It is so confusing, right?

If WordPress is such an amazing and common Website Builder platform, why does it get hacked?

WordPress is in fact an amazing and very popular Website Building Platform. We believe that sites can be reasonably secure. However, unfortunately, they usually are not, and there are five main reasons:

  1. FLEXIBLE: WordPress is a very flexible Content Management System. This is both a major benefit and a major risk at the same time.
  2. POPULAR: WordPress is the most popular platform on the planet. It powers more websites than any other CMS technology. This popularity makes it a big target for hackers.
  3. POOR QUALITY HOSTING: Some shared hosting does not properly isolate user accounts. If any other account is hacked, the hacker can also gain access to your site.
  4. POOR QUALITY THEMES AND PLUGINS: Although there are some great free Themes and Plugins, simply searching for free Themes and Plugins is highly discouraged.
  5. NOT MAINTAINED: Most websites are built and then just left alone. No scheduled maintenance, updates or backups are considered.


The upside of Flexibility:

WordPress comes standard with a set of features. You then add Themes for “Look & Feel” and Plugins for functionality. Often the Themes also add functionality, e.g. a Real Estate theme might add a custom Post Type called “Property”, and another one called “Agents”.

This flexibility enables developers to make your site do pretty much anything you want, making WordPress a very good platform for custom websites. In contrast, proprietary systems like “WIX” and “Squarespace” are limited to the functionality that they already provide and cannot be extended by a developer.

Amazing Right! So what is the downside?

The downside is that anyone can create Themes and Plugins, even with basic programming skills.

So why is that a problem? Hackers are constantly scanning websites, trying to find security holes.  Poor programming practices open up security holes that hackers can easily exploit.

Even the best programmers inadvertently leave security holes as their Themes or Plugins grow in size/functionality. Therefore, developers release updates quite often. As soon as developers become aware of security holes, they release updates to fix those holes.


With currently available technologies, it is hard to fathom why some shared hosting companies still have a vulnerability that enables hackers to access all accounts on a server if one account is hacked. At WPEasy, we use CloudLinux and CageFS. This isolates each account into its own virtual file system, making it impossible for one account to access another. The fact that some hosting companies do not do this is, in my opinion, inexcusable.


Web developers generally get to know which free Themes and Plugins are good quality and well maintained. For anything else, they normally purchase commercial plugins from sites like ThemeForest or Envato. Simply searching for free themes or plugins is fraught with danger. All too often, the results you find will be poorly coded. In the worst-case scenario, they may be intentionally malicious.

E.g. you may want to add a Facebook feed on a page:

  1. You search for a free plugin, find the first “Facebook Feed” plugin, and it looks pretty good.
  2. You install the plugin and enter your Facebook login details.
  3. The plugin sends the developer your Facebook login details.
  4. The developer now has access to your Facebook account to do whatever he wishes to do.

This is a fictitious example, but it illustrates how easy it is to get scammed by installing free Themes or Plugins, if you choose the wrong one.


The unrivalled popularity of WordPress makes it a high value target for hackers. They are constantly looking for security holes and all too often find them.

In most cases the security holes they find are not in the WordPress code itself; they are usually in the Themes or Plugins installed.

Apart from the popularity of WordPress itself, there are Themes and Plugins that are very popular. For example, the Plugin “Yoast SEO” is installed on almost every WordPress site that I see. So it stands to reason that hackers will constantly be looking for holes in “Yoast SEO”. If they find a hole, they can gain access to millions of WordPress sites, especially if those sites are not updated.


An unmaintained WordPress site is gold for hackers. The longer the WordPress Core, Themes and Plugins remain without updates, the less secure the site becomes.

Why? Here is a brief explanation of one method used by hackers:

  1. They constantly run BOTs, scanning the web looking for WordPress sites. They then keep a database of the sites they find and the versions of WordPress, Themes and Plugins.
  2. They then look at existing Plugin and Theme code to find security holes that they can exploit.
  3. If they find a hole in a particular Theme or Plugin, they deploy an attack to all WordPress sites in their database that have that particular Theme or Plugin version.
  4. Fortunately for Theme and Plugin Developers, the hackers can’t help but brag on forums about what they have found.

So what can you do to mitigate the risks of getting hacked?

  1. Only use well known Themes and Plugins, or research paid themes/plugins before using them.
  2. Ensure that all Core, Theme and Plugin versions are updated as often as possible.
  3. Use a good quality hosting provider.
  4. Make sure your website is backed up off-site every day.
  5. Make sure the Up-Time of the website is being monitored.
  6. One more thing that WPEasy do on all sites is to install Wordfence. This helps to detect and block hackers' attempts to access your site.
  7. See our “WordPress Health Checklist” for additional suggestions, or contact us if you need help and want peace of mind.
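
The update advice in step 2 can be checked mechanically. The following Python is an added example, not WPEasy's tooling: it reads the version each installed plugin declares in its header comment and flags any that are older than the release that fixed a known hole. The plugin names and the `FIXED_IN` advisory data are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# WordPress reads plugin metadata from a comment header in the first 8 KB
# of the plugin's main PHP file ("Plugin Name:", "Version:").
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):(.*)$", re.M | re.I)

def read_header(php_file):
    """Return the header fields found in one PHP file, first match wins."""
    text = php_file.read_text(errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(text):
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_key(version):
    """Compare versions numerically: 1.10.0 is newer than 1.9.2, and 2.0 == 2.0.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def inventory(plugins_dir):
    """Map each plugin folder (slug) to the version declared in its header."""
    found = {}
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        if "plugin name" in fields and "version" in fields:
            found[php_file.parent.name] = fields["version"]
    return found

def audit(plugins_dir, fixed_in):
    """List (slug, installed, fixed) for plugins older than the fixed release."""
    return [(slug, ver, fixed_in[slug])
            for slug, ver in sorted(inventory(plugins_dir).items())
            if slug in fixed_in and version_key(ver) < version_key(fixed_in[slug])]

# Constructed advisory data and plugins (hypothetical names, not real advisories).
FIXED_IN = {"example-feed": "1.10.0", "example-seo": "2.0.0"}

def build_sample_site():
    root = Path(tempfile.mkdtemp())
    for slug, ver in {"example-feed": "1.9.2", "example-seo": "2.0", "example-forms": "0.3"}.items():
        (root / slug).mkdir()
        (root / slug / f"{slug}.php").write_text(
            f"<?php\n/**\n * Plugin Name: {slug}\n * Version: {ver}\n */\n")
    return str(root)

if __name__ == "__main__":
    for slug, installed, fixed in audit(build_sample_site(), FIXED_IN):
        print(f"{slug}: installed {installed}, fixed in {fixed}")
```

On a real site, point `audit()` at `wp-content/plugins` and fill `FIXED_IN` from the advisories you follow; a plain string comparison would wrongly treat 1.9.2 as newer than 1.10.0, which is why the versions are compared as numbers.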

WPEasy offer plans that ensure all updates are done weekly, updates for newly identified vulnerabilities are done daily, and the site is backed up daily. This gives the site owner peace of mind that as much as possible is being done to keep the site secure, and that if the site does get hacked, it can be recovered quickly.


WPEasy offer plans which ensure all updates are done weekly, updates for newly identified vulnerabilities are done daily, and the site is backed up to a cloud service daily. This gives our customers peace of mind that everything possible is being done to keep the website secure, and that if for any reason the website does get hacked, it can be recovered quickly.


Note: This is not intended as a comprehensive guide to WordPress security. The full discussion is well beyond the scope of a simple article. However, we believe that by following this simple advice your chances of getting hacked are minimised.