Why Are WordPress Websites Targeted By Hackers?

If you are wondering why your wordpress site keeps getting hacked or why you are being targeted by hackers, we have compiled some of the top reasons for you. WordPress is one of the most commonly used content management systems on the modern web. Currently, over 445 million websites use WordPress. With over 40% of websites using WordPress to some degree, bad actors are expected to take advantage of its popularity.

An attacker first tries to gather as much information as possible about a particular set of sites on a host or CMS. Once they identify a target, they will exploit it by any means necessary and then work to support the attack.

There are several methods of successfully hacking WordPress sites which we will discuss in more detail, but many site owners wonder Why they were the target of one of these attacks in the first place. The main reason is usually money, either directly or as part of a larger plan. Any method that allows an attacker to make an economic gain is one of the factors that lead opportunists to turn to hacking methods.

For example, an attacker can inject malware onto your site that uses a drive-by-download, so when visitors access the site, they are advised to download bogus software that can infect their local system and provide an attacker full access.

There is also credit card theft which is the most profitable type of attack, and SEO spam campaigns where attackers support low quality pharmaceutical and essay writing sites.

Another reason is based on hacktivism, which mainly targets political or religious organizations. Or just, just boredom.

Predictable login credentials

A common type of attack known as brute force attack takes advantage of unprotected access to the wp-admin directory. This admin panel allows users to access various actions that can be used on a WordPress website.

These types of attacks use password attempt tools that use a list of leaked passwords, trying to predict weak passwords that may have been used. This can be used not only with wp-admin but also with web host control panel, ftp accounts, sql databases or any email associated with WordPress admin or hosting account .

With such a variety of options for a hacker to choose from, it is important to never use a username such as “admin”. You must use additional security to access the WordPress admin section, such as enabling 2FA or requiring an additional password.

It is also always important to use strong passwords for all site users. If you implement a Web Application Firewall, this layer of protection can also block all requests to wp-admin, only allowing IPs from a whitelist.

Unsecured hosting environment

Some hosts offer inexpensive services, which may seem like a lot. However, cost savings sometimes come at the cost of platform security. At the very least, a hosting provider should regularly monitor their network, update their software, and limit access to their infrastructure. SSL support and additional security services like monitoring and firewall will also come in handy.

If finding a secure hosting provider at a reasonable price seems a bit daunting, many WordPress users appreciate managed WordPress hosting. It is basically a concierge service where all technical aspects, such as backups, loading time, scalability, availability, etc. are managed by the host.

Different hosting providers interpret the word “managed” in different ways, so you’ll want to clarify with your potential host how well they will actually “manage” your environment.

Incorrect File Permissions and Simple FTP

File permissions are a set of rules that your web server uses to control access to site files. If file permissions aren’t set correctly, it can allow bad actors to write and run things they’re not supposed to. By default, all WordPress files should be set to a value of 644 and folders should be set to 755. Anything above this value is considered a higher security risk to a site. For a properly secure environment, the PHP server process must be isolated from the user who owns the website files.

File Transfer Protocol (FTP) accounts are used to upload, modify, and delete files and folders from a web server. Most hosts offer FTP, SFTP or SSH connections. If your password is sent on port 21 (via FTP), it is not encrypted, which may expose you to the risk of being spied on and having your credentials stolen. Instead, using a Secure File Transfer Protocol (SFTP) or SSH is much safer.

Outdated CMS version, themes and plugins

Outdated WordPress versions, themes, and plugins are a common culprit of infections. The older a version gets, the more vulnerable a site is. One of the main reasons updates are released is for bug fixes and security vulnerabilities. If you choose to ignore these updates, an attacker can exploit this. If updating these items seems to be taking too long, there is always the option to enable them automatically.

Some site owners worry that updates will break their site. If so, there is backup services which can run before the update, and if something breaks, you can roll back to the previous version for site revisions to be made.

Vulnerable themes and plugins

As we always say in the security industry, nothing is 100% secure. This includes even the most popular themes and plugins that exist. It is very important to note how often the plugin or theme developer releases release notes. Sometimes developers will abandon ship and that plugin/theme will be left in the wild, regularly exploited.

In one of my recent articles, I discuss most interesting vulnerabilities found in 2021. Some of these mentioned vulnerabilities were found with the CMS version or plugins/extensions.

It is always important to keep plugins and themes up to date as much as possible, and to use them to a minimum. The more third-party integrations there are, the more entry points can be leveraged. You should also never download plugins or themes from any unreliable sources, as they can be used to compromise your site’s security or even steal sensitive data.

Access the wp-config.php file

The wp-config.php contains sensitive login credentials which are used to connect to the WordPress database. Most hosting environments block remote database administration unless the requesting IP is authorized via cPanel/WHM. The details in wp-config.php are still very sensitive and better protected. Adding an extra layer of protection by denying access to this file is helpful in mitigating security risks. For this to work, add the following code to the .htaccess file:

order allow,deny

deny from all

Once that’s been added and saved, you should be fine.

In conclusion

WordPress is one of the most popular CMS for good reason. It allows a site owner to tweak a site beyond what an average website builder is capable of and provide visitors with a visually appealing experience on their site. Like most things, convenience can come with risk, so it’s always important to consider both. In my personal experience, I’ve seen a range of WordPress vulnerabilities from site owners overly satisfied with triggers with “install” buttons on their dashboard, to predictable users and configurations.

We’ve discussed some of the most common culprits when it comes to WordPress infections, and I hope you find them helpful. In one of our previous articles, I discuss what to do if your WordPress site is hacked, and tips for better protecting the site in the future.

Esther L. Gunn