Why do WordPress websites get hacked?

You’ve all heard a horror story of sites being hacked. I read on Forbes that something like 30,000 sites a day show up distributing malicious code. And WordPress is always at a hot center of this debate.

But why? Why do you have to install several different systems to keep hackers out? Why do you have to know how to configure your installation for security? Why do hackers target WordPress more than other websites?

This question actually can mean one of two things, and I’m going to answer them both here.

What motivation do hackers have for hacking into a website?

For the average person, it can be hard to understand why a hacker would even want to try to break into your little blog where you sell handmade soap. Am I right?

There are three main reasons.

  1. They want to use it to send out spam email.
  2. They want to gain access to your data, mailing list, credit card information, etc.
  3. They want to gain access to your site and cause it to download malicious software onto your end user’s machine or they want to install malicious software for use on your site.

This last option is probably the most confusing. Malicious software can be installed for use on your website, and it can be installed in a way that your users unknowingly end up with things installed on their machines.

One typical use of this kind of attack is to enable larger scale attacks. It takes a ton of machines to do a proper Denial of Service attack. Your hacked site might be one of them. Or maybe the hacker is targeting another entity and is using your website (or your users’ personal computers) as intermediary points for their own personal security.

In any case, these are the main reasons why hackers attack. (Or they’re a bored 13-year-old who will get a kick out of showing your wrecked site to friends at school – yep, it happens.)

Why do hackers target WordPress specifically?

The short answer? Because it’s very popular.

Put yourself in the mindset of a hacker for just a second. If you want to take over a lot of websites for your own nefarious purposes, are you going to spend all of your time trying to find vulnerabilities on a platform used by 500 websites, or are you going to try to break the platform with hundreds of millions of sites? Because WordPress is so widely used, it’s an incredibly popular target for hackers.

Even though the WordPress core is usually very secure, WordPress is also a modular platform — it can be extended in any number of ways with themes and plugins. Because anyone can write tools for WordPress, it’s possible that not all extensions live up to the same code review standards as the WordPress core. It’s possible for a very popular plugin to have security flaws that can impact thousands of WordPress sites all at once.

Because of its popularity, WordPress is an incredibly popular platform for hackers and security researchers alike.

What doesn’t kill you makes you stronger

The reality is, though, that the open source nature of the code is also what makes it strong. It is what allows white hat hackers to find exploits and report them easily so holes can be patched.  It is what lets anyone with motivation help improve security over time. It is what allows third parties to create even stronger security solutions that can just be installed right on top of WordPress.

The WordPress Core is actually a very secure piece of software. On top of which, you can make it more secure just by following some simple practices. Like not having a user called admin. And moving your wp-config.php file up one directory out of your public root. You don’t even have to change any settings to do that – WordPress looks for it there automatically.

I don’t really need to write that article, though – WordPress already has it in their article on hardening WordPress.

why-wordpress-hacked-laptop

Other safety measures you can take

If you’ve run through the post on Hardening WordPress and done most of what they mentioned, but you want to be extra sure your site is safe, there are some other great steps you can take.

Before you install a new plugin, check it to make sure it doesn’t have any known and unfixed issues. However, you don’t have to give up on a plugin that has a history of vulnerabilities – most of the best plugins will show a few.

You have to balance security with pragmatism – it is almost impossible to ensure that all of your code is 100% secure all of the time. And, the more popular your plugin is, the more people there are going to be trying to find little vulnerabilities (because the more sites your plugin is installed on, the bigger the network they get if they can hack your plugin).

You can also get outside help. There are companies like Sucuri that focus just on security (and they are great at what they do – it is well worth the annual cost for their premium service.) Your hosting company might also provide some levels of security. Take Flywheel for example; not only do they scan your site for attacks, but they’ll also remove the malware for you (for free!). Or like my own company, ManagedWP.Rocks, that does complete website management and includes security auditing and hardening in the package. If you are in business and your site is actually profitable, usually the cost of this kind of service is completely offset by the amount of time you save trying to keep up to date on all the latest issues and best practices.