How do WordPress websites get hacked?

Friends and colleagues often contact us because their WordPress website got hacked. They wonder why they would be targeted, without realizing that most attacks are carried out indiscriminately by bots exploiting various known vulnerabilities. According to, this is the breakdown of how WordPress sites get attacked.

Weak passwords are responsible for 8% of attacks.

Every service we use needs a password, and it’s not surprising that passwords are often forgotten. Users get tired of having to remember a plethora of passwords, so they choose very simple ones. According to a password with a length of six (6) characters would take 3.7 weeks to crack by brute force. While this might seem like a long time, consider how often you actually change your own passwords.

Password length isn’t the only strength indicator. 55% of users reuse the same password across most websites because they don’t want the hassle of remembering dozens of unique passwords. The problem is that many websites get breached, which often leads to leaked credentials and personal information. With access to one email account, a hacker could log in to another website like Facebook, LinkedIn or even an online banking site with the same reused password, without setting off any alarms!

Vulnerable themes and plugins are responsible for 51% of attacks.

Some free WordPress themes are designed and developed to a proper standard, but many aren’t. Themers will often tout how cheap WordPress development is because they can simply download a free theme and add their own brand colours and logo to make it appear like their own. Without knowing what’s under the hood, they might be opening that site up to automated attacks, especially if the theme is a very common one. 29% of all attacks originate from badly developed WordPress themes.

While a website only has one theme, think of all the plugins themers install to customize it. A user lucky enough to pick the right theme (or rather, the wrong one) might be opening a few back doors each time they install a plugin found online. Always audit plugins, or have them custom built, to ensure they are designed and developed with best practices put first! With so many free plugins available, it’s no surprise they are responsible for 22% of all backdoors.

A bad hosting solution is responsible for the remaining 41% of all successful hacking attempts.

A good hosting provider knows the right permission settings for each site’s file structure. A host that supports WordPress installations should know how to harden each website and make it secure. This includes, but is not limited to, disguising the default WordPress folders.

A good host will keep track of unusual activity, ban clients that continuously query non-existent sections of the site, only allow SFTP (Secure File Transfer Protocol) for file access, and keep its servers up to date. Offering secure hosting is a full-time job in itself and shouldn’t be taken lightly. If your $6 hosting package seems too good to be true, that’s because it is.
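One host-side check of the kind described above (flagging clients that repeatedly request non-existent paths, as a plugin scanner does, or hammer the login form with guesses), as an added example that is not the article’s own code: it parses constructed combined-format access-log lines; the thresholds, one-minute window and sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-content/plugins/example-a/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:03 +0000] "GET /wp-content/plugins/example-b/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:01:04 +0000] "GET /wp-content/plugins/example-c/readme.txt HTTP/1.1" 404 209 "-" "python-requests/2.31"
192.0.2.44 - - [10/Oct/2023:14:05:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:14:05:01 +0000] "GET /missing-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip it
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}

def find_abusive_ips(log_text, window=timedelta(minutes=1), max_404=2, max_logins=2):
    """Return {ip: reason} for clients exceeding a threshold within any sliding window."""
    events = defaultdict(list)  # ip -> [(timestamp, kind)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            events[rec["ip"]].append((rec["ts"], "404"))
        elif rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            events[rec["ip"]].append((rec["ts"], "login"))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # window starting at each event
            kinds = [k for t, k in evs[i:] if t - start <= window]
            if kinds.count("404") > max_404:
                flagged[ip] = "repeated requests for non-existent paths"
                break
            if kinds.count("login") > max_logins:
                flagged[ip] = "repeated login attempts"
                break
    return flagged
```

A single 404 from a normal visitor (192.0.2.44) stays below the threshold, so only the two probing clients are returned for blocking.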