When we clean up a hacked WordPress site, the first thing we do is figure out how the attacker got in. After doing this many times, a clear pattern emerges. The entry point is almost always one of four things. It is rarely the things that security plugins and guides spend the most words on.
How WordPress Sites Actually Get Compromised
1. Outdated plugins and themes with known vulnerabilities
This is the most common entry point by a significant margin. A plugin has a publicly disclosed vulnerability. A patch is released. The site owner has not updated. Automated bots scan for the vulnerable plugin version and exploit it before the owner has noticed the update notification.
This is entirely preventable. The fix is straightforward: keep plugins and themes updated. The reason it keeps happening is that site owners skip updates after a previous update broke something. That is understandable, but the correct response is to test updates in a staging environment first rather than avoiding them entirely. This is exactly what our WordPress maintenance services handle, with updates tested on staging before being applied to your live site every time.
2. Weak or reused credentials
Here the attacker simply logs in with valid WordPress admin credentials, obtained through phishing, through password reuse from another breached service, or by simple brute force against a site that has not rate-limited login attempts. We see this regularly. The admin email address is often the same one used for dozens of other services. If any of those services have had a data breach, the credentials may already be in circulation.
The practical fixes:
- Enable two-factor authentication on all admin accounts
- Use a strong, unique password for the WordPress admin email address
- Rate-limit login attempts or use a plugin like Limit Login Attempts Reloaded
- Change the default admin username if you are still using it
- Consider moving the login URL away from /wp-admin/ as a light deterrent against automated scanners
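As an added illustration of the rate-limiting item, here is a minimal must-use plugin (example code, not from this article and not the Limit Login Attempts Reloaded plugin it mentions) that counts failed logins per client address in a transient and refuses further attempts for the rest of the window; the 5-attempt / 15-minute thresholds and the `lal_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Thresholds below are assumed values; tune them for your site.
 */

const LAL_MAX_ATTEMPTS = 5;                      // failures allowed per window (assumption)
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS; // counting and lockout window (assumption)

// Transient key derived from the client address. Behind a reverse proxy or CDN,
// REMOTE_ADDR is the proxy's address; only use a forwarded header if your host sets it.
function lal_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lal_fail_' . md5($ip);
}

// Count each failed login within the window and log it for server-side monitoring.
add_action('wp_login_failed', function ($username): void {
    $key   = lal_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, LAL_WINDOW);
    error_log(sprintf('wp-login failure #%d for "%s" from %s',
        $count, (string) $username, $_SERVER['REMOTE_ADDR'] ?? '?'));
});

// Once the threshold is reached, reject authentication before the password is checked.
// Priority 30 runs after WordPress's own username/password and cookie checks.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(lal_key()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error('too_many_attempts', sprintf(
            'Too many failed login attempts. Try again in %d minutes.',
            LAL_WINDOW / MINUTE_IN_SECONDS
        ));
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user): void {
    delete_transient(lal_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so this works on a single server without extra dependencies; a maintained plugin adds IP allowlists, per-username limits, and notification emails that this example leaves out.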
3. Compromised hosting environment
Sometimes the attack did not target WordPress at all. On shared hosting, a vulnerability in another site on the same server can be used to access files on your site. A compromised FTP or cPanel password achieves the same result. We see this less often than plugin vulnerabilities, but when it happens it is harder to identify because the WordPress installation itself is clean — the compromise came from outside it.
The mitigation here is using reputable hosting with good server-level security, not reusing passwords across hosting control panels and FTP accounts, and enabling two-factor authentication on your hosting account login.
4. Abandoned plugins and themes
A plugin that has not been updated in two years is not just missing features — it is potentially sitting on unpatched vulnerabilities. The plugin author may have abandoned it entirely. WordPress will not flag it as insecure unless it has been removed from the repository. You need to review inactive or long-stagnant plugins in your installation and either replace them with maintained alternatives or remove them.
What the Security Plugins Are and Are Not Doing
Security plugins like Wordfence and Sucuri are genuinely useful. They scan for known malware, monitor file changes, block known bad IP addresses, and provide a firewall layer. These are all worth having.
What they cannot do is protect you against zero-day vulnerabilities in plugins you have not updated, prevent credential stuffing attacks where valid credentials from other breaches are tested against your site, or secure a hosting environment that is fundamentally compromised at the server level.
A security plugin is one layer. The other layers are: keeping software updated, using strong unique credentials everywhere, using reputable hosting, and auditing your installed plugins regularly.
After a Compromise: What to Actually Do
If your site has been compromised, the standard advice of running a scan and deleting flagged files is not enough. A thorough cleanup involves:
- Taking the site offline or into maintenance mode immediately
- Taking a full backup of the current state before changing anything
- Identifying and documenting how the attacker got in
- Replacing all WordPress core files with a fresh download
- Replacing all plugin and theme files with fresh downloads from official sources
- Scanning the database for injected content, backdoors, and malicious user accounts
- Rotating all passwords: WordPress admin, database, FTP, hosting panel
- Reviewing and removing any unknown admin users
- Addressing the original entry point before bringing the site back online
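As an added example covering the database-scan and admin-review steps above (not from this article), a small audit script to run through WP-CLI's `eval-file`; the marker list and the 30-day "recently registered" cut-off are assumptions, and every hit is a lead to inspect by hand rather than a verdict.

```php
<?php
/**
 * Post-compromise audit helper (added example; not from the article).
 * Run from the site root with WP-CLI:  wp eval-file audit-compromise.php
 * Legitimate content can contain <script> or <iframe>, so review each hit manually.
 */
global $wpdb;

// Strings that often appear in injected posts or pages (illustrative list, an assumption).
$markers = ['<script', '<iframe', 'eval(', 'base64_decode', 'gzinflate', 'str_rot13'];

// 1. Posts and pages whose content contains one of the markers, with modification dates
//    so a burst of edits around the compromise window stands out.
foreach ($markers as $marker) {
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_title, post_type, post_modified FROM {$wpdb->posts}
         WHERE post_status <> 'trash' AND post_content LIKE %s",
        '%' . $wpdb->esc_like($marker) . '%'
    ));
    foreach ($rows as $row) {
        WP_CLI::log(sprintf('[content] %s #%d "%s" modified %s contains %s',
            $row->post_type, $row->ID, $row->post_title, $row->post_modified, $marker));
    }
}

// 2. Every administrator account with its registration date; accounts nobody
//    recognises are frequently created shortly before or during the compromise.
$cutoff = strtotime('-30 days'); // assumed window for "recently registered"
foreach (get_users(['role' => 'administrator']) as $u) {
    $flag = strtotime($u->user_registered) >= $cutoff ? ' <-- registered recently' : '';
    WP_CLI::log(sprintf('[admin] #%d %s <%s> registered %s%s',
        $u->ID, $u->user_login, $u->user_email, $u->user_registered, $flag));
}

// 3. Options attackers commonly tamper with: the active plugin list and the site URLs.
WP_CLI::log('[options] active_plugins: ' . implode(', ', (array) get_option('active_plugins')));
WP_CLI::log('[options] siteurl=' . get_option('siteurl') . ' home=' . get_option('home'));
```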
The step most people miss is the last one. Cleaning the site without fixing the underlying vulnerability means it will be recompromised within hours. We have seen sites that have been cleaned five times by different parties without anyone addressing the vulnerable plugin that was the entry point each time.
A Practical Security Baseline
If you want to make your WordPress site meaningfully more secure without spending a lot of time or money, these five things will cover the overwhelming majority of attack vectors:
- Enable automatic updates for WordPress core minor versions and security releases
- Update plugins and themes at least once a week and test on staging first
- Enable two-factor authentication on all admin accounts
- Use Wordfence or a similar plugin for file integrity monitoring and a firewall
- Delete plugins you are not using rather than leaving them deactivated
If your site was built with security as an afterthought, our custom WordPress development service builds it properly from the ground up with secure code as the baseline, not a retrofit.
None of that is complicated. Most of it takes less than an hour to set up and then runs without ongoing effort. The sites we clean up most often are not the ones that tried security measures and failed; they are the ones where no one had thought about it at all.

