How a site gets hacked.


There are loads of different ways to hack a WordPress site.  One of the most worrying facts is that the method used by the hacker just can’t be found.  You could spend hours trying to find out how your site was hacked and sometimes will never find out how.  The time you spent looking could be better spent ensuring the security of your site.

So how do sites get hacked?

As we have already stated there are loads of different ways that a site can be hacked, we can however tell you the most common ones:

  • Out of date plugins
  • Malicious plugins
  • Out of date WordPress Files
  • Brute Force Attacks
  • Bad file permissions
  • Bad host provider
  • Issues with local computer

Why your site gets hacked?

A lot of people think that their site won’t get hacked.  Who’s interested in hacking a small website?  One thing you need to remember unless you are Microsoft or Sony your site being hacked is not personal, no one has it out for you or your company, hacking is automated.  In the same way that Google’s bots scour the web looking for and indexing websites a hackers bots are out looking for vulnerable websites.  WordPress makes up over 25% of websites on the web today so it has become a huge target.

How to prevent getting hacked?

If there were no plugins or themes WordPress would not be what it is today, a thriving web solution powering between 1 in 4 and 1 in 3 websites on the web today.  Searching for plugins and themes results in millions of results.  Themes and plugins fall in to 2 distinct categories – free and premium.  If you want to use a free plugin only use the WordPress Repository to download your plugin, if you are using a premium (paid for plugin) only download the plugin from the developers site – do not search on Google or other search engines, chances are you will find the plugin on a warez site and end up uploading and installing a fake plugin and making it easy for a hacker to get onto your site.

Backup, backup and backup

“Your site is as safe and secure as the last backup”  We keep saying it the most effective form of security is having an effective backup solution!  No one can guarantee your site against hacking and I mean no one – anyone how does is selling you a service that they can’t provide.  If your site is not backed up, use one of the services below, or sign up to our service.  Do this before you go any further, we mean it.  If your site gets hacked or taken down and you have no backup – things are going to get difficult very quickly.

Sign up for the RocketWP service, click the button below:

Sign Up

OK? Done?  Let’s continue:

Use trusted plugins

When you search for a plugin on the WordPress repository check the following:

  1. When was the plugin last updated?
  2. Is the plugin compatible with your version?
  3. How many times has the plugin been downloaded?
  4. What rating has the plugin got?
  5. Level of support?

A summary of the information above is displayed next to the plugin, clicking on more details will show you a lot more information about the plugin and let you read the reviews.

Now while a new plugin by an unknown developer with only 12 downloads maybe great and be exactly what you are looking for can you wait and let the WordPress community test it for you?  If not why not set up a test site so you can make sure that it does not cause any issues and does what you want it to do?  You could then write a review and increase the trust.

If the plugin has not been updated for several months or even years I (personally) would avoid it.

If you purchase a premium theme make sure that you only download the plugin from the official site.

Use trusted themes

Exactly the same can be said for themes – check out the rating, compatibility and last updated information on any theme if using the WordPress repository, if using a paid for theme only download it from the developers official site or the developers theme repository e.g. Theme Forest.

WordPress Vulnerabilities

It does happen WordPress has and will contain vulnerabilities in the core code – that’s the bad news.  The good news is that WordPress are very good and quick at patching the core, releasing information about the vulnerability and the fix – so the moment we hear about the issue we have the fix.  The update now just needs to be applied.

One thing to also note – if you use the inbuilt WordPress update function then any files that need to be removed (yes there are files that were in older releases that are no longer in the newer releases) will also be removed.  If you only ever update but uploading the new files then some files will need to be removed.

We’ve said it before and we’ll say it again and again and again – Update!

To ensure the security of your site ensure that you keep it up to date – the core, the plugins and the theme will need updating.  Updates are normally due to security issues and/or performance issues – ensure you regularly update your site.

Brute force attacks

A brute force attack is where an automated process just keeps trying password after password after password after pa… (you get the picture) until they get the right one.

To prevent brute force attacks

  • never use a weak password
  • never use a common login name such as your name, admin, administrator or your company name
  • move the login page
  • add capture support
  • use 2 Factor Authentication

Bad File Permissions

File permissions need to be correctly set on your site to prevent access to important files such as .htaccess, wp-config.php, you also need to php files from being run in your uploads directory and prevent directory browsing.  If a hacker can read your wp-config.php file then they have access to your database, if a hacker can write to your .htaccess file then they can re-direct your visitors to other sites, if php can be executed (run) from your uploads directory then all they need to do is upload a php file and then run it from a browser.

All directories in WordPress should be set to 755 and all files should be set to 664, wp-config.php should be set to 660.

Bad host provider

Maybe the hack was nothing to do with your site and you have secured your site yet it has been hacked – could it be your provider?  If your site has been hacked ask them to assist – if they seem cagey or not really bothered I would look at moving – or hosting my own server.  Some reports show that over 40% of sites are hacked via the server and not the site.

Issues with your local computer

This is always the last place that normally gets checked – is your computer compromised?   Make sure you computer has up to date anti-virus protection, try not to use open wireless networks at cafes or train stations, use secure FTP or ssh to upload files not just FTP.  Ensure all passwords to your hosting control panel, SFTP, WordPress are complex, different passwords – if necessary use a password management tool such as DashLane to store them.

There is an easier way – get us to manage, maintain and monitor your WordPress site – check out our plans and pricing:

Plans & Pricing



More to explorer

Leave a Reply