The Top Way Hackers Gain Access to WordPress Websites and What Happens Then


When your website is hacked, bad things happen: it will be removed from the search listings and the major browsers will prevent anyone from reaching it (if visitors type in the address themselves).

Basically, you go dark.

That will cut off all sales or leads you were getting from your website overnight.

I wrote about the experience the owner of a well-known website went through when his site was hacked back here – it’s worth a read.

Keep your software up-to-date

Keeping all the software on your website up to date is an important step in the process of protecting your site from the hackers.

And if ever there was a clear illustration of the reason I’m so fastidious about doing this for all sites under my management, it’s to be found in the results of a study done by the team at WordFence.

WordFence is one of two security plugins I have used for some years now. It provides comprehensive protection for WordPress websites and, depending on the type of service I’m providing, I install it on websites I build for clients.

The result of that study shows that the number 1 way (by a wide margin) that hackers gain access to WordPress websites is via plugins:

Graph of ways hackers gain access to WordPress websites

Courtesy of WordFence

You can read the full report here.

There are more than 43,000 plugins available for WordPress now. That’s a staggering figure when you think about it (and the reason why WordPress is such a powerful and flexible platform on which to build a website).

But it also provides hackers with a whole range of opportunities.

All software of any type needs to be maintained and updated because hackers are always looking for ways to create mischief for their own benefit – financial or otherwise.

And that includes plugins (especially includes plugins!)

So when they release a plugin, the author is taking on an ongoing responsibility to monitor it for weaknesses that the hackers discover, and to provide fixes whenever necessary.

But remember that the majority of plugins are free. And the circumstances of plugin authors can change overnight.

Without any commercial incentive to continue to monitor and maintain their plugins, many authors simply lose interest, sell, or give away their creations.

And that is one of the ways that plugins that were initially secure can become insecure, as I described here.

What all this means is that it’s vital to keep a close eye on your WordPress installation and to apply security fixes and updates whenever they are released.

At Abledragon we are extremely careful about which plugins we install on a site and, for general sites, stick with plugins that we know and trust. We also generally go for paid (premium) plugins, unless we already know and trust the free version, and it does the job.

Where the functionality required by a customer means that we have to install a plugin that’s new to us, we do a lot of research to ensure that we are installing a reliable one.

But we still keep a very sharp eye out!


So the message is this: if you’re running a WordPress website you need to check it daily and make sure you apply all software updates as soon as they are released (and not just for plugins – themes, the WordPress core and any other software used on your site).
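One way to script that daily check, as an added example that is not part of the original post: it reads the JSON that WP-CLI's `wp plugin list` and `wp theme list` commands produce and lists everything with an update waiting, active items first. It assumes WP-CLI is installed on the server; the plugin and theme names are constructed sample data and the site path is hypothetical.

```python
import json
import shutil
import subprocess

# Constructed sample output, shaped like `wp plugin list --format=json`
# and `wp theme list --format=json`. The names are made up.
SAMPLE = {
    "plugin": '[{"name":"example-slider","status":"active","update":"available",'
              '"version":"4.1.0","update_version":"4.1.3"},'
              '{"name":"example-forms","status":"inactive","update":"available",'
              '"version":"2.0","update_version":"2.4"},'
              '{"name":"example-cache","status":"active","update":"none","version":"1.9"}]',
    "theme": '[{"name":"example-theme","status":"active","update":"available",'
             '"version":"3.2","update_version":"3.3"}]',
}

def pending(kind, wp_json):
    """Return the items of one `wp <kind> list` result that have an update waiting."""
    return [
        {"kind": kind, "name": i["name"], "status": i.get("status", "unknown"),
         "installed": i.get("version", "?"), "available": i.get("update_version") or "?"}
        for i in json.loads(wp_json) if i.get("update") == "available"
    ]

def daily_report(outputs):
    """Merge plugin and theme results; active items first, then by kind and name."""
    rows = [r for kind, text in outputs.items() for r in pending(kind, text)]
    return sorted(rows, key=lambda r: (r["status"] == "inactive", r["kind"], r["name"]))

def collect(path):
    """Run WP-CLI against the site at `path` (hypothetical path); needs `wp` installed."""
    return {k: subprocess.run(["wp", k, "list", "--format=json", f"--path={path}"],
                              capture_output=True, text=True, check=True).stdout
            for k in ("plugin", "theme")}

if __name__ == "__main__":
    # Fall back to the constructed sample when WP-CLI is not on this machine.
    outputs = collect("/var/www/html") if shutil.which("wp") else SAMPLE
    for r in daily_report(outputs):
        print(f'{r["kind"]:6} {r["name"]:16} {r["status"]:8} '
              f'{r["installed"]} -> {r["available"]}')
```

Inactive plugins are still listed because their files remain on the server until they are updated or deleted. WordPress core has its own WP-CLI command, `wp core check-update`.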

And if you’re busy, we can help: we offer a WordPress website security monitoring and disaster recovery service – to read the details:

Update – 9 April, 2016

The Panama Papers leak, naming thousands of people who used off-shore accounts to minimise (or avoid paying) taxes, appears to have been made possible by an out-of-date (and insecure) WordPress plugin. I bet whoever was responsible for managing that website is kicking himself or herself for not keeping their plugins updated! To read the details click here.


Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed.