WordPress is one of the world’s most popular and widely-used content management systems, powering millions of websites across different industries. However, as with any website, WordPress sites are also vulnerable to hacking and security breaches. This blog will discuss the 5 most common reasons why WordPress sites get hacked and what you can do to prevent them.

01. Outdated theme/plugin vulnerability

Over 70% of WordPress sites get hacked caused of outdated, vulnerable themes and plugins. Using an outdated plugin or theme can make your site vulnerable. No matter what measures you take to protect the website, a powerful plugin or a theme vulnerability can still be exploited. There is no better protection available than keeping the plugins and theme up-to-date.

02. Unused WordPress installable directories

Creating a staging website, installing a new website, or just creating a backup in the wrong way may make the whole web server vulnerable during web development.

Example scenario:
You are going to upgrade your WordPress website manually. So you have moved all files except the “wp-content” and “wp-config.php” in the “old” directory on the domain root directory. In this way, you make the “old” directory an install WordPress directory!
If you access a directory like “example.com/old,” you will get a WordPress installation page.

Now, do you know that so many bots are kept trying to identify those “old,” “new,” “wp,” “backup,” and “WordPress” directories?
Because once the bot discovers it, it will install a WordPress website in that directory using a remote database!

After installing WordPress, the bot will upload a shell using its established WordPress backend.
The shell is going to ruin every website on the same server.

Recently we have discovered an extensive collection of hacked WordPress websites database.
The attacker used the same database, username, and password with different table prefixes for each website.

Interestingly, we have noticed two different “hacked by” group names, “hacked by Sid Gifari” and “Hacked BY TonAnt” in the same database of hacked websites using new WordPress installable directories.

Let’s see some true examples of installable WordPress directories discovered by hacker groups and their bot:

  1. akmu**media.nl/2018
  2. lit**oolz.com/wordpress
  3. log**cy.com/backup
  4. sol**try.com/new
  5. pura**ayurved.com/wordpress
  6. met**edsa.co.za/wordpress
  7. restumpi**xperts.com.au/new
  8. oco**s.com.br/wordpress
  9. korek**on.com/wordpress
  10. lesa**moureux**.com/backup
  11. a3**exp.com/wordpress

03. Pirated Themes and Plugins

Premium themes and plugins may make the website development process so more manageable. But you should always pay for that!
Premium themes and plugins available for download for free on a third-party website are often pirated, which means they may contain malware or malicious code. Be sure only use premium WordPress products downloaded from the author’s website.
If you download WordPress themes and plugins from unreliable sources, that is very dangerous. These themes and plugins contain backdoors and adware installed inside. Once installed on the website, they can easily compromise your website security, steal sensitive information, and show ads for users without acknowledging it.

04. Using Weak Passwords

Weak and guessable passwords are the most used effortless techniques used to compromise a website administrator account. Administrator username identification for a WordPress website is not challenging. And password brute force attack is an old but effective way to crack weak passwords and compromise the website.
It would be best if you made ensure that you’re using a robust and unique password for every account, such as:

  • WordPress admin account.
  • FTP accounts.
  • Web hosting control panel accounts.
  • Email accounts used for hosting or WordPress admin panel.
  • MySQL database used for the site.

Passwords protect all these accounts. Suppose you are using weak passwords that make it easier for hackers to crack them. You can easily avoid this by using specific and robust passwords for every account.

05. Using admin as the username

Automated WordPress installation sets the administrator account username “admin” by default. If you disable username enumeration of the website and keep the username as “admin,” that doesn’t make any difference! Every brute force attack bot uses the username “admin” on the first attempt! This common username is cracked by hackers within minutes when a weak and guessable password is also used. If you have kept the administrator username as admin, immediately change that to a different username and disable username enumeration.

In conclusion, keeping your WordPress site secure requires a combination of solid login credentials, regular software updates, secure hosting, and regular backups. By following these best practices, you can significantly reduce the risk of your site getting hacked and protect your business from potential harm.

Does your website have vulnerabilities? – Free Security Audit