No one likes having to deal with their website getting hacked. In the WordPress community alone, over 500 websites are hacked each day! It still happens, even if you think you're covered because you ran the WordPress updates last month and the security plugins you use haven't turned up anything. Most hacks occur at random. You’d have to piss off some hackers for it to become personal, and you’d more than likely know it was personal even if the hacker doesn’t tag their work.
So, what are the reasons why some WordPress plugins and themes get hacked, if you’re not targeted?
2 Huge Reasons Why Some WordPress Plugins and Themes Get Hacked
- You didn’t update your plugin or theme as recently as you thought you did.
- The plugin or theme became vulnerable to being hacked.
You didn’t update your plugin or theme as recently as you thought you did.
Plugin and theme developers in the WordPress community don’t necessarily coordinate a specific time to collectively update code. This can happen at any time, and just means that you could have updates for a few plugins or your WordPress theme one day of the week, and then a couple days later, see updates for your other plugins or a theme. Some will be updated frequently, and others once in a while.
Malware waits for no one. In fact, over 61% of websites are hacked due to lack of updating.
It seems like a pain to keep on top of updates, and for the most part, WordPress has given you the ability to allow automatic updates. However, allowing automatic updates can be a risk, since something could go wrong during an update. Your server might glitch, or the update process could get held up and cause the site to show some type of error.
That being said, updates are super important for your website’s security, and you should try to keep on top of them. It is possible, though, that a plugin had a security patch released right after you already did your updates for the week, and you left the new updates on hold for a few days. It’s during that window that the site could be vulnerable.
In this case, just make sure your security plugin scans daily and sends you a report via email. Some security plugins will let you know if a plugin or theme has an update available.
The plugin or theme became vulnerable to being hacked.
Hackers are always experimenting with new ways to break into a site and make it do things it was never meant to do. WordPress isn’t the only content management system out there that faces security issues, but most of the popular plugins and themes in the community are updated regularly to close those holes. Drupal, Joomla, and other platforms have experienced similar security exploits.
Is WordPress secure?
As long as you keep your plugins, theme, and WordPress core files updated, and also use strong passwords (for WordPress, FTP/SFTP, email, and your web host), WordPress itself is secure. It’s what you add to WordPress that could possibly make it not so secure.
For example, some plugins, like file manager plugins or htaccess file plugins, may open up your hosting to malicious code or unexpected file uploads. A file manager plugin allows you to upload or edit files without needing to log into your web host or use FTP (File Transfer Protocol). An htaccess (.htaccess) file allows you to add code to redirect URLs or grant permissions to access specific parts of the website or the server’s features (like turning on gzip compression or optimizing your website to load faster).
These types of plugins, if left activated after you use them, may actually open a hole for a hacker who has already gotten into your site through a weak password. While it’s best not to use them at all, if you do, make sure to deactivate and remove them as soon as you’ve finished using a WordPress file manager plugin or a WordPress htaccess plugin.
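The two points above (updates left waiting, and use-once plugins left active) are both things you can check mechanically rather than by eyeballing the plugins screen. The script below is an added example, not code from this article: it takes the JSON that WP-CLI prints for `wp plugin list --format=json` (the field names `name`, `status`, `update` and `version` are my understanding of WP-CLI's output and should be treated as an assumption) and reports anything with an update pending plus anything on a "use it, then remove it" watchlist that is still installed or active. The plugin slugs and versions in the sample are constructed for the demo; the watchlist would hold the real slugs of your file manager / htaccess plugins.

```python
import json
import sys

# Constructed sample in the shape of `wp plugin list --format=json` output.
# Field names are assumed to match WP-CLI; the slugs and versions are made up.
SAMPLE_PLUGIN_JSON = """
[
  {"name": "example-seo",          "status": "active",   "update": "none",      "version": "4.2.1"},
  {"name": "example-contact-form", "status": "active",   "update": "available", "version": "1.9.0"},
  {"name": "demo-file-manager",    "status": "active",   "update": "none",      "version": "6.1.0"},
  {"name": "demo-htaccess-editor", "status": "inactive", "update": "available", "version": "2.0.3"}
]
"""

# Hypothetical watchlist of plugins that should only be active while you are
# actually using them. Replace with the real slugs from your own site.
USE_THEN_REMOVE = {"demo-file-manager", "demo-htaccess-editor"}


def pending_updates(items):
    """Names of plugins/themes that still have an update waiting to be applied."""
    return sorted(i["name"] for i in items if i.get("update") == "available")


def risky_active(items, watchlist=USE_THEN_REMOVE):
    """Watchlisted plugins that are still active and should be deactivated."""
    return sorted(i["name"] for i in items
                  if i["name"] in watchlist and i.get("status") == "active")


def risky_installed(items, watchlist=USE_THEN_REMOVE):
    """Watchlisted plugins that are installed at all; inactive plugin code is
    still on disk and can still be reached by some attacks, so delete it."""
    return sorted(i["name"] for i in items if i["name"] in watchlist)


def audit(raw_json, watchlist=USE_THEN_REMOVE):
    """Run all three checks over raw WP-CLI JSON and return them as one report."""
    items = json.loads(raw_json)
    return {
        "pending_updates": pending_updates(items),
        "risky_active": risky_active(items, watchlist),
        "risky_installed": risky_installed(items, watchlist),
    }


if __name__ == "__main__":
    # Real use: wp plugin list --format=json | python3 audit.py
    raw = sys.stdin.read().strip() if not sys.stdin.isatty() else ""
    report = audit(raw or SAMPLE_PLUGIN_JSON)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or 'none'}")
```

The same script works on `wp theme list --format=json`, since the theme listing carries the same columns. Running it from cron and mailing the output gives you the daily "is anything waiting?" report the article recommends, independent of whichever security plugin you use.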
Why didn’t your WordPress security plugin turn up anything in the scan?
Unfortunately, WordPress security plugins can sometimes fail to find a hack. It may be because the hack is new, or because the scanner isn’t programmed to look for that specific type of malicious code. Some hacks are nothing more than links added to your posts and pages. Others are a script that redirects the website to another one.
If your site isn’t behaving as expected, and your WordPress security plugin doesn’t seem to turn up anything in its scan, you can try others like VirusTotal, Sucuri SiteCheck, and Quttera Online Website Malware Scanner. Additionally, if you’ve submitted your website to Google Search Console, you may receive an email letting you know if there’s malicious code or SEO spam links.
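When the file scanner comes up empty, the injection is often sitting in the database rather than on disk: a hidden spam link or a redirect script pasted into `post_content`. The script below is an added example and not part of this article or of any of the scanners named above. It parses post HTML and flags hidden links, externally hosted scripts, inline scripts that set `location`, and meta-refresh redirects. The posts and domains in the sample are constructed for the demo; `OUR_DOMAINS` is an assumed list of the hostnames that legitimately serve your own scripts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample post content: one clean post and two carrying the kinds of
# injections the article describes. All domains here are made up.
SAMPLE_POSTS = {
    "clean-post": '<p>Welcome to our site.</p><a href="https://example.com/about">About</a>',
    "spam-link-post": ('<p>Great article.</p><div style="display:none">'
                       '<a href="http://cheap-pills.invalid/buy">buy now</a></div>'),
    "redirect-post": '<p>Hi</p><script>window.location.href="http://evil.invalid/landing";</script>',
}
OUR_DOMAINS = {"example.com"}  # assumed: hosts allowed to serve our own scripts

# Elements that never get a closing tag, so they must not be pushed on the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col",
        "embed", "source", "track", "wbr"}
REDIRECT_RE = re.compile(r"(window\.location|document\.location|location\.(href|replace))", re.I)


class _Collector(HTMLParser):
    """Walk the HTML once and collect links, scripts and meta refreshes."""

    def __init__(self):
        super().__init__()
        self.links = []            # (href, inside_hidden_element)
        self.inline_scripts = []   # bodies of <script> without src
        self.script_srcs = []      # src of external scripts
        self.meta_refresh = []     # content attr of <meta http-equiv="refresh">
        self._stack = []           # one bool per open element: is it hidden?
        self._in_script = False

    def _hidden(self):
        return any(self._stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], hidden or self._hidden()))
        elif tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_script = True
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")
        if tag not in VOID:
            self._stack.append(hidden)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        if self._stack:
            self._stack.pop()

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw data, which is what we want.
        if self._in_script:
            self.inline_scripts.append(data)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def scan_html(html, own_domains=OUR_DOMAINS):
    """Return (indicator, detail) findings for one piece of post content."""
    c = _Collector()
    c.feed(html)
    findings = []
    findings += [("hidden-link", href) for href, hidden in c.links if hidden]
    findings += [("external-script", src) for src in c.script_srcs
                 if _host(src) not in own_domains]
    findings += [("redirect-script", body.strip()[:80]) for body in c.inline_scripts
                 if REDIRECT_RE.search(body)]
    findings += [("meta-refresh", content) for content in c.meta_refresh]
    return findings


def scan_posts(posts, own_domains=OUR_DOMAINS):
    """Map post id -> findings, keeping only posts where something was flagged."""
    return {pid: f for pid, html in posts.items() if (f := scan_html(html, own_domains))}


if __name__ == "__main__":
    for pid, findings in scan_posts(SAMPLE_POSTS).items():
        for indicator, detail in findings:
            print(f"{pid}: {indicator} -> {detail}")
```

In real use, feed it `post_content` pulled from the database (a SQL dump or WP-CLI export) rather than the rendered page, so that a plugin or theme cannot strip the injection before you see it. Every finding is a lead to review by hand, not proof of compromise; hidden links in particular turn up in legitimate themes, so compare against a known-good backup before deleting anything.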
Before you make any updates, hopefully you made a backup of WordPress prior to the hack. In some cases, you can restore the clean files from that backup over the hacked ones and then apply the necessary updates to prevent your site from being hacked again.
So, hopefully this article helps you understand a couple of the main reasons why some WordPress plugins and themes get hacked. If you’ve been hacked and don’t know what to look for, I do clean hacked WordPress sites.