Submit a enquiry

    Back to all posts

    5 ways to get your WordPress site hacked

    by Iain Thomson Project Lead

    WordPress powers around 30% of the internet and has been around for more than 15 years. It’s unsurprising that the most popular open source content management system is a target for hackers.

    Here we detail a few common mistakes that will leave your WordPress site vulnerable to hackers and how to fix them.

    Using a weak password

    Using weak passwords (or the same passwords for multiple accounts) makes it easier for hackers to guess their way into accessing your site. Password hacking is usually done through one of the following methods:

    • Brute Force – using an automated software, the hacker tries pretty much every possible character combination for your password (starting with commonly used passwords first) until they gain access. While this technique will eventually get your password correct, you can make it harder and more time consuming by using a maximum strength password.
    • Phishing – a scam method that convinces the user to enter their password/login info on a page or form that mimics one that is legitimate via a spoof email or phone call.
    • Dictionary – the hacker runs a simple file of words that can be found in a dictionary against your passwords. An easy way to successfully hack into accounts that use weak/generic passwords.

    Using strong and unique passwords, not sharing passwords with anyone via email, are checking the send address when emails are asking you to click a link are all ways that can help protect your site from password hacking.

    Keeping the default URL for your admin login page

    Keeping the default URL for your admin login page leaves it wide open for hackers to access. Don’t make it easy for them! Hackers can use software that forces email address and password attempts until they gain access. Make it hard for them to find where to login in the first place.

    It is also a good idea to limit overall login attempts to prevent anyone(/bot) that does get onto your login page from trying an indefinite number of passwords.

    Downloading plugins from unknown sources

    Any developer can create themes and plugins and make them available for WordPress users to download which makes for an incredible and inclusive community, however it also means that there are a huge amount of dodgy plugins and themes just waiting to be installed.

    Do your research and find out who the developer is and what their reputation is before you download and install their plugin! You could be unknowingly installing a backdoor into your website. A backdoor is a way to access a system by bypassing it’s security measures; when it is installed, it is difficult to detect and allows hackers to access your website. To avoid this, you should only download plugins from legitimate and trusted sources ( and trusted developers only).

    Not updating WordPress

    Each WordPress update usually comes with bug fixes and important security improvements. While it may feel like a pain to keep up with updates, hackers tend to target older versions as they know where the vulnerabilities are. Staying on top of updates helps to patch these vulnerabilities and keep your website (and data) safe. WordPress gives you the option to set automatic updates so you never have the excuse of forgetting.

    Scrimping on your hosting provider

    Be careful who you choose to host your site and check whether they use a secure server. If they don’t, your site is at serious risk of attack regardless of what security features your site has. A secure host might cost more but it is vital to make sure that your website and customer data is protected.

    Need any development support? Gooey are a white label development agency specialising in frontend web and email development. Contact us to see how we can help you.