WordPress powers over 43% of all websites. That's hundreds of millions of sites. It's also why WordPress is the most targeted platform for attacks - not because it's insecure, but because it's everywhere.
Here's an honest look at why WordPress sites get hacked, and what you can actually do about it.
The Truth About WordPress Security
Let's be clear about something: WordPress core is not the problem.
The WordPress core software is developed by a dedicated security team and is regularly audited. When vulnerabilities are found, they're patched quickly. The core is as secure as any major platform.
The problems come from:
- Plugins and themes - especially outdated or poorly coded ones
- User behaviour - weak passwords, ignored updates
- Hosting quality - cheap hosts with poor security
- Maintenance neglect - "set it and forget it" attitude
How WordPress Sites Actually Get Hacked
1. Outdated Plugins (Most Common)
When a security vulnerability is discovered in a popular plugin, it often becomes public knowledge. Security researchers disclose it, the plugin developer (hopefully) patches it, and a race begins.
Bots immediately start scanning for sites running the vulnerable version. If you haven't updated, you're a sitting duck.
Real example: The WPGateway plugin vulnerability in 2022 allowed attackers to add admin users. Within days of disclosure, millions of attack attempts were recorded. Sites that updated promptly were fine. Sites that didn't update were compromised.
Prevention: Update plugins promptly. Enable auto-updates for trusted plugins. Delete plugins you're not using.
2. Weak Passwords
"admin" with password "password123" is still depressingly common. Brute force attacks try thousands of common username/password combinations. If yours is predictable, it will be cracked.
Prevention: Use strong, unique passwords. Enable two-factor authentication. Don't use "admin" as a username.
3. Nulled Themes and Plugins
"Nulled" means pirated - premium themes and plugins distributed for free on dodgy websites. These almost always contain malware. The attackers are literally giving you pre-infected files.
Prevention: Only download plugins and themes from wordpress.org or legitimate developers. If it seems too good to be true, it's probably malware.
4. Abandoned Plugins
Plugins whose developers have stopped maintaining them don't receive security updates. Eventually, vulnerabilities are discovered that never get fixed.
Prevention: Check when plugins were last updated. If it's been over a year without updates, consider alternatives.
5. Poor Hosting Security
Budget hosts often lack:
- Web application firewalls
- Malware scanning
- Proper server isolation (if one site on the server is hacked, others might be affected)
- Automatic security updates
Prevention: Use reputable hosting with good security practices. You generally get what you pay for.
The Security Maintenance Problem
WordPress's biggest security challenge isn't technical - it's behavioural.
Many business owners:
- Build their site, then never log in again
- Ignore update notifications
- Don't have backups
- Don't know their admin password
- Haven't opened their hosting dashboard in years
This "set and forget" approach is why WordPress gets a reputation for being insecure. The sites that get hacked are almost always the ones that aren't maintained.
Essential WordPress Security Steps
1. Keep Everything Updated
This is the single most effective security measure.
- WordPress core: Update promptly when new versions are released
- Plugins: Update regularly, or enable auto-updates for trusted plugins
- Themes: Update when updates are available
- PHP version: Keep reasonably current (check with your host)
2. Use Strong Authentication
- Unique, strong passwords for all admin accounts
- Two-factor authentication using a plugin like Wordfence, Solid Security, or Google Authenticator
- Limit login attempts to block brute force attacks
- Don't use "admin" as a username
3. Be Selective About Plugins
- Use fewer plugins - each one is a potential vulnerability
- Check last updated date - avoid plugins not updated in 12+ months
- Read reviews - patterns of issues might indicate problems
- Stick to reputable sources - wordpress.org, known developers
- Delete unused plugins - not just deactivate, delete
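The "last updated" check can be automated against the plugin records that wordpress.org publishes. This is an added example, not code from the article: the records below are constructed in the shape of the wordpress.org plugin info API response (a real audit would fetch one per installed plugin slug), and the exact `last_updated` string format is an assumption about that API.

```python
from datetime import datetime, timedelta, timezone

# Constructed records in the shape of the wordpress.org plugin info API response
# (api.wordpress.org/plugins/info/1.2/?action=plugin_information&slug=<slug>), not
# article data. The "last_updated" string format is an assumption about that API.
SAMPLE_PLUGINS = [
    {"slug": "maintained-forms", "last_updated": "2025-11-02 9:41am GMT"},
    {"slug": "old-gallery", "last_updated": "2023-04-18 3:05pm GMT"},
    {"slug": "mystery-widget", "last_updated": ""},  # date missing or unreadable
]

STALE_AFTER = timedelta(days=365)  # the 12-month rule of thumb from the text
REFERENCE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed "today" for the demo

def parse_last_updated(value):
    """Parse 'YYYY-MM-DD h:mmam GMT' into an aware datetime; None if unreadable."""
    try:
        naive = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    except (TypeError, ValueError):
        return None
    return naive.replace(tzinfo=timezone.utc)

def classify_plugins(plugins, now=None, stale_after=STALE_AFTER):
    """Return {slug: 'ok' | 'stale' | 'unknown'}. 'unknown' is kept separate from
    'ok' so a missing date gets reviewed rather than silently trusted."""
    now = now or datetime.now(timezone.utc)
    verdicts = {}
    for plugin in plugins:
        updated = parse_last_updated(plugin.get("last_updated"))
        if updated is None:
            verdicts[plugin["slug"]] = "unknown"
        elif now - updated > stale_after:
            verdicts[plugin["slug"]] = "stale"
        else:
            verdicts[plugin["slug"]] = "ok"
    return verdicts

def plugins_needing_review(plugins, now=None):
    """Slugs that need action: stale ones plus those whose date could not be read."""
    return sorted(s for s, v in classify_plugins(plugins, now).items() if v != "ok")
```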
4. Install a Security Plugin
Choose one comprehensive security plugin:
Wordfence (Popular, comprehensive)
- Firewall
- Malware scanning
- Login security
- Free tier available
Solid Security (Formerly iThemes)
- Focuses on hardening WordPress
- Two-factor authentication
- User action logging
- Free tier available
Sucuri Security
- Firewall (premium)
- Malware scanning
- Security hardening
- Free tier available
Don't install multiple security plugins - they can conflict.
5. Use Quality Hosting
Look for hosts that offer:
- Web application firewall (WAF)
- Automatic malware scanning
- Regular backups
- SSL certificates
- WordPress-specific security features
- Good support when things go wrong
Managed WordPress hosts (WP Engine, Kinsta, Flywheel) handle much of this for you but cost more. Quality shared hosts (SiteGround, Cloudways) offer good security at lower prices.
6. Regular Backups
If everything else fails, backups are your safety net.
Good backup practice:
- Daily automatic backups minimum
- Store backups off-site (not on the same server)
- Test that you can actually restore from backups
- Keep multiple restore points
Many hosts include backups. Consider additional backup plugins like UpdraftPlus for redundancy.
Signs Your WordPress Site May Be Hacked
Watch for:
- Unexpected redirects - site sends visitors elsewhere
- Strange content - spam pages, weird links, unfamiliar posts
- Google warnings - "This site may be hacked" in search results
- Performance issues - sudden slowdowns without explanation
- Unknown users - admin accounts you didn't create
- Host notifications - security alerts from your hosting provider
- Email problems - emails bouncing, blacklisting notices
- Modified files - changes you didn't make
Set up Google Search Console - it will alert you if Google detects issues.
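"Modified files" are the one sign on this list you can check mechanically. WP-CLI's `wp core verify-checksums` does this for core files against the hashes wordpress.org publishes; for everything else (plugins, themes, uploads) you need your own baseline. The following is an added example, not code from the article: it snapshots a directory into SHA-256 hashes and reports what was added, changed or removed since, using a constructed plugin tree in a temporary directory.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest

def compare_manifests(baseline, current):
    """Return (added, modified, removed) as sorted lists of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, modified, removed

def demo():
    """Constructed scenario: baseline a tiny plugin tree, then make two changes the
    site owner did not authorise and show the comparison catching both."""
    with tempfile.TemporaryDirectory() as root:
        plugin = os.path.join(root, "plugins", "demo-plugin")
        os.makedirs(plugin)
        with open(os.path.join(plugin, "demo-plugin.php"), "w") as f:
            f.write("<?php // original plugin code\n")
        baseline = build_manifest(root)  # taken right after a clean install
        with open(os.path.join(plugin, "unknown-file.php"), "w") as f:
            f.write("<?php // file that was not part of the install\n")
        with open(os.path.join(plugin, "demo-plugin.php"), "a") as f:
            f.write("// line appended after the baseline\n")
        return compare_manifests(baseline, build_manifest(root))
```

Store the baseline manifest off the server (a modified baseline is worth nothing) and refresh it after every legitimate update, otherwise each plugin update shows up as a false alarm.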
What To Do If You've Been Hacked
- Don't panic - but act quickly
- Take the site offline - prevent further damage
- Don't destroy evidence - you need to understand what happened
- Restore from a clean backup - the fastest solution if you have recent backups
- If no backup, clean manually - this typically requires professional help
- Change all passwords - WordPress, hosting, FTP, database, email
- Update everything - WordPress, plugins, themes
- Scan for remaining malware - ensure nothing was left behind
- Identify how they got in - fix the vulnerability
- Monitor closely - watch for reinfection
If you're not technically confident, professional cleanup services typically cost £200-500 and are worth it to ensure proper recovery.
The Maintenance Reality
WordPress security isn't a one-time task. It requires:
- Weekly: Check for and install updates
- Monthly: Review security scan results, check user accounts
- Quarterly: Audit plugins (remove unused ones), verify backups work
- Yearly: Full security review, password rotation
If you can't commit to this maintenance, consider:
- Managed WordPress hosting - they handle updates and security
- A maintenance service - developers who maintain your site monthly
- A different platform - Wix/Squarespace handle security for you
The Bottom Line
WordPress isn't inherently insecure. But it requires maintenance that many site owners neglect.
The formula is simple:
- Keep everything updated
- Use strong passwords and 2FA
- Install a security plugin
- Use quality hosting
- Maintain regular backups
- Actually do this regularly
Sites that follow these practices rarely get hacked. Sites that don't are the reason WordPress has a security reputation.
If you're not going to maintain your WordPress site properly, either pay someone to do it or use a platform that maintains itself. Security isn't optional - it's an ongoing responsibility.