15 Reasons Why Your WordPress Site Was Hacked

Three things in life are certain: death, taxes, and WordPress websites getting hacked. The good news is that insecure websites can be controlled — even so, websites are still getting hacked and we’ve identified 15 reasons why. Read more to found out how to avoid every single one of them.

Death, taxes, and WordPress websites getting hacked. All three seem to be inevitable, but the good news is that insecure websites are one thing we do have control over. Even so, a lot of us are still allowing ourselves to get hacked. In 2019!

We can’t stand for our websites being taken advantage of any longer so I’m going to share my list of 15 reasons your WordPress website was hacked and how to prevent every single one.

What’s the big deal with getting hacked anyway?

Getting hacked is the online equivalent of having broccoli stuck between your two front teeth. Except that broccoli has the ability to serve users spam, steal sensitive private information, and turn your company blog into a soldier in a botnet used to mine Bitcoin. Hackers can also deface your website and cause serious damage to your brand as well.

OK, so it’s a little more serious than broccoli in your teeth. It’s not just a little bit of embarrassment and writing a quick check to Sucuri. There are real stakes here.

Last year hackers caused billions of dollars in damage and caused irreparable harm for many brands and companies. Studies have shown that 60 percent of small businesses that suffer a cyber attack are completely out of business six months later!

I’m not a bank. I’m a restaurant owner.

The reality is that most WordPress websites likely aren’t storing the type of data that can put a company out of business if they get hacked, but some certainly are. Especially with the rise of WooCommerce and tighter enforcement of regulations like GDPR, protecting yourself from getting hacked is more important than it’s ever been.

A screen grab of a line graph showing much higher WooCommerce usage numbers versus other e-commerce platforms between 2011 and 2018.
WooCommerce usage compared to other eCommerce platforms according to BuiltWith

Even if breached data isn’t a concern, dealing with a hacked website is a hassle for everyone involved and will certainly end up costing you at least some money to resolve should hackers gain access to your site.

Is WordPress Insecure?

This is the question. The short answer is no, WordPress isn’t insecure.

That said, because of the modularity of the platform and the fact that literally anyone can create code to run on WordPress, security vulnerabilities happen. Whenever WordPress core itself has a security issue, the team is right on top of it and releases updates in a very timely fashion compared to other major open source content management systems.

If a plugin or theme end up with a security vulnerability, we’re at the mercy of the software author to release a patch in a timely fashion. For the really ugly security bugs, we’ve seen the WordPress team take control and force updates out to everyone automatically to prevent mass-infiltration.

The other reason WordPress is often painted as insecure is that it is a giant target for hackers. It makes up over 32 percent of the top 1,000,000 websites on the internet, which makes it a real darling in the eyes of attackers. Some call it the Microsoft of the web.

Most hackers are lazy. And finding a security hole in a popular theme or plugin gives them the ability to infiltrate thousands of websites at once, rather than wasting time trying to hack one website at a time. It’s more efficient and a lot more interesting.

For now let’s turn our attention to prevention and how to keep our websites from getting hacked in the first place. Sound good? Good.

1. You’re practicing bad password hygiene

I know I’m not talking to you, dear reader. But maybe you know someone who still uses the same password for every single website they visit? Or with the recent emphasis on password strength they’ve begun appending exclamation points or octothorpes to the end of their cat’s name for “enhanced security”?

Well, it’s time for an intervention. Not with you, of course. But with that “friend” of yours. In 2019, using secure unique passwords for all of your websites and services is non-negotiable. Going forward, consider it mandatory!

Shaming isn’t my game, but I’ll never forget the time a friend pulled their phone out of their pocket to find a password. I wrongly assumed they had a password manager app, but they proceeded to open Photos and navigated to their “Passwords” album. 300 screenshots of every password they’ve ever used!

The security implications alone nearly had me committed, but the “system” also seemed incredibly painful to use. Please stop storing credentials in Google Sheets too. Yes, I know you. It’s not a secret anymore.

The Password Protected Journal should never ever be used!

Let me be the first to congratulate you on your new subscription to 1Password. You need this app. Here’s why. Please go buy it now.

In the context of WordPress, you can set password rules across your entire user base using the Force Strong Passwords plugin. Now Darryl in accounting won’t be using RoXyGirl88 for his password anymore.

2. Two-factor authentication still isn’t setup on your website

I know I’m asking a lot today, but it’s because I care. I’m going to take this password stuff one step further and ask that you turn on Two Factor authentication for your website too. If you’re not familiar with 2FA, here’s a great overview.

The idea is that every time you go to login to your website, you authenticate with another device. This is incredibly difficult for hackers to spoof (though, full disclosure, it’s not impossible), so it adds one more layer of security to prevent unauthorized access to your website.

Combination lock on chain link fence
This Masterlock only has one-factor.

WordPress has many different solutions for Two Factor, from more commercial implementations like Duo Security that’s very fully featured, or something more straightforward like Two Factor from George Stephanis. Other popular plugins have 2FA built in as an additional feature like Jetpack and iThemes Security.

3. Brute force and dictionary attacks aren’t being blocked

One of the more popular ways to attack a WordPress website is to automate trying to guess user passwords. If Darryl still hasn’t updated his password, a dictionary attack won’t have to run for very long before it has access to your website.

The good news is that these are relatively easy attacks to thwart. Lots of firewalls like Sucuri and Cloudflare have built-in brute force prevention, and Jetpack uses a tool called Protect to prevent the same types of automated attacks.

Additionally, I’d recommend Limit Login Attempts. This handy plugin does exactly what it says on the tin. You can set a number of login attempts to allow, and once that number is exceeded with incorrect credentials, the user is locked out for a pre-configured amount of time.

4. In 2019 you still have a WordPress user with username ‘admin’

This is very closely related to the last 3 items but includes some interesting history. For the longest time, WordPress shipped out of the box with a pre-configured user named ‘admin’. The problem that this creates is that because a username and password are supposed to be a secret key combination, this default username essentially gives away half of the secret code! Not so secret anymore.

We’ve since learned our ways and WordPress no longer has a default user. However, since WordPress doesn’t make it very easy to change or edit usernames, there are still many many WordPress sites using this default username. If that’s you, or cough “someone that you know,” follow these steps and get yourself a unique username as soon as you can.

5. Way too many people have Admin privileges

I really hate to keep picking on Darryl but the only time he ever logged into WordPress was when Brad from IT created users for everyone in the organization. Darryl peeked in and looked around, found nothing of interest, and never logged in again.

Unfortunately Brad made two big mistakes here. First, he allowed known-security-threat Darryl to have his own account, even though he didn’t need access to the website at all. And second, he gave Darryl admin privileges!

Darryl is never going to touch the website, so it’s unlikely he’ll mess anything up. But his weak password will eventually get cracked, and then the hacker has full access to change or disrupt absolutely anything on the website.

Most organizations don’t need more than one or two administrative accounts. Audit your WordPress user list today and make sure people only have access to exactly what they need to get their work done. This is a nice overview of common WordPress roles and what they’re capable of.

6. You stopped updating WordPress core

This one seems obvious, but it’s more common than you might think. We still see websites every single day that are several versions behind in WordPress.

Most website owners have probably encountered a situation where they couldn’t update WordPress because it had a bad interaction with a plugin or their theme. Or maybe people are afraid of what might happen because of a big new change in WordPress. Sound familiar? Any time we’re faced with an obstacle we don’t know how to climb or some kind of technical issue, the temptation is to make it go away.

We’re busy people so we stop automatic WordPress updates so we can move on with our lives and avoid technical issues. We need our website to “just work,” so if that requires stopping updates until we “can get back to fixing it,” then that’s what we do.

But we never get back to fixing it. The website ends up going months or years without any WordPress security patches being applied, and suddenly we’re in really bad shape. If WordPress updates are causing you grief, get in touch with our team so we can help you get things back on track before it’s too late.

7. You stopped updating themes and plugins

The root cause of not updating themes and plugins is likely similar to why WordPress core updates were stopped. Something broke, so you rolled it back to its last working state and moved on.

Even so, there’s another element that’s introduced when themes and plugins come into play. Because this software is built by third parties and not supported by the WordPress community, it’s possible that plugins or themes become totally abandoned and stop receiving updates altogether.

WordPress dashboard displaying Update notifications, confirming the site is running on the latest version of WordPress.
Not necessarily an up-to-date website

So while you don’t see any update notifications in your dashboard, it’s entirely possible that your software is still slowly dying without you even knowing about it.

Set a monthly calendar reminder to review your plugins and theme to make sure the authors are posting regular updates and that the projects haven’t fallen by the wayside.

8. Cheap and insecure web hosting

You should pay or more per year for web hosting, even if it’s for “a small website.” If it’s a website you care about and that represents you or your business, a solid hosting partner is essential.

While there isn’t a perfect correlation between price and quality of hosting, hosts who charge more have the ability to hire more people or more expert people. This means that critical issues like security aren’t ignored or put off for another day. They’re at the forefront of every team meeting and conversation, and this benefits you in a myriad of ways.

Find a quality hosting provider and ask the right questions to make sure you’re getting great value for your costs. What seems like a bargain today might not feel that way when hack remediation and website recovery ends up costing a thousand bucks in one fell swoop.

9. You’re still using FTP to upload or edit files

This falls right in line with security-conscious web hosting, but you can’t use FTP anymore. It’s an outdated protocol and transfers your username and password IN PLAINTEXT to the server. This is an article from 2011 that’s encouraging people to stop using FTP. It’s time to move on! FTP traffic can easily be sniffed and once a hacker has file level access to your server, it’s game over. It’s way worse than a user even having Admin access to your WordPress site.

Screengrab showing an encrypted and secure connection using secure file transfer protocol (SFTP).
We love SFTP!

You should use SFTP or SSH for secure transfer instead. This ensures that there’s an encrypted connection between you and the server, so you can do your work discreetly and out of the path of hackers. And frankly, if you’re with a host that still supports plain old FTP, it’s time to move. It’s high-level sign of other potential underlying security issues.

10. Someone bought software from a very sketchy vendor

We’ve all been in a situation where we need our website to do one very specific (and likely very niche) thing. We search high and low and find one little corner of the internet selling exactly what we need. Eureka!

But not so fast.

Does that little website have an “About” page? Can you even tell who it is that’s selling you this solution? Before you click the “buy” button, look to make sure the vendor has a solid reputation, has been around for some time, and ideally has at least a few other products that they support. Seeing regular updates in forums and on social media are other good indicators that the vendor is someone you can trust.

If you can’t find what you need from a reputable vendor, you might be better off deciding you don’t need it at all.

11. WordPress salts aren’t being used

We’re not talking about the seasoning here. Sorry.

WP Salts are a built-in cryptography feature that can help with the encryption of your passwords. It also helps with securely signing your website’s cookies. (Again, not a food reference. Sorry.)

Screengrab showing the strings of numbers, letters, and symbols that make up a WordPress salt key.
You can generate WP Salt keys here.

Without getting too far into the technical weeds, WordPress salt keys are an important and often overlooked piece of the security pie (I really need to stop with the food puns). Salt keys are quick to implement and work seamlessly in the background, protecting you day and night.

Here’s a guide for checking to see if you have salt keys, and adding them if you don’t.

12. WordPress hasn’t been hardened

Hardening WordPress is something that’s rarely done and can protect you from all sorts of unnecessary grief. It can mean a myriad of different things, but some of the key components are:

Want to go the extra mile? Change the WordPress admin URL, or add additional password protection to your login pages.

Some security folks are critical of WordPress’ default file permissions, and it’s not uncommon for us to see file permissions even more lax tha what WordPress ships.

I’ll never forget the day I reviewed a site with fully public file permissions for the entire website. Literally any part of their website, public facing or not, could be accessible by every single person on the planet.

If you’re interested in doing more website hardening, refer to the links above or reach out to our team for assistance.

13. Your domain and hosting aren’t kept separate

We like to recommend that people don’t buy their domains and their web hosting from the same company. This article points out some great reasons why.

Some reasons why are it’s easier to move to a new hosting provider if domains and hosting are separate, and even if your website gets hacked, at least you’ll still have control over your domain and can restore a backup on another provider if necessary. If you lose the power to control the flow of traffic, you’ll be in real bad shape and may lose control over your website completely.

Have a clear understanding of your domain and hosting ownerships and who owns both types of accounts. Ownership is a critical piece of security and the business owner should have control of both hosting and domains.

14. Your website isn’t using SSL/TLS

Much has been said about the importance of serving websites over a secure connection. It’s no less important today than it was two years ago when we started to bring it up.

We’ve made some great progress as a whole and it’s encouraging to see more and more hosting companies direct their customers to SSL-enabled websites. But there are still some stragglers. If you’re one, that’s okay. Now is the time to make your move to https. Our team would love to help you make that change. It usually only takes a day to complete.

15. You’re logging everything, and may not even know it

Web servers and some WordPress software have logs enabled — sometimes by default. Depending on the plugin or the web service that’s doing the logging, it’s entirely possible that information about the internal workings of your website are available in publicly accessible directories.

A screen grab of a site's Log files, showing dates and times of different activities on a website.

Years ago, I worked with an individual who had logging enabled for their payment gateway and was recording the name, email, and transaction amount for every single purchase in their shopping cart into a publicly accessible log file.

It ended up being a truly silent killer. No one had any idea that the logging had been enabled until hackers accessed the log files and began emailing the customers as part of a fear campaign.

If you’re unsure what types of logs are being collected behind the scenes, contact your hosting provider or get in touch with us — we’ll be happy to chat that out for you, too!

Wrapping Up

As you can see there are already so many things to be aware of to protect your site. The great news is that while we haven’t uncovered immortality yet, and tax evasion probably isn’t a good idea, securing our WordPress websites is something we can all work on together starting now.

Today is the first day of our fully protected website lives! 🎉

Ryan Sullivan Avatar
Chief of Staff

15 min read