WordPress is the most popular CMS on the internet, powering over 26% of all websites. It’s easy and customizable, but it can also be vulnerable if you don’t take the right precautions. That’s why in this post we’re going to discuss 5 common reasons why WordPress sites get hacked so that you can keep your site safe!

1. Outdated theme/plugin vulnerability

More than 70% of WordPress sites are hacked causes by outdated, vulnerable themes and plugins. Using an outdated plugin or theme can make your site vulnerable. No matter what measures you take to protect the website, a powerful plugin or a theme vulnerability can still be exploited. There is no better protection available that is better than keeping the plugins and theme up-to-date.

2. Unused WordPress installable directories

Creating a staging website, installing a new website, or just creating a backup in the wrong way may vulnerable the whole web server during web development.

Example scenario: You are gonna upgrade your WordPress website manually. So you have moved all files except the “wp-content” and “wp-config.php” in “old” directory on the domain root directory. In this way, you make the “old” directory an install WordPress directory! If you access the directory like “example.com/old”, you will get a WordPress installation page.

Now, do you know that so many bots are kept trying to identify those “old”, “new”, “wp”, “backup”, “WordPress” directories? Because once the bot discovers it, it’s going to install a WordPress website in that directory using a remote database!

After installing WordPress, the bot will upload a shell using the WordPress backend they have installed. The shell is going to ruin every website on the same server.

Recently we have discovered an extensive collection of hacked WordPress websites database. The attacker used the same database, username, and password with different table prefixes for each website.

Interestingly, we have noticed two different “hacked by” group names, “hacked by Sid Gifari” and “Hacked BY TonAnt” in the same database of hacked websites using unused WordPress installable directories.

Let’s see some true example of installable WordPress directories discovered by the hacker groups and their bot:

  1. akmu**media.nl/2018
  2. lit**oolz.com/wordpress
  3. log**cy.com/backup
  4. sol**try.com/new
  5. pura**ayurved.com/wordpress
  6. met**edsa.co.za/wordpress
  7. restumpi**xperts.com.au/new
  8. oco**s.com.br/wordpress
  9. korek**on.com/wordpress
  10. lesamoureux**.com/backup
  11. a3**exp.com/wordpress

3. Pirated Themes and Plugins

Premium themes and plugins may make the website development process so easier. But you should always pay for that! Premium themes and plugins available for download for free are often pirated, which means that they may contain malware or malicious code. Be sure to only use premium WordPress products for your site. If you download WordPress themes and plugins from unreliable sources, that is very dangerous. These themes and plugins contain backdoors, adware installed inside. Once installed on the website, they can easily compromise your website security and steal sensitive information, and show ads for users without acknowledging.

4. Using Weak Passwords

Weak and guessable passwords are the most uses effortless techniques used to compromise a website administrator account. Administrator username identification for a WordPress website is not challenging. And password brute force attack is a very old but still effective way to crack weak passwords, compromise the website. You need to make ensure that you’re using a strong unique password for every account such as:

  • WordPress admin account.
  • FTP accounts.
  • Web hosting control panel accounts.
  • Email accounts used for hosting or WordPress admin panel.
  • MySQL database used for the site.

Passwords protect all these accounts. Suppose you are using weak passwords that make it easier for hackers to crack the passwords. You can easily avoid this by the usage of specific and robust passwords for every account.

5. Using admin as the username

Automated WordPress installation set the administrator account username “admin” by default. If you disable username enumeration of the website and keep the username as “admin”, that doesn’t make any difference! Every brute force attack bot uses the username “admin” at the first attempt! This common username is cracked by hackers within minutes when a weak and guessable password is also used. If you have kept the administrator username as admin, immediately change that to a different username and disable username enumeration.