A Web.com Partner

10 Reasons Your WordPress Site Got Hacked

Learn more about why your WordPress site got hacked wordpress-small

WordPress is an excellent CMS, however, like with all web-applications, they require tweaking on the user’s behalf to make them bullet-proof against common web-threats.

If your WordPress site has been compromised or you’re just looking for some practical ways to secure it, be sure to read through these 10 unmissable reasons.

  1. Your WordPress version is outdated
    Using an outdated version of WordPress can open you up to a world of vulnerabilities. The WordPress core is frequently updated with security fixes to improve and harden your WordPress site. Be sure to continuously check your WordPress site is up to date, additionally, we recommend subscribing to the WordPress Updates mailing list so you can be notified when a new version has been released.
  2. You’re broadcasting your WordPress Version
    WordPress, by default, broadcasts its version in the ‘generator’ meta tag. Additionally, WordPress also includes two other identifiers, a ‘readme.html’ and a ‘license.html’ file. Combined, they can be a glory-hole for rogue bots scanning for WordPress specific sites. Once a bot has picked up your WordPress version, it can proceed to cross-check it with sites like Exploit-DB or Secunia to view the associated vulnerabilities.
  3. You’re using predictable WordPress table prefixes
    Throughout the WordPress installation process, you are asked to specify a table-prefix, with ‘wp_’ being the default. Attackers can leverage the default WordPress table prefix in an SQL injection attack to exploit your WordPress website.
  4. You’re using insecure WordPress plugins
    There are thousands of insecure WordPress plugins out there. You need to be extremely cautious with the plugins you install as they could be poorly developed and open you up to a slew of severe vulnerabilities. Be sure to always check the release-date, reviews, downloads and if there are any associated vulnerabilities on Exploit-DB or Secunia before installing.
  5. You didn’t lock down your WordPress wp-admin folder
    Your WordPress admin folder is something you don’t want exposed. Lock down your WordPress wp-admin folder to prevent unwanted brute force attempts by using password-protected directories or a plugin such as Limit Login Attempts to keep a tab on incorrect username / password combinations.
  6. You’re granting all privileges on your database user
    In the case that your WordPress site is hacked, the last thing you want is the attacker to have full database privileges, i.e. the ability to completely remove the database or specific tables. To ensure that this doesn’t happen, you should only allow ‘INSERT’, ‘CREATE’, ‘ALTER’, ‘UPDATE’, and ‘SELECT’ for your WordPress database user.
  7. Your WordPress theme is insecure
    Securi recently named and shamed insecure WordPress themes that didn’t sanitize data inputs correctly, allowing an attacker to perform SQL injections on the victims site. Be sure to do your research before settling on a WordPress theme. You can also cross-check the theme with the latest WordPress best practices and standards with a plugin such as Theme-Check.
  8. Your WordPress permissions are incorrectly set
    By default, files are writable by WordPress. While this might be handy, it’s probably not a wise idea to leave them writeable in the case of an attacker gaining access to your site. Make sure you refer to the WordPress file permissions section for the correct file / folder permissions to set. Important: Set your wp-config.php permissions to 400. This way, only the user can read.
  9. Your WordPress logins are weak and predictable
    Using the default ‘admin’ username and password-is-my-password combination will get you fast-tracked to the hacked database. Common brute force tools will default to using the ‘admin’ username on the WordPress login. Make sure you think of a unique username and password to minimize your chances of being compromised.
  10. Your computer is infected
    You might be confident that your computer isn’t infected, however, the amount of users that have had their FileZilla plain-text-stored passwords stolen is alarming. Once these critical passwords are leaked, it won’t be long until an attacker connects to your account’s FTP and kicks up the dirt. Always check your local computers security to ensure this doesn’t happen.