WordPress Hack

Is it just us, or have there been a lot of data breaches lately? Beyond the big names in the news, we’ve also had our fair share of WordPress hack events, like that big defacement issue back in 2017.

Unfortunately, security breaches are very real…

As a website owner, it’s up to you to be vigilant and to ensure that your site isn’t susceptible to being hacked.

In this article, we share 5 different factors that increase the chances of your WordPress site being hacked, and what you should do to protect yourself.

If any of these things apply to you, make sure you remedy them ASAP. It’s just not worth putting your business at risk!

1. Not updating WordPress

If there’s one commonality among WordPress hack victims, it’s this:

Not updating WordPress!

According to Sucuri’s Hacked Website Report, somewhere between 55% and 61% of WordPress hack victims were running out-of-date WordPress when they got infected, and that’s definitely not a coincidence.

By default, WordPress security updates are supposed to happen automatically. But some hosts disable that functionality, so you can’t count on that always working.
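One way to check whether automatic updates have been switched off in your own install is to look for the WordPress constants that control them in wp-config.php. The script below is an added example, not code from the original article; the sample wp-config.php content is constructed, and the check assumes the constants are set with plain `define()` calls.

```python
import re

# define( 'NAME', value ); -> captures the constant name and its raw value.
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]([A-Z0-9_]+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")

# WordPress constant -> (value that switches updates off, what that means).
BLOCKERS = {
    "AUTOMATIC_UPDATER_DISABLED": ("true", "all automatic updates are off"),
    "WP_AUTO_UPDATE_CORE": ("false", "automatic core updates are off"),
    "DISALLOW_FILE_MODS": ("true", "file changes, including updates, are blocked"),
}


def strip_php_comments(source):
    """Drop /* */ blocks and whole-line // or # comments so disabled defines are ignored."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return "\n".join(
        line for line in source.splitlines()
        if not line.lstrip().startswith(("//", "#"))
    )


def update_blockers(source):
    """Return [(constant, meaning)] for settings that stop automatic updates."""
    found = []
    for name, raw in DEFINE_RE.findall(strip_php_comments(source)):
        value = raw.strip().strip("'\"").lower()
        blocked_value, meaning = BLOCKERS.get(name, (None, None))
        if value == blocked_value:
            found.append((name, meaning))
    return found


# Constructed sample, not taken from a real site.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
// define( 'WP_AUTO_UPDATE_CORE', false );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'AUTOMATIC_UPDATER_DISABLED', true );
"""

if __name__ == "__main__":
    for name, meaning in update_blockers(SAMPLE_WP_CONFIG):
        print(f"{name}: {meaning}")
```

A host can also turn updates off from code outside wp-config.php, such as a must-use plugin, which this file check does not see.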

In our experience, the people who don’t update their sites fall into two camps…

  1. They put off updates (or ignore them completely) because they’re too busy, OR
  2. They’re afraid that updating their site will break it.

If you belong in the first category, stop procrastinating already – it just takes a few seconds to update your site.

If you belong in the second category, you can take some steps to ensure nothing breaks your site.

First, create a complete backup of your site before you run an update.

In the unlikely event that your WordPress site does crash, you can easily restore the previous version.

And if you want to be more proactive about checking for issues with an update, you can create a staging site to test updates, or choose a WordPress host that offers staging functionality.

2. Not updating plugins

In the same vein, it’s also important to update the plugins that you use.

If you use outdated plugins without updating them, you’re essentially exposing yourself to security flaws and bugs…

Again, Sucuri’s study has some helpful data – 18% of WordPress hack victims were hacked just because they hadn’t updated plugins with known vulnerabilities. The plugin developer knew there was a problem and fixed it – people just didn’t update the plugin to secure their site!

Additionally, in a survey of WordPress hack victims from Wordfence, over 55% of people who knew how the hacker got in said it was because of a plugin issue.

If you’ve got a ton of plugins and you find it hard to keep track of all the updates, we recommend using Wordfence.

This plugin comes with a malware scanner that will check your other plugins for malware, bad URLs, backdoors, SEO spam, malicious redirects and code injections. It also draws your attention to potential security issues when a plugin you’re using has been closed or abandoned.

3. Not protecting your WordPress admin directory

In that same Wordfence survey, one of the most common WordPress hack attempts involved getting access to your WordPress login credentials, either through brute force attacks or password theft.

To prevent that from happening, you’ll want to protect your WordPress admin directory (your /wp-admin page).

First and foremost, make sure you password protect your WordPress admin page.

By default, you’ll require a password to get into the directory, but we’re talking about adding another layer on top of that.

That way, anyone trying to access your WordPress admin will need to provide an extra username and password.

If you need a walkthrough on how to do this, check out Step 2 of our article: 4 Ways to Tighten WordPress Security.

If you don’t like that approach, another good alternative is two-factor authentication.

With two-factor authentication set up, your site users won’t just require a password to log in – they’ll also need to input a code that’s sent to them via text message, email, or an app.

To do this, check out our WordPress two-factor authentication guide.

Last but not least, it’s not a good idea to use “admin” as your WordPress username.

Hackers might attempt to get into your site using this default username, so you should definitely switch it up.

While WordPress doesn’t let you directly change your username, you can still do it by following these methods.

4. Using weak passwords

This one’s pretty obvious – if you use weak passwords, it’s easier for hackers to access your accounts.

We’re not just talking about the password that you use for your WordPress admin account, though.

The same thing applies to your other passwords, including your:

  • Web hosting accounts
  • FTP accounts
  • MySQL database
  • Email accounts associated with your WordPress admin account

To learn more about generating a strong password, read How Secure Is My Password? Here’s Your Answer, Plus How to Pick a Strong Password.

Additionally, some hosts (like Kinsta and WP Engine) let you use two-factor authentication for your hosting account. That’s another good layer of security.

5. Using dodgy themes

If you do a quick Google search, you’ll find a good handful of websites that distribute paid WordPress themes for free.

At first glance, this might look like a cool money-saver for website owners on a tight budget.

In actuality, though, most of these sites are pretty dodgy…

If you download and install a theme from them, you might end up compromising the security of your website.

Remember, there’s no such thing as a free lunch.

If you want to use a premium theme on your website, then get it from a reputable theme developer website and PAY for it. Or you can check out our free WordPress themes (no hacks here – promise!).

Stop WordPress hack attempts before it’s too late

Sad to say, the average WordPress site owner doesn’t consider security a priority.

When you’re setting up your site for the first time, you’re probably more concerned with the look and feel of your website than anything else.

And once you get your site up and running, you’ll turn your focus to churning out great content, neglecting security as you go along.

Obviously, this is a huge mistake.

You don’t want to wait for a WordPress hack attempt BEFORE you start caring about your site’s security – when that happens, it’ll be too late.

So set aside an hour or two and make sure that your WordPress site is secure and up-to-date.

Forget analyzing your traffic from Google Analytics or optimizing your pages for SEO — this is the one most important thing you can do for your WordPress site.

Don’t put it off!

Do you have any questions about fixing these security issues? Let us know and we’ll try to help!
