Why Do WordPress Websites Get Hacked?

What causes security breaches in WordPress websites

Why WordPress Websites Get Hacked

WordPress is used by 35% of the websites on the internet. This figure includes websites powered by WordPress.com, but even so, 35% is a very high share. So when it comes to hacking websites, which platform do attackers target: Drupal, Joomla, some other less common CMS, or WordPress? Their effort pays off best when they spend their time on the CMS with the widest usage, and that is WordPress.

So how do you protect your WordPress website?

Is it about secure hosting, securing your passwords, or securing WordPress itself? Among the many layers of security, which one should you focus on the most?

The Major Cause of Security Breaches in WordPress

WordPress is pretty secure out of the box: the core code receives proper security audits. However, that has little effect on how plugins operate, since plugins function largely independently of core. Plugins are contributed to the WordPress repository by independent parties, and the onus of auditing their code for security does not lie with WordPress. Only the initial version goes through the approval process; whatever is introduced in subsequent releases is entirely up to the plugin developer(s). Even so, a few specific attack vectors are responsible for the majority of infections.

Major Attack: Cross-site Scripting & SQL Injection

Insecure or poorly written code in plugins can compromise the security of the whole website. If a plugin allows an unauthenticated user to save data, an attacker may be able to inject rogue data into WordPress; when that data is later rendered in a page without being escaped, this translates into cross-site scripting (XSS). XSS accounts for the majority of attacks and malware clean-up requests on our support desk.

SQL injection is the second most common attack, in which an attacker supplies malicious SQL through unsanitized input that the plugin then executes against the database. As a result, your database gets compromised.
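To make the two plugin defects above concrete, here is an added illustration (written for this article, not code from any real plugin): a made-up "guestbook" handler that saves a visitor message and prints it later. The first half shows the insecure pattern; the second half shows the same feature hardened with WordPress's own capability, nonce, sanitization, prepared-statement and escaping APIs. The table name `{$wpdb->prefix}guestbook`, the option name and the hook names are hypothetical.

```php
<?php
// --- Vulnerable pattern: anyone can save data, input is stored raw,
//     the SQL is string-built, and the value is echoed unescaped.
add_action( 'init', function () {
    global $wpdb;
    if ( isset( $_POST['gb_message'] ) ) {
        $msg = $_POST['gb_message']; // untrusted, unauthenticated input
        // SQL injection: user input concatenated straight into the query
        $wpdb->query( "INSERT INTO {$wpdb->prefix}guestbook (msg) VALUES ('$msg')" );
        update_option( 'gb_last_message_unsafe', $msg ); // stored as-is
    }
} );
add_shortcode( 'gb_last_unsafe', function () {
    // Stored XSS: whatever was saved is rendered into the page verbatim
    return get_option( 'gb_last_message_unsafe', '' );
} );

// --- Hardened pattern: the form posts action=gb_save to admin-post.php
//     and includes wp_nonce_field( 'gb_save_action', 'gb_nonce' ).
add_action( 'admin_post_gb_save', function () {
    global $wpdb;
    // 1. Authorization: only users allowed to edit content may save.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions', '', 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce.
    check_admin_referer( 'gb_save_action', 'gb_nonce' );
    // 3. Input validation: strip slashes, tags and control chars; bound length.
    $msg = sanitize_text_field( wp_unslash( $_POST['gb_message'] ?? '' ) );
    if ( '' === $msg || strlen( $msg ) > 500 ) {
        wp_die( 'Invalid message', '', 400 );
    }
    // 4. Parameterized query: %s is escaped by $wpdb->prepare().
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}guestbook (msg) VALUES (%s)",
        $msg
    ) );
    update_option( 'gb_last_message', $msg );
    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
} );
add_shortcode( 'gb_last', function () {
    // 5. Output escaping at render time, regardless of what was stored.
    return esc_html( get_option( 'gb_last_message', '' ) );
} );
```

Sanitizing on input and escaping on output are independent controls; the hardened version keeps both because data may reach the option table through other code paths.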

Many security providers thrive on FUD: fear, uncertainty and doubt. The average WordPress user knows little about security and can be sold almost anything in the name of it. However, you don't have to buy into everything you come across.

  • Most hosting providers are reasonably secure; those that are not do not stay in business for long.
  • The major cause of security breaches is plugins (and themes).
  • Don't use nulled plugins or themes, at any cost.
  • Security breaches also happen because of poor handling of credentials.
  • Regularly monitor your site, run security scans, and always keep your plugins, themes (and WordPress itself) up to date.
  • Look for the signs of infection and act promptly if there is any indication that your site is compromised.
  • Make sure third-party plugins come from credible developer(s).
  • Follow the steps here to secure your WordPress website.
  • Don't be paranoid or fret too much about every aspect of security.

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans network security, security audits and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, including Nginx, ModSecurity, reverse proxies, developing web application firewalls, on-the-fly asset optimization using Google's PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.