How WordPress Sites Get Hacked (And How to Stop Each Attack)

Posted Category Guides and resources Topics Security, WordPress,

Your WordPress site probably will not be hacked by a genius in a hoodie targeting you personally. Understanding how WordPress sites get hacked is far less glamorous than the movies suggest: the overwhelming majority of attacks are automated, opportunistic and aimed at whichever sites left a door open. In this post we break down the four entry points behind most WordPress compromises and show you exactly how to close each one, usually in minutes.

  • Almost all WordPress hacks are automated and opportunistic, not personal or sophisticated
  • 91% of new WordPress vulnerabilities found in 2025 were in plugins, with only six low-priority issues in WordPress core
  • The four most common entry points are outdated plugins and themes, weak or reused passwords, forgotten admin accounts and insecure hosting
  • Routine defenses such as updates, strong passwords, login protection and two-factor authentication stop the vast majority of attacks
  • Prevention is not enough on its own; you also need a way to detect anything that slips through

Why hackers target WordPress at all

Section titled Why hackers target WordPress at all

WordPress powers over 40% of the web, so one working exploit can be replayed against millions of sites. Attackers are not usually after your content. They want to send spam from your server, inject SEO spam links, distribute malware to your visitors or recruit your site into a botnet.

That scale is why attacks are automated. Bots scan the entire internet for known weaknesses around the clock, which means an unpatched site gets found whether or not anyone has heard of it.

How WordPress sites get hacked in the real world

Section titled How WordPress sites get hacked in the real world

This is the number one cause of WordPress compromises, and it is not close. According to Patchstack’s State of WordPress Security in 2026, 11,334 new vulnerabilities were recorded in the WordPress ecosystem in 2025, and 91% of them were in plugins. WordPress core itself accounted for just six low-priority issues.

The attack pattern is always the same. A vulnerability in a plugin or theme is publicly disclosed, a patch is released and bots immediately start scanning for sites that have not applied it. The window is brutal: mass exploitation can begin within hours of disclosure.

How to close this door:

  • Update plugins, themes and WordPress core promptly, or enable automatic updates for anything you do not test manually
  • Delete deactivated plugins and themes entirely, since their code can still be exploited while it sits on your server
  • Avoid abandoned plugins that have not been updated in over a year and never install nulled (pirated) plugins or themes

Automated scripts test millions of leaked username and password combinations against WordPress login pages every day. If a password you use has ever appeared in a data breach, a bot somewhere is trying it against your site right now. This is not an exaggeration: in a single year, Wordfence reported blocking tens of billions of password attacks across the WordPress ecosystem.

Remember that your site has more than one set of keys. Your hosting control panel, SFTP account, database and admin email all unlock the same kingdom.

How to close this door:

  • Use a long, unique password for every account connected to your site, stored in a password manager
  • Enable two-factor authentication for all users who can log in, especially administrators
  • Turn on login lockout so an IP address is blocked after a few failed attempts, and consider hiding your login page from bots entirely

Every admin account is a door into your site, and old doors get rusty. The developer who built your site three years ago, the intern who left last summer, the shared “admin” login everyone knows: each one is an entry point that no amount of firewall rules can protect if the credentials leak.

Attackers love these accounts because using them does not look like an attack. It looks like a normal login.

How to close this door:

  • Audit your users list quarterly and delete or downgrade accounts that no longer need access
  • Apply the principle of least privilege, so editors are editors and not administrators
  • Never use “admin” as a username and never share one account between multiple people

4. Insecure hosting and file permissions

Section titled 4. Insecure hosting and file permissions

Less common than the first three, but a badly configured server can undo everything your site does right. Outdated PHP versions no longer receive security patches, overly permissive file permissions let attackers modify your files, and cheap shared hosting can allow one compromised site to infect its neighbors.

How to close this door:

  • Choose a reputable host and run a supported PHP version (8.x)
  • Set file permissions to 644 and folder permissions to 755, and block direct access to wp-config.php
  • Use SFTP instead of plain FTP when transferring files
Entry point How the attack works Your first defense
Outdated plugins and themes Bots scan for known, already-patched vulnerabilities Prompt or automatic updates
Weak or reused passwords Credential stuffing and brute force at massive scale Unique passwords, 2FA and login lockout
Forgotten admin accounts Old or shared credentials used as a normal login Quarterly user audits and least privilege
Insecure hosting Server-level weaknesses bypass site-level security Quality host, current PHP, correct permissions

Almost every hacked site we see was hit by a bot exploiting a plugin flaw that already had a patch. Update automatically, turn on login lockout and 2FA, and you stop being the easy target the bots are scanning for.

Alexandru Bucsa – Product Manager, All In One Security

Notice what is missing from everything above: sophistication. Because attacks are opportunistic, routine defenses genuinely work. Here is the order we recommend:

  1. Update everything, then remove plugins and themes you do not use
  2. Change any password that is short, reused or shared, starting with admin and hosting accounts
  3. Enable login lockout, two-factor authentication and a firewall at the site level
  4. Review your users list and remove anyone who should not be there
  5. Set up monitoring, such as an activity log and malware scanning, so you find out quickly if something slips through

WordPress sites get hacked through a handful of predictable, preventable entry points: unpatched plugins, weak passwords, forgotten accounts and sloppy hosting. None of them require an attacker with skill, which means none of them require heroics to defend against. Close the four doors above and you are already ahead of the crowd the bots are looking for.

Secure your site in minutes

All-In-One Security closes every entry point in this article from one dashboard: login lockout, hidden login page, firewall rules and two-factor authentication in the free version, with malware scanning to catch anything that slips through.

How do most WordPress sites get hacked?

Through known vulnerabilities in outdated plugins and themes. Bots scan the internet for sites that have not applied available patches, which is why keeping everything updated is the single highest-impact habit.

Is WordPress itself insecure?

No. WordPress core had only six reported vulnerabilities in 2025, all low priority. The risk lives almost entirely in the plugin and theme ecosystem and in how sites are configured and maintained.

How do I know if my site has been hacked?

Common signs include unexpected redirects, new admin users you did not create, strange files in your uploads folder, browser warnings and a sudden drop in search traffic. An activity log and a malware scanner will surface these far earlier than your visitors will.

If you discover your site has already been compromised, follow our guide on what to do if your WordPress site is hacked to minimise damage and begin recovery.

Will a free security plugin protect my site?

Free WordPress security tools cover prevention very well: login protection, firewall rules, two-factor authentication and hardening. What free tiers typically do not cover is detection and response, such as malware scanning or removal, which tells you when something got through anyway.

About the author

Picture of Alexandru Bucsa, the product manager for All-In-One Security

Alexandru Bucsa

Alex is our All-In-One Security Product Manager. With more than six years of WordPress experience, he listens closely to what users need and works hard to make AIOS even better. Drawing on his background in forensic investigations, Alex loves diving into problems to understand their causes and find practical fixes that truly help our community.

AIOS

Comprehensive, feature-rich, security for WordPress. Malware scanning, firewall, an audit log and much more. Powerful, trusted and easy to use.

From just $44.50 for the year.

More stories

Our plugins

Try TeamUpdraft’s full suite of WordPress plugins.

  • UpdraftPlus

    Back up, restore and migrate your WordPress website with UpdraftPlus

  • WP-Optimize

    Speed up and optimize your WordPress website. Cache your site, clean the database and compress images

  • UpdraftCentral

    Centrally manage all your WordPress websites’ plugins, updates, backups, users, pages and posts from one location

  • Burst Statistics

    Privacy-friendly analytics for your WordPress site. Get insights without compromising your visitors’ privacy