6 WordPress Security Issues that Expose your Site to Hacks


If you own a WordPress site and have questions about its security, this article will help you understand the loopholes that attackers exploit to break into websites. Likewise, if you have already been through a hacking attempt or a successful attack and need to understand how the attacker got past your site’s defences, this article aims to shed light on the weak links in your WordPress site’s armour that left it vulnerable in the first place.


Why is WordPress Targeted by Hackers?

Attackers will attack; that is the uncomfortable truth. It does not matter which platform you build your website on: every website is exposed to attackers and cyber criminals around the clock.

WordPress sites are especially likely to be targeted because WordPress is one of the world’s most popular website builders. In fact, 32% of all websites on the internet are powered by WordPress.

With millions of sites running the same software, a single weakness in a popular plugin, theme or default configuration can be exploited at scale, and sites with weak or nonexistent security measures are the easiest pickings.

Attackers have different motives. Sometimes a hacker in training picks websites at random to practise exploiting weak points and learn how to take down a site more efficiently. Others have far more malicious intentions:

for example, launching a DDoS attack and demanding a ransom to stop it, spreading malware, sending spam, or using one compromised website as a foothold to attack another.

Having a security plan, with a backup plan behind it, is more crucial than ever. Your website needs solid security to thwart attackers and stay intact. Let’s look at the top loopholes that attackers exploit to launch an assault on your website.


1. Insecure Web Hosting

Every website lives on a server somewhere, and WordPress sites are no exception. There is a myriad of hosting companies to choose from, but not all of them secure their hosting environments adequately. A poorly secured server leaves every website hosted on it exposed to attack, including yours, and on shared hosting a compromise of one customer’s site can spread to its neighbours if the accounts are not properly isolated from each other.

The hosting provider you choose is therefore central to your security; in fact, it is the first step. A provider that hardens its servers and builds security features into the platform ensures that your WordPress site sits on a safe foundation. A properly secured server blocks many attacks before they ever reach WordPress.

For extra protection, choose a reputable provider and consider managed WordPress hosting, where the provider takes on server hardening, and usually updates and backups, as part of the service.


2. Creating and Using Weak Passwords

You want the keys to your WordPress site to be made of the best steel. Your passwords are those keys, so create them with some thought.

Use strong, unique passwords for every account, since weak ones are loopholes that attackers exploit to gain full access to your website, often by simply guessing them with automated login attempts. The following accounts should each have a long password made from a mix of letters, numbers and symbols:

  • WordPress admin account
  • Web hosting control panel account (your cPanel)
  • FTP accounts
  • MySQL database used for your WordPress site
  • Email accounts used for WordPress admin or hosting account

Each of these accounts is password protected and therefore needs its own ironclad password. Never reuse a password across accounts: a leak from one service should not unlock the others. A password manager makes long, random, unique passwords practical, and any password you suspect has leaked should be changed immediately.

Remember, the passwords are the keys to your WordPress site, and you do not want to leave the door open for an attacker to come in and destroy all of your hard work.
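As an added example (not code from the original article), the following Python script generates one distinct random password per account from the list above and rejects short or known-leaked candidates. The breach list and the account names are constructed for the example; a real check would consult a breach-lookup service.

```python
import math
import secrets
import string

# Character classes the article asks for: letters, digits and symbols.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed stand-in for a breached-password list (assumption: you keep one,
# or query a breach-lookup service); real lists have hundreds of millions of entries.
KNOWN_LEAKED = {"password123", "admin2019", "letmein!", "wordpress"}

# The accounts the article lists; one distinct secret each.
ACCOUNTS = ["wordpress-admin", "cpanel", "ftp", "mysql", "admin-email"]


def generate_password(length: int = 24) -> str:
    """Draw from the OS CSPRNG (secrets, never random) until every class is present."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Search space of a uniformly random password of this length, in bits.
    Only meaningful for generated passwords; human-chosen ones are far weaker."""
    return length * math.log2(len(alphabet))


def is_weak(password: str) -> bool:
    """Reject short passwords and anything already in a breach list (case-insensitive)."""
    return len(password) < 12 or password.lower() in KNOWN_LEAKED


def issue_passwords(accounts) -> dict:
    """One fresh random password per account, guaranteed distinct across accounts."""
    issued = {}
    for account in accounts:
        pw = generate_password()
        while pw in issued.values():   # a repeat is astronomically unlikely; cheap to rule out
            pw = generate_password()
        issued[account] = pw
    return issued


if __name__ == "__main__":
    for account, pw in issue_passwords(ACCOUNTS).items():
        print(f"{account:16} {pw}  (~{entropy_bits(len(pw)):.0f} bits)")
```

The point of `secrets` over `random` is that the latter is predictable from its state; a 24-character password from this 85-symbol alphabet gives roughly 154 bits of search space, far beyond what any online or offline guessing attack can cover.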


3. Wp-Admin Directory: Unprotected Access to your WordPress Admin

The most commonly attacked area of a WordPress site is the wp-admin directory, together with the wp-login.php page that leads into it, because it gives users complete control over the site. Leaving it unprotected lets attackers hammer the login form with guessed credentials and, if they get in, do anything an administrator can.

To counter this, add layers of authentication in front of your wp-admin directory.

The first step is to password protect the WordPress admin area at the web-server level (HTTP authentication) as a first line of defence. Anyone trying to reach your WordPress admin then has to enter an extra password before they even see the login form. One caveat: wp-admin/admin-ajax.php is called by many plugins on behalf of logged-out visitors, so exempt that file from the extra password or parts of your public site will break.

If your WordPress site has multiple users or authors, enforce strong passwords for all of them. Adding two-factor authentication (WordPress core does not include it, but several plugins do) means a stolen or guessed password alone is no longer enough to enter your WordPress admin area.


4. Not Updating WordPress, Plugins and Themes

There is a lot of fear and anxiety among users about updating WordPress sites. They are under the impression that an update will irreversibly break their site. However, not updating your WordPress site leaves it wide open to attackers: each release fixes security vulnerabilities and bugs, and once a fix is public, attackers know exactly what the old version is vulnerable to.

The fix is simple: back up your WordPress site first, then run the update. If something goes wrong you can revert to the backup and try again, ideally on a staging copy of the site.

Plugins and Themes

The same goes for plugins and themes. Attackers routinely use vulnerable plugins as a way into WordPress sites, and security flaws are constantly being found in plugins and themes, so running an outdated one leaves your website exposed.

So the key is to update your plugins and themes as soon as updates become available, and to delete any plugins and themes you are not using: an inactive plugin or theme can still be exploited if its files can be reached directly on the server.
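As an added example (not code from the original article), the script below reads the version out of plugin main files the way WordPress does (from the header comment in the first 8 KiB), compares it numerically against the latest release, and flags anything behind or unparseable. The plugin sources and the table of latest versions are constructed for the example; on a real server the latest versions would come from the WordPress.org update API or WP-CLI.

```python
import re

# Constructed sample plugin main files as found under wp-content/plugins/<slug>/.
# The header format is the one WordPress reads; names and versions are made up.
SAMPLE_PLUGINS = {
    "contact-form-lite": """<?php
/*
Plugin Name: Contact Form Lite
Version: 2.4.1
Author: Example
*/
""",
    "gallery-grid": """<?php
/**
 * Plugin Name: Gallery Grid
 * Version: 1.9.10
 */
""",
    "broken-plugin": "<?php\n// no header at all\n",
}

# Constructed stand-in for what the update API would report as current.
LATEST_VERSIONS = {"contact-form-lite": "2.4.1", "gallery-grid": "1.10.0"}

HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def parse_plugin_header(source: str) -> dict:
    """Pull Plugin Name / Version out of the file header comment.
    WordPress itself only inspects the first 8 KiB, so do the same."""
    fields = {}
    for key, value in HEADER_RE.findall(source[:8192]):
        fields.setdefault(key, value.rstrip("*/ "))
    return fields


def version_key(version: str):
    """Numeric tuple so '1.10.0' sorts after '1.9.10' (string compare gets it wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def outdated_plugins(installed: dict, latest: dict) -> list:
    """Return (slug, installed, latest) for every plugin behind the latest release.
    Plugins without a parseable header are reported as 'unknown' so someone looks."""
    report = []
    for slug, source in installed.items():
        have = parse_plugin_header(source).get("Version")
        want = latest.get(slug)
        if have is None:
            report.append((slug, "unknown", want))
        elif want and version_key(have) < version_key(want):
            report.append((slug, have, want))
    return report


if __name__ == "__main__":
    for slug, have, want in outdated_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS):
        print(f"{slug}: installed {have}, latest {want}")
```

The numeric comparison matters: plugins routinely go from 1.9.x to 1.10.0, and a naive string comparison would report such a site as up to date.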


5. Using Plain FTP instead of SFTP/SSH

FTP accounts are used to upload files to your website’s server with an FTP client. Most hosting providers support several transfer protocols: plain FTP, FTP over TLS (FTPS), and SFTP, which runs over SSH.

Connecting with plain FTP sends your username and password to the server unencrypted, along with every file you transfer. Anyone who can see the traffic (on the same Wi-Fi, at a compromised router, or anywhere along the path) can capture the credentials and reuse them. Instead of plain FTP, always use SFTP (or at least FTPS) so that credentials and files are encrypted in transit.

There is no need to change your FTP client. Most FTP clients can connect over SFTP as well. Simply change the protocol to ‘SFTP – SSH’ when connecting, use the SSH port your host gives you (usually 22), and verify the server’s host key fingerprint the first time you connect; that fingerprint is what protects you from someone impersonating the server.
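To make the difference concrete, here is an added example (not code from the original article) that plays the eavesdropper: it scans a captured control channel for USER/PASS pairs. The three captures are constructed transcripts (a plain-FTP login, an explicit-FTPS login, and an SFTP session); the parser stops reading once a client’s AUTH TLS is accepted, because from that point the channel is encrypted, and it finds nothing in the SSH session because only the version banners are ever in the clear.

```python
# Constructed capture of a plain-FTP control channel as seen by anyone on the path
# (e.g. tcpdump on the same network). Hostnames and credentials are made up.
FTP_CAPTURE = """\
S: 220 (vsFTPd 3.0.3)
C: USER wpdeploy
S: 331 Please specify the password.
C: PASS Tr0ub4dor&3
S: 230 Login successful.
C: CWD /public_html/wp-content
S: 250 Directory successfully changed.
"""

# Explicit FTPS: same commands, but everything after AUTH TLS / 234 is encrypted.
FTPS_CAPTURE = """\
S: 220 (vsFTPd 3.0.3)
C: AUTH TLS
S: 234 Proceed with negotiation.
C: <TLS ClientHello, binary from here on>
"""

# SFTP runs inside SSH: only the version banners are readable.
SFTP_CAPTURE = """\
S: SSH-2.0-OpenSSH_8.9p1
C: SSH-2.0-OpenSSH_9.2
C: <SSH key exchange, binary from here on>
"""


def sniff_credentials(capture: str) -> list:
    """Return (user, password) pairs readable from a captured control channel.
    Stops at an accepted AUTH TLS because the channel is encrypted from there on."""
    found, user, tls_pending = [], None, False
    for line in capture.splitlines():
        if ": " not in line:
            continue
        side, payload = line.split(": ", 1)
        cmd, _, arg = payload.partition(" ")   # arg keeps spaces, e.g. PASS "a b"
        if side == "C" and cmd.upper() == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls_pending = True
        elif side == "S" and tls_pending and payload.startswith("234"):
            break
        elif side == "C" and cmd.upper() == "USER":
            user = arg
        elif side == "C" and cmd.upper() == "PASS" and user is not None:
            found.append((user, arg))
            user = None
    return found


def protocol_of(capture: str) -> str:
    """Classify a session from its first line: SSH banner or FTP greeting."""
    first = capture.splitlines()[0].split(": ", 1)[1] if capture.strip() else ""
    if first.startswith("SSH-2.0"):
        return "sftp/ssh (encrypted)"
    if first.startswith("220"):
        return "ftp (cleartext control channel)"
    return "unknown"


if __name__ == "__main__":
    for name, cap in [("FTP", FTP_CAPTURE), ("FTPS", FTPS_CAPTURE), ("SFTP", SFTP_CAPTURE)]:
        print(name, protocol_of(cap), "leaked:", sniff_credentials(cap))
```

The same logic, run over real traffic on your own network, is a quick way to prove to a reluctant colleague that their FTP client really is broadcasting the hosting password.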


6. Not Securing WordPress Configuration wp-config.php File

The WordPress configuration file wp-config.php contains your database login credentials and the secret keys and salts that WordPress uses to sign login cookies. If it is ever served to or read by an attacker, it reveals enough to take complete control of your website.

To mitigate this, add an extra layer of protection by denying web access to wp-config.php with .htaccess. This works on Apache; nginx ignores .htaccess files and needs the equivalent rule in its own configuration. Add this block to the .htaccess file in your WordPress root:

    <Files wp-config.php>
        # Apache 2.4 and later
        <IfModule mod_authz_core.c>
            Require all denied
        </IfModule>
        # Apache 2.2 (and 2.4 with mod_access_compat)
        <IfModule !mod_authz_core.c>
            Order allow,deny
            Deny from all
        </IfModule>
    </Files>

The rule matches the exact filename only, so do not leave copies such as wp-config.php.bak or wp-config.php~ lying around; the server will happily serve those as plain text. Also make sure the file itself is not readable by other users on the server.
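To check an install against the points in this section, here is an added audit script (not code from the original article): it parses wp-config.php text for placeholder salts, dashboard file editing and debug output left on, checks the file’s permission bits, confirms that .htaccess carries a deny rule for wp-config.php in either Apache syntax, and flags stray copies such as wp-config.php.bak that the exact-name rule does not cover. The sample file contents are constructed; `audit_install` applies the same checks to a real directory (assumption: you run it on the server with a local path).

```python
import os
import re
import stat

# Constructed wp-config.php excerpt with three things worth catching:
# placeholder salts, file editing left enabled, debug output left on.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'correct horse battery staple' );
define( 'AUTH_KEY',  'put your unique phrase here' );
define( 'WP_DEBUG', true );
$table_prefix = 'wp_';
"""

# Constructed .htaccess carrying the rule from this article (Apache 2.4 form).
SAMPLE_HTACCESS = """\
<Files wp-config.php>
    Require all denied
</Files>
"""


def audit_wp_config_text(text: str) -> list:
    """Findings from the file contents alone (no filesystem access needed)."""
    findings = []
    if "put your unique phrase here" in text:
        findings.append("AUTH_KEY/salts are still the placeholder values")
    if not re.search(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)", text):
        findings.append("DISALLOW_FILE_EDIT not set: admins can edit PHP from the dashboard")
    if re.search(r"define\(\s*'WP_DEBUG'\s*,\s*true\s*\)", text):
        findings.append("WP_DEBUG is on: error messages with file paths reach visitors")
    return findings


def audit_file_mode(mode: int) -> list:
    """`mode` is the permission bits (stat.S_IMODE); anything beyond the owner is a finding."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/others (mode %o)" % mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("wp-config.php is writable by group/others (mode %o)" % mode)
    return findings


def htaccess_blocks_wp_config(htaccess: str) -> bool:
    """True if a <Files wp-config.php> block denies access in 2.2 or 2.4 syntax."""
    block = re.search(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', htaccess, re.I | re.S)
    if not block:
        return False
    body = block.group(1).lower()
    return "require all denied" in body or "deny from all" in body


def stray_copies(filenames) -> list:
    """Editor/backup leftovers the exact-name <Files> rule does NOT cover;
    the server serves wp-config.php.bak as plain text, credentials included."""
    return sorted(f for f in filenames
                  if f.startswith("wp-config.php") and f != "wp-config.php")


def audit_install(wp_root: str) -> list:
    """Run every check against a real install directory (local path assumed)."""
    cfg = os.path.join(wp_root, "wp-config.php")
    with open(cfg, encoding="utf-8") as f:
        findings = audit_wp_config_text(f.read())
    findings += audit_file_mode(stat.S_IMODE(os.stat(cfg).st_mode))
    ht = os.path.join(wp_root, ".htaccess")
    if not (os.path.exists(ht) and htaccess_blocks_wp_config(open(ht, encoding="utf-8").read())):
        findings.append(".htaccess does not deny web access to wp-config.php")
    findings += ["stray copy served as text: " + f for f in stray_copies(os.listdir(wp_root))]
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config_text(SAMPLE_WP_CONFIG) + audit_file_mode(0o644):
        print("-", finding)
```

Because the web server and PHP usually run as the same user on shared hosting, a mode of 0600 (or 0640 with the web server group) is the practical target; 0644, the default on many uploads, lets any other account on the box read the database password.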



Cleaning up a WordPress Site after it is hacked

If all else fails and a determined attacker has still managed to breach your WordPress site, don’t panic. Restore a backup taken from before the intrusion (a backup made after the break-in will restore the attacker’s backdoor along with it), then change every password listed above, since the attacker may have read them. Call your hosting provider and see how they can assist you. We’ve also written a comprehensive guide to cleaning a hacked WordPress site.



Security and monitoring matter for every website on the internet. Cybercriminals are becoming savvier at breaching sites in record time. We hope this article has shed some light on the ways your WordPress site can be vulnerable and how to close those gaps quickly.