How Did My WordPress Site Get Hacked? The Usual Suspects
By Glenn Lyvers · Updated · 6 min read
Most WordPress sites get hacked through an outdated plugin or theme with a publicly known security hole. Stolen or guessed passwords come second. Behind those two sit the pirated "premium" themes with malware baked in, compromised hosting accounts, and forgotten old WordPress installs rotting quietly on the same server. It is almost never a person targeting you. It's automated software scanning millions of sites for one specific weakness, and yours happened to have it.
"How did this happen?" is the first question every client asks me, usually with a note of guilt in it, as if they'd left the stove on. So let me say this up front: you didn't do anything shameful. You missed an update, or reused a password, like nearly everyone does. I've cleaned sites for developers, agencies, even an IT security instructor. This stuff is nobody's moral failing.
The short answer: probably a plugin
When a security hole is discovered in a popular plugin, two clocks start ticking. One is the developer releasing a fix. The other is attackers building a bot that finds every site still running the broken version. That second clock runs fast; working exploits often circulate within days of a disclosure, sometimes hours.
The bots don't care that your site is a small bakery in Ohio. They query search engines and scan IP ranges for the fingerprint of the vulnerable plugin, and they hit everything that matches. If your slider plugin had a hole and you were three updates behind, that's the whole mystery. On the majority of the cleanups I do, the timeline in the logs points at exactly this.
Themes work the same way, with one extra wrinkle: people deactivate old themes but don't delete them, and a vulnerable file can be reachable even in a theme you stopped using years ago.
Stolen passwords are the quiet second place
The second most common entry I see is simpler: someone logged in as you. Maybe the password was Summer2019! and a bot guessed it. More often the password was decent but reused, and it leaked from some unrelated service years ago. Attackers feed those leaked email-and-password lists into login bots and try them everywhere, a technique called credential stuffing. WordPress login pages, hosting dashboards, FTP accounts, all of it.
The tell in the logs is that there's no exploit at all. Just a normal login, from an IP in a country you've never visited, followed by a plugin upload. When I see that pattern, the cleanup conversation includes a password manager and two-factor authentication, because no amount of file cleaning fixes a password the attacker already owns. My security best practices guide covers what sensible login hygiene looks like.
The free premium theme that wasn't free
Nulled themes and plugins, the pirated copies of paid products passed around on sketchy download sites, deserve their own paragraph because the infection method is so tidy: you installed the malware yourself. Nobody had to break in. A large share of nulled software ships with a backdoor already inside, waiting to phone home after activation.
I don't say this to scold anyone. I say it because when a client tells me the trouble started a couple of weeks after they installed a free copy of a $60 theme, I already know where to look, and I'm rarely wrong.
Sometimes it's your hosting account, not your website
WordPress gets blamed for a lot of break-ins that happened one level up. If an attacker gets your cPanel or FTP credentials, they can drop files into your site without ever touching a WordPress vulnerability. Cheap shared hosting adds another wrinkle: if the server is configured badly and a neighbor's account gets compromised, infections can occasionally spread sideways.
And then there's my personal favorite, the forgotten install. The /old/ or /test/ or /backup2019/ folder holding a WordPress copy nobody has updated since it was abandoned. It's still reachable from the internet, it's years out of date, and once it's compromised the attacker can usually reach everything else in the account. I find one of these on a remarkable number of cleanups. If you have old installs lying around, deleting them is the cheapest security win you'll ever get.
What it almost never is
Worth a quick word, because worried owners spend energy on the wrong suspects. It's almost never your hosting company getting "hacked" at the datacenter level; genuine host-wide breaches happen, but they're rare and make the news. It's almost never a competitor paying someone to take you down; that's a movie plot, not a Tuesday. And it's almost never your phone or your home Wi-Fi, though an infected personal computer can absolutely leak your saved passwords, which is the kernel of truth in that worry.
I bring this up because the boring explanation is the actionable one. You can't do much about imagined datacenter espionage. You can update a plugin and stop reusing a password today.
Can you find out exactly how it happened?
Often, yes, and it's worth doing, because a cleanup that doesn't answer this question is a cleanup that gets repeated. The method is unglamorous: find the earliest malicious file on the site, note its timestamp, then read the server access logs from that window. A POST request to some plugin file you've never heard of, seconds before the first bad file appeared, is about as close to a signed confession as this work gets.
The catch is that logs don't live forever. Many hosts keep them for days, not months, which is why I tell everyone: preserve the logs on day one, before anything else. My hack detection and indicators guide lists what evidence to grab and where it hides. If the logs are already gone, we can still make a strong educated guess from the malware's location and style, but "strong guess" is the honest ceiling.
What to do with the answer
Knowing the entry point changes the fix. A plugin exploit means updating or replacing the plugin and checking for backdoors left behind. A stolen password means rotating every credential and adding two-factor. A nulled theme means removing it entirely, no exceptions. A hosting-level breach means the host gets involved too.
If your site is currently hacked and you want the whole thing handled, that's literally my day job. My malware removal service is US-based and done by hand, and part of every cleanup is establishing how the attacker got in and closing that specific door. You can get started here, or run my free scanner first if you're still in the "is it really hacked?" stage. Either way, the answer to "how did this happen" is almost always more boring, and more fixable, than it feels right now.
Common questions
Was my website targeted personally?
Almost certainly not. The overwhelming majority of WordPress hacks are carried out by automated bots scanning huge numbers of sites for one known vulnerability or trying leaked passwords. The bot doesn't know or care what your site is about. Genuinely targeted attacks exist, but they're rare and usually aimed at large or high-profile organizations.
Which WordPress plugins get hacked the most?
There's no permanent list; it changes as new vulnerabilities are disclosed. Historically, the worst incidents have involved very popular plugins like sliders, form builders, page builders, and file managers, simply because millions of sites run them. The pattern that matters isn't which plugin, it's any plugin that's out of date after a security fix has been published.
Does changing my password get the hacker out?
It closes one door, and you should absolutely do it, but it's not the whole fix. If the attacker already planted a backdoor file on your site, they can get back in without any password at all. A real cleanup rotates every credential and finds the backdoors and the original entry point. Password changes alone are why so many sites get reinfected.
Can my web host tell me how I got hacked?
Sometimes. Hosts can usually provide a malware scan report and, more usefully, the raw access logs, but they rarely do the detective work of connecting the two. Ask for the full file list and the logs as early as you can, because many hosts delete logs after a short retention window, and those logs are the best evidence of the entry point.
If I update everything now, does that fix the hack?
No. Updates close the hole so it can't be used again, but they don't remove whatever the attacker already installed. Malware, backdoors, and rogue admin users all survive an update. Think of it as fixing the broken lock while the burglar is still in the house. Update as part of the cleanup, not instead of one.
How do hackers find vulnerable websites in the first place?
Mostly with scanners. Attackers use automated tools and search-engine queries that fingerprint sites running a specific plugin, theme, or WordPress version with a known flaw, then work through the list of matches. That's why an obscure small site gets hacked the same week as thousands of others: they were all on the same list.