How do WordPress sites get hacked?



According to data, here are the top 5 ways WordPress websites get hacked:

1. Out-Of-Date Core Software
2. Out-Of-Date Themes and Plugins
3. Compromised Login Credentials for WordPress, FTP or Hosting
4. Supply Chain Attacks
5. Poor Hosting Environment and Out-Of-Date Technology


1. Out-Of-Date Core Software

According to the WPScan Vulnerability Database, ~76% of the known vulnerabilities it has logged are in the WordPress core software. But if we look at the versions of WordPress in which those vulnerabilities were found, we can see that 9 out of the 10 most vulnerable WordPress versions are 3.x.x releases. Unfortunately, only 21.5% of websites run the latest version of WordPress.


2. Out-Of-Date Themes and Plugins

While themes and plugins are great for extending your site, each extension is a new potential gateway for a malicious actor. While most WordPress developers do a good job of following code standards and releasing patches as vulnerabilities become known, there are still a few recurring problems:

– A plugin or theme has a vulnerability
– The developer has stopped working on the theme or plugin, but people are still using it
– The developer patches the issue, but people don’t update


3. Compromised Login Credentials for WordPress, FTP or Hosting

A non-trivial percentage of hacks are from malicious actors getting their hands on WordPress, hosting or FTP account credentials. Once the attacker has the key to your front door, it doesn’t matter how otherwise secure your WordPress site is. WordPress does a great job mitigating this by generating secure passwords. It’s still up to users to keep those passwords secure.


4. Supply Chain Attack

There have been instances where attackers used a nasty trick to gain access to sites. The malicious actor would:

– Purchase a previously high-quality plugin listed at
– Add a backdoor to the plugin’s code
– Wait for people to update the plugin, which delivers the backdoor to their sites

It’s hard to prevent such attacks as you are doing something you are supposed to do – you are keeping a plugin up-to-date. team usually quickly spots these issues and removes the plugin from the directory.
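Because the backdoored update arrives through the normal update channel, the practical defence is to notice what an update actually changed before it goes live. The following is an added example, not code from the original post: it snapshots a plugin directory (SHA-256 per file) before and after an update, diffs the two manifests, and puts every added or modified PHP file into a review queue. The two plugin trees are constructed in a temporary folder for the demo; on a real site you would snapshot the plugin directory under `wp-content/plugins` on a staging copy.

```python
"""Flag added or changed PHP files in a plugin across an update.

Added example, not from the original post. A legitimate version bump
changes files too, so the rule is not "any change is bad" but "every
changed or new PHP file is read before the update reaches production".
The before/after directories below are constructed for the demo.
"""
import hashlib
import os
import tempfile


def snapshot(plugin_dir):
    """Return {relative_path: sha256_hex} for every file under plugin_dir."""
    manifest = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugin_dir).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(before, after):
    """Classify files as added, removed or modified between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def review_queue(diff):
    """Executable content (PHP) that was added or changed needs a human read.

    New PHP files rank highest, since a version bump rarely needs a new
    executable file in an assets or cache directory.
    """
    return [p for p in diff["added"] + diff["modified"] if p.lower().endswith(".php")]


def _write(base, rel, content):
    """Helper for the constructed demo trees."""
    path = os.path.join(base, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build constructed before/after plugin trees; return (flagged, diff)."""
    with tempfile.TemporaryDirectory() as tmp:
        before_dir = os.path.join(tmp, "plugin-v1.0")
        after_dir = os.path.join(tmp, "plugin-v1.1")
        _write(before_dir, "plugin.php", "<?php // Plugin Name: Demo\n")
        _write(before_dir, "readme.txt", "Stable tag: 1.0\n")
        _write(before_dir, "assets/style.css", "body{}\n")
        # The update bumps the version and also drops a new PHP file into assets/.
        _write(after_dir, "plugin.php", "<?php // Plugin Name: Demo\n// v1.1\n")
        _write(after_dir, "readme.txt", "Stable tag: 1.1\n")
        _write(after_dir, "assets/style.css", "body{}\n")
        _write(after_dir, "assets/cache.php", "<?php // unexpected executable file\n")
        diff = diff_manifests(snapshot(before_dir), snapshot(after_dir))
        return review_queue(diff), diff


if __name__ == "__main__":
    flagged, diff = demo()
    print("diff:", diff)
    print("review before deploying:", flagged)
```

The same manifest approach works for core files, where WordPress publishes official checksums; for plugins that do not, comparing against a snapshot you took yourself is the fallback this example shows.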


5. Poor Hosting Environment and Out-Of-Date Technology

A whopping ~28% of WordPress websites are still using PHP 5.6 or below. Support for PHP 5.6 expired at the end of 2018, and earlier PHP versions haven’t had security support for years. This exposes you to unpatched PHP security vulnerabilities. Using a secure hosting environment and recent versions of important technologies like PHP helps further ensure that your WordPress site stays safe.
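Points 1, 2 and 5 are all version-hygiene problems, so they can be checked together. The following is an added example, not code from the original post or from any product it names: it audits a site inventory (core version, each plugin's installed and latest version plus the age of its last release, and the PHP version) and returns findings for core behind the latest release, plugins behind their latest release, plugins that look abandoned, and a PHP version without security support. The `SAMPLE_INVENTORY` is constructed, and the "latest" values, the 730-day abandonment threshold and the `php_floor` default are assumptions for the demo; in practice the latest versions come from the WordPress.org API and the PHP floor should track the PHP project's current end-of-life list.

```python
"""Audit a WordPress inventory for the update-related risks in this post.

Added example, not code from the original post. Inputs are plain dicts so
it can be fed from wp-cli output, a hosting panel export, or a scanner.
"""


def parse_version(v):
    """'6.4.2' -> (6, 4, 2); pads short versions like '5.6' to three parts."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def audit(inventory, php_floor="7.0", abandoned_after_days=730):
    """Return a list of (severity, component, message) findings."""
    findings = []

    core = inventory["core"]
    if parse_version(core["installed"]) < parse_version(core["latest"]):
        findings.append(("HIGH", "wordpress-core",
                         f"installed {core['installed']}, latest {core['latest']}"))

    for plugin in inventory["plugins"]:
        slug = plugin["slug"]
        if parse_version(plugin["installed"]) < parse_version(plugin["latest"]):
            findings.append(("HIGH", slug,
                             f"installed {plugin['installed']}, latest {plugin['latest']}"))
        # A plugin nobody has released for years will not get a fix when a
        # vulnerability is found, even if the site runs its newest version.
        if plugin["days_since_last_release"] > abandoned_after_days:
            findings.append(("MEDIUM", slug,
                             f"no release in {plugin['days_since_last_release']} days; "
                             "possibly abandoned"))

    # The post notes PHP 5.6 lost security support at the end of 2018; the
    # floor here is an assumption for the demo, not a current EOL table.
    php = inventory["php"]
    if parse_version(php) < parse_version(php_floor):
        findings.append(("HIGH", "php",
                         f"PHP {php} is below {php_floor} and no longer receives security fixes"))
    return findings


# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = {
    "core": {"installed": "5.8.1", "latest": "6.4.2"},
    "plugins": [
        {"slug": "contact-form-demo", "installed": "1.2.0", "latest": "1.2.0",
         "days_since_last_release": 40},
        {"slug": "old-gallery", "installed": "2.0", "latest": "2.3.1",
         "days_since_last_release": 1100},
    ],
    "php": "5.6.40",
}


if __name__ == "__main__":
    for severity, component, message in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {component}: {message}")
```

The abandonment check is the one most teams skip: an up-to-date plugin whose last release is years old is current only because nobody is maintaining it, which is exactly the situation the second point above describes.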


How to stay secure?

The only way to be completely sure your website is secure is to test it for vulnerabilities. Automated solutions like NexDAST are easy to deploy, and you don’t have to be a security expert to start a scan. NexDAST is a SaaS solution that is quickly integrated into your SDL, and new payloads are added faster than with any traditional solution.



Request a demo and check out how NexDAST can help you keep your WordPress site secure.
