10 Reasons Your WordPress Site Got Hacked
Learn more about why your WordPress site got hacked
WordPress is an excellent CMS. However, like all web applications, it requires tweaking on the user’s behalf to make it bullet-proof against common web threats.
If your WordPress site has been compromised or you’re just looking for some practical ways to secure it, be sure to read through these 10 unmissable reasons.
- Your WordPress version is outdated
Using an outdated version of WordPress can open you up to a world of vulnerabilities. The WordPress core is frequently updated with security fixes to improve and harden your WordPress site. Be sure to continuously check that your WordPress site is up to date. Additionally, we recommend subscribing to the WordPress Updates mailing list so you can be notified when a new version has been released.
- You’re broadcasting your WordPress version
WordPress, by default, broadcasts its version in the ‘generator’ meta tag. Additionally, WordPress also includes two other identifiers, a ‘readme.html’ and a ‘license.html’ file. Combined, they can be a gold mine for rogue bots scanning for WordPress-specific sites. Once a bot has picked up your WordPress version, it can proceed to cross-check it with sites like Exploit-DB or Secunia to view the associated vulnerabilities.
- You’re using predictable WordPress table prefixes
Throughout the WordPress installation process, you are asked to specify a table prefix, with ‘wp_’ being the default. Attackers can leverage the default WordPress table prefix in an SQL injection attack to exploit your WordPress website.
- You’re using insecure WordPress plugins
There are thousands of insecure WordPress plugins out there. You need to be extremely cautious with the plugins you install, as they could be poorly developed and open you up to a slew of severe vulnerabilities. Before installing, always check the release date, reviews, downloads and whether there are any associated vulnerabilities on Exploit-DB or Secunia.
- You didn’t lock down your WordPress wp-admin folder
Your WordPress admin folder is something you don’t want exposed. Lock down your WordPress wp-admin folder to prevent unwanted brute force attempts by using password-protected directories or a plugin such as Limit Login Attempts to keep tabs on incorrect username / password combinations.
- You’re granting all privileges on your database user
If your WordPress site is hacked, the last thing you want is for the attacker to have full database privileges, i.e. the ability to completely remove the database or specific tables. To ensure that this doesn’t happen, you should only allow ‘INSERT’, ‘CREATE’, ‘ALTER’, ‘UPDATE’, and ‘SELECT’ for your WordPress database user.
- Your WordPress theme is insecure
Sucuri recently named and shamed insecure WordPress themes that didn’t sanitize data inputs correctly, allowing an attacker to perform SQL injections on the victim’s site. Be sure to do your research before settling on a WordPress theme. You can also check the theme against the latest WordPress best practices and standards with a plugin such as Theme-Check.
- Your WordPress permissions are incorrectly set
By default, files are writable by WordPress. While this might be handy, it’s probably not a wise idea to leave them writable in case an attacker gains access to your site. Make sure you refer to the WordPress file permissions section for the correct file / folder permissions to set. Important: Set your wp-config.php permissions to 400. This way, only the file’s owner can read it.
- Your WordPress logins are weak and predictable
Using the default ‘admin’ username and password-is-my-password combination will get you fast-tracked to the hacked database. Common brute force tools will default to using the ‘admin’ username on the WordPress login. Make sure you think of a unique username and password to minimize your chances of being compromised.
- Your computer is infected
You might be confident that your computer isn’t infected. However, the number of users who have had their FileZilla plain-text-stored passwords stolen is alarming. Once these critical passwords are leaked, it won’t be long until an attacker connects to your account’s FTP and kicks up the dirt. Always check your local computer’s security to ensure this doesn’t happen.
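The file-level checks from the list above (the readme.html and license.html identifiers, the default ‘wp_’ table prefix, and wp-config.php set to 400) can be run as one audit. This is an added example, not part of the original article; the function names, the constructed sample site and the extra world-writable check are assumptions of the example.

```python
import os
import re
import stat
import tempfile

VERSION_FILES = ("readme.html", "license.html")  # identifiers named in the article
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)

def audit_wordpress(root):
    """Return sorted findings for the WordPress directory at `root`."""
    findings = []
    for name in VERSION_FILES:
        if os.path.isfile(os.path.join(root, name)):
            findings.append(f"version identifier present: {name}")
    config = os.path.join(root, "wp-config.php")
    if not os.path.isfile(config):
        return sorted(findings + ["wp-config.php not found"])
    mode = stat.S_IMODE(os.stat(config).st_mode)
    if mode != 0o400:
        findings.append(f"wp-config.php mode is {mode:03o}, expected 400")
    try:
        with open(config, encoding="utf-8", errors="replace") as fh:
            match = PREFIX_RE.search(fh.read())
    except OSError:
        findings.append("wp-config.php unreadable by this user; prefix not checked")
        match = None
    if match and match.group(1) == "wp_":
        findings.append("default table prefix wp_ in use")
    # Assumption of this example: a file writable by every local user is wrong.
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                findings.append(f"world-writable: {os.path.relpath(path, root)}")
    return sorted(findings)

def build_sample_site(root, prefix, config_mode):
    """Create a constructed, minimal stand-in for a WordPress directory."""
    for name in VERSION_FILES:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("<html>constructed sample</html>")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write(f"<?php\n$table_prefix = '{prefix}';\n")
    os.chmod(os.path.join(root, "wp-config.php"), config_mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site, "wp_", 0o666)
        print("\n".join(audit_wordpress(site)))
```

Point `audit_wordpress` at the directory that holds wp-config.php and run it as the account that owns the files, so the 400 mode does not block the prefix check.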