How can a WordPress website get hacked?

Do you have a WordPress website and ever wonder how it might get hacked? Worse, perhaps your website has already been hacked, you somehow restored it from the backups you had, and now you want to know the prevention techniques. Before looking at the prevention measures, you must understand how the hacking is done in the first place.

Here is a short video of how the vulnerability will get exploited.

As you can see in the video, the wpscan tool first retrieves important information about the WordPress installation: the core version, the plugins and themes in use, and other details such as the Apache version. Once the hacker has this information and has enumerated the users present in the WordPress installation, the next step is to brute force those accounts against common and weak passwords. With the administrator password in hand it is very easy for the hacker to log in, edit or delete content, and deface the website. If the server is also vulnerable, there is a further chance of getting commands executed at the operating-system level to wipe out the files.
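The enumeration and brute-force pattern described above leaves a recognisable trace in the web server's access log. The following is an added example, not part of the original post: a small detector that reads Apache combined-log lines, flags source IPs that probe `/?author=N` for usernames and then send a burst of failed `wp-login.php` POSTs. The log lines are constructed samples, and the rule that a failed WordPress login re-renders the form with HTTP 200 while a success answers 302 is an assumption about default behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not from any real server).  WordPress re-renders
# the login form with HTTP 200 on a failed login and answers 302 on success; the detector
# treats that behaviour as a given (assumption about default WordPress behaviour).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "scanner"
203.0.113.7 - - [10/Mar/2024:10:00:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "scanner"
198.51.100.4 - - [10/Mar/2024:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:30:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_login_attacks(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"failed_logins": n, "user_enumeration": bool}} for every source IP
    that sent `threshold` or more failed wp-login.php POSTs inside any `window`."""
    failures = defaultdict(list)   # ip -> timestamps of failed login POSTs
    enumerating = set()            # ips that requested /?author=N (username enumeration)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "GET" and "?author=" in m["path"]:
            enumerating.add(m["ip"])
        elif m["method"] == "POST" and m["path"].startswith("/wp-login.php") and m["status"] == "200":
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    report = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):       # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                report[ip] = {"failed_logins": len(times), "user_enumeration": ip in enumerating}
                break
    return report

print(find_login_attacks(SAMPLE_LOG))  # run stand-alone to see the report for the sample
```

A real deployment would feed the live access log and block or rate-limit the flagged addresses at the web server or firewall; the single failed attempt from 198.51.100.4 followed by a 302 is a legitimate user mistyping once and is correctly left alone.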

To summarise, these are the main reasons a WordPress website hack might affect you:

  • You are running an outdated version of WordPress
  • The plugins and themes you are using are outdated
  • Your hosting provider or your server has a vulnerable server configuration, i.e. server hardening has not been done
  • Your users are not using strong passwords
  • You do not take backups of your website

What can you do to stop it?

There are very simple yet powerful measures that you can take care of in little time.

  • Update WordPress as soon as a new stable version is released
  • Update dependent plugins and themes as soon as updates are available
  • Most importantly, take regular backups of your site and its database
  • Install a WordPress security plugin
  • Change the default administrator username from admin to something else
  • Have a strong password policy for your user accounts

The administrator password should be strong: it should contain one or two special characters and a combination of uppercase and lowercase letters along with some numbers.