How Did My WordPress Website Get Hacked?

WordPress is a complicated piece of software. Its half a million lines of code make up the features we know and love, like the ability to edit our content, the WordPress email notifications, and the dashboard that lets us control the site. The downside of this complexity is that the more features WordPress has, the higher the risk that a hacker finds one to exploit.

Bad Passwords

This is the most common way for a hacker to get into a WordPress site and vandalize it. By default, hackers can guess at your passwords an unlimited number of times until they get in. Trying the top 10,000 worst passwords is a common practice. There are multiple passwords you need to secure for each website: the WordPress login, the cPanel login, the database, and probably more depending on the setup. All of these should be strong passwords, which means no dictionary words, no business name in the password, and special characters and numbers. For best results, use a strong password generator and a password manager so you do not forget them.
Strong Random Password Generator: Secure Password Generator
LastPass Password Manager: LastPass website
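
An added example (not part of the original article) of how the repeated password guessing described above shows up in a web server access log, so you can check whether it is happening to your site. It assumes the combined access log format and WordPress's stock login page, /wp-login.php; the sample log lines and the threshold of 5 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic; IPs are documentation ranges).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [12/Mar/2024:10:00:{s:02d} +0000] '
     f'"POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"' for s in range(6)]
    + [
        '198.51.100.20 - - [12/Mar/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "-"',
        '198.51.100.20 - - [12/Mar/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "-"',
        '198.51.100.20 - - [12/Mar/2024:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
        'truncated or malformed line',
    ]
)

# client IP, identd, user, [timestamp], "METHOD path protocol", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def failed_logins_by_ip(log_text):
    """Count likely failed WordPress logins per client IP.

    Assumption: a stock WordPress site answers a failed login POST with
    status 200 (the form is shown again) and a successful one with a 302
    redirect. Security plugins or custom login pages can change this.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if (m.group("method") == "POST"
                and path.endswith("/wp-login.php")
                and m.group("status") == "200"):
            counts[m.group("ip")] += 1
    return counts

def suspected_guessing(log_text, threshold=5):
    """Return {ip: failures} for clients at or above the threshold."""
    return {ip: n for ip, n in failed_logins_by_ip(log_text).items()
            if n >= threshold}

if __name__ == "__main__":
    for ip, n in suspected_guessing(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed logins")
```

A single mistyped password (the second address in the sample) stays below the threshold, while the address that fails six times in a row is reported.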

Too Many Plugins

WordPress lets us add features made by third parties, called plugins. Plugins do things like add a newsletter feature to WordPress, or add an appointment scheduling feature. Plugins tend to have security flaws more often than the WordPress core, and each one adds a bit of risk to your site. The solution is to remove any plugins you can do without, and to keep an eye on the ones you use for updates and reports of security flaws.

Didn’t Update WordPress

Security flaws are found all the time. In most cases the developers are notified and the problem is patched with a WordPress update to prevent hackers from using it against you. If the website is not updated in a timely manner, you will be open to attack from these types of security bugs. We recommend a security plugin like Wordfence that notifies you when updates are waiting.
Wordfence – WordPress Security Plugin: Wordfence website

Computer Virus

Our computers connect to our WordPress sites so we can edit the site and view pages. If the computer you use to access the site is infected with a virus, it could steal the passwords entered into your computer. It is important to run antivirus software on both Mac and PC. Malwarebytes is my go-to favorite for Mac and PC, with an optional ESET antivirus added for extra protection on PC.
Malwarebytes for PC: Malwarebytes
Malwarebytes for Mac: Malwarebytes Mac

Most of these problems are easy to prevent. Make sure your computer and website are well maintained, and use strong passwords and a password manager. Have your developer reduce the number of plugins on your site. Once these are in place, you will not be the low-hanging fruit, and your chances of being hacked are much lower.
