WordPress runs roughly 43% of the public web. That number is also what makes it the most-targeted CMS by automated attack scanners. Most hacked WordPress sites are not the result of a sophisticated, targeted attack. They are the result of an automated scanner finding one of five common weaknesses.
The five things that get sites hacked
1. Out-of-date plugins
This is the cause of most WordPress compromises by a wide margin. A plugin author patches a vulnerability, the patch is published, attackers diff the old and new versions, and within hours they are scanning for sites still running the old one. The fix: update plugins weekly. Not "when you remember." Weekly. A weekly cadence still leaves up to a week of exposure after a disclosure, so for any plugin you are not customising, also turn on WordPress's per-plugin auto-updates from the Plugins screen; the weekly pass then becomes a check that the auto-updates actually happened.
2. Weak admin passwords
Brute-force login attacks are constant background noise on every WordPress site. The successful ones are not because the attacker is clever; they are because the password was "summer2023" or the admin username is "admin." Use a password manager. If an "admin" account exists, create a new administrator with a different username, then delete "admin" and reassign its content (WordPress has no way to disable a username in place). Do not expect much from the rename on its own: usernames leak through the /?author=1 redirect and the /wp-json/wp/v2/users endpoint, so the password and a login-attempt limit carry the real weight. Limit login attempts, on xmlrpc.php as well as wp-login.php, since xmlrpc.php accepts the same credentials.
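The detection side of that point, as an added example that is not part of the original article: a Python script that reads standard combined-format access-log lines (Apache or nginx) and flags addresses hammering wp-login.php or xmlrpc.php with POSTs. The log lines are constructed for the demo, and the 10-attempts-per-60-seconds window and the 200-vs-302 success heuristic are assumptions you would tune for your own site.

```python
"""Added example: flag wp-login.php / xmlrpc.php brute-force bursts in an access log.
Not code from the original article; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Apache/nginx "combined" log format; only ip, timestamp, method, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Both endpoints accept credentials; xmlrpc.php additionally lets a single
# request carry many guesses via system.multicall.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])


def find_bruteforce(lines: List[str], window: int = 60, threshold: int = 10) -> Dict[str, dict]:
    """Flag IPs with >= threshold POSTs to a login endpoint inside any window-second span.

    A failed wp-login.php POST re-renders the form (HTTP 200); a successful one
    redirects to wp-admin (302). A 302 from a flagged IP therefore means the
    guessing probably worked and that account needs a password reset now.
    """
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = parsed
        if method == "POST" and path in LOGIN_PATHS:
            events[ip].append((ts, status))

    flagged: Dict[str, dict] = {}
    for ip, evs in events.items():
        evs.sort()
        peak, j = 0, 0
        # sliding window: for each start i, advance j while still inside the window
        for i in range(len(evs)):
            while j < len(evs) and evs[j][0] - evs[i][0] <= timedelta(seconds=window):
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[ip] = {
                "peak_attempts": peak,
                "total": len(evs),
                "likely_success": any(st == 302 for _, st in evs),
            }
    return flagged


def constructed_log() -> List[str]:
    """Synthetic access-log lines for the demo (no real traffic)."""
    def entry(ip: str, second: int, path: str, status: int) -> str:
        return (f'{ip} - - [10/Oct/2023:13:55:{second:02d} +0000] '
                f'"POST {path} HTTP/1.1" {status} 4218 "-" "Mozilla/5.0"')
    lines = []
    # 12 guesses in 22 seconds from one address; the last one succeeds (302)
    for n in range(12):
        lines.append(entry("203.0.113.5", 2 * n, "/wp-login.php", 302 if n == 11 else 200))
    # 11 multicall POSTs to xmlrpc.php in 11 seconds, all rejected
    for n in range(11):
        lines.append(entry("192.0.2.9", 30 + n, "/xmlrpc.php", 200))
    # one legitimate login from a third address
    lines.append(entry("198.51.100.7", 45, "/wp-login.php", 302))
    lines.append("garbage line the parser must skip")
    return lines


if __name__ == "__main__":
    for ip, info in sorted(find_bruteforce(constructed_log()).items()):
        print(ip, info)
```

Run against a real log with `find_bruteforce(open("/var/log/apache2/access.log").readlines())`; the IPs it returns are what a login-limiting plugin or fail2ban would have blocked, and any entry with `likely_success` set is an incident, not a statistic.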
3. Compromised hosting accounts
If your shared hosting account is compromised at the hosting level (hosting password leaked, hosting support social-engineered, etc.), every site on that account is in trouble. Use 2FA on the hosting control panel. If your host does not offer it, switch hosts.
4. Unmaintained themes
Free copies of premium themes from unofficial sources ("nulled" themes) are a known attack vector: they sometimes ship with back doors built in. Even legitimately purchased premium themes can become unmaintained and stop receiving security patches. If a theme has not been updated in 18+ months, replace it.
5. Wide-open wp-content/uploads
WordPress itself refuses .php files through the media uploader, but the web server does not know that. A vulnerable plugin that writes attacker-supplied files into wp-content/uploads puts a PHP shell exactly where Apache or PHP-FPM will execute it on the next request. Nothing in uploads/ should ever be executed, so enforce that at the web server: a deny rule in a .htaccess file on Apache, or a location block that refuses .php under uploads on nginx (which ignores .htaccess entirely).
The five fixes (in priority order)
- Weekly updates on a schedule, with a rollback plan when an update breaks something. This is the single highest-leverage habit.
- Force strong passwords + 2FA on every admin user. WordPress has plugins for this; pick one and enforce it.
- Monitor file integrity. Wordfence, Sucuri, or any equivalent tool that alerts when files change unexpectedly.
- Off-site backups, verified weekly. Backups that have never been test-restored are not really backups.
- Block PHP execution in uploads. One .htaccess file. Five minutes. Massive risk reduction.
What to do if you cannot do this yourself
Most small business owners cannot realistically do all five every week. Maintenance plans exist for exactly this — the work is not glamorous, but it is the difference between a site that runs for a decade and a site that gets hacked, recovered, hacked again, and abandoned within two years.