Why hackers try to break into WordPress

Table of contents

If you have ever owned a website built on WordPress you would have no doubt at some stage heard about how your website could be hacked. A lot developers will have you believe that it’s WordPress itself that is insecure, pushing other platforms or products as a ‘safe’ alternative. But is that really true? Why would a WordPress website be targeted over any other platform and what can you do to prevent it?

Why do they do it?

WordPress hackers are not targeting you specifically. 99.9% of the time a WordPress hack is a crime of opportunity. Much like how Google scans the web for sites to add to it’s search engine, hackers are constantly scanning for websites that might have a weak spot to break in.

They do it so that they can:

  • install malware that visitors of your website download
  • redirect visitors to other websites
  • use your website to send spam emails or perform other tasks

Is WordPress to blame?

According to leading security company Securi 78% of websites that were compromised in the first quarter of 2016 were built on WordPress but warn that this is not reflective of WordPress itself. Factors that influence this stat are WordPress’s popularity, web hosting configurations, plugins and themes used and lack of maintenance.

The vast majority of vulnerabilities in WordPress relate to extensible components. Extensible components are related to the integration of plugins, extensions, components, modules, templates, themes and other similar integrations. One of the beauties of the WordPress community is the vast array of plugins and themes that are freely available to download, use and modify. This is also it’s downfall.

Plugins are the number one offender for WordPress vulnerabilities, followed closely by themes. NOT WordPress itself. WordPress core itself is solid and is maintained frequently.

Use reputable plugins

Not all plugins are created equal, and just like a lot of websites, not all plugins are maintained on a regular basis. It’s extremely important to choose reputable plugins for your WordPress website. Now if you’re not building websites every day, it can be a challenge to identify what is reputable and what is not. Look for plugins that have a larger number of active installs, at least in comparison to your options. Also look at the last updated date. If a plugin hasn’t been updated in 12 months, it’s a good sign the developer has abandoned ship and you should stay clear.

Update your plugins

A lot of the time even good plugins are the cause of a website hack, because the plugin wasn’t up to date on the hacked website. The more popular plugins are often targeted the most for obvious reasons. They give hackers access to more websites. When an out of date plugin was the reason for a website being hacked, here are the three worst offenders:

  1. RevSlider (10%)
  2. Gravity Forms – A plugin I personally use on all websites (8.5%)
  3. TimThumb (6%)

These are some of the most popular and well maintained plugins in the WordPress repository, but left without updates they are the number one cause of intruders.

Use strong passwords

Another tactic employed by hackers is to run username and password combination lists against your login page. If you use a common word or phrase as your password, chances are that someone else has thought of that too. They use brute force to try as many passwords as possible in the hopes of eventually getting lucky.

Use a strong, complicated password. It can be annoying, you might need to store your password somewhere because you won’t be able to remember it easily, but it’s worth it. You should also change your password often. I do a yearly password purge myself but it should probably be more frequent than that.

Use a security plugin

There are quite a few WordPress security plugins available but my plugin of choice is iThemes Security. After installing this plugin you can ‘one click’ secure your website with some default settings, but dive a little deeper and you can really lock down your website.

One of the things you will notice straight away are the number of attempts to break into your website. You will be notified by email whenever a user is blocked from your website. You can turn this notification off, but I encourage you to get an idea first of just how many times it is happening.

Here are some of my favourite things to implement in iThemes Security:

  • Automatically ban anyone trying to login as ‘admin’. You should never use admin as your username for starters, and then anyone trying to use it will be instantly blocked from accessing your website.
  • Reduce the max login attempts per host. This is how many guesses a user gets at logging in to your website. Default is 5, I think 3 is enough.
  • Increase minutes to remember bad login. 3 guesses per hour is more than enough so set this to 60 minutes.
  • Enable’s blacklist feature. This is just a list of known hosts that are hacking websites.
  • Enable hide backend. You can move the admin login page from to any other address. This doesn’t stop login attempts completely unfortunately but it will stop some from poking around.

It’s not WordPress, it’s you

WordPress is like any piece of software needing regular updates whenever vulnerabilities are discovered. It’s popularity is it’s weakness, painting a target sign on it’s back for hackers. But if you ensure you use reputable plugins and themes that release frequent updates which you then actively monitor and install, your chances of being hacked are greatly reduced.

If doing all of that is not your game, go with a developer or website host that offers WordPress specific managed hosting where they take care of all of the security, updates and backups for you. It may cost you a little more per month, but you can sleep easy at night knowing your business won’t be effected by a random hacker trying to ransack your website.


If you like this post you’re gonna love…

post-button-prev post-button-next