11 Top Reasons Why WordPress Sites Get Hacked (& How to Prevent It)

If you have a WordPress site, you may have asked yourself – why do these sites get hacked so often?

It's frustrating to wake up one day and find your WordPress site defaced, redirecting to shady websites, or being used to send spam. You're not alone – WordPress powers over 43% of all websites, so hackers have a huge pool of potential targets.

In this comprehensive guide, we'll share the top vulnerabilities that make WordPress sites prone to hacking, so you can avoid these pitfalls and keep your site secure. Let's dive in!

Why Is WordPress a Common Target for Hackers?

WordPress is the world's most popular CMS, which means there are millions of WP sites ripe for the picking by hackers. There are a few key reasons why it tends to be targeted:

  • Popularity: With so many sites using WordPress, hackers have a huge pool to target. They can easily find less secure WP sites and exploit vulnerabilities.

  • Hacker Motivations: Hackers may want to distribute malware, mine cryptocurrency, attack other sites, send spam, or deface sites for notoriety.

  • Ease of Use: The flexibility of WordPress makes it easy for beginners to unintentionally leave sites vulnerable if security best practices aren't followed.

Now let's look at the top weaknesses hackers exploit to compromise WordPress sites, and how to address them.

1. Insecure Web Hosting

Your WordPress site relies on your web host's servers for security. Using a hosting provider with poor security makes your site an easy target.

The Fix: Choose managed WordPress hosting that uses hardened servers and proactive monitoring to block common attacks. Top providers like Kinsta and WP Engine offer built-in security.

2. Weak Passwords

Hackers can use brute force tools to guess weak passwords. Unique, randomly-generated passwords of 12+ characters are best for securing your WordPress site.

The Fix: Create strong, unique passwords for every account – your WordPress admin, web host, FTP, databases, and email. Use a password manager like LastPass to generate and store passwords safely.

3. Unprotected WordPress Admin

The WordPress admin area (/wp-admin) gives a hacker access to your entire site if left unsecured.

The Fix: Add layers of security by password protecting wp-admin, enforcing strong passwords for all users, and installing 2-factor authentication plugins.

4. Incorrect File Permissions

Improper file permissions allow hackers to modify or add malicious files on your server.

The Fix: Set files to 644 and folders to 755 permissions. Managed WP hosts like WP Engine will handle permissions automatically.
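As an added example (not from the article), here is a small POSIX shell audit that lists every file or directory under a WordPress root whose mode differs from the 644/755 targets above, plus a companion function that applies them; the site root path is an assumed argument.

```shell
#!/bin/sh
# Added example, not from the article: audit and repair WordPress file modes.
# Targets follow the article: regular files 0644, directories 0755.
# Assumes a POSIX find/chmod and that $1 is the site root (e.g. /var/www/html).

# List every entry whose mode differs from the target, prefixed FILE or DIR.
# Paths are relative to the site root. Nothing printed means compliant.
wp_perm_audit() {
  ( cd "$1" || exit 1
    find . -type f ! -perm 644 | sed 's/^/FILE /'
    find . -type d ! -perm 755 | sed 's/^/DIR  /' )
}

# Number of non-compliant entries (0 means the tree matches the targets).
wp_perm_deviations() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the target modes, touching only entries that currently deviate.
# Run the audit first and review the list: a mode that was deliberately
# tightened (for example 0600 on wp-config.php) would be loosened here.
wp_perm_fix() {
  ( cd "$1" || exit 1
    find . -type f ! -perm 644 -exec chmod 644 {} +
    find . -type d ! -perm 755 -exec chmod 755 {} + )
}

# Typical use: wp_perm_audit /var/www/html; then wp_perm_fix /var/www/html
```

If PHP runs as the file owner, wp-config.php can be tightened further than the article's 644, so exclude it from the fix step if you do that.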

5. Outdated Software

WordPress, plugins, and themes contain vulnerabilities that are regularly patched. Using outdated software leaves holes for hackers to exploit.

The Fix: Have a plan to keep WordPress, plugins, and themes updated quickly when new versions are released. Managed WP hosts can auto-update the WP core.

6. Plain FTP

Using plain FTP sends your password in plaintext, making it easy to steal.

The Fix: Use SFTP, SSH, or FTPS, which encrypt your password and prevent snooping on your traffic.

7. "Admin" Username

Hackers will target the easy-to-guess default admin username.

The Fix: Change your admin user to a new, randomized username. Here's a step-by-step guide.

8. Nulled Themes and Plugins

Nulled software contains backdoors for hackers to control your site. Thefts of payment info, personal data, and site hijacking can result.

The Fix: Never use nulled software! Only download themes and plugins from trusted sources like the official WordPress directory.

9. Unsecured wp-config.php

This file contains your database credentials. If exposed, hackers have full access to your site and data.

The Fix: Secure wp-config.php by adding this block to your .htaccess file (the order/deny lines are Apache 2.2 syntax; on Apache 2.4 without mod_access_compat, replace them with Require all denied):

<files wp-config.php>
order allow,deny
deny from all
</files>

10. Default Database Prefix

The default "wp_" prefix for database tables is easy for hackers to target.

The Fix: Install WordPress using a random, complex prefix to obscure database table names.

11. File Editing Enabled in the Dashboard

By default, WordPress allows editing plugins and themes from within the admin dashboard. This can lead to malicious file changes if a hacker gains access.

The Fix: Disable file editing by adding define( 'DISALLOW_FILE_EDIT', true ); to your wp-config.php file. This removes the theme and plugin editors from the dashboard, so files can only be changed via FTP/SFTP, which is safer.
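As an added example (not from the article), the shell function below checks a site for points 9, 10 and 11 at once: that .htaccess blocks direct requests to wp-config.php, that the table prefix is not the default wp_, and that DISALLOW_FILE_EDIT is set to true. The site root argument and the FINDING output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: audit a WordPress install for the
# hardening points 9, 10 and 11 above. Assumes $1 is the site root containing
# wp-config.php and .htaccess. Each finding is printed on its own line and the
# exit status is the number of findings, so 0 means all three checks passed.
wp_config_audit() {
  cfg="$1/wp-config.php"
  ht="$1/.htaccess"
  findings=0

  # 9: a <files wp-config.php> block that denies access. Both the Apache 2.2
  # "deny from all" and the Apache 2.4 "Require all denied" forms are accepted.
  if ! grep -iqE '<files[[:space:]]+"?wp-config\.php' "$ht" 2>/dev/null \
     || ! grep -iqE 'deny from all|Require all denied' "$ht" 2>/dev/null; then
    echo "FINDING: .htaccess does not block direct access to wp-config.php"
    findings=$((findings + 1))
  fi

  # 10: the table prefix must not be the default "wp_". The value is read
  # from the $table_prefix assignment, with quotes and the trailing ; removed.
  prefix=$(grep -E '^[[:space:]]*\$table_prefix[[:space:]]*=' "$cfg" 2>/dev/null \
           | head -n 1 | sed 's/.*=[[:space:]]*//; s/;.*//' | tr -d "'\"[:space:]")
  if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
    echo "FINDING: table prefix is unset or the default wp_"
    findings=$((findings + 1))
  fi

  # 11: DISALLOW_FILE_EDIT must be defined as true on an uncommented line.
  if ! grep -qE "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
       "$cfg" 2>/dev/null; then
    echo "FINDING: DISALLOW_FILE_EDIT is not set to true in wp-config.php"
    findings=$((findings + 1))
  fi

  return "$findings"
}

# Typical use: wp_config_audit /var/www/html; echo "findings: $?"
```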

Bonus Tip: Use a Security Plugin

For maximum protection, a dedicated WordPress security plugin is recommended. Here are two top options:

  • Sucuri – Malware scanning, firewall, remote site audits, and more. Plans from $99/year. We use them on all our sites!

  • Wordfence – Real-time blocking of attacks and country blocking. Free and premium options.

If your site has already been compromised, here's a game plan to take back control:

  • Scan for malware using a plugin like Wordfence or an online scanner like Sucuri. Remove anything malicious.

  • Find and close any backdoors the attacker planted to keep their access, then change all passwords.

  • Restore from a known-clean backup if you can't find and fix all of the vulnerabilities.

  • Harden your site by implementing the security fixes mentioned above.
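As an added example (not from the article), two quick triage checks a defender can run alongside the scanner step: PHP files sitting in wp-content/uploads, which should only hold media, and PHP files changed within the last N days. The site root argument and the default window of 7 days are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: two triage checks to run on a site
# suspected of compromise, alongside the scanner step above. Assumes $1 is the
# site root. Both functions print matching paths, one per line.

# PHP code under wp-content/uploads. Uploads should contain only media, so any
# PHP file there (including .phtml and .php5-style variants that the server
# may also execute) deserves immediate review.
wp_triage_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null
}

# PHP files modified within the last N days (default 7). After an unexplained
# change, this narrows the manual review to what actually changed recently;
# legitimate updates will appear too, so compare against your update log.
wp_triage_recent() {
  find "$1" -type f -iname '*.php' -mtime "-${2:-7}" 2>/dev/null
}

# Typical use: wp_triage_uploads /var/www/html; wp_triage_recent /var/www/html 3
```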

Taking these preventative measures will go a long way toward making your WordPress site an unattractive target for hackers. Stay vigilant by monitoring for suspicious activity, reporting any issues you detect, and keeping WordPress security a priority to avoid becoming a victim.

Written by Jason Striegel

C/C++, Java, Python and Linux developer for 18 years, and A-Tech enthusiast who loves to share useful tech hacks.