[WordPress Security Statistics] 4 Major Reasons Why WordPress Sites Get Hacked and How to Prevent it

Powering 34% of all websites on the internet and having a 60.8% market share in the CMS market, WordPress, without a doubt, is the most popular content management system in the world. However, this immense popularity also comes with a cost.

Years by years, WordPress security has always been a burning issue. As to the Sucuri study, among 8,000 infected websites, 74% of them were built on WordPress.  Wordfence also found out that there are up to 90,000 attacks on WordPress sites every minute.

So why is WordPress highly-targeted by hackers?

There are plenty of reasons why WordPress sites get hacked. In this article, we will focus on the 4 major reasons along with actual WordPress hack statistics sifted through various sources. Besides, we also provide some useful advice on how to ensure WordPress security.

Let’s dive in!


Insecure Web Hosting


“41% of WordPress sites get attacked because of the vulnerable hosting platforms.”

Similar to any website, WordPress is hosted on a web host or server. Most WordPress site owners seem not to take serious considerations in choosing web hosting. Commonly, they host their websites on a shared hosting plan as it’s more affordable. This unfortunately turns out to be the lucrative prey for attackers.

Any successful hacking attempt on that shared server can potentially lead to your site’s vulnerability, as hackers can gain access to your site through that hacked site.

Weak Passwords

This is one of the most frequent causes of successful brute force attacks. WP Smackdown proves that 8% of WordPress sites get hacked because of weak passwords.

Surprisingly that even up to this date, people are still using simple-to-guess and common passwords like “123456” or “password” to protect their sites. NordPass has summed up top password usage in 2020 and what they reveal will make you flabbergasted.

Top 10 passwords Numbers of users Time to crack it
123456 2,543,285 Less than a second
123456789 961,435 Less than a second
picture1 371,612 3 Hours
password 360,467 Less than a second
12345678 322,187 Less than a second
111111 230,507 Less than a second
123123 189,327 Less than a second
12345 188,268 Less than a second
1234567890 171,724 Less than a second
senha 167,728 10 Seconds


Their research pointed out that users tend to set easy-to-remember numbers or letter strings as their passwords. Plus, they tend to reuse the same password for multiple accounts because of convenience. What matters the most is the easier-to-remember passwords, the more highly vulnerable they are to be cracked.

Outdated WordPress Versions

An outdated WordPress version is among one of the biggest reasons why a site gets hacked. A study by Sucuri shows that 36,7% of hacked websites have run outdated versions.

New versions will add better-advanced features and fix the vulnerabilities of the old ones. However, some users even disable the self-updating feature. According to WordPress, only 32.2% of WordPress users have updated their sites to the latest version-5.6.

Why do users refuse to bring their sites up to date?

The main excuses are:

  • They tend to delay or forget the update notifications due to their busyness (or laziness).
  • They worry that the update will affect the performance of their sites.

But you know what, sometimes, ignorance costs you a lot. The hack into Reuters blogging platform in 2012 is such a typical lesson.

Reuters forgot to keep the WordPress installation up-to-date giving hackers chances to attack their site. They stuffed numerous false posts on Reuters’ website, including an alleged interview with the Siberian rebel army leader. At that time, Reuters was using version 3.1.1 instead of 3.4.1.

Outdated or Nulled Themes and Plugins

Lots of website owners have experienced attacks due to theme and plugin vulnerabilities. While WordPress instantly updates its core with security patches, that improvement doesn’t apply to its plugins.

According to a statistic of WP Scan, up to 2020, there have been 21,936 WordPress vulnerabilities. Among them, 52% and 11% of WordPress vulnerabilities reported are respectively related to plugins and themes, while WordPress core accounts for the rest.

WordPress vulnerability-by-component pie chart

What’s more, in the Wordfence 2020 WordPress report, Wordfence emphasized that malware from nulled plugins and themes poses a threat to WordPress security. Both WP Scan and Wordfence agree that Cross-site Scripting and SQL Injection are the most popular vulnerability types in WordPress plugins and themes.

See the top 10 most vulnerable themes and plugins listed by Wpwhitesecurity (last updated on October 08th, 2020) and you will be surprised.

Top 10 most vulnerable plugins:
Top 10 most vulnerable plugin chart

In the graph above, Nextgen Gallery, Ninja Forms, and WooCommerce lead the top 3 with more than 20 vulnerabilities. Even a security plugin named  “All In One WP Security & Firewall” shows up in this list, meaning that security plugins can be targeted by hackers as well.

Top 10 most vulnerable themes:
Top 10 most vulnerable theme graph

The attached graph shows that themes don’t cause many vulnerabilities compared to plugins. The highest number of vulnerabilities is five and falls on the Echelon and Traveler theme. That is because themes don’t involve extending functionality as plugins do. They mainly take responsibility for the look and the feel of the WordPress sites.

How to Ensure WordPress Security

From the alarming WordPress security statistics and facts above, we have concluded 5 viable solutions to help you ensure your WordPress security. What you need to do right now is:

  • Invest in your web hostings
  • Create unique passwords
  • Keep your site updated
  • Use WordPress security plugins
  • Avoid using nulled themes and plugins

Invest in Your Web Hostings

You get what you pay for. Opt for reliable web hosting will significantly reduce the likelihood of your site being hacked. High-quality web hosting will not only support the latest version of PHP and MySQL but also provide malware scans and regular backup.

A dedicated server is highly recommended as the most secure hosting option. Of course, it’s quite costly, but it’s super helpful if your site gets high traffic and contains sensitive data.

Stay away from shared hosting solutions. However, if you’re already using a shared hosting plan, switch to VPS hosting.

Create Unique Passwords

Secure passwords are necessary for not only WordPress admin accounts but also web hosting, FTP accounts, and MySQL databases.

To create a strong password, first, you need to avoid using common adjacent numbers or letters, such as “1234567” or “abcdef,” and repetitive characters, including “abc123” or “111111111.”

Along with that, refrain from using the same passwords for different websites. You should come up with a long, complex, and robust password with at least 8 characters for each account.

An ideal password should be mixed between words, numbers, and symbols, for example, !wdf34*de5. Don’t forget to reset your passwords regularly after every 90 days.

Keep Your Site Updated

To avoid being the second Reuters, what you have to do is to update your WordPress site to the latest version. Pay attention to the update notifications in your dashboard.

If you’re afraid the update will break your sites, you should create a backup before running an update and test the update on your staging site.

Use WordPress Security Plugins

Installing WordPress security plugins is the simplest yet most effective solution for protecting your site from any type of attack, including malware.

Opting for a security plugin that allows you to scan for vulnerabilities, enforce strong passwords, block malicious networks, implement a firewall, and so on. There is a wide range of reliable WordPress security plugins in this field, which several big shots are Sucuri, Wordfence, and BlogVault.

Avoid Using Nulled Themes and Plugins

Nulled plugins and themes are the hacked version of the premium ones, which lacks a license-checking feature. Normally, that feature is disabled or removed from these plugins and themes, which leads to potentially malicious malware.

We can’t deny that nulled plugins and themes are tempting, considering they are free and easy to download. However, please take into account this idea: if you use these pirate copies, there are no security fixes, since they won’t have any available updates from their developers.

Therefore, we suggest you download original plugins or themes from trusted websites or invest your money in premium ones. Think about them in the long run, you can both secure your site and receive new features or further support in security fixes.


This article has walked you through 4 major reasons why WordPress gets hacked with actual figures. The provided WordPress hack statistics aim to highlight how important to tighten your WordPress security.

We’ve also put forward useful advice on how to prevent WordPress from potential attacks. “Precaution is better than cure.” You should pay special attention to choosing your web hosting, updating your WordPress core, plugins, and themes, as well as creating strong passwords.

Are there any WordPress hack statistics that you hope we share in this article but we missed out on? Have you had any experience with website exploitation? Feel free to share with us in the comment section below!