With nearly a decade of working on WordPress security and website security, we’ve probably seen every kind of attack you could imagine. Some breaches are obvious while many might go undetected for months or even longer. This makes it harder to pinpoint the exact reason why the site was hacked in the first place.
Criminals often hide their tracks and won’t visibly damage sites right away, so they could create a zombie network of breached websites which can later be abused as proxies to perform further attacks on other targets.
With years of analyzing such attacks, we are confident that 99% of attacks fall under the following list of 4 reasons why WordPress websites get hacked. Once you address these 4 issues, you’ll understand that WordPress security is much easier than thought and everyone can do it.
In this article, we’ll go over each of those and provide some practical ways to stay protected.
Before we get started
It’s important to understand that malware infection on websites, SEO spam, backdoors, and all those nasty things that can happen are consequences.
An average clean-up service costs around $200, while protecting your site for a year is a fraction of that.
It’s very important to have a plan B and C as backups and malware scanners, but you should keep your plan A as solid as possible – which is that your site won’t get hacked or infected at all. In this article, let’s explore how to do that.
Vulnerable WordPress core, plugins, and themes
Whenever you see a blog post about WordPress security, almost every single one of them keeps saying that the number one priority is to keep your website updated. That includes the WordPress core and every plugin or theme you have installed.
The reason behind this is simple – if something is outdated, then there is a chance that you have also missed an important security fix that was released by the developers within the recent version.
Vulnerabilities within popular WordPress plugins are known to be the biggest threat to the security of the WordPress ecosystem. A single vulnerability in a popular plugin can give the criminal unauthorized access to thousands of sites with a single automated attack.
Criminals actively monitor the changelogs
Whenever WordPress core, plugin, or a theme releases a new version, it will include an update in the changelog file, which lists all the new changes made. These changes often include lines such as “Proper sanitization/validation of some requests.”, “Prevent XSS in form title”, “+Fixed: Security issue.”.
Since we’re talking about open-source code, a criminal can instantly compare the previous version with the latest one to see which exact functions were fixed. If a vulnerability is critical enough, it can be weaponized within hours after the release.
Such attacks are known as 1-day attacks in the information security field. That means a vulnerability has a fix released by the developer, but the attacks happen before the users have installed the patched version.
Criminals look for zero-days
Criminals regularly scan the code of popular plugins and themes to find vulnerabilities that nobody knows about. Instead of reporting the found vulnerabilities responsibly (read why you should report vulnerabilities responsibly) to the developer, they instead weaponize the vulnerability right away.
Such attacks are the most dangerous and will cause the most damage. Attacks may go undetected for days before site owners start to report problems on their sites. As the developer is not aware of the vulnerability, even sites that are completely updated will become a victim.
What can you do about it?
Keep the number of plugins/themes installed on the website as low as possible. With every new component you install to the website, you’ll increase the chances of introducing vulnerabilities to your site. If you de-activate a plugin, don’t forget to delete it as it can still be attacked.
As the first step, update your WordPress core, plugins, and themes as fast as possible. If you’re worried about the site breaking down with automatic updates, you can use Patchstack to enable auto-updates only for the plugins/themes that fixed a security issue in a recent version.
Look out for new vulnerabilities found in the plugins/themes you use. You can’t protect yourself from the things you don’t know about. You can use free services like this to get alerts every time a vulnerability is found on any of your websites.
The best-known way to minimize the attack window is to enable vPatching. vPatching is like a security firewall on your website that eliminates the vulnerability without changing any functionality/code on the website. In many cases, vPatches can also protect you from security issues that have no fixes available. You can read more about vPatching here.
To protect yourself from zero-day attacks, you should use a web application firewall. It filters out malicious requests that don’t look like regular visitors or match exploitation patterns of known vulnerability types such as XSS, SQLi, LFI, etc. For that, you could try a combination of Cloudflare and Patchstack.
Compromised privileged accounts
The second biggest reason for websites to get hacked is compromised privileged accounts. Criminals have deployed massive zombie networks of hacked websites and servers which are searching for WordPress sites and try to guess the usernames and passwords – automatically.
We’re still living in a world where the username “admin” and password “admin” are terrifyingly common combinations. Short passwords without any numbers and special characters are the easiest for bots to brute force.
As computers have become more powerful so have the bots. Nowadays, there are also lists of millions of leaked usernames and passwords which can help bots use to guess even more complex combinations.
Learn how to become an expert on password management.
Criminals try to brute force usernames and passwords
Brute forcing is probably one of the simplest methods to gain unauthorized access. In its nature, it’s just blindly guessing the username and password for as long as it happens to be the right combination.
By default, WordPress has the login page available on /wp-admin/ location. Without rate-limiting the login attempts or applying a captcha to that page, anyone could try to guess your username and password as many times as they want.
Criminals are of course abusing this with automated tools that search for WordPress websites and then bombard them with automatically generated combinations. Some of the bots are more advanced than others and use previously leaked usernames and passwords to create plausible combinations that people might use.
For more targeted attacks check your leaked passwords
Have you heard about the website haveibeenpwned.com? It’s a project that combines all known data breaches where usernames and passwords have been leaked. It includes a whopping 11 billion leaked usernames and passwords.
Most of this data is available to criminals and is being sold on the darkest corners of the web. If a criminal knows the email of the website administrator, he could look up if any passwords connected to this email have previously leaked as there is a chance that the same password is used elsewhere.
What can you do about it?
Luckily, this is one of the easiest threats to mitigate. Some simple thing you could do to protect your WordPress accounts is to enable 2 Factor Authentication (2FA) on your accounts. With 2FA (also known as Multi-Factor Authentication) even if the criminal has your password, he would also need access to another factor, which is usually your phone.
To take the power away from bots, you can enable login rate-limiting and reCaptcha which will challenge the bots to prove if they are humans before they can try to log in and will block the IPs after a few failed attempts. You can set that up under Hardening settings within Patchstack App on your site view.
You’ve probably heard it before but use strong passwords. As a tip, use a password management tool such as LastPass, KeePass, or any other to create randomly generated passwords for every website that is impossible to guess so you don’t reuse passwords across different sites.
Insecure hosting environment
This isn’t just about how good your hosting company is. This has a lot to do with how you’ve configured your hosting account or server and how you’re actually using it. Even on the cheapest hosting services, you can have quite good security if you keep some basic security principles in mind.
We’ve seen many hosting accounts filled with hacked sites in both high-end premium hosting companies and in cheap shared hosting companies. It’s especially true with cheaper shared hosting companies where users look to save money and therefore make some bad decisions.
When it comes to configuring your hosting environment, it often comes down to hardening, for which there are an incredible amount of free WordPress security plugins in the WordPress plugin repository such as SecuPress, ShieldSecurity, and iThemes Security to name a few.
Not isolating websites from each other
One big problem with some cheaper hosting companies is the fact that they don’t properly isolate the website within shared hosting from another. That means if a criminal managed to hack one of your websites, he may take over other websites hosted on the same server.
In some shared hosting environments, it’s been possible to get root access to the shared server which then exposes access to sites owned even by other hosting customers. Security has generally been improving over the years and such vulnerable configurations are not that common anymore.
Read more about the dangers of shared hosting here.
Many managed WordPress hosting companies have decided to run each website in a dedicated virtual machine or in a containerized environment to isolate websites from others as much as possible. So you might want to look at services that do that.
Having WordPress installations in sub-folders
This is something we see all the time. Many who own multiple websites aim to save money and therefore make multiple WordPress installations into different folders. In such cases, multiple websites share the same directory and even database.
This is a goldmine for criminals because breaching just one website may give them access to many other sites which might have not been vulnerable at all. We keep seeing this all the time and it’s one of the worst things that can happen.
At this point, as the sites are now infecting each other, the only way to clean the sites up is to close access to all of them and clean up every site at the same time. Saving some money can result in an average bill of $3000 if there happened to be 15 different WordPress installations.
What can you do about it?
First of all, if you plan to host a WordPress website, look for a hosting provider that has specialized in hosting WordPress sites. They often put much more detail into the specific characteristics of WordPress which also includes security.
Don’t forget to ask if the hosting company creates backups of your sites. Good hosting companies have at least some level of automated backups in their standard plans and more frequent backups in higher-tier plans.
Great hosting companies automatically scan your sites for malware. Scanning your websites regularly for malicious code is important, but instead of using malware scanning plugins, the scanning should happen deeper on the server. This approach is more efficient in terms of performance and results. Ask about that from your host.
Nulled/pirated plugins and themes
Can we call this karma? Actually no – there are many different ways how nulled/pirated plugins can end up on the website and not always are the site owners or even those installing the plugins aware of the plugin or theme being nulled.
Nulled plugins and themes are usually premium versions that have been made free by removing the licensing part from the code. There are many malicious websites where criminals host such software to attract those who want to save some money and in return, they get a pre-infected version that hides a backdoor to the website.
We’ve seen cases where an agency that builds websites for its customers is constantly using nulled plugins and themes on the customer’s websites. The sites eventually get hacked and when it happens the clean-up cost is forwarded to the customer.
Read more about the dangers of nulled WordPress plugins here.
Nulled plugins include backdoors and other malware
Everyone who is searching for “Free {insert_premium_plugin} download” should think about why someone paid for it and then made it free for everyone else to download. The chances are that it was not Robin Hood and whoever did it gets some kind of value out of it.
That value is the website and its server resources. Criminals create nulled versions of popular plugins and themes to get people to install malware on their sites voluntarily. In fact, there’s even an organized gang called WP-VCD who regularly produces nulled plugins and spreads them through a large number of websites.
Once a victim has installed the backdoored version of the plugin or theme to the website, the criminals have the freedom to do anything they want with the website. It’s the usual activity – redirecting traffic, hosting SEO spam, sending out spam emails from your website, and infecting visitors with malware.
Nulled plugins don’t receive updates (and can be vulnerable)
Whenever nulled plugin or theme is created, it’s whatever version that the criminals got access to at this point in time. Since popular plugins and themes are actively developed they receive updates quite frequently. Therefore most nulled plugins/themes available are not the latest versions.
As the nulled plugins and themes have licensing removed from the code, it mostly also means that it has no access to the updates anymore. So, as a bonus to having malware on the site, the website will also be stuck with an old version of the plugin.
Taking all that into account, installing nulled plugins is probably the worst thing one could do as it not only infects the website with backdoors and malware – it has significant chances to make the website also vulnerable to other criminals.
What can you do about it?
If something sounds too good to be true, it usually is. Download plugins only from the WordPress.org repository, from the official website of the plugin developer, or from a trusted marketplace like Envato.
If a website was built for you by a developer and you see any premium plugins installed to the site ask for the licenses or confirm that the plugin is connected to the licensing server from your WordPress admin panel.
PS! There is a professional or maybe even a whole team behind the premium plugin who has put months and years into building this tool. If you really need to use it then support the developer!
Main takeaways and conclusion
If you made it so far then, wow, and thanks!
For many many years, dealing with the consequences of poor security has been the main way how people get exposed to security in the WordPress ecosystem.
TLDR; Take these 4 steps to prevent ~99% of attacks.
– Prevent having vulnerable plugins installed on your sites
– Protect your accounts with 2FA and rate-limiting
– Find a good hosting specialized in WordPress sites
– Don’t install nulled/pirated plugins
It’s still common that WordPress security isn’t thought about until sites get hacked. Keep in mind that malware on the website is not a problem, but a consequence. Most of your attention should go to improving the security proactively so the breach never happens!
I hope this article gives you a good understanding of how to do that. Good luck!