Why Do WordPress Websites Get Hacked?

wordpress website hacked

WordPress is used by 35% of the websites on the internet. This figure includes websites powered by WordPress.Com. That said, 35% is still a very high figure. So guess, when it comes to hacking a website, who do hackers target? Drupal, Joomla… some other unknown CMS or WordPress? Well, their effort pays back best when they spend that time to target the CMS with widest usage — WordPress.

So how do you protect your WordPress website? Is it about secure hosting, or is it about securing your passwords or is it about securing WordPress? Amongst the many layers of security, which one should you focus on the most?

The Major Cause of Security Breaches in WordPress

WordPress is pretty secure out-of-the-box. The core code get proper security audit etc. However this code has little effect on how plugins operate (which are pretty independent in their way of functioning). Plugins are contributed to the WordPress repo by independent parties and the onus of the security audit of their code doesn’t lie with WordPress. Only the initial version goes through the approval process. What’s introduced subsequently is all up to the plugin developer(s). That said, even then there are specific attack vectors responsible for the majority of the infections.

Major Attack: Cross-site Scripting & SQL Injection

Insecure or poor code in plugins can compromise the security of the website. If a plugin allows an unauthenticated user to save data then an attacker may be able to inject rogue data into WordPress. This translates into cross-site scripting or XSS. These form a majority of attacks and malware clean up requests on our support desk here.

SQL injection is the second most popular attack wherein an attacker can inject malicious SQL which gets executed on the database. As a result your database gets compromised.

Summary

A lot of security providers thrive in the concept of FUD: Fear, Uncertainty and Doubt. The common WordPress user knows little about security and they can be sold almost anything in the name of security. However, you don’t have to dig everything that you come across.

  • Most hosting providers are pretty secure else they don’t remain in business for too long.
  • The major cause of security breaches are plugins (and themes).
  • Security breaches also happen because of poor handling of credentials.
  • Always keep your plugins, themes (and WordPress) up-to-date.
  • Make sure third-party plugins come from credible developer(s).
  • Don’t feel paranoid, don’t fret too much about everything security.

About the author: Shiv —That which is not…. Shiv is a software security engineer running 18yrs+ into his career.