Why do WordPress websites get hacked?
You’ve all heard a horror story about a site being hacked. I read on Forbes that something like 30,000 sites a day show up distributing malicious code. And WordPress is always at the center of this debate.
But why? Why do you have to install several different systems to keep hackers out? Why do you have to know how to configure your installation for security? Why do hackers target WordPress more than other websites?
This question actually can mean one of two things, and I’m going to answer them both here.
What motivation do hackers have for hacking into a website?
For the average person, it can be hard to understand why a hacker would even want to try to break into your little blog where you sell handmade soap. Am I right?
There are three main reasons.
- They want to use it to send out spam email.
- They want to gain access to your data, mailing list, credit card information, etc.
- They want to gain access to your site and cause it to download malicious software onto your end users’ machines, or they want to install malicious software for use on your site.
This last option is probably the most confusing. Malicious software can be installed for use on your website, and it can be installed in a way that your users unknowingly end up with things installed on their machines.
One typical use of this kind of attack is to enable larger scale attacks. It takes a ton of machines to do a proper Denial of Service attack. Your hacked site might be one of them. Or maybe the hacker is targeting another entity and is using your website (or your users’ personal computers) as intermediary points for their own personal security.
In any case, these are the main reasons why hackers attack. (Or they’re a bored 13-year-old who will get a kick out of showing your wrecked site to friends at school – yep, it happens.)
Why do hackers target WordPress specifically?
The short answer? Because it’s very popular.
Put yourself in the mindset of a hacker for just a second. If you want to take over a lot of websites for your own nefarious purposes, are you going to spend all of your time trying to find vulnerabilities on a platform used by 500 websites, or are you going to try to break the platform with hundreds of millions of sites? Because WordPress is so widely used, it’s an incredibly popular target for hackers.
Even though the WordPress core is usually very secure, WordPress is also a modular platform – it can be extended in any number of ways with themes and plugins. Because anyone can write tools for WordPress, it’s possible that not all extensions live up to the same code review standards as the WordPress core. It’s possible for a very popular plugin to have security flaws that can impact thousands of WordPress sites all at once.
Because of its popularity, WordPress attracts a great deal of attention from hackers and security researchers alike.
What doesn’t kill you makes you stronger
The reality is, though, that the open-source nature of the code is also what makes it strong. It is what allows white hat hackers to find exploits and report them easily so holes can be patched. It is what lets anyone with motivation help improve security over time. It is what allows third parties to create even stronger security solutions that can just be installed right on top of WordPress.
The WordPress core is actually a very secure piece of software. On top of that, you can make it more secure just by following some simple practices, like not having a user called admin and moving your wp-config.php file up one directory, out of your public root. You don’t even have to change any settings to do that – WordPress looks for it there automatically.
I don’t really need to write that article, though – WordPress already has it in their article on hardening WordPress.
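A check for the wp-config.php placement described above, as an added example that is not from the original article: it follows WordPress's own lookup order (the web root first, then the parent directory when that parent holds no wp-settings.php) and also flags a config file that is world-readable. The function names are assumptions made for illustration, and the web root path is supplied by the caller.

```shell
#!/bin/sh
# Added example: audit where wp-config.php lives and who can read it.

# Print "docroot", "parent" or "missing" for the install rooted at $1.
# WordPress loads <docroot>/wp-config.php first; it falls back to the
# parent directory only when that parent has no wp-settings.php of its own.
wp_config_location() {
    docroot=${1%/}
    parent=$(dirname "$docroot")
    if [ -f "$docroot/wp-config.php" ]; then
        echo docroot
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo parent
    else
        echo missing
    fi
}

# Print the octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when wp-config.php sits outside the web root and is not readable
# by "other"; otherwise print each finding and return 1.
audit_wp_config() {
    docroot=${1%/}
    findings=0
    case $(wp_config_location "$docroot") in
        parent)  cfg="$(dirname "$docroot")/wp-config.php" ;;
        docroot) cfg="$docroot/wp-config.php"
                 echo "FINDING: wp-config.php is inside the public root"
                 findings=1 ;;
        *)       echo "FINDING: no wp-config.php found"; return 1 ;;
    esac
    mode=$(file_mode "$cfg")
    other=${mode#"${mode%?}"}   # last octal digit holds the "other" bits
    if [ "$other" -ge 4 ]; then
        echo "FINDING: $cfg is world-readable (mode $mode)"
        findings=1
    fi
    return "$findings"
}
```

Run it as `audit_wp_config /path/to/public_html`; a non-zero exit status means at least one finding was printed.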
Other safety measures you can take
If you’ve run through the post on Hardening WordPress and done most of what they mentioned, but you want to be extra sure your site is safe, there are some other great steps you can take.
Before you install a new plugin, check it to make sure it doesn’t have any known and unfixed issues. However, you don’t have to give up on a plugin that has a history of vulnerabilities – most of the best plugins will show a few.
You have to balance security with pragmatism – it is almost impossible to ensure that all of your code is 100% secure all of the time. And, the more popular your plugin is, the more people there are going to be trying to find little vulnerabilities (because the more sites your plugin is installed on, the bigger the network they get if they can hack your plugin).
You can also get outside help. There are companies like Sucuri that focus just on security (and they are great at what they do – it is well worth the annual cost for their premium service). Your hosting company might also provide some levels of security. Take Flywheel, for example: not only do they scan your site for attacks, but they’ll also remove the malware for you (for free!). Or there is my own company, ManagedWP.Rocks, which does complete website management and includes security auditing and hardening in the package. If you are in business and your site is actually profitable, the cost of this kind of service is usually completely offset by the amount of time you save by not having to keep up to date on all the latest issues and best practices.
A good read… I think one of the bigger problem areas is plugins. There are many that are not coded correctly, but the problem is, how does an end-user know? The other common problem is usernames and passwords. It’s amazing how many people don’t use strong usernames and passwords. Regarding usernames, many still use “admin” as one and this is very common. Usernames should be complex character sets just like passwords. For my passwords, I do nothing short of 12 characters, mixed with upper and lower case letters, numbers, but also symbols… the same for usernames.
It’s not just plugins either, it’s also themes that can also have vulnerabilities, more so the ones with built-in plugins that are coded directly into it. I know for my themes, I don’t do that, but they are also reviewed by the theme review team at WordPress.org…there, they dig deep into their review and push for secured code; something I follow.
No such thing as a 100% secure site, but it’s all the little things we need to be vigilant about from our WordPress, to plugins, to themes, to our login credentials, and more.
Great article, Justin. Security is perhaps the one area of owning a website that is still completely misunderstood. As you stated, many people don’t understand the motivation for hackers to take over their small site. The average person is unaware that spam email, drive-by malware downloads, or DDoS attacks can happen to their site.
I’d venture to say that many folks that have an average business site on WordPress rarely touch it, much less update the plugins or version. Education, like the kind you are providing here, needs to continue until the regular business owner has little choice but to hear the message.
Great article. I agree with Andre. The biggest threat is the plugins. We won’t even use a plugin unless it is regularly updated by the developer. If a plugin’s last updated version was 6 months ago or more, I wouldn’t use it. Also, always look for premium plugins. The free ones can get you into trouble; you get what you pay for.
I have to comment on a couple of your points here, as they are misleading for people who may not work with WordPress on a technical level.
Firstly, a plugin doesn’t need to have been updated within the last 6 months to actually be up to date. There are many great plugins that aren’t necessarily affected by WordPress updates, as they may be dealing with aspects of WordPress that haven’t changed in some time. There are smarter ways to judge a plugin.
Secondly, it’s unwise to think that, by buying a premium plugin, you are automatically safe. Premium plugins are often not hosted on the WordPress plugin repository, which means they are NOT subject to any form of review before being made available. This means the plugin author can put whatever they like in their plugin and start selling it; the only motivation they have to maintain/improve their plugin is their desire to continue generating revenue.
When choosing a plugin, you should spend time checking its compatibility rating, user ratings, user reviews (Google it!), and support forum. It’s also a good sign if the plugin has many active installs. If all the signs are good and the support forum is actively engaged, you may just have a very good plugin on your hands.
Don’t fall into the trap of black and white thinking. Consider all the available information and make informed decisions.
Hey Phil – I couldn’t agree with you more, and I don’t mean to mislead anyone. There are a couple of good ways to review plugins including https://wpvulndb.com/ which has a database of vulnerabilities, a plugin (yes, I know – it’s a plugin) called Plugin Vulnerabilities that you can install that scans, and a new service (I haven’t tried this, but it sounds promising) called Mongoose that you can install which will monitor all of your installed plugins and send you an email if security issues arise with any of them.
Understanding that many people will never be able to look at the wpvulndb database and make any sense of it, the other two options are probably a better bet, or working with a WordPress management company to ensure you have experts on your side.
Thanks for the good advice.
Managed WordPress hosting is very difficult to hack.
When my site was hosted on shared hosting, I tried to protect my site from being hacked by:
1. As pointed out above, I don’t use admin as user name
2. My password is very difficult to brute force; it consists of numbers, letters, and special characters
3. I do not use free themes and plugins even from the wordpress.org
4. I buy my themes and plugins only from reputable vendors.
Don’t forget that when WordPress releases an update it exposes all known security flaws, giving all hackers a blueprint for what to attack.
What I’m trying to figure out is if these are actual people trying to hack into WordPress websites or are they automated somehow… It would be nice to finally figure out how to block these things from happening.
I find it interesting that you guys post about the wp-config.php file being placed not in the root directory; yet, all of the installs you guys do aren’t set up that way. Why is that?
You bring up a great point! One of the reasons for putting your wp-config.php file in a separate place besides your root directory is that you can put it in a non-public folder. When you’re managing your own WordPress installation, it’s easy to misconfigure file permissions, potentially exposing sensitive data such as database logins to the public. On Flywheel the WordPress Core is internally configured and automatically write-protected, so the permissions will always be the same even if someone tries to change them.
I get clients asking me all the time why their website was hacked. This is a great article to send them to. Thank you for writing it!
Great post! I’m pretty sure a lot of people still don’t know that you can limit login attempts, a good security measure to put in place.
We’ve been working on suspicious login detection for a few years now and recently built a WordPress security plugin. It’s just now come out of beta and it’s in the WP directory here: https://en-au.wordpress.org/plugins/thisdata/. If anyone gives it a try please let me know what you think :)
I can’t believe it’s taken me so long to find this article. Great Read!
Getting your website hacked is a real pain in the arse, but if you maintain regular backups, recovery is reasonably simple.
Although I found the hardening tips linked in this article very useful.
The more popular the plugin, often the more it’s reviewed. If it is insecure it’ll get bad reviews. Also popular plugins often have lots of development time, so hopefully have fewer bugs, and are therefore more secure. But there aren’t any promises. I don’t think you can assume less popular plugins are more secure, or that more popular ones are more secure either. There won’t be a definite pattern.
If I was hacking a WordPress.org site, I’d go for the medium level popularity plugins because:
a) They are still fairly common
b) They have less development time
The best plugin to hack would be:
1) One that is immensely popular
2) One that has the least development time
3) One that hasn’t been developed recently
I’d then search for any textual errors relating to just that plugin.
Even better, I might even do some social engineering and volunteer to help a plugin author who hasn’t done much development recently, and use VPNs and anonymous email addresses so I’m untraceable. You can then put intentionally security-weak code into that plugin, and use that.
You are so awesome! I do not suppose I have read through something like that before. So nice to find another person with original thoughts on this topic. Seriously.. thank you for starting this up. This web site is something that is required on the internet, someone with a bit of originality!
Hi, where can I find your package for my customers? Cause I’m growing old of this hacking. It’s annoying.
Hey Carrie, sites getting hacked is definitely no fun. If you’re interested in Flywheel, you can learn more about our hosting services here.
Hi Justin, hi everyone,
I just finished reading the article and also every comment here. A good read; evaluating every point of view helped me look at WP security with new eyes.
Although WP security is a huge and complex topic, we can compare it with human health: we are all built up from the same basic compounds, but we react differently according to how we’re built and our daily intakes. Anyway, one piece of advice we could give every WP user is to have several clean website backups at hand and to monitor regularly. Infection and hacking will occur on every WordPress site one day.