Why do WordPress websites get hacked?


The first thing you want to know when your website gets hacked is why someone would want to do this to you. Keep in mind that most of the time this is nothing personal and the attackers are not targeting your site in particular. Attackers are constantly searching the web for possible targets, and they won’t turn down an easy one, no matter how small your website or business is.

Most of the attacks are carried out automatically. The attackers use scanning tools to search the web for websites to attack and infect with their malicious code.
Just remember that you are not alone: thousands of websites are infected daily.
Google also noticed an increase of 32% in the number of hacked sites in 2016 compared to the previous year, and unfortunately they don’t expect this trend to slow down this year.

Why are WordPress websites targeted?

Well, this is an easy question: because it is extremely popular. WordPress now powers over 28.9% of the web, currently running on over 75,000,000 websites worldwide, and it is by far one of the most popular content management systems out there. It is used by bloggers, small businesses and even large brands like The New Yorker, TechCrunch, Sony Music, MTV News, Time Inc. and many more.
Unfortunately, due to its popularity, WordPress is a frequent target for hackers and security researchers.

What do hackers have to gain from breaking my website?

The most apparent reason is economic gain. Most of the time the attackers are not interested in your website at all; they are after the computing power of the web server it is running on, which also comes with a high-speed internet connection and free electricity.

So right now you might be asking yourself what they are doing with these resources.

There are several things that they can do with your account:

1. SEO Spam

Once the attackers get a list of vulnerable sites that can be exploited, they automatically inject backlinks and spam keywords that serve their interest into your web pages. They can add hidden links in the footers of infected sites or create thousands of new pages with spammy content.
Most of the time they try to hide the malicious injections, making them undetectable to visitors or the website owner, yet visible to web crawlers like Googlebot, so that they can benefit from your website’s SEO with higher rankings.
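One way a site owner can check for both symptoms described above, links served only to crawlers and links hidden from visitors, is to compare the page as a browser receives it with the page as a crawler receives it. The following is an added example, not code from this article; the names `LinkAudit` and `audit` and the sample HTML are constructed for illustration, and only inline `style` hiding is recognized.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDING_STYLES = ("display:none", "visibility:hidden")
VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}  # never get an end tag

class LinkAudit(HTMLParser):
    """Collect external links and note which sit inside a hidden element."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []      # one flag per open element: does it hide its content?
        self.links = set()   # every external href on the page
        self.hidden = set()  # external hrefs a visitor cannot see

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if tag not in VOID_TAGS:
            self.stack.append(any(s in style for s in HIDING_STYLES))
        href = attrs.get("href") or ""
        host = urlparse(href).netloc
        if tag == "a" and host and host != self.site_host:
            self.links.add(href)
            if any(self.stack):
                self.hidden.add(href)

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.stack:
            self.stack.pop()

def audit(site_host, visitor_html, crawler_html):
    """Return (links served only to the crawler, links hidden from visitors)."""
    visitor, crawler = LinkAudit(site_host), LinkAudit(site_host)
    visitor.feed(visitor_html)
    crawler.feed(crawler_html)
    return sorted(crawler.links - visitor.links), sorted(visitor.hidden)

# Constructed responses for one URL, as fetched with a browser and a crawler User-Agent.
VISITOR_HTML = """<html><body><h1>Shop</h1>
<a href="https://example.com/about">About</a>
<div id="footer"><div style="display: none">
<a href="https://spam.example/pills">cheap pills</a></div></div>
</body></html>"""
CRAWLER_HTML = VISITOR_HTML.replace(
    "<h1>Shop</h1>", '<h1>Shop</h1><a href="https://spam.example/casino">casino</a>')

if __name__ == "__main__":
    print(audit("example.com", VISITOR_HTML, CRAWLER_HTML))
```

Any entry in either list is a link the site owner did not knowingly publish and is worth tracing back to the template or database row that emits it.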

2. Mail Spam

Unfortunately, we all know what spam emails are, and everyone gets a few of these daily. Although the overall number of spam emails sent has decreased in the past few years, this is still a big problem: according to the Kaspersky Lab report published for Q2 2016, over 57.25% of the emails they analyzed were spam.

So you might ask yourself where these emails are being sent from and why nobody is stopping them. Well, the short answer is from your compromised website or account.

The spammers can send out thousands of emails in just a few minutes, all of which will come from your server or website. These days spam equals money: there are still people who don’t delete spam messages as soon as they receive them and who follow up on the emails received, supporting and encouraging this type of business.

3. Serve viruses to your visitors

The attackers can modify your website to serve viruses to your visitors, so the next time anyone checks out your website they could be infected if they don’t have a security app installed on their computer or if the OS is not up to date.

They could, for example, serve a ransomware virus which will encrypt all your visitors’ files and decrypt them only after payment. According to Symantec, it blocked over 320,000 ransomware infections in the first six months of this year, which is a significant increase over last year.

4. Malicious Redirect

Attackers might insert malicious code that redirects your website visitors to phishing or malware websites. This can have a devastating effect on your website’s reputation, as Google might start removing your pages from their search results if you don’t act quickly.

5. Cryptomining

You have probably heard by now about Bitcoin and how valuable it is. What you probably don’t know is that it requires a lot of computing power to “mine” a bitcoin or any similar digital currency. So what attackers do is insert a code snippet into your website files which runs in the background of your visitors’ browsers and mines coins using their computer resources.

How do WordPress websites get hacked?

WordPress on its own is actually a very secure platform, and being open source means that it is updated on a regular basis. Numerous programmers dedicate their own free time to making sure it receives regular updates and security patches, so you can rest assured that when an issue is discovered, a security patch is on its way.

So if it’s so secure how do the attackers break in?

In most cases, the vulnerabilities exploited by the attackers have little, if anything, to do with the core files of WordPress itself, but more with improper setup, configuration, and overall maintenance by the webmasters or owners.

According to Sucuri’s Website Hacked Trend Report, the number one reason WordPress websites get hacked is that the site owners or developers don’t keep the WordPress installation or plugins updated.

While the leading cause of infections was vulnerabilities found in the installed plugins and themes, 61% of the infected WordPress websites Sucuri analyzed were outdated.

WordPress stats show that over 76% of WordPress installations are not up to date.

Plugins and themes which add functionality and design to your WordPress website could be vulnerable if they are not coded properly or don’t receive regular updates.

You need to pay extra attention when installing any WordPress add-ons. Make sure that the author(s) push regular updates and security patches; if an add-on hasn’t received any update in more than a year, it’s best to look for alternatives. Installing outdated plugins or themes is like leaving an open door for anyone looking to break in.

While there are a lot of things you can do to keep your website secured, you must remember that the number one cause of infections is outdated software, whether the WordPress core files, themes or plugins. The first step to keeping your website secured is to make sure everything is up to date; you can read more about how to configure auto updates and other security tips here.

Be proactive and stay informed

If the thought of having your websites hacked or compromised keeps you awake at night, it’s time to take your website security seriously. Keep in mind that regardless of what your site is used for or how popular it is, it can always become a target for an attacker.

It is just a matter of time before your website is targeted by an attack and infected with malware if you don’t do regular maintenance and take security measures.
An excellent way to stay informed on the health of your website is to register it in Google’s Search Console (Gmail account needed). This is a free service, and it’s the primary channel Google uses to communicate security issues like hacking and malware to website owners or administrators.

Another method to stay on top of things is to monitor any file changes. Luckily there is a free WordPress plugin that can help you with that, called iThemes Security. The plugin is easy to set up and needs only a few clicks to get up and running. The “File Change detection” function included in the free version of the plugin will send you an alert message when a file has changed in your WordPress installation, so you can take immediate action if unauthorized changes have been made to your website files.

How to Secure your WordPress site?

Keep in mind that the risk can’t be removed entirely, only reduced; there will always be some risk. However, being proactive and implementing the necessary security measures can drastically reduce the risk of a successful attack on your website or business.

To learn about how to secure your WordPress website, check out our blog post about WordPress Security.
