Why do WordPress websites get hacked? (part 1)

Hacking is a business: illegal, but profitable. Most business owners believe that the purpose of hacking a website is to steal information or money. Since they do not have anything valuable on the site, they feel they are not a likely target for an attacker. In reality, very few websites are subject to a targeted attack. Most websites are hacked by automated bots that look for weak prey. Why?

Malware attacks

According to Sucuri, 62% of WordPress websites hacked in the first half of 2023 had been injected with malware. Malware – malicious software – is a set of files that sits on your web server and performs various tasks on behalf of the hacker. Most often it does not even interact with your site. Your WordPress website provides it with computing power and access to the internet. The best way to understand that is to imagine a criminal who, instead of breaking into your house to steal jewelry, breaks into your basement, stages some of their contraband in a remote corner, and freeloads on your electric bill. Your family might not even notice them, and they have no intention of bothering you.

This type of malware, distributed across hundreds of thousands of websites, can then be used to perform high-profile attacks that you later read about in the news.

SEO spam

This type of attack affects your website by injecting unwanted content – links, images, ads – into your pages and posts, and accounts for about 42% of all infections. Even here, the primary objective is not to hurt your site but to boost the ranking of another site – most likely one that the hacker’s client paid for. Since the malicious SEO content is on your site, it ends up hurting your own ranking by associating you with the illegal site you are now promoting through the injected content.
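Injected SEO links are usually hidden from visitors with inline styles (display:none, off-screen positioning, zero font size) so that only search-engine crawlers see them. The script below is an added example, not code from the original post or from Watermelon: it walks a post's HTML with Python's standard-library parser and reports every link that is hidden itself or sits inside a hidden element, marking whether it points off-site. The sample post, the hostname example.com and the function names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style tricks commonly used to hide injected links from human visitors
# while leaving them in the HTML for search-engine crawlers to index.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0(?![.\d])"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}",
    re.IGNORECASE,
)

# Elements that never have a closing tag, so they must not be pushed on the stack.
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class HiddenLinkFinder(HTMLParser):
    """Record every <a href> that is hidden itself or sits inside a hidden ancestor."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.stack = []      # (tag, effectively_hidden) for each open element
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden_here = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        inherited = self.stack[-1][1] if self.stack else False
        effective = hidden_here or inherited
        if tag == "a" and a.get("href") and effective:
            # A relative href stays on this site; anything else is compared by host.
            host = (urlparse(a["href"]).hostname or self.site_host).lower()
            self.findings.append({
                "href": a["href"],
                "external": host != self.site_host,
                "line": self.getpos()[0],
            })
        if tag not in VOID_TAGS:
            self.stack.append((tag, effective))

    def handle_startendtag(self, tag, attrs):
        # A self-closing element cannot enclose a link and opens no scope.
        pass

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates the sloppy markup in real posts.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_links(post_html, site_host):
    """Return the hidden links found in one post's HTML, in document order."""
    finder = HiddenLinkFinder(site_host)
    finder.feed(post_html)
    finder.close()
    return finder.findings


# Constructed sample post: two legitimate links plus three injected, hidden ones.
SAMPLE_POST = """
<h2>Our summer menu</h2>
<p>See the <a href="/menu">menu page</a> for details.</p>
<div style="display:none">
  <a href="http://cheap-pills.example.net/buy">cheap pills</a>
  <a href="http://casino.example.org/">online casino</a>
</div>
<p style="position:absolute; left:-9999px">
  <a href="http://loans.example.net/">payday loans</a>
</p>
<p>Follow us on <a href="https://social.example.com/us">our page</a>.</p>
"""

if __name__ == "__main__":
    for f in find_hidden_links(SAMPLE_POST, "example.com"):
        kind = "external" if f["external"] else "internal"
        print(f"line {f['line']}: hidden {kind} link -> {f['href']}")
```

Run it over the `post_content` column exported from the `wp_posts` table (or over the rendered pages of your site) and review anything it flags; a legitimate post rarely needs hidden links, so even a short list is worth a look. The check is deliberately narrow: it will not catch links injected by a theme file or a database option rather than post content, which is why plugin and file monitoring still matter.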

Attack tactics

Now that you understand the motivation behind the hackers’ actions, let’s look at their mode of operation. One can get control of a website by cracking the password, hacking into the hosting service, attacking the WordPress core software, or exploiting a vulnerability in the theme or a plugin. Of all these methods, over 90% of sites are hacked by exploiting a plugin vulnerability, and of those plugins, over 90% are free plugins.

Cops and Robbers

Hackers constantly monitor the plugins that are available for download and look for poorly written code they can exploit. When such code is found, they can sell the information about the vulnerability to other hackers, who use it to build attack bots. Security companies (Wordfence, for example) also scan all plugins for the same problems, but they contact the plugin developer and request a patch – a code change that fixes the security issue. By the time a security company announces a vulnerability in a plugin, the hackers have often already had weeks or months to exploit it.

I’ll discuss the various levels of protection in the second part of this article. The 3 biggest takeaways so far are:

  • No website is “safe” from attacks.
  • Free plugins pose the most risk to your site.
  • You must monitor your plugins and update as soon as the patch becomes available.
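The third takeaway is the one you can automate. The script below is an added example (not code from the original post or from Watermelon) that turns the plugin inventory printed by WP-CLI's `wp plugin list --format=json` into a short triage list: plugins with a patch waiting, active ones first, plus inactive plugins whose code still sits on the server. The field names match what WP-CLI prints; the plugin entries in the sample, the script name plugin_triage.py and the function names are constructed for the example.

```python
import json
import sys

# Constructed sample shaped like the output of
#   wp plugin list --format=json --fields=name,status,update,version,update_version
# (field names are the ones WP-CLI prints; the entries are made up for this example).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none",
     "version": "5.3", "update_version": ""},
    {"name": "contact-form-7", "status": "active", "update": "available",
     "version": "5.7.7", "update_version": "5.8.4"},
    {"name": "old-gallery", "status": "inactive", "update": "available",
     "version": "1.2.0", "update_version": "1.4.1"},
    {"name": "hello", "status": "inactive", "update": "none",
     "version": "1.7.2", "update_version": ""},
])


def triage(plugin_list_json):
    """Sort an inventory into what needs patching now and what is dead weight.

    Returns {"update_now": [plugin dicts, active ones first],
             "inactive": [plugin names]} so a cron job can alert on either list.
    """
    plugins = json.loads(plugin_list_json)
    update_now = [p for p in plugins if p.get("update") == "available"]
    # Active plugins are exposed to visitors, so patch them first; an inactive
    # plugin's files still sit on the server, so it is not off the hook.
    update_now.sort(key=lambda p: (p.get("status") != "active", p["name"]))
    inactive = [p["name"] for p in plugins if p.get("status") == "inactive"]
    return {"update_now": update_now, "inactive": inactive}


def report(result):
    """Render the triage result as the text a cron job would e-mail."""
    lines = []
    for p in result["update_now"]:
        target = p.get("update_version") or "?"
        lines.append(f"UPDATE  {p['name']:<20} {p['version']} -> {target} ({p['status']})")
    for name in result["inactive"]:
        lines.append(f"REMOVE? {name:<20} inactive, code still on disk")
    return "\n".join(lines) if lines else "all plugins current"


if __name__ == "__main__":
    # Usage on the server:  wp plugin list --format=json | python3 plugin_triage.py
    # Exit status 1 when something needs an update, so cron mails the output.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    result = triage(data)
    print(report(result))
    sys.exit(1 if result["update_now"] else 0)
```

Scheduling this daily turns "monitor your plugins" into a message in your inbox on the day a patch ships, which is exactly the window the Cops and Robbers section describes. Deleting the plugins it lists under REMOVE? is the cheaper fix: a plugin that is not installed cannot be exploited.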

Not sure how to get started? Watermelon offers a Security and Performance plan that helps to keep your site updated.

Image by Pete Linforth from Pixabay
