WordPress Security Mistakes That Get Sites Hacked
I’ll never forget the message I got from one of my clients one afternoon. He said: “The website is not opening.”
When I opened the site myself, my heart dropped a little. It really wasn’t loading. And when I finally got into the backend through cPanel, what I found was worse than I expected: malware spread across almost every folder, strange redirect scripts, spam bots planted in random directories, and files I had absolutely never created myself.
That site took three to four days to fully recover. And the entire situation could have been avoided. Today I want to walk you through exactly what causes WordPress sites to get hacked, based on what I’ve personally seen and fixed: real situations, not theory.
How I Found Out the Site Was Hacked
Looking back, there were warning signs before the actual hack happened. The site had been running slow for weeks. It would go down occasionally; the server just wouldn’t respond. At the time I didn’t connect these signs to a security issue. I just thought it was normal hosting slowness.
Then came the day the site wouldn’t open at all. Front end completely blank. Admin panel showing nothing useful either. That’s when I went into cPanel directly and started checking folders one by one: the wp-admin folder, the content folders, the plugin directories. And that’s where I found it. Files that were clearly not part of any normal WordPress installation. Suspicious code injected into otherwise legitimate files. It was obvious within minutes that this wasn’t a glitch; the site had been hacked.
The Reason This Happened (And It Wasn’t What You’d Expect)
Here’s the part that surprised me: the client’s password was strong. I had set it up properly myself. The real problem was something most people never think about: the hosting.
This client had purchased extremely cheap, low-quality hosting. And cheap hosting often comes with a hidden cost that nobody talks about. To keep prices low, these providers pack thousands of websites onto a single server and barely invest in security patches. The server doesn’t get updated regularly. Vulnerabilities stay open. And eventually, someone finds a way in.
I want to be clear about this because I think it is the most underrated security issue out there: your password can be as strong as you want, but if your hosting provider isn’t maintaining server-level security, your site is still at serious risk.
Common Mistakes That Make Sites Unsafe
Over the years of fixing WordPress sites and managing my own sites, I’ve noticed the same handful of mistakes showing up again and again. Here’s what actually puts a site at risk.
Using admin/admin or weak login credentials
I’ve had several clients come to me whose username was literally “admin” and password was “admin.” Usually this happens because a developer sets it up temporarily during the build process and just forgets to change it before handing the site over to the website owner. This is one of the easiest things for a hacker to guess, and it remains one of the most common mistakes I see.
Ignoring WordPress and plugin updates
In 2017, an old version of WordPress had a vulnerability in its REST API that hackers used to deface thousands of websites. That’s not an isolated case: outdated software is one of the most reliable ways hackers get in. I’ve personally seen client dashboards with over 60 pending updates that hadn’t been touched in months. Every single one of those updates left a door open.
Using nulled or cracked themes and plugins
This one deserves special attention because the danger isn’t always obvious right away. Nulled themes and plugins often have hidden malware and backdoors built directly into their code. They can silently give a hacker access to your website, quietly steal user data, or run spam scripts in the background without you noticing anything different. I’ve heard of countless cases where this exact thing caused a site to get compromised and the site owner had no idea until it was too late.
No protection on the login page
If your WordPress login page has no protection, hackers can run what’s called a brute force attack: repeatedly trying different password combinations until something works. Without any limit on login attempts, this becomes surprisingly easy for automated bots to pull off. Once they get into the admin account, they have full control over your site.
Too many admin accounts
I see this constantly, especially with sites that have changed developers or had multiple people working on them over time. Old developer accounts or former staff accounts often never get removed. Every extra admin account is another potential entry point. If even one of those accounts has a weak password or gets compromised somewhere else, your entire website is at high risk.
No SSL certificate
Without SSL, your website runs on HTTP instead of HTTPS, which means data isn’t encrypted. Login details and user information can potentially be intercepted. Browsers will also flag the site as “Not Secure,” which damages the trust with your visitors immediately.
Incorrect file permissions
I had this happen to me directly once. A file permission was set incorrectly, something like 777, which essentially gave anyone on the server unauthorized write access to that file. Attackers specifically look for writable files like this to upload malicious code. Getting file permissions right is one of those small technical details that has a big security impact.
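One way to catch exactly this mistake before an attacker does is to audit the whole install for entries that grant more than the usual WordPress baseline (755 for directories, 644 for files; stricter modes such as 640 on wp-config.php are fine). The script below is an added example, my own code rather than anything from the original post, and it assumes that baseline and builds its own throwaway demo tree so it can run offline. It reports anything with extra permission bits, marks which of those are world-writable (the 777 case), and the fixer clears only the extra bits so deliberately strict modes are left alone.

```python
import stat
import tempfile
from pathlib import Path

# Baseline modes commonly recommended for WordPress: 755 for directories, 644 for files.
# Stricter modes (for example 640 on wp-config.php) are fine; only extra bits are a problem.
BASELINE_DIR = 0o755
BASELINE_FILE = 0o644


def _baseline(path):
    return BASELINE_DIR if path.is_dir() else BASELINE_FILE


def audit_permissions(root):
    """Return (relative path, octal mode, world_writable) for every entry under root
    that grants more than the baseline, which is what a 777 mistake looks like."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink():
            continue  # a link target may live outside this tree; leave it alone
        mode = stat.S_IMODE(path.lstat().st_mode)
        if mode & ~_baseline(path):
            findings.append((path.relative_to(root).as_posix(),
                             oct(mode), bool(mode & stat.S_IWOTH)))
    return sorted(findings)


def fix_permissions(root):
    """Clear every bit beyond the baseline while keeping modes that are already stricter."""
    root = Path(root)
    for path in root.rglob("*"):
        if path.is_symlink():
            continue
        mode = stat.S_IMODE(path.lstat().st_mode)
        path.chmod(mode & _baseline(path))


def build_demo_tree():
    """Constructed miniature WordPress layout with two deliberately wrong modes."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-demo-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed stand-in\n")
    (uploads / "image.jpg").write_bytes(b"\xff\xd8 constructed")
    (uploads / "notes.txt").write_text("constructed\n")
    (root / "wp-content").chmod(0o755)
    (root / "wp-config.php").chmod(0o640)   # stricter than baseline: acceptable
    (uploads / "image.jpg").chmod(0o644)
    uploads.chmod(0o777)                    # the mistake from the post
    (uploads / "notes.txt").chmod(0o666)    # world-writable file
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, mode, world_writable in audit_permissions(demo):
        print(f"{mode} {'world-writable ' if world_writable else ''}{rel}")
    fix_permissions(demo)
    print("after fix:", audit_permissions(demo))
```

Run it against a real install by passing the WordPress root to `audit_permissions` first and reviewing the list before calling `fix_permissions`; a few plugins legitimately need a writable cache directory, so an entry in the report is a prompt to check, not an automatic verdict. Files owned by the web server user should still not need world-writable bits, because the server already owns them.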
What I Actually Did to Recover the Hacked Site
When I discovered the hack, here’s the exact process I followed, step by step:
First, I checked with the hosting provider. I wanted to rule out a server-wide issue, so I contacted support to ask if their server was down. They confirmed the server was fine the problem was specific to this domain.
Second, I changed the admin password immediately. Even before fully understanding the extent of the damage, locking down access was the priority.
Third, I checked for suspicious user accounts. Sometimes hackers create their own admin accounts to maintain access even after you think you’ve cleaned things up.
Fourth, I ran a malware scan. I did this two ways: manually, going through files folder by folder looking for anything I hadn’t created myself, and also using a WordPress security tool to scan and confirm what I’d already noticed manually. Both methods pointed to the same infected files.
Fifth, I removed every infected file and cross-checked core WordPress files against clean versions.
Finally, I restored from a backup where one was available and fixed all remaining security gaps before bringing the site back online.
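Steps four and five above, finding files that shouldn’t be there and cross-checking core files against clean versions, can be made repeatable. The script below is an added example (my own code, not the original post’s procedure or any plugin’s) that assumes you have a manifest of SHA-256 hashes for a clean install; here the manifest is built from a constructed three-file stand-in for core, and the demo site it builds contains one tampered core file, one extra file dropped into wp-includes, and one plugin file carrying a classic injection pattern. The injected strings decode to the word CONSTRUCTED and do nothing; they exist only so the indicator scan has something to find.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Clean contents of a miniature "core" (constructed stand-ins, not real WordPress files).
CLEAN_CORE = {
    "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    "wp-blog-header.php": "<?php\nrequire __DIR__ . '/wp-load.php';\n",
    "wp-load.php": "<?php\n// constructed stand-in for the real loader\n",
}

# Patterns that legitimate themes and plugins almost never contain (constructed demo list).
INDICATORS = {
    "eval(base64_decode(": re.compile(rb"eval\s*\(\s*base64_decode\s*\("),
    "eval(gzinflate(": re.compile(rb"eval\s*\(\s*gzinflate\s*\("),
    "preg_replace /e": re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
}


def build_manifest(files):
    """relative path -> SHA-256 of the clean content."""
    return {rel: hashlib.sha256(content.encode()).hexdigest() for rel, content in files.items()}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_core(root, manifest, skip_prefixes=("wp-content/",)):
    """Compare the install against the manifest: modified, missing and extra files.
    wp-content is skipped because a clean-core manifest says nothing about it."""
    root = Path(root)
    report = {"modified": [], "missing": [], "extra": []}
    for rel, digest in manifest.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != digest:
            report["modified"].append(rel)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if rel in manifest or rel.startswith(skip_prefixes):
            continue
        report["extra"].append(rel)
    for key in report:
        report[key].sort()
    return report


def scan_indicators(root, suffixes=(".php", ".phtml", ".inc")):
    """Flag PHP-like files anywhere in the tree (plugins and themes included)."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        data = path.read_bytes()
        for name, pattern in INDICATORS.items():
            if pattern.search(data):
                hits.append((path.relative_to(Path(root)).as_posix(), name))
    return sorted(hits)


def build_demo_site():
    """Constructed infected install: one tampered core file, one extra, one bad plugin file."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    for rel, content in CLEAN_CORE.items():
        (root / rel).write_text(content)
    with open(root / "wp-load.php", "a") as handle:           # tampered core file
        handle.write("eval(base64_decode('Q09OU1RSVUNURUQ='));\n")
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "wp-tmp.php").write_text(        # extra file (constructed name)
        "<?php\neval(gzinflate(base64_decode('Q09OU1RSVUNURUQ=')));\n")
    plugin = root / "wp-content" / "plugins" / "demo"
    plugin.mkdir(parents=True)
    (plugin / "demo.php").write_text("<?php\npreg_replace('/.*/e', 'CONSTRUCTED', '');\n")
    (plugin / "readme.txt").write_text("constructed\n")
    return root


if __name__ == "__main__":
    site = build_demo_site()
    print(verify_core(site, build_manifest(CLEAN_CORE)))
    print(scan_indicators(site))
```

For a real site you do not need to build the manifest yourself: WP-CLI’s `wp core verify-checksums` compares the install against the checksums WordPress publishes for each release. The indicator scan is deliberately narrow so that it stays quiet on clean code; treat a hit as a file to read, and treat an unexplained extra file in core as something to remove, exactly as the post describes.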
When I explained all of this to the client, they were genuinely shocked. At first they assumed I had made some mistake, which is a completely understandable reaction when your site goes down. But once I explained that their cheap hosting was missing basic security patches, they understood the real cause wasn’t anything on my end.
What I Set Up After Every Hack Recovery
Fixing the immediate problem isn’t enough. After every hack recovery, I follow the same checklist to make sure the same vulnerability can’t be exploited again:
Change all passwords immediately: admin panel, hosting account, FTP, everything.
Remove old, unused, or outdated plugins and themes that aren’t actively needed.
Update everything that remains to its latest version.
Install a proper security plugin like Wordfence, which works as both a firewall and malware scanner. It automatically blocks suspicious login attempts and detects malicious files before they cause damage.
Enable two-factor authentication (2FA), so even if a password gets leaked somewhere, the hacker still needs a second verification step to get in.
Set up login attempt limits using a plugin like Limit Login Attempts Reloaded. This blocks an IP address temporarily after a few failed password tries, which stops brute force attacks before they get anywhere.
Change the default login URL from the standard /wp-admin or /wp-login to something custom, since hackers automatically target the default path on every WordPress site they find.
Set up regular automated backups, stored somewhere outside the main hosting account.
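The login-attempt limit in the checklist above is simple enough to show end to end. The code below is an added example, my own illustration rather than the Limit Login Attempts Reloaded plugin’s code, and its numbers (4 failures within 15 minutes earn a 20-minute block) are the demo’s own choices, not the plugin’s settings. It replays a constructed sequence of attempts from two addresses and shows the gate refusing a locked address even when the correct password is finally supplied, while a second visitor is unaffected.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Temporary per-IP lockout after repeated failed logins (demo implementation)."""

    def __init__(self, max_failures=4, window=900, lockout=1200, clock=time.monotonic):
        self.max_failures = max_failures   # failures inside `window` that trigger a block
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds the block lasts
        self.clock = clock                 # injectable so the replay below is deterministic
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}             # ip -> time the lockout expires

    def _prune(self, ip, now):
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()

    def is_locked(self, ip):
        now = self.clock()
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                   # lockout expired: start with a clean slate
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        """Register a failed attempt; True if this one pushed the IP into lockout."""
        now = self.clock()
        self._prune(ip, now)
        self.failures[ip].append(now)
        if len(self.failures[ip]) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)


def check_login(limiter, ip, password_ok):
    """Gate a login: a locked IP is refused before the password is even compared."""
    if limiter.is_locked(ip):
        return "locked"
    if password_ok:
        limiter.record_success(ip)
        return "ok"
    return "locked" if limiter.record_failure(ip) else "failed"


# Constructed attempt log: (seconds since start, client IP, password correct?)
EVENTS = [
    (0, "203.0.113.7", False),
    (1, "203.0.113.7", False),
    (2, "203.0.113.7", False),
    (3, "203.0.113.7", False),    # fourth failure inside the window: lockout begins
    (4, "203.0.113.7", True),     # right password, but the address is blocked
    (5, "198.51.100.9", True),    # a different visitor is unaffected
    (1300, "203.0.113.7", True),  # 20-minute block has expired; normal login again
]


def replay(events, max_failures=4, window=900, lockout=1200):
    """Run the limiter over an attempt log and return the decision for each attempt."""
    now = [0]
    limiter = LoginLimiter(max_failures, window, lockout, clock=lambda: now[0])
    decisions = []
    for t, ip, ok in events:
        now[0] = t
        decisions.append((t, ip, check_login(limiter, ip, ok)))
    return decisions


if __name__ == "__main__":
    for t, ip, decision in replay(EVENTS):
        print(f"t={t:>5}s {ip:<14} {decision}")
```

Two details matter in a real deployment. The address must be the genuine client address: if the site sits behind a CDN or reverse proxy, take it from the proxy’s forwarded header only when that proxy is trusted, otherwise one forged header lets an attacker dodge the block or lock out other visitors. And the counters must live in shared storage (the database or an object cache), because a per-process in-memory table like the one above resets whenever PHP workers restart.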
Some Honest Truths About WordPress Security
I want to address a few things I hear constantly from clients and beginners, because the misunderstandings around WordPress security are almost as dangerous as the mistakes themselves.
“My site doesn’t make money, so why would hackers target it?” This is one of the most common and most incorrect assumptions out there. Hackers don’t always want your money directly. Many use compromised sites to host spam links, phishing pages, or to abuse your server resources for their own purposes. A small blog with zero income is just as attractive a target as a large business site, sometimes even more so because the security is usually weaker.
“A security plugin makes my site 100% safe.” I wish this were true, but it isn’t. A security plugin is an important layer of protection, not a complete guarantee. If your plugins and themes are outdated, your password is weak, your hosting is insecure, or you’re running a nulled theme somewhere, a plugin alone won’t stop every possible attack. Security works best as a combination of good habits, not a single tool doing all the work.
“Once I fix a hack, it can never happen again.” Unfortunately, software constantly evolves and new vulnerabilities get discovered all the time. No developer can honestly promise a site will be 100% secure forever. What we can do is reduce the risk as much as possible through regular updates, strong passwords, proper backups, and consistent monitoring.
How Much Time Should You Actually Spend on Security?
For a normal WordPress site, spending two to four hours a month on security maintenance is a reasonable habit. This time should go toward checking for updates, verifying that your backups are actually working, and running a security scan to catch anything unusual early.
If you’re running a business website or anything with real traffic and reputation at stake, this monitoring should happen more frequently. The extra time investment is small compared to what you’d lose recovering from an actual hack.
If Your Site Gets Hacked Tomorrow, Here’s What to Do
Take the site offline temporarily so the damage doesn’t spread further.
Change your admin password and hosting credentials immediately.
Use a malware scanner like Wordfence to identify every infected file.
Restore from a clean backup if one is available, and only bring the site back online once you’re confident it’s fully clean.
The One Security Habit Almost Everyone Ignores
If there’s one thing I’d ask every WordPress site owner to take seriously, it’s backups.
Most people spend all their energy trying to prevent a hack and completely forget to prepare for what happens if one occurs anyway. A clean, recent backup is genuinely the fastest way to recover from any security incident. Without one, you risk losing your entire website and all its data, and that loss is often permanent.
Security isn’t about achieving perfection. It’s about consistently reducing risk through small, regular habits: strong passwords, updated software, trusted plugins, proper hosting, and reliable backups. Get these basics right, and you’ll avoid the vast majority of problems that hackers rely on to get in.
Has your WordPress site ever been hacked, or are you currently worried about your site’s security? Share your situation in the comments; I’m happy to point you in the right direction.
