Why hackers target WordPress (and what you can do about it)

In this article, you’ll learn why hackers target WordPress websites and, more importantly, what steps you can take to improve your WordPress security.

Firstly, let’s set the scene: the internet is a hostile environment for websites. If you want an online presence to attract business, you also need to be mindful that it may attract the attention of people with less benign interests.

Another way of looking at that is:

“The only way to 100% guarantee that your website will not be hacked is to never attach it to any computer network (especially the Internet!)”

If we embrace that simple truth, then we come to terms with the realisation that any online presence comes with an element of risk.

Why would hackers target my site?

I see this question raised a lot. For example, I run a WordPress web design company. There is nothing particularly controversial about what we do; we’re not likely to incur the wrath of a foreign power who, in a fit of retaliatory action, might unleash their military-grade cyber-terror-ops squad against my company, and our website hardly contains secrets that would attract lone hackers such as Matthew Broderick in War Games (yes, I’m showing my age here!).

So that raises the question: why would someone hack a bog-standard website?

The answer lies in the fact that most hacking attempts are not targeted at the victim specifically. Instead, they are automated attacks aimed at the software.

It is more akin to the random act of trying car door handles until the miscreant finds one that opens.

Computer programs (sometimes called ‘scripts’) can be written to automatically scan lists of IP addresses – think of it like calling random phone numbers until you get an answer. When the script does get an answer, what can it detect? What can it learn about the website it ‘sees’? What software does that website run? Is it WordPress? And does that version of WordPress have any known security holes that the script can automatically exploit?

Cleverer still, such automated scripts can keep a database of what software they detected on a website. And then, further down the line, if an exploit comes to light with (say) a particular WordPress plugin that they detected on your website, then yours will be one of the first handles they try next time.

But why WordPress?

Because it’s a numbers game.

According to the latest stats, WordPress powers at least 35% of all websites out there.

So that 35% is a nice, big juicy target for hackers to point their scripts at. If you’re going to fish, go where the fish are.

Is WordPress inherently insecure?

Not really. It’s not really any more insecure than any other software. The WordPress platform is open source, which means people can review the code base all the time, and if issues are spotted, then an ‘update’ can be written which addresses that issue.

However, if it takes you (as the WordPress website owner) a while to add that update to your WordPress installation, then there is a period of time when your website is vulnerable. Think of this as a window – the quicker you can stay on top of updates, the quicker you can close that window.

It’s not quite as simple as that, though. For one thing, since WordPress version 3.7, WordPress has been able to install minor and security releases automatically (it can also be configured to install major WordPress version updates automatically).

But WordPress itself is not the only thing that needs updating…

Plugins & Themes

Plugins are those elements of pre-packaged functionality which can add all manner of extras to your site: from Yoast SEO, to WooCommerce e-commerce, to Event Calendar Pro to handle your events calendar – the list goes on.

Guess what: yes, all of these plugins can have updates as well. And if any of those updates address security holes, then hackers have another window of opportunity there.

Therefore you need to keep your plugins up to date as well. You can do this manually, some hosting companies such as Flywheel can update plugins for you, and there are also plugins which can help – e.g. Jetpack (by the founders of WordPress) can update your plugins for you.

The same goes for WordPress themes – themes are the off-the-shelf designs which you can install that affect the look and layout of your website: themes can have security holes as well.

So, yes, keeping your site updated is a key aspect, but it isn’t everything.

Note: in an upcoming release of WordPress (5.5), it looks like they are going to include the automatic ability to update plugins and themes – so watch this space.
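The core auto-updater mentioned above and the plugin/theme auto-updates that 5.5 surfaces in the admin UI are both controlled by WordPress filters. Here is an added example (not code from the article or from WordPress itself) of a must-use plugin that opts into major core updates and auto-updates every plugin and theme, except a constructed list of plugins that should wait for a manual review; the filter names are real WordPress filters, the `gm_` names and the example slug are assumptions:

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example, not part of the article)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * It uses the filters behind the core auto-updater (WordPress 3.7+) and the
 * plugin/theme auto-updates WordPress 5.5 exposes in the admin UI. The
 * exclusion list below is a constructed example, not a real plugin slug.
 */

// Let WordPress install major core releases automatically, not only the
// minor/security releases it already installs on its own. Setting
// define( 'WP_AUTO_UPDATE_CORE', true ) in wp-config.php has the same effect.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins whose updates should wait for a manual review, e.g. because the
// site relies on customisations that an update could overwrite.
const GM_MANUAL_UPDATE_PLUGINS = array( 'example-custom-checkout' );

/**
 * Decide whether a given plugin may auto-update.
 *
 * @param bool   $update Whether WordPress would auto-update it by default.
 * @param object $item   The update offer; $item->slug is the plugin slug.
 * @return bool
 */
function gm_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, GM_MANUAL_UPDATE_PLUGINS, true ) ) {
        return false; // leave this one for a manual update after review
    }
    return true; // close the window for everything else as soon as a fix ships
}
add_filter( 'auto_update_plugin', 'gm_auto_update_plugin', 10, 2 );

// Themes: update every installed theme automatically as well.
add_filter( 'auto_update_theme', '__return_true' );
```

The excluded plugin still shows up in the dashboard’s update list, so it is not forgotten, only deferred until someone has checked it.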

Better Hosting

Certain website hosting companies are better than others. Some hosting companies come from the ‘stack it high, sell it cheap’ school of thought – where the focus is on sales and security is little more than an afterthought. You don’t want to host with companies like that.

For hosting, you might want to consider companies like Flywheel or the slightly more techy service of CloudWays (those links should take you to security-related pages on both websites). Note: we do not take referral fees from any recommended companies or services.

Having a solid hosting platform to house your website is a very good starting point in terms of website security.

Security Plugins

You can even get WordPress plugins to help with security e.g.

  1. Sucuri
  2. iThemes Security
  3. WordFence

Note: here is a link to a very comprehensive post on the different versions and features of the common security plugins.

Security plugins can help with tightening up the basics of security on the site, ensuring default settings have been changed, monitoring for issues (and reporting on them), and adding extra security (e.g. two-factor authentication – which basically means you need more than just a password to log in to your site).

Here at Glass Mountains, we tend to prefer iThemes Security Pro but many of the alternatives are also very good.

Security Shield

Wouldn’t it be good if there was a service which examined all the Internet traffic coming to the website and intercepted the naughty bits before they even got to your website? Well, guess what: you can.

This is generally called a Web Application Firewall (or WAF for short).

For WAFs we normally recommend CloudFlare. CloudFlare is a free service but, if you pay $20 a month for their Pro account, you’ll get their Web Application Firewall services. Actually, even if you don’t upgrade to Pro, your website will probably be more secure just being on their free account (though the Pro WAF is a highly recommended next step).

Note: I believe the Sucuri plugin mentioned earlier also has a WAF, if you prefer to use that service.

Common Sense

Aside from some of the technical solutions we’ve mentioned above, you can do common sense housekeeping like:

  • making sure that you don’t have too many administrator accounts on your WordPress site
  • spring cleaning your plugins: do you really need them all?

The End

Well, not quite. However hard you try, one exploit is all it takes and your site has been compromised. So we always recommend you have a good backup policy, so that should this happen to you, you can quickly restore a backup from right before the hack and then address the exploit or vulnerability to prevent it recurring. If that ever happens to you, we can help.

Hopefully that helps. If you’d like to jump onto one of our WordPress webinars, you can always ask us your security questions.


Joel
