites.
- Some hackers try to spread malware, use a site to attack other websites, or spam the internet.
Let's look at some of the top reasons WordPress websites get hacked, and how to prevent your website from being hacked.
1. Insecure web hosting
Like all websites, WordPress sites are hosted on a web server. Some hosting firms do not secure their hosting platform properly. All websites on their servers are therefore vulnerable to hacking.
You can easily avoid this by selecting the best WordPress hosting provider for your website. This ensures your website is hosted on a secure platform. Properly secured servers can block many of the most common attacks on WordPress sites.
We recommend using a managed WordPress hosting provider as an extra precaution.
2. Using weak passwords
Passwords are the key to your WordPress site. You must ensure that you use a strong, unique password for each of the following accounts, because any of them can give a hacker full access to your website.
- Your web hosting control panel
- FTP account
- MySQL database for your WordPress site
- Email accounts used for WordPress admin or hosting accounts
All these accounts are password-protected. Weak passwords make it easy for hackers to crack them with some basic hacking tools.
By using unique and strong passwords for each account, you can easily avoid this. See our guide on the best way to manage passwords for WordPress beginners to learn how to manage all your strong passwords.
3. Unprotected access to WordPress admin (wp-admin directory)
The WordPress admin area allows a user to perform different actions on your WordPress site. It is also the most frequently attacked area of a WordPress site.
Leaving it unprotected lets hackers try different approaches to break into your website. You can make this harder by adding authentication layers to your WordPress admin directory.
You should first password-protect your WordPress admin area. This adds an additional security layer: anyone trying to reach WordPress admin has to provide an additional password.
If you run a multi-author or multi-user WordPress site, you can enforce strong passwords for all the users on your site. You can also add two-factor authentication to make it even harder for hackers to enter your WordPress admin area.
4. Incorrect file permissions
File permissions are a set of rules that your web server uses. These permissions help your web server control access to the files on your website. Incorrect file permissions can give a hacker access to write and modify these files.
All WordPress files should have a file permission value of 644. The file permission value of all folders on your WordPress site should be 755.
See our guide on how to fix the WordPress image upload problem to learn how to apply these file permissions.
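To check a site against the 644/755 rule above, the following shell functions audit a WordPress directory, list anything world-writable, and reset the modes. This is an added example, not code from the original article; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 644 (files) and
# 755 (directories) values given in the article.

# Report directories that are not 755 and files that are not 644.
wp_perm_audit() {
    find "$1" -type d ! -perm 755 -print | sed 's/^/DIR  /'
    find "$1" -type f ! -perm 644 -print | sed 's/^/FILE /'
}

# Report anything writable by "other": the highest-risk subset.
wp_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print
}

# Reset modes, directories first and then files. find does not follow
# symlinks by default, so targets outside the tree are left alone.
wp_perm_fix() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed sample tree (not a real site) with two deliberate mistakes:
# a world-writable wp-config.php and a 777 uploads directory.
wp_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/wp-content/uploads"
    : > "$t/index.php"
    : > "$t/wp-config.php"
    chmod 644 "$t/index.php"
    chmod 666 "$t/wp-config.php"
    chmod 755 "$t" "$t/wp-content"
    chmod 777 "$t/wp-content/uploads"
    printf '%s\n' "$t"
}
```

Run `wp_perm_audit` first and review its output before calling `wp_perm_fix`, since some hosts rely on different ownership or modes for specific files.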
5. Some WordPress users are afraid to update their WordPress sites
They fear it would break their website.
Each new version of WordPress fixes vulnerabilities and bugs. If you don't update WordPress, you are knowingly leaving your site vulnerable.
If you fear an update will break your website, you can create a full WordPress backup before running the update. If something doesn't work, you can easily return to the previous version.
6. Not updating plugins or themes
Just as with the WordPress core software, it is also important to update your theme and plugins. An outdated plugin or theme can make your site vulnerable.
Security defects and bugs are often found in WordPress plugins and themes. Theme and plugin authors usually fix them quickly. However, if a user doesn't update their theme or plugin, there is nothing the authors can do about it.
Make sure you keep your WordPress theme and plugins up to date.
7. Using plain FTP instead of SFTP / SSH
FTP accounts are used to upload files to your web server using an FTP client. Most hosting providers support FTP connections with various protocols. You can connect with plain FTP, SFTP or SSH.
When you connect to your site with plain FTP, your password is sent to the server unencrypted. It can be spied on and stolen easily. You should always use SFTP or SSH instead of plain FTP.
You don't have to change your FTP client. Most FTP clients can connect to your website over both SFTP and SSH. When you connect to your website, you just need to change the protocol to 'SFTP-SSH'.
8. Use of Admin as WordPress username
It is not recommended to use 'admin' as your WordPress username. If your administrator username is 'admin', you should switch it to another username immediately.
Check our tutorial on how to change your WordPress username for detailed instructions.
9. Malware in nulled themes and plugins
Many internet sites distribute paid WordPress plugins and themes free of charge. It's sometimes easy to be tempted to use nulled plugins and themes on your site.
Downloading WordPress themes and plugins from unreliable sources is very dangerous. Not only can they compromise the security of your website, they can also be used to steal sensitive information.
You should always download WordPress plugins and themes from reliable sources, such as the website of the plugin / theme developers or the official WordPress repositories.
If you cannot or do not want to buy a premium plugin or theme, free alternatives are always available. These free plugins may not be as good as their paid counterparts, but they will do the job and, most importantly, keep your website safe.
In the deal section of our website you can find discounts for many of the popular WordPress products.
10. Not Securing the wp-config.php
The WordPress configuration file, wp-config.php, contains the login credentials to your WordPress database. If it is compromised, it will reveal information that could give a hacker full access to your website.
By denying access to the wp-config.php file using .htaccess, you can add an extra layer of protection. Just add this little code to your .htaccess file.
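One way to add such a rule safely, as an added example that is not the original article's snippet: the shell function below appends a deny rule for wp-config.php to the site's .htaccess, once only, after saving a backup. It assumes an Apache server that honours .htaccess overrides; the function name and the marker comments are hypothetical.

```shell
#!/bin/sh
# Added example: deny web access to wp-config.php through .htaccess.
# Assumes Apache with .htaccess overrides enabled for this directory.

# Marker comment (constructed) used to detect an earlier run.
WPCFG_MARK='# BEGIN wp-config protection (added example)'

# Usage: protect_wp_config /path/to/wordpress
protect_wp_config() {
    ht=$1/.htaccess
    # Idempotent: do nothing if the rule was already appended.
    if [ -f "$ht" ] && grep -qF "$WPCFG_MARK" "$ht"; then
        return 0
    fi
    # Keep a copy so a bad edit can be rolled back.
    if [ -f "$ht" ]; then
        cp -p "$ht" "$ht.bak"
    fi
    # Apache 2.4 uses "Require all denied"; the second branch covers
    # older servers that only understand Order/Deny.
    cat >> "$ht" <<EOF

$WPCFG_MARK
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# END wp-config protection
EOF
}
```

After deploying the change, a browser request for /wp-config.php on your own site should return 403 Forbidden while the rest of the site keeps working.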
Cleaning up a hacked WordPress site
Cleaning up a hacked WordPress site can be very painful. It can be done, however.