How Does a WordPress Website Actually Get Hacked?

There are a number of ways your site could be compromised. We’ll go through the main causes in this blog post.


The most common cause is via a plugin. This could be a plugin you’ve downloaded from the internet and uploaded to your site, or it could be one you’ve downloaded via the WordPress plugin repository, although this is less likely as all the code is reviewed before being added. However what can sometimes happen is a plugin that was once secure, becomes out dated and the author doesn’t keep it up to date. It may be using code libraries that have become known to have a flaw in them, but the author hasn’t updated it.

There are a number of websites around that give away premium plugins – and as the old saying goes if it’s too good to be true it probably is. The reason this is common is that hackers will purchase a premium plugin, add their own malicious code to it and then give it away for free. The unsuspecting website owner thinks they’ve got a great deal, but have opened up a door for the hackers on their site by uploading the dodgy plugin.

If you have old plugins keep them updated, and if you have plugins you’re not using remove them so you don’t need to keep them updated.

Brute Force

How strong is your password? Does it contain a mixture of lower and uppercase characters as well as a mixture of numbers and special characters? We see it all the time, often when sites get hacked the username/password combinations are shared by the hackers. These data items get added to master lists. It only takes a few minutes for an automated program to try hundreds of thousands of username/password combinations against a site and be successful in gaining access.

Core software

It has be known that WordPress itself has had security flaws identified. As with all major software like Apple and Microsoft, it needs to be maintained. When WordPress release a security update, it’s critical you update your own site.

Before you do, it’s even more important to backup your site first, just incase something goes wrong.


Similarly to the plugin risk is “nulled” themes, where popular premium themes are loaded with malicious code ready to attack your site when signalled.


If your website is hosted on cheap hosting, there is a risk that all of the files for your website are sitting alongside dozens, if not hundreds of other websites. The reason they can offer such cheap hosting is that they have managed to host all these other sites on the same server installation.

The issues is that if one of these other sites – which you don’t own becomes infected because the website owner isn’t keeping their software up to date, there is a risk that your site sitting a folder alongside the folder with malicious code can become infected.

Password Theft

If you’ve ever accessed your WordPress website from a public computer you should consider changing your password afterwards from a secure computer. This is because you don’t know what software is running on that public computer, and there could be key logging software running which has tracked each and every key stroke you’ve made.

In addition, if you use the same username/password combination on other sites such as eBay, or PayPal and those accounts become compromised, the chances are the same username password combination will be tried by the hackers elsewhere.

Download our FREE eBook

Do you want More Leads and Sales from your website?