Do You Know Why Hackers Are Targeting Your WordPress Site?

Do You Know Why Hackers Are Targeting Your WordPress Site?

As we discover better ways to secure WordPress websites, it’s easy to feel a bit more relaxed about the whole thing… which is both good and bad. It’s good because it means we trust the tools and services we’ve invested in to harden security in WordPress. It’s bad though when we mistakenly confuse the tightening of security with a set-it-and-forget-it mentality.

To put it bluntly: hackers are looking to break into your WordPress site. That’s a fact. If you’re thinking that your site is too small or new to earn the attention from hackers, think again. There are tens of thousands of security attacks happening every minute of every day, and hackers show no prejudice when it comes to the size of the website or business they attack.

Weaknesses abound in WordPress unfortunately and hackers are well aware of what they are. If you want to put up a good defense around your WordPress site, then you need to think like a hacker. Identify what the weakest spots of your site are and consider the different ways in which they might exploit them. Only then will you be able to properly fend off attacks.

Where Are the Weakest Spots on Your WordPress Site?

Perhaps the scariest thing about all this? A lot of times, hackers aren’t specifically searching online for your website (especially if it does happen to be brand new or on the smaller side). Many hackers automate the process of sniffing out vulnerabilities by using bots. These bots detect the entryway and the hackers jump inside. So, really, any WordPress site can become the victim.

To keep hackers and their bots at bay, it’s important to familiarize yourself with the most common weak spots in WordPress.


Any spot on the backend or frontend of your WordPress site that requires a login and password is a prime area for targeting.

This includes the main WordPress login area:

Comment boards:

Comment Login

e-Commerce accounts or payment gateways:

Zappos Login

Hackers know that users aren’t always inclined to create a unique and strong password for every account they have online (which goes against password security basics 101). That’s why this will be one of their first targets on your WordPress site.


Comments aren’t just a security liability because of the login element (if there even is one). Comments can also be problematic because of spam, which is why some people choose to disable comments entirely in WordPress.

Here’s an example from the Clients from Hell comment board:

That link might not lead to anything malicious, but it certainly doesn’t belong in this comment string about bad clients.

Contact Forms

Contact forms, subscription forms, payment forms–any part of your site that asks users to input their details is an obvious spot for hackers to target.

Of course, there’s the obvious break in behind the scenes and then grab the sensitive data entered into those fields approach. There’s also a way in which hackers can steal data by monitoring users’ keystrokes–either through hacking into wireless keyboards or by using keylogging malware installed on their computer.

WordPress Database

While it’s great that WordPress has simplified the naming of files and database structures across all sites, it also a major problem since every single one of us (including hackers) knows that the “wp-” prefix is used to label pretty much everything. This leaves your WordPress database fully exposed and vulnerable to attack if that’s not changed.

WordPress Core

Did you know that over 73% of previous WordPress installations have known vulnerabilities within them?

WordPress Versions

Although the WordPress core isn’t your responsibility to manage, it certainly is your responsibility to see to it that any updates WordPress makes are processed immediately. As diligent as WordPress’s security team is about keeping the core updated, it’s important that WordPress developers do the same on their end so as not to introduce those insecurities to their sites.

WordPress Plugins

Even more susceptible to security breaches than the WordPress core are plugins. In fact, WordPress plugins account for over 50% of all security attacks on WordPress websites.

WordPress Plugins

Of course, that shouldn’t make you wary of using WordPress plugins; they’re an essential part of the work you do in building interactive and engaging websites for our audiences. However, it does mean you need to pay close attention to what’s happening with your current set of plugins as well as keep your eyes and ears open when reviewing new plugins for your site.

There are generally two ways in which WordPress plugins can create sticky situations for you:

  • When they are updated by the developer, but you don’t make the upgrade on your site (or do it in a timely fashion).
  • When you unknowingly add a fake WordPress plugin to your site.

So, be sure to pay close attention to these.

WordPress Themes

The same goes for WordPress themes, although you shouldn’t have to worry about using a fake one. With these, it’s simply a matter of issuing updates from the developer in a timely fashion.

Web Hosting Server

Sadly, not all web hosting companies are made equal and this can often affect the level and quality of server security you receive. Of course, you should be on the lookout for the following when you choose a web hosting plan:

  • Server-side firewall and encryption
  • NGINX or Apache web servers
  • Antivirus and anti-malware software
  • On-site security systems
  • Availability of SSL certificates and a CDN

There’s also the risk of cross-site contamination when there are multiple domains sharing the same space on a server. If that scenario directly relates to your site, then you may need to take extra security precautions at the server level.

What Do Hackers Want from Your WordPress Site?

If you’ve ever had the thought, “My site is too small/new/local. What could hackers possibly want from it?”, it’s time to change your tune. Hackers aren’t just looking to rip off big corporations. Nope. They’re simply looking for any vulnerability they can exploit.

So, the next time you think, “I have nothing they’d want”, consider the following opportunities they may take advantage of:

1. Inject Malicious Content

In some cases, hacking is simply about getting malicious content or code onto the front end of your WordPress site with the hopes that your visitors then click on the errant links. This may happen through comment spam, by hijacking your site’s email and sending spam messages to your followers, or through actual content submissions.

As an example of the last one, take a look at the NextGEN Gallery plugin vulnerability. Through this, hackers had the ability to update a website’s PHP and then attack a site through the plugin.

2. Spread Viruses

Another manner in which hackers aim to terrorize your visitors is by using your WordPress site to spread viruses and malware. They can do this using malicious code they’ve written into the backend or with files they’ve uploaded for download on the front end. When visitors interact with them, hackers then steal the visitors’ information or they use their computers to spread viruses to other websites.

The BlogVault backup plugin breach is a good example of this. Through this attack, hackers were able to infect WordPress sites that had the plugin with malware.

3. Steal Visitors’ Personal Information

This is the one your visitors are obviously most worried about and the one you should hope never happens as it’s quite costly. Granted, any security breach is bad for business, but this one also means having to compensate your visitors and customers for the money and privacy compromised in the attack. Not to mention their loss of trust in your brand.

Hackers can obtain this information in a number of ways and they can also do a number of things with it. Sometimes it’s for their own personal monetary gain, but sometimes it’s like the Ashley Madison hack where they’re trying to make some sort of statement.

4. Steal Business’s Private Information

Businesses work very hard to keep details about their company–especially as it pertains to financials and customer account details–under wraps. Which is why it’s incredibly important not to sync that information to the corresponding business site.

The Heartbleed vulnerability is a recent example of this kind of attack and it stemmed from an issue with OpenSSL–something created in order to better protect websites. Instead, what OpenSSL ended up doing was to feed sensitive business data back to the hackers when they sent fake requests to the affected websites’ servers.

5. Host Phishing Pages from Your Server

Phishing on websites basically refers to when hackers create a fake page on your WordPress site in an attempt to collect information from visitors willing to give it. They can do this by embedding a contact form on the page and directly collecting information or they can redirect visitors to another website where that information will then be lifted.

Google blacklists 50,000 websites every week because of phishing scams. Pretty crazy, right?

6. Host Legit Pages from Your Server

Some hackers may actually take the time to build out legit pages on WordPress sites in order to improve their SEO. These pages talk up their own enterprise and link back to them in order to give their site more clout in search. Or they may choose to skip the landing page and instead use a more subtle approach to boosting SEO. In this case, they’d use a system of backlinks from your site to theirs.

7. Overload Your Web Server

When hackers overload your web server with an influx of hits, this is what’s known as a distributed denial of service (or DDoS) attack. Once they hit that threshold, your site goes down, and they win. Why would they do this? What could they possibly get from taking your site offline? Well, it could be for bragging rights. It might be because they have a personal vendetta against the brand behind the site. Maybe the site is just one of many victims in a major widespread attack. Or maybe they did it in order to demand a ransom.

8. Steal Your Server Bandwidth

I’ve talked before about how people might knowingly or unknowingly steal images from your WordPress site. One of the ways in which this happens is through hotlinking, which effectively turns your site into a hosting ground for other websites’ traffic through your linked images.

However, there are other ways in which hackers may steal your server’s resources to host their own nefarious activities, such as bitcoin mining and brute force attacks on other websites. That’s exactly what happened in the case of the Monero mining hack in which breached sites became “slaves” used in the hackers mining activities.

9. Vandalize Your Website

And, of course, there’s website vandalism. For the most part, hackers are doing this to establish a calling card for themselves while simultaneously hurting your brand. One of these such defacements happened to a large swath of WordPress websites–and continued to happen even after WordPress issed the patch because users failed to update in time.

Wrapping Up

To wrap this up on a positive note, let’s try to focus on what we do know:

No, WordPress is not invincible.

But yes, we have the means to put up a good defense against intruders if we know what we’re looking at.

As a reminder, here is what you can do:

And don’t forget to run regular vulnerability scans to ensure that your site is free from vulnerabilities!

Over to you: How much of a struggle is it to convince your clients that their WordPress sites need (more) security?

Brenda Barron

Brenda Barron Brenda is a freelance writer from Southern California. She specializes in WordPress, tech, and business and founded WP Theme Roundups. When not writing about all things, she's spending time with her family.