Call + (44) 0843 289 4539

  • No products in the cart.

Why do WordPress websites always get hacked ?

Running a business, irrespective of size, getting your website hacked can be a real nuisance, and can quickly become a costly problem

Most business owners are probably aware of WordPress and how awesome it has proven to be as a Content Management System and why you should use WordPress for your Business Website.

If you frequent  business or start up forums, business networking events or any venue to discuss starting a web business using WordPress. You’ll often come across some know-it-all-web-guy,  who proclaims

Don’t use WordPress it always get hacked!’

What smarty pants often omits to tell you is that

Over 70% of WordPress websites are not actively maintained & therefore susceptible to attack

Here lies the true nub of the problem, it’s not that WordPress is at fault, on the contrary, it’s the unmaintained older versions of the platform that are mostly susceptible to attack.

Why are older versions of WordPress at risk ?

There is no denying the popularity of WordPress, as an all round Web Content Management system, after all it powers over 20% of all internet sites.  Its growth has been amazing,  starting out in 2003 as a purely blogging platform.  It has gradually evolved and improved with every release, gradually transforming into a general purpose web content management system.

The WordPress team has already fixed more than 2,450 security vulnerabilities since they first launched their application. In most cases, they fix vulnerabilities within a few days. The fastest response time for a WordPress vulnerability patch was just under 40 minutes.

At the time of writing (January 2019), the latest release is 5.0.3, which not only includes the new Gutenberg editor, but it also rolls in a number important security updates.

Due to the fact that WordPress is so widely used and constantly tested in real-world scenario’s, there is a constant feedback cycle!  So if there are any issues, they are acted upon fairly quickly.

Here comes the first Dilemma, when the WordPress community create and release a security patch, obviously they would want to communicate this to as many people within the community, in order to notify them so that they can update their systems.  Obviously people being people, would like to know more details about what’s in the security release and why they are at risk.  So this information is dutifully communicated in Blog Posts,  Email lists etc.

The trouble is the more nefarious members of the internet community, also look out for this information. Once they gain an understanding of what they issues are, and more importantly which versions the issues affect. They will go search for these older versions of WordPress, and orchestrate  an attack!

Why would you want to hack a WordPress site ?

This is a great question.  The average WordPress websites are either used blogs or websites, most of the time both.  However, it is becoming increasingly more common now, for people to run their entire business using WordPress, including e-commerce  and Social Media platforms.

Irrespective, of the type of website, most organisations and individuals will use them get User Information, i.e. Email Addresses, Names, Postcodes etc.  In the case of e-commerce or subscription-based sites, credit card information.

To your average hacker, this is a treasure trove of information as it can be sold for Bitcoins.  How else are they going to afford to buy all those Monster drinks and Fritto’s ?

The number of cyber attacks targeting WordPress has continued to increase at a rapid rate. Some data sources state that in 2017, there were nearly 100,000 attacks on WordPress websites happening per minute.

Typically these attacks use vulnerabilities in the WordPress core, plugins or themes. Hackers use these vulnerabilities to steal data, plant malware or launch a denial of service attack.

How to stop my WordPress site getting hacked ?

So the answer to that is, you need to ensure that your WordPress website is not in the 70% unmaintained instances.

You will need to carry out regular maintenance on your WordPress site,  also ensure your hosting provider has all the necessary security precautions on the server itself.

However, it is important to note, that not all hosting services contracts actually include coverage of your actual website, or maintaining the website. This is the responsibility of the Website Owner/Administrator.

Hosting providers usually only guarantee that the server your website is hosted on is secure and backed up regularly, but the software and warranty of the software you use to create your website is often your responsibility!

Ensure your hosting company provides Dedicated WordPress Hosting, with packages which are optimised to make WordPress websites and blogs as fast, secure and reliable as they can possibly be.

Fully managed packages typically include backstage chores like updates, security patches and daily backups. These will typically include multiple powerful software firewalls, sophisticated monitoring and custom rules and plugins to help defend your site from common WordPress threats like brute force attacks.

Common WordPress Vulnerabilities

The developers of WordPress take security seriously. They have extensive processes for their release cycles, security releases, and bug checking.

WordPress is also heavily involved with the Open Web Application Security Project (OWASP) — an online community that is focussed on improving web security.

There are thousands of WordPress developers working hard to address the top 10 security risks identified by OWASP including:

  • Injection attacks
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Insecure Direct Object Reference
  • Security Misconfiguration
  • Sensitive Data Exposure
  • Missing Function Level Access Control
  • Cross-Site Request Forgery (CSRF)
  • Using Components with Known Vulnerabilities
  • Unvalidated Redirects and Forwards

The steps that WordPress developers take to address these issues helps to make it one of the safest content management systems available.

WordPress also has a Bug Bounty Program in place. This program gives developers rewards if they find bugs. However, their bug bounty program only covers vulnerabilities that are strictly the fault of developers.

The main entry point for most WordPress Hacks are ironically through Themes and Plugins. Mostly Themes and Plugins that have not been update in a while. For instance, if you are using a theme or plugin that has not been updated in at least 6 months, then there is a very good chance that it may be presenting an attacker opportunity to penetrate your system.


In short, the primary reasons why WordPress websites get hacked often have nothing to do with WordPress itself being a poor platform or insecure by default. Rather, in most cases the fault lays squarely with the owners of the websites not being proactive and responsible for the administration and maintenance of the website.

In most cases, the website owners may have contracted an agency or freelancer to build the initial website and then once this initial work had been completed may have touched the website for a few months or years.

WordPress itself is generally secure. Most of the time the point of entry for hackers are the hosting environment, vulnerable plugins and themes as well as weak login information.

Follow Me