Why do WordPress websites always get hacked?

When you run a business, irrespective of its size, getting your website hacked is not only a real nuisance; it can also quickly become a very costly problem.
Most business owners are probably aware of WordPress, how it has proven to be a great, flexible Content Management System, and why you should use WordPress for your business website.
There is no denying the popularity of WordPress as an all-round web content management system; after all, WordPress powers over 20% of all internet sites. Its growth has been amazing since it started out in 2003 as a purely blogging platform. It has evolved and improved with every release, gradually transforming into a general-purpose web content management system.
The WordPress team has already fixed more than 2,450 security vulnerabilities since they first launched their application. In most cases, they fix vulnerabilities within a few days. The fastest response time for a WordPress vulnerability patch was just under 40 minutes.
WordPress releases updates to its core system frequently, not only to enhance, update or add features but also to provide security updates and address bugs.
Because WordPress is so widely used and constantly tested in real-world scenarios, there is a constant feedback cycle! If there are any issues, they are acted upon fairly quickly.
Here comes the first dilemma. When the WordPress community creates and releases a security patch, they obviously want to communicate this to as many people within the community as possible, so that those people can update their systems. People being people, they would like to know more details about what is in the security release and why they are at risk. So this information is dutifully communicated in blog posts, email lists etc.
The trouble is that the more nefarious members of the internet community also look out for this information. Once they gain an understanding of what the issues are and, more importantly, which versions the issues affect, they will go and search for these older versions of WordPress and orchestrate an attack!

Why do hackers target WordPress websites?

The average WordPress website is used as either a blog or a website, and most of the time as both. However, it is becoming increasingly common for people to run their entire business using WordPress, including e-commerce and social media platforms.
Irrespective of the type of website, most organisations and individuals will use it to collect user information, i.e. email addresses, names, postcodes etc. In the case of e-commerce or subscription-based sites, this includes credit card information.
To your average hacker, this is a treasure trove of information as it can be sold for Bitcoins. How else are they going to afford to buy all those Monster drinks and Fritos?
The number of cyber attacks targeting WordPress has continued to increase at a rapid rate. Some data sources state that in 2017, there were nearly 100,000 attacks on WordPress websites happening per minute.
Typically these attacks use vulnerabilities in the WordPress core, plugins or themes. Hackers use these vulnerabilities to steal data, plant malware or launch a denial of service attack.

How to stop WordPress from getting hacked?

The answer is that you need to ensure your WordPress website is not among the 70% of unmaintained instances.
You will need to carry out regular maintenance on your WordPress site and also ensure your hosting provider has all the necessary security precautions in place on the server itself.
However, it is important to note that not all hosting service contracts actually include coverage of your website or its maintenance. This is the responsibility of the website owner/administrator.
Hosting providers usually only guarantee that the server your website is hosted on is secure and backed up regularly; the software you use to create your website, and any warranty on it, is often your responsibility!
Ensure your hosting company provides Website Maintenance Plans, with packages which are optimized to make WordPress websites and blogs as fast, secure and reliable as they can possibly be.
Fully managed packages typically include backstage chores like updates, security patches and daily backups. These will typically include multiple powerful software firewalls, sophisticated monitoring and custom rules and plugins to help defend your site from common WordPress threats like brute force attacks.

Common website vulnerabilities

The developers of WordPress take security seriously. They have extensive processes for their release cycles, security releases, and bug checking.
WordPress is also heavily involved with the Open Web Application Security Project (OWASP) — an online community that is focussed on improving web security.
There are thousands of WordPress developers working hard to address the top 10 security risks identified by OWASP including:
– Injection attacks
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object Reference
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
The steps that WordPress developers take to address these issues help to make it one of the safest content management systems available.
WordPress also has a Bug Bounty Program in place. This program gives developers rewards if they find bugs. However, their bug bounty program only covers vulnerabilities that are strictly the fault of developers.
Ironically, the main entry point for most WordPress hacks is through themes and plugins, mostly themes and plugins that have not been updated in a while. For instance, if you are using a theme or plugin that has not been updated in at least 6 months, then there is a very good chance that it is presenting an attacker with an opportunity to penetrate your system.
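As an added example (not part of the original article and not WordPress's own tooling), the following Python script applies the 6-month rule of thumb above to a plugin inventory and also flags pending updates. The sample data is constructed; the `last_updated` field and the `audit` function are assumptions made for illustration, while the other fields mirror the columns of `wp plugin list --format=json`.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=183)  # the article's "at least 6 months" rule of thumb

# Constructed sample inventory. name/status/version/update mirror the columns of
# `wp plugin list --format=json`; "last_updated" is an assumed extra field holding
# the date of the component's latest published release (None when unknown).
SAMPLE = [
    {"name": "contact-form-x", "status": "active", "version": "2.1.0",
     "update": "available", "last_updated": "2024-05-20"},
    {"name": "legacy-gallery", "status": "active", "version": "1.4.2",
     "update": "available", "last_updated": "2023-01-15"},
    {"name": "old-slider", "status": "inactive", "version": "0.8.0",
     "update": "none", "last_updated": "2022-11-03"},
    {"name": "seo-helper", "status": "active", "version": "3.0.1",
     "update": "none", "last_updated": "2024-04-02"},
    {"name": "agency-custom-addon", "status": "active", "version": "0.9",
     "update": "none", "last_updated": None},
]

def audit(inventory, today):
    """Return [(name, [reasons])] for components needing attention, most reasons first."""
    findings = []
    for item in inventory:
        reasons = []
        if item.get("update") == "available":
            reasons.append("update pending")
        released = item.get("last_updated")
        if released is None:
            # Custom or delisted code: nobody is known to be shipping fixes for it.
            reasons.append("release date unknown")
        elif today - datetime.strptime(released, "%Y-%m-%d") > STALE_AFTER:
            reasons.append("no release in over 6 months")
        if reasons:
            findings.append((item["name"], reasons))
    # Components with several reasons sort first, then alphabetically by name.
    return sorted(findings, key=lambda f: (-len(f[1]), f[0]))

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE, datetime(2024, 6, 1)):
        print(f"{name}: {', '.join(reasons)}")
```

Inactive components are audited too, because their files are still installed on the server.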

What can you do to stop your website getting hacked?

In short, the primary reasons why WordPress websites get hacked often have nothing to do with WordPress itself being a poor platform or insecure by default. Rather, in most cases the fault lies squarely with the owners of the websites not being proactive and responsible for the administration and maintenance of the website.
In most cases, the website owners may have contracted an agency or freelancer to build the initial website and then, once this initial work had been completed, may not have touched the website for a few months or years.
WordPress itself is generally secure. Most of the time the points of entry for hackers are the hosting environment, vulnerable plugins and themes, and weak login information.
The best approach you can take is to ensure you take out a Website Maintenance Plan, which not only ensures your website is as secure and performing as well as it should be, but also gives you a team of developers supporting your website and the continual enhancements it needs.