7 Reasons Why WordPress Sites are Hacked

by Kristin Schallhorn

Each year, around 170,000 WordPress sites experience what any website owner might consider their worst nightmare – a site hack.

The popularity of WordPress definitely contributes to its awesomeness, but it also presents security risks.

Luckily, these risks are well known, and there are solutions to protect your site from malicious activity.

Here are the most common reasons that your WordPress site could get hacked, and what you should do to protect yourself.

1. Your password is insecure

Brute force attacks (simple password guessing) make up about 8% of WordPress website hacks. That number might seem small, but it’s insanely easy to prevent your site from becoming one of those statistics – choose a harder password.

An ideal password is one that is a random combination of numbers, letters, and symbols.

WordPress automatically suggests a strong password when creating or updating a user. It’s best to go with this randomly generated password that WordPress suggests.

It is also a good idea to update the passwords of all your site’s users periodically.

2. You are using the default “admin” username

If you want to see an example of why you should never leave your WordPress username as “admin” just take a look at this  –   


“Admin” is the most guessed username in attempted WordPress brute force attacks.

An ideal username should be something that a hacker would not be able to guess based on information on your site, like your personal name or company name.

You should also avoid other commonly guessed WP usernames like “test” and “root”.

Combined with a secure password, this makes it unlikely that someone will guess their way into the backend of your site.

3. You’re not using WordPress managed hosting

41% of website hacks result from vulnerabilities in hosting platforms. Choosing a high-quality hosting provider is one of the most important things you can do to protect the security of your site.

The best hosting providers for WordPress sites are ones that specialize in the specifics of WordPress and offer an optimized environment for WordPress sites.

Reputable hosting providers often offer automated scans for malware and daily site backups, in case something ever does go wrong.

4. Your version of WordPress is out of date

Older versions of WordPress are targeted by hackers due to their lack of updates. It is a best practice to update your version of WordPress as soon as an update is available.

The current version of WordPress provides patches for security vulnerabilities and is always the most secure.

5. Your plugins are outdated

Outdated plugins account for about 22% of WordPress website hacks. Although it can be tiresome to constantly keep plugins updated, it is absolutely crucial to the security of your site.

Many plugins have an option to auto-update, which should be used whenever possible.

It is also a good idea to remove inactive and non-critical plugins to reduce vulnerabilities. They can always be reinstalled later if they are needed again.

6. Your theme is outdated

Starting to see a trend?

The components of WordPress are constantly being updated, and for good reason. Updates offer patches to known vulnerabilities and security risks.

While updating a WordPress theme can be a tense experience, not doing so can lead to a site hack – which can be much worse.

It is a good idea to have a full site backup before updating a WordPress theme so that you can easily revert your site if anything does go wrong.

7. You have the preinstalled themes on your site

The fact that WordPress comes stocked with themes is convenient, but there is a downside to these themes being preinstalled for free – anyone can have access to them.

The availability of the preinstalled themes means that hackers can find vulnerabilities in the themes and exploit them.

These themes should be deactivated and deleted from your site right away.

It is better to pay a little extra for a less vulnerable theme than suffer the damages of a website hack later on.
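The checks from reasons 2, 5, 6 and 7 (commonly guessed usernames, outdated plugins and themes, unused components) can be scripted. The following is an added example, not part of the original article: it assumes WP-CLI (the `wp` command) on a real site, and here it runs on constructed sample data with made-up user and plugin names.

```shell
#!/bin/sh
# Added example, not from the article. The helpers read WP-CLI output on
# stdin, so they can be tried offline. On a real site (assumes WP-CLI), pipe in:
#   wp user list --field=user_login                         | risky_logins
#   wp plugin list --fields=name,status,update --format=csv | audit_components plugin
#   wp theme list  --fields=name,status,update --format=csv | audit_components theme

# Print logins that match the usernames the article calls commonly guessed.
# Matching is case-insensitive and whole-line, so "administrator" is not flagged.
risky_logins() {
  grep -ixE 'admin|test|root' || true   # no match is not an error
}

# Print one finding per outdated or inactive component.
# Input: CSV with a header row and the columns name,status,update.
audit_components() {
  awk -F, -v kind="$1" 'NR > 1 {
    if ($3 == "available") print kind " " $1 ": update available"
    if ($2 == "inactive")  print kind " " $1 ": inactive, remove if not needed"
  }'
}

# Constructed sample data for a hypothetical site.
SAMPLE_USERS='Admin
site-editor-7f3
test'
SAMPLE_PLUGINS='name,status,update
contact-form-x,active,available
old-slider,inactive,available
seo-helper,active,none'
SAMPLE_THEMES='name,status,update
twentytwentyfour,inactive,none
acme-child,active,none'

# Run every check over the sample data and print the combined findings.
sample_report() {
  printf '%s\n' "$SAMPLE_USERS" | risky_logins |
    sed 's/^/user /; s/$/: commonly guessed login/'
  printf '%s\n' "$SAMPLE_PLUGINS" | audit_components plugin
  printf '%s\n' "$SAMPLE_THEMES"  | audit_components theme
}

sample_report
```

An inactive plugin that also has a pending update is reported twice, once for each reason.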
