7 Reasons Why WordPress Sites Get Hacked & How to Prevent It

Posted on: April 09, 2023

Written by: Mick Sherry

From outdated software to weak passwords, here is everything you need to know so you can harden your WordPress site against attacks and keep your data secure.

WordPress is the world’s most popular content management system (CMS), powering over 40% of all websites across the internet.

While WordPress is easy to use and incredibly flexible for its users, it’s definitely not immune to hacking attempts. The WordPress CMS is constantly being probed and attacked by bots and automated scripts at all hours of the day, so the risk is real.

WordPress sites are a prime target for hackers due to their popularity and the widespread use of vulnerable plugins and themes. If your website has already been hacked, you need to engage a developer who can repair a hacked or infected WordPress website.


1. Outdated Software

One of the top reasons WordPress sites get hacked is running outdated plugins and WordPress core software.

When new security vulnerabilities are discovered, software companies release updates to patch them.

However, if you don’t update your WordPress core, plugins, and themes, you leave your site vulnerable to attacks and exploits from bots and hackers.


  • Regularly update WordPress core, plugins, and themes.
  • Enable automatic minor updates for WordPress core, plugins, and themes.
  • Use a plugin like Wordfence to scan for vulnerabilities and outdated software.


2. Weak Passwords

Another common reason WordPress sites get hacked is weak passwords.

A weak password is one that is short, common, a system default, or otherwise quick to guess with a brute force attack that only needs to try a small subset of all possible passwords.

This includes dictionary words, proper names, words based on the user name, and common variations on these themes.

If you’re using a password like “123456”, “abc123” or “password,” it’s only a matter of time before a hacker gains access to your site.


  • Use a strong password with a mix of uppercase and lowercase letters, numbers, and symbols.
  • Use a password manager like LastPass or 1Password to generate and store strong passwords.
  • Set up two-factor authentication (2FA) to add an extra layer of security. This will prevent 99.9% of brute force password hacks from occurring.
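The definition of a weak password given above (short, common, a system default, a dictionary word, something based on the user name, or a simple variation of one of those) can be turned into a check that runs before a password is accepted. The following Python script is an added example written for this article, not code from the post or from any of the plugins or password managers it names. The common-password and dictionary lists are small constructed samples (a real check would load a large breached-password corpus), and the 12-character minimum and the four-character-class rule are assumptions taken from the advice in the bullets above.

```python
import re

# Constructed sample lists for the example; a real deployment would load a
# large breached-password corpus instead of these few entries.
COMMON_PASSWORDS = {
    "123456", "password", "abc123", "qwerty", "admin", "changeme",
    "welcome", "letmein", "wordpress", "iloveyou",
}
DICTIONARY_WORDS = {"summer", "dragon", "monkey", "football", "sunshine", "princess"}

# Letter-for-symbol substitutions that attackers try automatically, so they add no strength.
LEET = str.maketrans("@$!0134", "asiolea")
MIN_LENGTH = 12  # assumed policy minimum


def core_word(password: str) -> str:
    """Reduce a password to the word an attacker would guess it from.

    Lower-cases it, strips leading/trailing digits and symbols
    ('Welcome2023!' -> 'welcome') and undoes leet substitutions
    ('P@ssw0rd' -> 'password').
    """
    core = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def password_weaknesses(password: str, username: str = "") -> list:
    """Return the reasons a password is weak; an empty list means it passed."""
    lowered = password.lower()
    uname = username.lower()
    core = core_word(password)
    reasons = []

    if len(password) < MIN_LENGTH:
        reasons.append("too_short")

    # Exact match against the common/default list, or a trivial variation of one.
    if lowered in COMMON_PASSWORDS:
        reasons.append("common_password")
    elif core in COMMON_PASSWORDS:
        reasons.append("common_variation")

    if core in DICTIONARY_WORDS:
        reasons.append("dictionary_word")

    # Passwords built from the login name are among the first things guessed.
    if len(uname) >= 3 and (uname in lowered or (core and core in uname)):
        reasons.append("based_on_username")

    # Require lower, upper, digit and symbol, as the bullet above recommends.
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(p, password)) for p in classes) < 4:
        reasons.append("missing_character_class")

    return reasons


def is_strong(password: str, username: str = "") -> bool:
    """True when no weakness was found."""
    return not password_weaknesses(password, username)


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd", "Welcome2023!", "Mick2023!", "Tr0ub4dor&3-gateway-KEY"]:
        print(f"{pw!r:28} -> {password_weaknesses(pw, username='mick') or 'OK'}")
```

The normalisation step is the part worth copying: "P@ssw0rd" and "Welcome2023!" both satisfy a naive "mix of letters, numbers and symbols" rule, yet both reduce to a word on the common list and are rejected here for that reason rather than for their character mix.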


3. ‘admin’ as your WordPress Username

Using the default ‘admin’ as your WordPress username is not recommended.

If your administrator username is ‘admin’, then you should immediately change that to a different username.

Unfortunately, changing your username is not as easy as modifying your first name, last name or email address.

You will need to create a new user with administrative access permissions and then delete your old ‘admin’ user.


  • Create a new administrative user account which does not use ‘admin’ as the username.
  • Delete the old ‘admin’ user and, when prompted, allocate all of the old user’s posts to your new user account.
  • Use a strong password for your account and consider setting up two-factor authentication.


4. Unprotected Access to WordPress Administration Login (wp-admin)

The WordPress admin area is where you manage your website, add new content, and configure settings. It’s also the area most commonly targeted by hackers.

Leaving it unprotected allows them to try different approaches to crack your website, including brute force attacks and password guessing.

To make it difficult for hackers to access your WordPress admin area, you need to add layers of authentication to your admin directory.


  • Change the URL of your “/wp-admin” area to something else like “/access” or “/management”.
  • Password protect your WordPress admin area. You can do this by using a plugin like “Password Protected” or “WPS Hide Login”.
  • Enforce strong passwords. You can do this by using a plugin like “Password Policy Manager”.
  • Add two-factor authentication. You can do this by using a plugin like “Google Authenticator”.


5. Vulnerable Plugins and WordPress Themes

Plugins and themes are a great way to add style and functionality and customize your WordPress site.

However, some plugins and themes are poorly coded and have security vulnerabilities that can be discovered and then exploited by hackers.


  • Only use plugins and themes from reputable sources.
  • Regularly update plugins and themes as their updates become available.
  • Remove any unused plugins and themes, as well as their data.
  • Use a plugin like Plugin Security Scanner or Wordfence, or configure a plugin management tool like ManageWP, to regularly scan for vulnerabilities.
  • Engage a local web designer/developer who can perform regular monthly WordPress website maintenance for you.


6. Insecure Web Hosting

Your web hosting provider plays a crucial role in the security of your WordPress site.

If your hosting provider has lax security protocols or doesn’t keep their software up to date, your site may be at risk.

When your website is on a cheap shared hosting environment, this can also lead to issues. If another website on your shared hosting server becomes compromised, this is another risk that can lead to your site being hacked as well.


  • Choose a reputable web hosting provider with a solid track record of tight security and great customer service. For Australian web hosting, I use and highly recommend ClickHost.
  • Use a hosting provider that offers automatic updates for software like PHP and MySQL.
  • Use a hosting provider that offers built-in security features like firewalls and malware scanning.
  • Use a service such as CloudFlare or Sucuri to add extra layers of protection to your WordPress site.


7. Lack of Reliable Data Backups

If your WordPress site is hacked, it can be a nightmare to recover if you don’t have any backups of your website.

When you have a business website, it’s essential to take and maintain regular backups of your site.

If your site is hacked, a good backup schedule gives you the opportunity to restore from a clean backup taken before the site was compromised. This way, you can potentially get your site up and running again fairly quickly.

A good backup principle is the rule of 3, which simply means:

  • Have at least three copies of your data.
  • Store the copies on at least two different media types. Example: one set of backups on your web host and another set of backups locally on your computer.
  • Keep at least one of those copies offsite – this could be on another server, in Google Drive or another cloud-based storage platform, or locally on your PC.


  • Investigate if your webhost can take automated backups for you.
  • Use a backup plugin like UpdraftPlus or BackupBuddy to schedule regular backups of your WordPress website.
  • Store your backups offsite in a secure location like Google Drive or Dropbox.
  • Use a website management tool like ManageWP to complete automated backups of your website and then store them offsite.
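The rule of 3 above is easy to state and easy to drift away from once backups are spread across a host, a laptop and a cloud drive. The following Python script is an added example written for this article, not code from the post or from any of the backup tools it names: it takes an inventory of backup copies and reports every way the inventory falls short of three copies, two media types and one offsite copy. Two further checks are assumptions added here rather than taken from the post: the newest copy should be no older than a day (backups must actually be running), and the oldest retained copy should go back at least 30 days, because a hack is often discovered well after it happened and the most recent backup may already contain the infection. The inventories and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class BackupCopy:
    label: str        # where this copy lives, for the report
    medium: str       # media type, e.g. "web host disk", "local disk", "cloud storage"
    offsite: bool     # True if it is held somewhere other than the web server
    taken: datetime   # when this copy was made


def check_backup_plan(copies, now, max_age_days=1, min_history_days=30):
    """Return a list of problems with a set of backup copies; an empty list means
    the plan satisfies the rule of 3 and the two freshness assumptions below."""
    problems = []

    # Rule of 3: three copies, two media types, one offsite.
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; keep at least three")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies are on one media type; use at least two")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy; a server compromise takes every copy with it")

    if copies:
        newest = max(c.taken for c in copies)
        oldest = min(c.taken for c in copies)
        # Assumption: backups should run at least daily.
        if now - newest > timedelta(days=max_age_days):
            problems.append(f"newest copy is {(now - newest).days} days old; "
                            "backups are not running regularly")
        # Assumption: keep history, because the latest copy may already be infected.
        if now - oldest < timedelta(days=min_history_days):
            problems.append(f"oldest copy is only {(now - oldest).days} days old; "
                            "keep older copies so a clean pre-compromise version exists")
    return problems


# Constructed inventories for the example.
NOW = datetime(2023, 4, 9, 9, 0)
RULE_OF_3_PLAN = [
    BackupCopy("web host nightly", "web host disk", False, NOW - timedelta(hours=6)),
    BackupCopy("laptop weekly", "local disk", True, NOW - timedelta(days=3)),
    BackupCopy("Google Drive monthly", "cloud storage", True, NOW - timedelta(days=35)),
]
HOST_ONLY_PLAN = [
    BackupCopy("web host nightly", "web host disk", False, NOW - timedelta(hours=6)),
    BackupCopy("web host weekly", "web host disk", False, NOW - timedelta(days=5)),
]

if __name__ == "__main__":
    for name, plan in [("rule-of-3 plan", RULE_OF_3_PLAN), ("host-only plan", HOST_ONLY_PLAN)]:
        print(name, "->", check_backup_plan(plan, NOW) or "OK")
```

The host-only plan is the common failure case: two nightly and weekly copies on the same server look like redundancy, but they share one disk, one host account and one attacker.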


Frequently Asked Questions (FAQs)

There are several signs that your WordPress site may have been hacked, including:

  • Unexplained changes to your site's appearance or content.
  • A sudden decrease in site speed or performance.
  • Suspicious login attempts or activity in your site's logs.
  • Emails from your site being marked as spam or phishing attempts.

If you suspect that your WordPress site has been hacked, here's what you should do:

1. Contact a professional: Get in touch with someone who can diagnose and fix a hacked WordPress website and clean any malware left behind.

2. Take your site offline: The first thing you should do is take your site offline to prevent any further damage.

3. Scan your site for malware: Use a plugin like Wordfence or Sucuri to scan your site for malware and security vulnerabilities.

4. Remove any infected files or plugins: If malware is detected, remove any infected files or plugins from your site.

5. Restore from a backup: If you have a recent backup of your site, restore it to a clean version.

6. Change all passwords: Change all passwords associated with your site, including your WordPress admin password, FTP password, and database password.

7. Contact your web host: If you're unable to remove the malware or if you need help restoring your site, contact your web host for assistance.

While no site is 100% hack-proof, there are several steps you can take to minimise the risk of your WordPress site being hacked:

  • Keep software up to date: Regularly update WordPress core, plugins, and themes to patch security vulnerabilities.
  • Use strong passwords: Use a mix of uppercase and lowercase letters, numbers, and symbols for all passwords associated with your site.
  • Limit login attempts: Use a plugin like Login Lockdown to limit the number of login attempts and block IP addresses after a certain number of failed attempts.
  • Use a security plugin: Use a plugin like Wordfence or Sucuri to scan for malware, block suspicious IP addresses, and add extra layers of security to your site.
  • Use a reputable web host: Choose a web host with a track record of security and a focus on keeping their software up to date.
  • Back up your site regularly: Schedule regular backups of your site and store them offsite in a secure location.
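Section 4 above warns that the wp-admin login is the target of brute force and password guessing, and this list recommends limiting login attempts and watching the logs for suspicious login activity. The following Python script, an added example written for this article rather than code from the post or from the plugins it names, shows what that detection looks like when run over web server access logs: it counts POST requests to wp-login.php per source address inside a sliding time window. WordPress answers a failed login by re-rendering the form with HTTP 200 and a successful one with a 302 redirect, so a burst of 200s followed by a 302 from the same address is the pattern that needs attention. The log lines, addresses and the five-attempts-in-five-minutes threshold are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"


def parse_line(line: str):
    """Pull the fields the detector needs out of one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_login_bruteforce(lines, threshold=5, window_seconds=300):
    """Return {ip: alert} for every source that sent `threshold` or more failed
    logins within `window_seconds`, noting whether a success followed."""
    window = timedelta(seconds=window_seconds)
    recent_failures = defaultdict(deque)   # ip -> timestamps of failed logins in the window
    alerts = {}

    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"] == LOGIN_PATH]
    events.sort(key=lambda e: e["time"])

    for e in events:
        q = recent_failures[e["ip"]]
        while q and e["time"] - q[0] > window:      # slide the window forward
            q.popleft()
        if e["status"] == 200:
            # WordPress re-renders wp-login.php with HTTP 200 when credentials are wrong.
            q.append(e["time"])
            if len(q) >= threshold:
                alert = alerts.setdefault(e["ip"], {
                    "first_seen": q[0], "failures": 0, "success_after_failures": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif e["status"] in (302, 303) and e["ip"] in alerts and len(q) >= threshold:
            # A redirect after login means the credentials were accepted: the
            # guessing worked, so this needs a password reset, not just an IP block.
            alerts[e["ip"]]["success_after_failures"] = True
    return alerts


# Constructed log excerpt for the example (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [09/Apr/2023:10:15:01 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:04 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:07 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:10 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:13 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:16 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Apr/2023:10:15:19 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [09/Apr/2023:10:16:02 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.3 - - [09/Apr/2023:10:16:03 +1000] "GET /wp-admin/ HTTP/1.1" 200 61234 "https://example.com/wp-login.php" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2023:10:20:30 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.9 - - [09/Apr/2023:10:41:10 +1000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, alert in detect_login_bruteforce(SAMPLE_ACCESS_LOG.splitlines()).items():
        print(ip, alert)
```

Run against the sample, only 203.0.113.7 is reported: six failures in eighteen seconds and then a redirect, which is the case where blocking the address is not enough and the affected account's password has to be changed. The single legitimate login from 198.51.100.3 and the two isolated failures from 203.0.113.9 stay below the threshold, which is the balance a login-limiting plugin has to strike as well.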

Yes, you can use the .htaccess file to password protect your WordPress admin area.

However, using a plugin is easier and more user-friendly if you are not a developer and trying to do this yourself.

Two-factor authentication is a security process that requires users to provide two forms of identification before accessing the admin area.

This can be a password and a code sent to a user's phone or email.
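Authenticator apps such as the Google Authenticator plugin mentioned in section 4 implement the time-based form of this second factor (TOTP, RFC 6238, built on HOTP, RFC 4226): the site and the phone share a secret, and each derives a six-digit code from that secret and the current 30-second time step. The following Python code is an added example written for this article, not code from the post or from any plugin; it shows the derivation and a verifier that tolerates one step of clock drift, compares codes in constant time, and refuses a time step that has already been accepted so a code that was captured cannot be replayed. The secret and the expected codes are the published RFC 4226 test vectors, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, last_step=None,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the accepted time step, or None if the code is rejected.

    window:    how many steps either side of "now" to accept (clock drift).
    last_step: the most recent step already accepted for this user; any
               candidate at or before it is refused, so a captured code
               cannot be replayed inside the drift window.
    """
    current = int(at // step)
    for candidate in range(current - window, current + window + 1):
        if candidate < 0 or (last_step is not None and candidate <= last_step):
            continue
        # Constant-time compare so response timing does not leak matching digits.
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps are provisioned with the secret in base32; normalise
    case and spacing and restore padding before decoding."""
    cleaned = text.upper().replace(" ", "")
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 4226 / RFC 6238 test secret (published in the RFCs, not a real credential).
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(RFC_SECRET, 59))            # 287082 per RFC 6238
    print("code now:    ", totp(RFC_SECRET, time.time()))
```

The verifier returns the step it accepted so the caller can store it as `last_step` for the next attempt; without that, the same six digits stay valid for up to three time steps and a code seen over someone's shoulder or in a phishing page can be reused.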


Closing Thoughts

Keeping your WordPress site safe and secure is essential for protecting your content, your users and their data.

If your website represents a business entity, your reputation is everything. You need to ensure that your site remains a safe, reputable and trusted resource for your audience.

By following some of the tips outlined in this article, you can harden your WordPress website security to minimise the risk of your site being hacked.

Don’t wait until it’s too late – take action now to protect your business and secure your WordPress site against bots, hackers and malware.


Need Help? Get in Touch

If you need help hardening your WordPress security or recovering from a hacked WordPress site, contact Michael Sherry.

Michael is a Gold Coast Web Designer & SEO Professional with more than 8 years’ experience securing and maintaining websites for businesses across the country.

Call direct on 0431 739 060 for an obligation free discussion about your website security.
