WordPress is enormously popular – 20 million websites and blogs have been built using it.

WordPress has a wide ranging functionality and feature set and is ideal for beginners to the world of creating blogs and websites. But, that popularity means that hackers put a lot of time and attention into trying to crack WordPress installations.

So, users of WordPress need to install a range of security measures to keep the intruders at bay.


What Do Hackers Want From WordPress Installations?

There are the expected targets – financial institutions, retailers and others that may have payment card details etc. – anything that the hackers can sell to scammers, spammers and identity thieves. 

But there are also other reasons why hackers try to break into so many peoples WordPress sites, including:-

·         Use WordPress to secretly send out huge volumes of spam emails

·         Steal any personal information – from employees, customers, partners – email addresses, phone numbers, home addresses etc.

·         Use the website to launch distributed denial of service attacks on other target website

·         Redirects —hackers will redirect visitors from your site to other websites that generate affiliate income for them

·         Host criminal web pages on the website in hidden areas e.g. phishing pages

·         Deface The Site – this is only likely if the hackers are dumb teenagers with nothing better to do or people who distrust/dislike your business for whatever reason. It is sometimes doe for political reasons.

·         SEO – The hackers can host their own pages on your site and that will give them the benefit of your clean reputation and possibly significant Domain Authority. They can also simply add links into your pages to their own sites thus boosting their backlinks.

·         Distribute Malware - hackers can install malware on your site that will infect any readers of your site.  If that happens – your site may be blocked by the search engines and anti-malware companies as they will believe you are a scammer.  

A lot of times, hackers aren’t searching online for anything more specific than WordPress websites.

So, it’s a matter of luck whose website is attacked, but that means we must all take preventive measure even if our website appears to be of little interest to a hacker.

Automated Attacks

Manually trying to break into WordPress websites would be very time intensive so hackers use automated programmes to search out and test WordPress installations – looking for known weaknesses.  These programmes are similar to the ‘bots’ that the search engines use to track all pages in your website.

If weaknesses are found – that is reported to the hacker.

Survey of WordPress Site Owners

Research in 2016 by Dan Moen showed that most website makers do not know how the attack was made.  

Of the 1,032 survey respondents who answered this question, 61.5% didn’t know how the attacker compromised their website.

This is of concern as if you don’t know how the attack was made it is difficult to be sure you have blocked a repeat.

For the site owners who did figure out how the attackers entered, here is what the breakdown tells us:

1.       1. Plugins are the biggest risk

 2. Brute force attacks are a significant problem

Tips on How to Protect Your WordPess Site

1.       Change the admin login to an unexpected name.

2.       Add Security Plugins e.g. Wordfence or Jetpack or Bulletproof or iThemes

3.       Keep Plugins updated. They cannot keep your site protected if you miss updates.

4.       Only download plugins from reputable sites

If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable.


It is simple for hackers to create fake plugins, fake reviews of those plugins and then make them available.


WordPress security is a constant battle – do not let down your guard and do not believe that hackers would not bother with your site – because they might.

Stay safe!

If you have any experiences with scammers, spammers or time-wasters do let me know – go to the About page then Contact Us. Also let me know if you have a website that has been attacked. 








Articles on Guidance