3 Most Common Ways WordPress Sites Are Exploited

Thousands of WordPress sites continue to be hacked & injected with malware every day. Not surprising considering WordPress is the world’s most popular free blogging and website software.

Around 80 million people currently use WordPress.

Free plugins & themes being amongst the most popular features.

If you’re wanting to avoid being hacked, there’s 4 questions that need to be answered:

  1. Do you update your wp core, themes and plugins when new updates become available?
  2. Do you backup your sites files as well as your databases?
  3. Do you store your backup on your server or in a safe location away from your live site?
  4. Do you use the default login username, admin and a short password?

Here’s a list of the 3 most common ways your site could be hacked and damaged or lost entirely.

1. Out Of Date Free Plugins & Themes

Its easy to install a free plugin or theme and based on the latest WordPress stats, there’s been hundreds of millions of downloads.

When a plugin or theme gets updated, the changes are disclosed in a changelog. Most of the time they include security updates which hackers can easily exploit as they know exactly what is vunerable.

If you haven’t updated the plugin or theme, you run the risk of allowing your site to be hacked.

Another problem related to free plugins and themes is the owners don’t have any incentive to fix security holes unlike premium plugins and themes because they don’t get paid to.


  • Update WordPress core files
  • Update plugins for WordPress
  • Update WordPress themes

2. Weak Login Details

I think most of us can remember the default login username when we first installed WordPress is admin.

Its a bit of a no brainer to understand that experienced hackers know this as well. What they do is use software programs to scan the entire internet looking to exploit this weakness.

Failed Login Attempt: Failed Login

Most WordPress users have a login address which ends in wp-login.php

Click your login link now and check this is correct on your site.

So hackers know the address to most WordPress login pages as well as the username.

If you’re using the default login username, admin and also have a weak password like your dogs name, fluffy, its only a matter of time before your site will be exploited.


3. Database Injections

Unlike old style HTML websites which don’t use a database, WordPress does.

I’m sure you know that your site is made up of a database and files.

phpMyAdmin manages your MySQL database(s) which you can access from cPanel.

If a hacker gets into your database, they can do anything.

Delete it, mess it up, redirect all your url’s to malware distributing sites, Viagra or Canadian Pharmacy etc.

The work involved in cleaning this up is a nightmare even for the people that do it for a full time living.


Google Security Warnings

If your site is hacked & injected with redirects to malware distributing sites, Google will find out.

When they do, they’ll issue a warning to all your site visitors before they land on your site advising them of the risks.

Click this image to view a warning from Google, Bing and most other browsers.

Google Malware Warning
Click To View

Avoiding Security Breaches

  1. Here’s a long list of security solutions as well as another list on hardening WordPress.
  2. Take full backup of your sites files and databases and store them away from your server.

Security Plugins

  1. Exploit Scanner – Search the files and database of your WordPress install for signs that may indicate that it has fallen victim to malicious hackers.
  2. The Most Popular WordPress Security Plugin
  3. Bullet Proof Security Plugin
  4. Better WP Security Plugin
  5. Wordfence all in one security plugin

Security Services

If you don’t want to learn more about securing your installation, you may consider using a service:

  1. Use a managed WordPress host which Guarantee’s the security of your site
  2. Use a WordPress security service which scans your installation and takes backups on a regular basis
  3. Install a premium plugin which automatically creates a daily full backup and sends it to a storage location of your choice. i.e: Dropbox, Amazon s3 etc.

If you’ve got daily full backup stored in a secure location and your site does get hacked, you’re safe. If you don’t, what have you got to lose?

Need More Help?

Join WP Sites to get full access to all tutorials & code.

  • Support for installation & modification of existing PHP code
  • Help with Genesis & StudioPress theme customisation
  • Access all tutorials & code snippets
  • Ask questions in the comments & get answers
  • Education - Request video explaining how the code works and what functions are included

Click Here to Learn More