Why WordPress gets hacked
WordPress doesn't get hacked because it's insecure, but because of a few very concrete weak spots. Here are the real causes of a hack and how to shut them down.
If you’re wondering why WordPress sites get hacked, here’s the short answer: it’s almost never WordPress itself. The CMS core is maintained by a serious team, audited constantly, and critical flaws in it are rare and patched fast. The danger comes from somewhere else, and it’s very concrete.
WordPress runs a huge slice of the web, which makes it an obvious target. But a target isn’t a victim until there’s an open door. And the doors are almost always the same ones. Here they are, each with its fix in a single sentence.
the real number-one cause: out-of-date plugins and themes
A large majority of compromised sites are hit through an outdated plugin or theme. The scenario is mechanical: a researcher finds a flaw in a popular plugin, the developer ships a patch, the flaw becomes public, and within hours bots start scanning the web for every site that hasn’t updated yet. You did nothing wrong. You just waited too long.
The problem is rarely the WordPress core. It’s that layer of plugins installed over the years, some of which haven’t been touched in two major versions.
Fix: update everything without waiting (core, themes and plugins), and turn on automatic updates, at least for the critical plugins.
“nulled” plugins: malware you install yourself
Pirated versions of premium plugins or themes, the ones people call “nulled,” are one of the worst choices you can make. Someone took a paid product, modified it to bypass the license, then put it back up as a free download. The question to ask isn’t “does it work,” it’s “why is this person going to so much trouble to give it to me for free.”
The answer is almost always the same: the code has been laced with a backdoor. You install the entry point yourself, and the attacker just walks in whenever they want. Saving $50 on a license to end up with an infected site and a cleanup bill to pay is the worst possible math.
Fix: only install plugins and themes from the official repository or bought directly from the developer, never a “free” version of a paid product.
weak passwords and brute force
Some attacks don’t target any technical flaw. They just target your password. Bots try thousands of combinations in a loop against the wp-admin login page, pulling from lists of common passwords and from credential databases already leaked elsewhere.
Two things make their job easier: a weak password (password123, the site’s name, a date), and above all a reused password. If you use the same password on your site and on some service that got breached, your WordPress credentials end up on a public list, and no brute force is even needed.
Fix: a long, unique password per admin account, plus two-factor authentication, and brute force is off the table.
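The brute-force pattern described above leaves a very recognisable trace in the web server's access log: a burst of POST requests to wp-login.php from one address, each answered with a 200 because WordPress re-renders the form on a failed login (a successful login redirects with a 302 instead). The following is an added example, not code from this site or from WP-Detox: it parses a handful of constructed combined-format log lines (documentation IP ranges, no real traffic) and flags any address that fails five or more logins within one minute. The threshold and window are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); the IPs are
# documentation ranges, and none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:14:02:15 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:05:20 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4310 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:05:50 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Mar/2024:14:05:51 +0000] "GET /wp-admin/ HTTP/1.1" 200 61000 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_login_attempts(lines):
    """Yield (ip, timestamp) for every POST to wp-login.php that did not log in.

    WordPress answers a failed login by re-rendering the form with HTTP 200;
    a successful login redirects (302) to the dashboard. So POST + 200 is a
    failed attempt, which is the signal a brute-force run leaves behind.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") != "POST" or not path.endswith("/wp-login.php"):
            continue
        if m.group("status") != "200":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_failures_in_window} for IPs at or above the threshold.

    A sliding window over each IP's sorted attempt times finds its busiest
    stretch of `window` length; threshold and window are tuning assumptions.
    """
    attempts = defaultdict(list)
    for ip, ts in failed_login_attempts(lines):
        attempts[ip].append(ts)

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Drop attempts that fell out of the window ending at t.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins within one minute")
```

On the sample, 203.0.113.7 is flagged with six failures in under a minute, while 198.51.100.2 (one failed attempt, then a successful login) is not. Fed a real access log, the flagged list is what a rate limiter or a fail2ban-style jail would act on; the fix in the section above (long unique passwords plus two-factor) is what keeps those bursts from ever succeeding.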
shared hosting where the neighbor infects everyone
On low-end shared hosting, dozens of sites can share the same server space. If the separation between accounts is poorly configured, an infection on a neighbor’s site can spread to other accounts on the same server. Your site was perfectly up to date, and it gets infected because another customer on the host wasn’t.
This happens more often than people think, and it’s one of the few causes you have no direct control over.
Fix: pick a host that isolates accounts properly, or move to a dedicated plan if your site really matters.
the other doors people forget
A few fuzzier causes come up regularly in the sites we clean.
No updates at all. A site set up three years ago and never touched again is a guaranteed target. Everything on it is outdated, so everything on it is vulnerable.
Poorly secured forms and upload modules. A contact form, a file-upload area, or a badly coded application plugin can let an attacker drop a PHP file onto the server. Once that file is in place, they have a foot in the house.
Leaked FTP and admin credentials. An FTP login saved in plain text in some software, a computer infected by a password stealer, credentials typed on an unencrypted public network: one leak is enough to make everything else pointless.
Abandoned plugins. A plugin its developer no longer maintains will never get a patch. The flaw someone finds in it next year stays open forever. A plugin with no update in two years is a time bomb, even if it “still works.”
Fix: delete what you don’t use, stay away from unmaintained plugins, and store your FTP credentials in a password manager, never in plain text.
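The upload-module door above has a simple defensive check: wp-content/uploads should only ever contain media, so any file there that the web server could hand to PHP, or any "image" that contains PHP tags, is worth a look. The following is an added example, not code from this site or from WP-Detox. It builds a small constructed uploads tree in a temporary directory (placeholder file bodies, nothing from a real infection) and scans it for files with a PHP extension anywhere in the name (the `shell.php.jpg` double-extension case included) or for PHP open tags inside files that claim to be images.

```python
import re
import tempfile
from pathlib import Path

# Extensions a web server may hand to the PHP interpreter; a file carrying one
# of these anywhere in its name (shell.php.jpg included) has no business in
# wp-content/uploads, which should only ever hold media.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
# PHP open tags, looked for inside files that claim to be images.
PHP_TAG = re.compile(rb"<\?php|<\?=")


def scan_uploads(root):
    """Return sorted (relative_path, reason) pairs for suspicious files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        # Path.suffixes returns every dotted part, so "a.php.jpg" -> [".php", ".jpg"]
        suffixes = {s.lower() for s in path.suffixes}
        if suffixes & PHP_EXTENSIONS:
            reason = "php extension"
        elif PHP_TAG.search(path.read_bytes()[:65536]):
            reason = "php code inside a non-php file"
        else:
            continue
        findings.append((path.relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_sample_uploads():
    """Create a throwaway uploads tree (constructed fixture, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    month = root / "2024" / "03"
    month.mkdir(parents=True)
    # Two ordinary media files: a JPEG header and a PNG header, nothing else.
    (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64)
    (month / "banner.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)
    # A PHP file dropped into uploads by a weak upload form (placeholder body).
    (month / "wp-cache.php").write_bytes(b"<?php echo 'constructed placeholder'; ?>\n")
    # An image by name only: PHP tags hidden behind a .jpg extension.
    (month / "image.jpg").write_bytes(b"GIF89a<?php echo 'constructed placeholder'; ?>")
    return root


if __name__ == "__main__":
    sample_root = build_sample_uploads()
    for relative_path, reason in scan_uploads(sample_root):
        print(f"{relative_path}: {reason}")
```

Pointed at a real wp-content/uploads, the scan reports the two files it should (the stray .php and the image carrying PHP tags) and stays quiet on the genuine media. Detection is the second line; the first is configuring the web server so that nothing under uploads is executed as PHP at all, which turns a dropped file from a foot in the house into an inert blob.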
“my little site is of no interest to anyone”: wrong
This is the belief that does the most damage. You picture a hacker who picks a target, studies your business, decides to come after you. That’s not how it goes in 99% of cases.
Almost all attacks are automated. Bots crawl the web nonstop, test millions of addresses, and the moment they hit a vulnerable plugin version or a poorly protected login page, they strike. Without knowing or caring who you are. To these bots, a neighborhood blog and a small business site are the same thing: two servers to turn into a spam relay, a redirect page to a casino, or a host for fraudulent pages.
Not being a chosen target doesn’t protect you. You’re a mass target, just like everyone else. The size of your audience isn’t part of the equation.
the takeaway
None of the causes above is a technical inevitability. They’re concrete points, and each has a simple fix. Update, avoid “nulled,” unique passwords with two-factor, a decent host, and a cleanup of unused plugins: do those five things and you eliminate the large majority of the risk.
If you want the full method, point by point, follow the checklist to secure WordPress. And if you have any doubt about the current state of your site, first learn to spot the signs of a hack before hardening anything, because hardening an already infected site does nothing.
My site is up to date, am I safe? Far better protected, but not invulnerable. A reused password or an infected neighbor on shared hosting can be enough. Updates are the baseline, not the end of the story.
A plugin that “still works” but is no longer maintained, is that serious? Yes. As long as it works, you forget it no longer gets patches. The day a flaw is found in it, that flaw stays open indefinitely. Replace it with a maintained alternative.
I got hacked, is it necessarily my fault? Not necessarily. Sometimes the cause is a misconfigured host or a zero-day flaw nobody could anticipate. But in most cases, we find one of these open doors, and that’s actually good news: it means we can close it.
If it’s already happened and you want it fixed fast, see what to do, concretely. At WP-Detox, we start with a free scan to confirm the infection, then clean the site in about thirty minutes for €149 all-in. We back up the site before any action, we refund you if we can’t fix it, and we tell you exactly which hole the attacker came through, so you can close it and not see this again.