How WordPress websites get hacked

Because of its widespread popularity as a CMS, WordPress is also a popular target for hackers.

Hacking attacks are mostly opportunistic rather than about targeting (although big brand websites may be specifically targeted). Most attacks are automated, with bots searching high and low across the internet for security weaknesses to exploit.

Attacks are often made via:

  • Insecure website hosting
  • Login details – for example, by attempting multiple random username and password combinations
  • Security weaknesses in CMS, plugin or theme software – usually when it’s not been updated

Hackers have a wide variety of motives, but most often it is profit. Hacking sites to distribute malware, steal user data, send spam, host phishing pages, or redirect visitors to scam sites can be extremely lucrative, and a hacked site costs the attacker nothing.

Such security breaches can have a hugely negative impact on your website and business – undermining user trust, causing legal violations, and potentially costing thousands of pounds. So it’s vital to protect your WordPress website against hacking.

Is my WordPress site vulnerable to hacking?

WordPress beginners and small site owners often think that they don’t need to worry about security. They assume that their site will be too small and insignificant to interest hackers.

This assumption is wrong.

WordPress sites of all sizes are hacked. Hackers use automated bots to scan the internet for sites with security weaknesses and will hack wherever there is an opportunity.

Another key thing to realize is that you may not even be aware when hackers are attempting to break into your site. Unless you get regular security notifications about hacking attempts, you’ll probably only find out when a hacking succeeds and something on your website goes awry.

The take-away message is that all sites are vulnerable to hacking – and prevention is better than cure. Make sure to install a security plugin and take other preventative security measures to keep your site safe.

How to beat the WordPress hackers

We now share the top 10 ways to keep your WordPress website secure and prevent it from being hacked.

1) Choose a secure hosting provider

A good hosting provider takes care of the layer beneath WordPress: a patched operating system and web server, a network firewall, isolation between customer accounts, malware scanning and regular backups.

When choosing a hosting provider, check what security measures they have (such as a firewall and SFTP or SSH access rather than plain FTP, which sends your password across the network unencrypted), how they monitor their servers, and how they respond to a security breach.

Your WordPress site may be particularly exposed on a shared hosting plan if the provider isolates accounts poorly: when several customers’ sites run as the same system user, a compromised neighbour can read and write your files too. Ask how accounts are separated.

The most isolated, but also the most costly, option is a dedicated server. It is worth considering if you have high traffic levels or hold sensitive data, but bear in mind that you (or your agency) then become responsible for patching and hardening the server itself.

2) Get a security plugin

Having a high-quality security plugin is a must-have to prevent your WordPress site getting hacked.

Security plugins generally include:

  • a firewall to block suspicious traffic
  • brute-force protection, which rate-limits and locks out repeated failed login attempts
  • a scanner that checks your files, themes and plugins for security issues
  • regular security notifications

We recommend Wordfence – an excellent, free security plugin. Once installed, ‘Wordfence’ will appear in the left-hand menu of your WordPress dashboard. You can click here at any time to scan your site, see the latest notifications and get recommendations to improve site security.

3) Choose a secure theme

Choosing the right theme for your site is crucial. Of course, it needs to have the right look and features for your organisation. But it also needs to be robust and secure.

A secure theme will:

  • Be updated and patched regularly
  • Follow good coding standards
  • Not be associated with bugs or compatibility errors

With more than 7,000 WordPress themes available, it can be tricky to know where to start!

The best way to choose a secure theme is by looking on There, you can browse theme reviews, check how many installations a theme has had, and see when the theme was last updated – all good indications of security.

You may also want to ask your WordPress agency for theme recommendations that will meet your particular website and organisation’s needs.

4) Keep WordPress updated

Keeping WordPress up-to-date is another important security measure. WordPress software updates are made regularly to optimise performance and patch any security issues as they are discovered.

WordPress installs minor and security releases automatically by default, so those arrive in the background without you doing anything. Major releases (for example 6.4 to 6.5) are not applied automatically unless you opt in, so you need to action them yourself from the dashboard; take a backup first, because a major update can break an old theme or plugin.

Update messages will appear on your WordPress dashboard as soon as they are available. Just click on them to action. Plugins and themes are where most WordPress vulnerabilities are found, so keep those updated too, and delete any you no longer use: an inactive plugin’s files are still on the server and can still be exploited.

5) Use secure login details

As mentioned above, one of the key ways hackers can access your WordPress site is through automated ‘guessed’ login attempts. The more obvious your username and password, the more likely these attempts will succeed.

Start by choosing a username other than ‘admin’, which is so common that it is usually the first one a bot tries. Bear in mind that WordPress usernames are not secret (they appear in author archive URLs), so this only removes the easiest guess; the password and two-factor authentication carry the real weight.

Secondly, use a long password: at least 12 characters, not a dictionary word or a variation of the site name, and not reused from any other account. A password manager will generate and remember one for you.

As well as securing your WordPress dashboard login, choose secure usernames and passwords for your other website-related accounts, such as your custom email address and hosting control panel. An attacker who controls your email address can simply request a WordPress password reset, so that account needs the same care.
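The article noted earlier that you may not realise these guessing attempts are happening. A concrete way to see them is the web server's access log: every login attempt is a POST to /wp-login.php, and a bot produces dozens of them per minute from one address. The following is an added example in Python (not code from the article or from Wordfence) that flags such bursts in constructed log lines. It assumes the combined log format that Apache and nginx write by default, a five-minute window and a threshold of ten attempts; it also treats /xmlrpc.php as a second endpoint that accepts the same credentials, which is an assumption of this example rather than something the article covers. The function and variable names are chosen for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined log format as written by Apache and nginx (sample lines are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# wp-login.php is the endpoint the article describes; xmlrpc.php is an assumption of this
# example (it accepts the same username/password over XML-RPC).
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag IPs that POST to a login endpoint at least `threshold` times inside any `window`.

    WordPress answers a successful login POST with a 302 redirect to wp-admin and a failed one
    by re-rendering the form with 200, so a 302 after a burst of 200s means the guessing worked.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in LOGIN_PATHS:
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0
        peak = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {
                "attempts": len(events),
                "peak_in_window": peak,
                "succeeded": any(status == 302 for _, status in events),
            }
    return flagged


def sample_log():
    """Constructed access-log lines: one bot hammering wp-login.php, one legitimate user."""
    t0 = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    fmt = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [
        f'198.51.100.4 - - [{fmt(t0)}] "GET /wp-login.php HTTP/1.1" 200 3201 "-" "Mozilla/5.0"',
        f'198.51.100.4 - - [{fmt(t0 + timedelta(seconds=20))}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(12):                         # twelve failures, ten seconds apart
        t = t0 + timedelta(seconds=10 * i)
        lines.append(f'203.0.113.7 - - [{fmt(t)}] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"')
    # ...and then a redirect: the thirteenth guess was right
    lines.append(f'203.0.113.7 - - [{fmt(t0 + timedelta(seconds=120))}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"')
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(sample_log()).items():
        print(ip, info)
```

The 302 after a run of 200s is the detail to act on: it means the password was found, so the response is to change that account's password and check for new users and modified files, not merely to block the address.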

6) Add two-factor authentication

You can strengthen your WordPress login even further by enabling two-factor authentication. This is particularly useful if you have multiple users logging into the back-end of your site.

With two-factor authentication, users log in in two stages. First, they enter their username and password. Then they enter a one-time passcode from a device they hold, so a stolen or guessed password alone is no longer enough to get in.

With the Wordfence security plugin we recommended above, two-factor authentication is easy to enable. It uses an authenticator app on your phone to generate time-based passcodes.

To set things up, go to Wordfence > Login Security in your WordPress dashboard. Install Google Authenticator (or another authenticator app) on your phone, then either scan the QR code shown or type in the key given next to it.

At this point, the app will show a six-digit code that changes every 30 seconds. Enter the current code back on your WordPress dashboard and click ‘Activate’. Wordfence also offers a set of recovery codes here: download them and keep them somewhere safe, because they are the only way back in if you lose the phone.

Two-factor authentication is now enabled. Every time you log in to WordPress you will be prompted for a fresh passcode from the app. Enable it for every administrator account, not just your own; one admin without it is the one the bots will find.
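To show what the authenticator app does with the key you copied, here is an added example in Python (not Wordfence's code and not code from the article) implementing the time-based one-time password algorithm these apps use (RFC 6238 on top of RFC 4226 HOTP): the key is decoded from base32, HMAC-SHA1 is taken over the number of 30-second intervals since the Unix epoch, and six digits are extracted from the result. The key constant is the RFC's own test key, chosen so the output can be checked against the published vectors; RFC6238_KEY, decode_base32_key, hotp, totp and verify_totp are names chosen for this example.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_key(key):
    """Authenticator apps show keys in base32, often grouped with spaces and without '=' padding."""
    cleaned = key.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(key_b32, for_time=None, step=30, digits=6):
    """RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(decode_base32_key(key_b32), for_time // step, digits)


def verify_totp(key_b32, submitted, now=None, step=30, window=1):
    """Server side: accept the current interval and `window` intervals either side (clock skew).

    The comparison is constant-time so response timing cannot leak which digits were right.
    """
    if now is None:
        now = int(time.time())
    for offset in range(-window, window + 1):
        candidate = totp(key_b32, now + offset * step, step)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


# RFC 6238 reference key: the ASCII string "12345678901234567890" encoded in base32.
RFC6238_KEY = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    print(totp(RFC6238_KEY, 59))                     # 287082
    print(totp(RFC6238_KEY, 1111111109, digits=8))   # 07081804
    print(verify_totp(RFC6238_KEY, "287082", now=59))  # True
```

Two things follow from this for the server side. A code is only as secret as the key it was derived from, which is why the key is shown once at setup and never again; and the acceptance window should stay small, since every extra interval is another valid code for an attacker to guess.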

7) Disable file editing

WordPress includes a code editor (Appearance > Theme File Editor and Plugins > Plugin File Editor) which lets you edit theme and plugin PHP files through your dashboard. This is convenient, but it means anyone who gets hold of an administrator login can write arbitrary PHP to your server without needing FTP or shell access, which is exactly what an attacker wants. We therefore recommend turning it off.

To disable the code editor, add the following line to your wp-config.php file, above the line that reads “That’s all, stop editing!”:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );

A separate, related measure is to stop the web server from executing PHP files that end up in your /wp-content/uploads/ folder. Uploads are meant to hold images and documents, so nothing there should ever run as code; if an attacker manages to smuggle a PHP file in through a vulnerable plugin or a weak upload check, this rule stops them calling it. Open Notepad (or a similar text editor) and paste the following:
# Refuse direct requests for any PHP file in this directory and below
<Files *.php>
    deny from all
</Files>

Save this as .htaccess and upload it to /wp-content/uploads/ on your website. Two caveats: it only works on Apache with .htaccess processing enabled (AllowOverride), and on Apache 2.4 without mod_access_compat the directive is “Require all denied” rather than “deny from all”. Nginx ignores .htaccess files entirely, so there the equivalent location rule has to go in the server configuration; ask your host if you are unsure which web server you are on.

8) Scan your website and computer

It’s important to scan your website regularly to check for malware, viruses and suspicious code. If using the Wordfence plugin, this can be done by going to Wordfence > Scan and clicking ‘Start new scan’.

If there are any issues, Wordfence will suggest how to fix them and get your site secure again. The plugin can also run scans on a schedule; make sure that is switched on and look at the results at least weekly, since an unread scan report is no better than no scan. A manual scan straight after installing or updating a plugin is also a good habit.

However, it’s no good having a secure site if the computer from which you administer it is infected: malware on your own laptop can capture your WordPress password and session as you type them, and no plugin on the server will notice. So make sure to keep your own devices clean as well.

Use reputable anti-virus software on your device, keep the operating system and browser updated, and review your browser’s privacy settings and extensions, since an extension runs with access to every page you are logged in to.

9) Use HTTPS

Having an HTTPS site means that traffic between your website and users’ browsers is encrypted and authenticated. Without it, anyone on the network path (on public Wi-Fi, for example) can read or alter the pages in transit, including capturing your own dashboard login and session cookie. So it is another key way to prevent hacking.

If you don’t have an HTTPS site already, moving over is straightforward. You need a TLS certificate (still widely called an SSL certificate), which is available to all websites free of charge from Let’s Encrypt; most hosts can issue and install one for you from the control panel. Once it is in place, set the WordPress Address and Site Address in Settings > General to https:// and redirect http:// requests, so visitors never land on the unencrypted version.

Certificates expire. Let’s Encrypt certificates last 90 days and are meant to be renewed automatically by the client your host or agency set up; commercial certificates last at most about 13 months. Check that automatic renewal is actually working rather than relying on a reminder, and keep a note of the expiry date anyway: an expired certificate makes every browser show a warning, and your site’s HTTPS protection, and reputation, lapse with it.

10) Backup, backup, backup!

Whilst our final tip doesn’t actually prevent hacking, it’s probably the most important step to take just in case your site is ever hacked.

By making regular site backups, you can reinstate your site again quickly if ever needed. Without backing-up, you could stand to lose everything you’ve ever designed, posted or written on your site.

How to backup your WordPress site will depend on the type of hosting you have. Make sure to speak to your hosting provider; they may include backups as part of your hosting package.

Alternatively, talk to your WordPress agency or install a backup plugin. Whichever way you do it, back up both the database and the files (uploads, themes, plugins), keep copies somewhere other than the web server itself (an attacker who controls the server also controls any backups sitting on it), and test restoring one occasionally so you know it works before you need it.