Resource Center  >  Blog

Top 5 ways WordPress websites get hacked

April 22, 2020
Admir Dizdar

WordPress has many advantages and is not without reason the most popular way to build a website, with 60% of pages on the web based on it. Unfortunately, it is this popularity that makes WordPress a juicy target for malicious users. Every year hundreds of thousands of WordPress and ecommerce sites get hacked.

So, is WordPress secure?

Attackers don’t get in thanks to security flaws in WordPress’s latest core software. Rather, most hacks can be easily prevented by taking simple steps like keeping things updated and securing passwords.

Top 5 ways WordPress sites get hacked

According to data, here are the top 5 ways WordPress websites get hacked:

1. Out-Of-Date Core Software
2. Out-Of-Date Themes and Plugins
3. Compromised Login Credentials for WordPress, FTP or Hosting
4. Supply Chain Attacks
5. Poor Hosting Environment and Out-Of-Date Technology

1. Out-of-date Core Software

According to WPScan Vulnerability Database, ~76% of the known vulnerabilities they logged are in the WordPress core software. But if we look at the version of WordPress those vulnerabilities were found, then we can see that 9 out of 10 most vulnerable WordPress versions are WordPress 3.x.x. Unfortunately only 21.5% of websites run on the latest version of WordPress.

2. Out-Of-Date Themes and Plugins

While themes and plugins are great for extending your site, each extension is a new potential gateway for a malicious actor. While most WordPress developers do a good job at following code standards and patching any updates as they become known, there are still a few issues:

–        A plugin or theme has a vulnerability
–        The developer has stopped working on the theme or plugin but people are still using it
–        The developer patches the issue, but people don’t update

3. Compromised Login Credentials for WordPress, FTP or Hosting

A non-trivial percentage of hacks are from malicious actors getting their hands on WordPress, hosting or FTP account credentials.

Once the attacker has the key to your front door, it doesn’t matter how otherwise secure your WordPress site is.

WordPress does a great job mitigating this by generating secure passwords. It’s still up to users to keep those passwords secure.

4. Supply Chain Attack

There are some instances where hackers used a nasty trick to gain access to sites. The malicious actor would:

–        Purchase a previously high-quality plugin listed at
–        Add a backdoor into the plugin’s code
–        Wait for people to update the plugin and inject the backdoor

It’s hard to prevent such attacks as you are doing something you are supposed to do – you are keeping a plugin up-to-date. team usually quickly spots these issues and removes the plugin from the directory.

5. Poor hosting environment and Out-Of-Date Technology

A whopping ~28% of WordPress websites are still using PHP 5.6 or below. The support for PHP 5.6 expired at the end of 2018, and earlier PHP versions haven’t had security support for years. This opens you up to the potential of unpatched PHP security vulnerabilities. Using a secure hosting environment and recent versions of important technologies like PHP helps further ensure that your WordPress site stays safe. Always make sure your website is well maintained.

How to stay secure?

The only way to be completely sure your website is secure is to test it for vulnerabilities. Automated solutions like Bright are easy to deploy and you don’t have to be a security expert to start a scan. Bright is a SaaS solutions and new payloads are added faster than with any other traditional solution. Request a demo and check out how Bright can help you keeping your WordPress site secure.

Related topics

Understanding the Emerging Threat to Your Applications and APIs In today’s digital-driven world, applications and APIs are the linchpins of

See more

Artificial intelligence (AI) has emerged as a transformative force in today’s business landscape, touching virtually every industry with its disruptive

See more

Laravel is growing and becoming one of, if not the most popular PHP framework present today. In fact, Cloudways ranks

See more

Test Your Web App for 10,000+ Attacks

  • Find & fix vulnerabilities fast
  • Zero false positives
  • Developer friendly
See Our Dynamic Application Security Testing (DAST) in Action
and see how easy AppSec can be
Get Started
Read Bright Security reviews on G2