Updates on CyberSecurity, WordPress and what we're cooking in the lab today.

How Attackers Gain Access to WordPress Sites

This entry was posted in General Security, Learning, Research on March 23, 2016 by Dan Moen   78 Replies   

On this blog we write a lot about different vulnerabilities that could lead to site compromise. In our Learning Center we go deep on a myriad of important topics related to WordPress security. Our handy checklist, for example, includes 42 items you really should be paying attention to. But surely not all 42 items are equally important, right? In today’s post we dive into some very interesting data we gathered a couple of weeks ago in a survey, letting the facts tell us what matters most.

The question we asked in the survey was:

If you know how your site was compromised please describe how the attackers gained access.

The answers were free form text, so we manually categorized the answers. If the respondent expressed any doubt in their answer, we categorized them as uncertain.

Most Site Owners Don’t Know

Of the 1,032 survey respondents who answered this question, 61.5% didn’t know how the Attacker compromised their website. That is a not a huge surprise given that the large majority of respondents cleaned their sites themselves, but it is troubling. It is impossible to be confident that you have cleaned your site completely or that the vulnerability doesn’t still exist without knowing how the site was compromised in the first place.

For the site owners who did figure out how the attackers entered, here is what the breakdown looks like:


In the balance of this post we’re going to focus primarily on the top two risks. Because if you can protect yourself against plugin vulnerabilities and brute force attacks, you are accounting for over 70% of the problem.

Plugins Are Your Biggest Risk

Plugins play a big part in making WordPress as popular as it is today. As of this writing there are 43,719 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. But you obviously need to be careful with them, as plugin vulnerabilities represented 55.9% of the known entry points reported by respondents.

Some tips for avoiding plugin vulnerabilities:

Keep them updated

Reputable plugin authors fix vulnerabilities very quickly when discovered. By keeping them up to date you insure that you benefit from fixes before attackers can exploit them. We recommend that you check for updates at least weekly. In addition we recommend that you pay attention to the alerts generated by Wordfence scans. Wordfence alerts you when your plugins need to be updated.

Don’t use abandoned plugins

You are relying on the plugin developer to insure that their code is free of vulnerabilities. If they are no longer providing updates there is a high likelihood that there are vulnerabilities that have not been fixed. We recommend avoiding plugins that have not been updated in over 6 months. For plugins you have already installed we recommend you conduct an audit at least quarterly to make sure none of your plugins have been abandoned by their authors.

Only download plugins from reputable sites
If you are going to download plugins somewhere other than the official WordPress repository, you need to make sure the website is reputable. One of the easiest ways for attackers to compromise your website is to trick you into loading malware yourself. An attacker will do this by setting up a website that looks legitimate and getting you to download a compromised or ‘nulled’ plugin.

Use these tips to help determine whether a site is a reputable source or not:

  • Eye Test – Is the site itself professionally designed and uses clear language to describe the product? Or does it look like it was thrown together quickly by a single individual?
  • Company Information – Does the site belong to a company with the company name in the footer?
  • TOS and Privacy Policy – Do they have terms of service and a privacy policy?
  • Contact Info – Do they provide a physical contact address on the contact page or in their terms of service?
  • Domain Search – Google the domain name in quotes e.g. “example.com“. Do you find any reports of malicious activity. Add the word ‘theme’ or ‘plugin’ next to the quoted domain name in your search and see what that reveals.
  • Name Search – Do a Google search for the name of the plugin and see if any malicious activity is reported. Add the phrase “malware” or “spyware” to the search which may reveal forums discussing a malicious version of the theme being distributed.
  • Vulnerability Search – Do a search for the theme or plugin name or the vendor name and include the word “vulnerability”. This will help you find out if any vulnerabilities have been reported for the product you’re interested in or for the vendor. If they have fixed the vulnerability in a timely manner, that usually indicates they are a responsible vendor who is actively maintaining their product when problems arise.

Brute Force Attacks Are Still A Big Problem

A brute force attack is a password guessing attack. The attacker needs to both identify a valid username on your website and then guess the password for that username. Despite the availability of methods and technology that are 100% effective, this type of attack is still a huge problem, representing 16.1% of known entry points in our survey.

Some tips for avoid a hack via brute force attack:

Use Cellphone Sign-in

Also referred to as two factor authentication, this approach requires the user to not only know their password, but to have possession of their cell phone as well. This technology is 100% effective in preventing brute force attacks. Wordfence premium includes this feature today.

Don’t Use Obvious Usernames

The most obvious usernames to avoid are ‘Admin’ and ‘Administrator’, they are the most common usernames attempted in brute force attacks. Also avoid using your domain name, company name and the names of people who are writing for your blog or are listed elsewhere on your website.

Enable Login Security in Wordfence

The free version of Wordfence provides a long list of login security features. By making sure they are enabled, you benefit from the following features:

  • Enforce strong passwords
  • Locking users out after a defined number of login failures
  • Locking out users after a number of forgot password attempts
  • Locking out invalid usernames
  • Preventing WordPress from revealing valid usernames in login errors
  • Preventing username discovery through author scans
  • Immediate blocking of IPs that try to sign in as a defined list of usernames.

Other Steps to Secure your Site

Keeping everything up-to-date is key. There are no serious known vulnerabilities in the current version of WordPress core. There are however, a large number of known vulnerabilities in older WordPress versions. So keeping WordPress core up-to-date is very important. The WordPress team responds quickly when an issue is reported and so should you.

Many of our respondents indicated that their hosting account was compromised in some way. Make sure that you have a strong password policy for your CPanel account and any other server or hosting related accounts. Also ensure that you remove any applications on your server, like phpmyadmin, that aren’t absolutely necessary. If you don’t, you will have to maintain them too and ensure they’re updated and secure. Each application is another endpoint that can be attacked. The less you have to protect, the lower your risk.

Secure your workstation by keeping your operating system and applications up-to-date. Running an old vulnerable web browser, or an old version of Flash or Adobe reader can make you vulnerable to phishing attacks that can compromise your workstation. Once you workstation is compromised, an attacker can easily install a keyboard logger to capture usernames and passwords. They will gain access to much more than your WordPress website.

Store passwords securely. Do not store them in plaintext in a document online that may be compromised. You can use a product like 1Password which provides an encrypted ‘vault’ to store your passwords in.

Finally, as we’ve said before, delete any old data you don’t need from your website. This includes backup files you don’t need, log files, applications you don’t use or anything else you don’t need on your site. Old data is one more possible entry point that needs to be protected and if you can remove it, you reduce risk.


WordPress security is a battle fought on many fronts, as evidenced by the 42 items on our checklist and the depth and breadth of subjects in our ever evolving Learning Center. But knowledge is power, and this survey data allows us to focus on what matters most. We hope that you take the opportunity to make improvements in how you select and manage plugins on your website. We also hope that you review your approach to brute force attack protection. Small investments in these areas will pay big security dividends. Stay safe!

Did you enjoy this post? Share it!

Your rating:

78 Comments on "How Attackers Gain Access to WordPress Sites"

Jacob March 23, 2016 at 9:47 am • Reply

Thanks as usual for the informative articles! The main problem with plugins/themes is the general low quality of the developers, which is a pity since WordPress powers about 20% of all the websites in the world.

mark March 23, 2016 at 9:54 am • Reply

25%. I'd say that the top plugins have some very talented developers. I think the long tail is a bigger concern and it's worth looking at each plugin individually because there are some really great devs who do an awesome job of maintaining their product, and then as with anything, some not so much.

vinod March 23, 2016 at 9:50 am • Reply

I use your plugin . no problem. it thwarted my hack attempts. but many plugins are not updated. mainly because author has no motivation because of lack of revenue?

Mark March 24, 2016 at 1:28 pm • Reply

Yes, that's the problem -- plugin owners do all this for free (for the most part) so what's their motivation. That's why I always opt for paid plugins when I can. People who whine about low plugin fees and want everything for free shouldn't own websites.

yozz March 23, 2016 at 9:53 am • Reply


Marcelo March 23, 2016 at 9:55 am • Reply

Excellent article, thanks. It would be great to have a feature on wordfence alerting for possibly abandoned plugins periodically.

mark March 23, 2016 at 9:56 am • Reply

Thanks Marcelo, we're considering it.

Michael March 23, 2016 at 9:55 am • Reply

The advice not to use abandoned plug-ins is excellent. I'd go further: before downloading a plug-in check how many versions there have been and how responsive the team are to support requests.

Even apart from the security issue, it can be very time-consuming trying to deal with issues for plug-ins whose developers have moved on.

David Wilks March 23, 2016 at 4:31 pm • Reply

I absolutely agree, Michael. Developer responsiveness is a key determination and that is reflected both in the number of updates/versions and also answered support requests.

However, there are some plugins where the 'Pro' version is fully supported while the 'freemium' version is not. I will always pay for the pro/premium version of a plugin if it is available. I also believe strongly in supporting the 'free' plugin developers in order to encourage future maintenance and development. Even $2 makes a difference when it is multiplied a thousand times.

Godson March 23, 2016 at 9:59 am • Reply

Thanks for putting up this tips. I totally agree with you, before hacker gain access to your website they first run check to see if there are outdated plugins. From there they can enforce penetration hack.

It is advised to keep your plugin updated and deactivated the unused one. As the writer said, having fewer plugins also decrease the chance of your site being hacked.

Isby March 23, 2016 at 10:03 am • Reply

What about deactivated plugins? Are they still a threat?

mark March 23, 2016 at 10:05 am • Reply

Absolutely. Many vulnerabilities and their exploits target individual PHP files that are included with a plugin. If you deactivate a plugin, it's PHP files are still accessible via the web and are therefore still exploitable. You must remove all deactivated plugins as standard operating procedure.

Chris March 23, 2016 at 10:56 am • Reply

I'm guessing that the vulnerability to deactived plugins lies in part to the fact that the plugin itself is still present in a subdirectory with a known path?

I'm wondering whether some functionality that would CHANGE the name of the plugin directory upon deactivation (perhaps to a random string - like /wp-content/plugins/my-plugin/plugin.php, changed to /wp-content/plugins/e54g587$2/plugin.php) would provide some level of protection? Does such a functionality exist out there?

There are many cases where I de-activate occassionally-used plugins (like a database search-and-replace, or a broken link detector) to reduce server load, but I do not want to actually delete the plugin. Of course I can manually change the plugin directory name as described above but it sure would be handy for that to be done automatically - in a secure way of course :-)

mark March 23, 2016 at 11:09 am • Reply

Hi Chris,

That's an interesting idea. Another method would be for WordPress core to add a .htaccess rule (and/or file) that blocks access to that directory until the plugin is reenabled. I actually think that's such a great idea that you should propose it to the WordPress core team. We could certainly add that functionality too. I'll share the idea with our team.


Chris March 23, 2016 at 11:19 am • Reply

Thinking on it and reading a few threads out there on the topic of changing the name of a plugin directory, I'm guessing that one potential problem would be in monitoring and automatically updating deactivated plugins. Maybe that's just a URL re-mapping issue so that internally WP (and WordFence) would still know where those installed plugins are, but the location would be obsfucated to anyone outside.

I'll drop a note to the WP team for them to consider. In the meantime if WF blazed the trail that would be awesome!

mark March 23, 2016 at 12:49 pm • Reply

Thanks Chris, have shared with the team.

Steven Hong March 23, 2016 at 11:38 am • Reply

How about changing the name of the wp-content directory itself? If that were renamed, then direct access would be gone. Perhaps this could be a feature of WP itself, renaming wp-admin, wp-content, wp-includes.

mark March 23, 2016 at 12:48 pm • Reply

Thanks Steven. In general we try to avoid 'security through obscurity' and are focusing on blocking attacks even if they target the correct directory name, username, correct login page and so on. That way we don't risk breaking site functionality and can keep sites secure.

Chris March 23, 2016 at 11:39 am • Reply

Submitted to WP:

Chris March 24, 2016 at 5:01 pm • Reply

Sadly, the reaction over at WP.org was that this was a pretty silly idea.

I certainly "get" that changing the directories of working parts of the WP installation is perilous, since much of the code and certainly plugin code assumes that things will be in specific known locations.

Other than trying to allow for disabled plugins to continue to be scanned for available updates (and then updated without re-activating), obfucating the directory of a disabled plugin would not break the WP install since by definition the disabled plugin would not be operational.

The idea is simply to address the potential for a security hole left by operators who mistakenly assume that simply deactivating a vulnerable plugin eliminates the vulnerability. The proposed obsfucation would be automating what can certainly be done manually by directly accessing the WP directories via FTP or hosting control panel.

Viktor Vedmak October 14, 2016 at 2:15 am • Reply

But it is a silly idea. There is already data that changing login page address does not deter people. Changing plugin location directory is no different. There was a plugin I tried while back, Hide WP or something, and it did not reduce number of brute force attempts I get at all, but it did conflict with and break functionality of large number of other plugins I was trying to use alongside it.

Bas March 23, 2016 at 10:09 am • Reply

Honest question as I don't know much about these things. How can they hack your website with a plugin? I mean how can a plugin that creates slides on your website be at risk?

mark March 23, 2016 at 10:15 am • Reply

Hi Bas,

When you install a plugin, you are adding new PHP code to your website. That means that, in a way, you're adding a new application to your site. The plugin integrates tightly with WordPress and is useless without it, but adding all that new code adds new logic to your site that an attacker can use to fool your site into giving them access they shouldn't have. Sometimes the attacker does this by accessing WordPress directly and using the new logic the plugin added to trick WordPress into giving them access to the site. Other times, the attacker will access individual plugin files directly which execute on their own and can be tricked into giving them access they shouldn't have.

Hope that helps.


Alastair March 24, 2016 at 8:53 am • Reply

If a plugin contains functionality that permits the uploading of files (e.g. a contact form with an "upload file" field, or a slider form that allows image uploads) and a hacker can trigger it into uploading a php file for example, that opens the door for them to run their code on your server without your knowledge. If that uploaded php file can access your wp-config.php, it can "dial home" with your database settings and provide a hacker with further useful information to help them compromise your server without your knowledge.

Graham Armfield March 23, 2016 at 10:14 am • Reply

Great article - as always.

One question that the stats beg - is how a site owner would know how the hacker got in. Maybe a future article could feature the tell-tale signs of how the hacker might have gained entry - the broken glass on the floor by the back door if you will.

mark March 23, 2016 at 10:18 am • Reply

Thanks Graham, interesting idea. I'll let the team know. In some cases our respondents cleaned their own site and figured that out. In others, they used a site cleaning service and got the data from then on how the intrusion occurred. We excluded a lot of responses (I think we mention this) where they either don't know or their response makes it clear they're unsure.

Fred March 23, 2016 at 11:09 am • Reply

In the case of two WP sites I've managed and supported, I found out that they'd been hacked by messages from both the hosting company and Google (I'm signed up to Google Webmaster Tools) that the site was sending out shedloads of spam. On another site, although the desktop version was fine, the mobile version was hacked into redirecting users to a porn site!

Since installing Wordfence on sites, incidences of hacking have been few and far between, and detected very quickly by WF flagging up dodgy files which, when looked at in a text editor, were full of base64 code which was a giveaway.

Robert March 23, 2016 at 4:09 pm • Reply

Hi Fred,

I had the same. "On another site, although the desktop version was fine, the mobile version was hacked into redirecting users to a porn site!" the problem was that this was not detected by my monitoring tools as this checked the desktop version of my websites.

So it took a while to detect... The hacker attacked my sites by bruteforce, and a new redirect file. the hacker was dr. demon. the A**hole place on every site a new redirect file.
The beginning of the .htacces file was still the original file followed by a lot of returns ad the far end of the file there was the redirect code in of base64.

After installing WordFence and cloudflare I still see a lot of attacks.
Most of them are brutefore, using admin or administrator, or you domainnames as user name. for me the most attacks come form amazon, hosting. so I completely block the amazonaws.

Bill Peschel March 23, 2016 at 10:16 am • Reply

I see I have another task to put on the list: Check my installed plug-ins and see if the developers are still supporting them.

At least I use the limited log-in option (they get one chance), a really complex password (I work from home so I don't mind saving my passwords on my computer), automatic updating of plug-ins, and your Wordfence alerts.

Imran March 23, 2016 at 10:17 am • Reply

A few years back my websites were compromised due to the vulnerability in Revolution Slider. But then I hired a professional to cleanup my websites. And later he advised me to use Wordfence. And Alhamdulillah that was the start to my happy days. I am really really thankful to Wordfence that I am able to concentrate on growing my business rather than having sleepless nights :)

mark March 23, 2016 at 10:24 am • Reply

That's great news Imran and that's exactly what our goal is: To make your site safer so that you can focus on doing what you're really passionate about!

Walt Stringer March 23, 2016 at 10:48 am • Reply

One other tidbit for those that are questioning how to keep your WP site safe...never login to wp-admin from a public wi-fi, unless you've modified your site to run https.

Chard March 23, 2016 at 10:57 am • Reply

Are legitimate plugin upgrades available when I log on as administrator ? If yes, where?

mark March 23, 2016 at 11:07 am • Reply

Yes I think you may have misunderstood. Most plugins in the repository are just fine and that's where you're upgrading from when you sign-in as admin and go to Plugins in your WordPress admin panel. There are around 40,000 plugins there and most of them don't have vulnerabilities. Those that do, if the author is responsive, are fixed quickly. What you should be careful of is websites that are distributing plugins that are malicious and we give you a few ways to evaluate a plugin website in the post above.

Glenn Lyvers March 23, 2016 at 11:13 am • Reply

Mr. Obvious says, deactivate and delete plugins you don't use--including things you tested or switched away from. I've personally been asked to repair damage done by hackers, only to find that the plugin they gained access from wasn't even necessary to the functioning of the website.

Users ought to only have plugins active (or even installed) that they actually need. The law of mechanics is at play. The more parts, the more likely something will breakdown. Sometimes a breakdown means more than loss of function. It means code theft, vandalism, or spying. Some of the best hackers don't destroy anything. They steal data for as long as they go unnoticed.

This tip was missing from the article, probably because it's stupidly obvious.

Remove what you don't use.

mark March 23, 2016 at 12:51 pm • Reply

Thanks Glenn, we actually do mention this in the post and link to this previous blog post where Mike Dahn who I interviewed and who's a well known CSO suggests the same thing: https://www.wordfence.com/blog/2016/03/get-rid-of-data-to-secure-it/

In the security world we think of this as reducing the 'attack surface'.

Brian Riley March 23, 2016 at 11:19 am • Reply

I was one of the ones that were hacked by a plugin. All plugins are not equal problems on this, the ones that are the main problem are the ones that allow you to upload files (slider plugins for example). Those are the ones you really have to watch. You really have to be careful about themes for the same reason.

Ian Blackford March 23, 2016 at 11:22 am • Reply

An excellent read - thanks for the survey and the summary.

I always delete old themes from my installs, I leave only the theme I have active and the latest official WordPress theme. I also delete all disabled plugins.

The one thing I haven't done is conducted an audit of all my plugins. I do carefully choose them though, anything that hasn't been updated in the last few months is ignored.

I used wpremote.com on all my sites so I can bulk update my installs - this is a BIG time saver.

Jesmine March 23, 2016 at 11:34 am • Reply

We had 17 of our wordpress sites hosted with Godaddy hacked. The process we used was to change all user names and password. We manually went through every site and deleted all files except the wp-content, htaccess and wp-config.php. Then did a manual reinstall of wordpress on all sites. Updated all necessary plugins and deleted all inactive.
After we cleaned each site we install wordfence and sucuri.
We are kind of paranoid now and are running wordfence on level 4.

David March 23, 2016 at 11:37 am • Reply

I am amazed at how many times a month my site is brute force attacked. Prior to using Wordfence I guess I was oblivious to the threat. Now with the proper settings I feel 100% safe!

Robert March 23, 2016 at 11:38 am • Reply

Excellent Article. Started using WordFence on Business and Personal sites a couple years ago, and I've never looked back. Cell-phone sign in is a must for any Retail/E-Commerce site.

Valerie March 23, 2016 at 11:39 am • Reply

I started adding WordFence to the 60+ sites I manage last year (most with premium keys). I'm happy to report that I've had almost no problems. Of the two sites that got hacked (and hacked BAD) (both with the same hosting company), one vulnerability was introduced by previous developer. The other site had been migrated by the host and they left the migration folder in root directory, complete with the entire old version of WP and all the outdated plugins. Disaster! WF doesn't scan there.

Np March 23, 2016 at 11:44 am • Reply

With regards to usernames, I've noticed that quite a few people with blogs will actually use their main"admin" account to post with... Guess who's name shows up as the author? Yeah, the sites actual administrators valid username. Sigh. No wonder so many get brute forced. They are willingly giving that info away.

Andrew March 23, 2016 at 11:49 am • Reply

I've been using WordFence on all my sites and it truly is a sobering experience. Ignorance really is bliss and its only when you actually see how many attempts are made that you start to realise just how vulnerable the Pre-WordFence era was.

One feature I'd like to see would be the "Advanced Blocking" functionality to appear inside my WordFence account area. That way I could block IP ranges on all my sites from a central panel, instead of having to do it on a site-by-site basis. That or a way to connect sites inside the WordFence options in Wordpress - again to facilitate blocking IP ranges across all my sites.


websitedefender March 23, 2016 at 11:50 am • Reply

Hi Mark and all, nice blog post! Any breakdown in how many of the bad plugins came out of Repository, and how many were from outside Repository? My takes is that the Repository system is flawed and needs better system for vetting plugins, but perhaps I'm wrong and most of the bad plugins come from without?

Also, this constant hammering about keeping all plugin updated to latest version, is that a theory or real? Are not most of the plugin vulnerabilities found in the latest versions?

mark March 23, 2016 at 12:47 pm • Reply

Hi. We have no data on repo vs external vulnerabilities. Yes vulnerabilities are found in the newest version, but usually some time after the release which means that you need to get the fix as soon as it comes out.

Ishee March 23, 2016 at 12:18 pm • Reply

Can't Wordpress have better audit of plugins in its repository? Also, they need to put some kind of limit on the age of abandoned plugins. If a plugin crosses that age then it should not be available to download anymore.

Dan March 23, 2016 at 12:49 pm • Reply

I knew those plugins were a major culprit! This is why I am limiting the amount of plugins that I install. I now check all other options before I decide to install a plugin, because not only do plugins open up another entry-point for vulnerability, many of them also slow down your website significantly. Thanks for all your invaluable information!

mark March 23, 2016 at 12:52 pm • Reply

You're welcome. We do the same internally and we actually do code audits on the plugins we run on our production site (this website).

Jakob March 23, 2016 at 1:46 pm • Reply

Great article!

It's not always easy to update plugins to latest version. If they are bundled with the theme that can be a problem and updating plugin required by the theme may break the site.

Quite often Visual Composer or Rev Slider (and some others) are included in the theme. I think that this was a huge component to all the sites that got hacked last year (or the year before that) via Rev Slider.

mark March 23, 2016 at 2:13 pm • Reply

True Jakob. Same issue with Timthumb when that was a problem.

Han Balk March 24, 2016 at 12:59 am • Reply

It's a real shame that premium themes at Themeforest are sold with updates and support but you'll never ever be notified about an update! There's an Envato Updater plugin at GitHub that does the update but lacks the notification. If you are using a Themeforest theme you'd better take a look at: https://github.com/envato/envato-wordpress-toolkit

Sven from WPUP March 23, 2016 at 2:15 pm • Reply

Hi Mark, great article as always. I also agree that the WP Repository needs a better management, especially with number of plugins that haven't been updated in years. It's so easy to find a plugin that helps take care of a short term problem and not think about the implications of installing it. This is why, plugins are the number one thing we check and update for our clients, on a daily basis.

Nigel Mackintosh March 23, 2016 at 2:45 pm • Reply

Is it really worth worrying about the usernames you use? I thought it was trivial for someone to list all the usernames in use?

mark March 23, 2016 at 3:06 pm • Reply

Yes you should worry about that and Wordfence specifically protects against attackers listing your usernames.

John D. March 23, 2016 at 2:56 pm • Reply

Great thread. Begs the question... Is there a clearing house or central location listing the most vulnerable (or least vulnerable ) plugins? A ranking or some way to check before installing what the community has experienced in the way of hackability? Just curious.

Chesio March 24, 2016 at 3:22 am • Reply

Hi John,

You can search https://wpvulndb.com/ by plugin/theme name to find out if there is or was a known vulnerability to the plugin/theme.


Captain Jack R March 23, 2016 at 3:09 pm • Reply

I think WF fails at notifying webmasters of attempted hacks of our plugins. For example, I have had a few hackers try to scan for vulnerable plugins which end up creating a 404 error. I use 404 to 301 plugin https://wordpress.org/plugins/404-to-301/
to redirect to my 404 page. It also does quite a good job at logging URL path, IP, and User agent of the offender. WF has the same capability but failed to log. Thankfully I wasn't using any of the vulnerable plugins, and added the IPs to my blocked list.

As we just learned from this article, that poorly designed plugins are the most vulnerable to hacking. I think WF should put more resources in tracking these vulnerability scans so we can take first responder steps to make our sites more secure until vendors make updates to their plugins.

mark March 23, 2016 at 6:56 pm • Reply

Pssst, Captain Jack. Don't tell anyone. But check out our beta for Wordfence 6.1.1. It'll be released to production in the next couple of weeks and it's scaaaary how good it is at exactly what you've asked for - blocking attacks and telling you about them. Hint: Once you've installed it, go to Live Traffic and click on "Blocked by Firewall" to see attacks that were blocked.


Lets keep this our little secret. And remember that it's a beta, which means that it's still in testing. But it's running on this site right now and has been for a few weeks.

David Wilks March 23, 2016 at 4:37 pm • Reply


As always, this is a great resource. I've been hacked previously and it is an enormously expensive exercise to regain both your email and search credibility. I thought I was on top of security issues but you have highlighted a real weakness for me... I have never checked the currency of all my plugins. I have simply relied on update notifications without it occurring to me that some may, in fact, have been abandoned.

I know what I'll be doing today :(

Have a nice Easter.

Steve March 23, 2016 at 4:55 pm • Reply

Great article again.

Philip Miller March 23, 2016 at 5:42 pm • Reply

The brute force is the easiest to avoid. There are some very very simple rules for unbreakable passwords. Then change the login sequence using a secret sequence pattern. I'm not sure you provide this very simple but extremely powerful tool. Otherwise, Wordfence is a top rate plug-in

Alexander Smoljanovic March 23, 2016 at 6:09 pm • Reply


Thanks for the article.

What I do is allow only my iPhone 4G and home WiFi IP addresses to have access to login or admin area. Everyone else is redirected to my home page at http://loquaciouslair.com using .htaccess file

Beelissa March 23, 2016 at 6:45 pm • Reply

I guess I'm one of the 61.5%, and grateful for tools like WordFence. However, it makes me wonder if there's some way you can find out. Are plugins truly the thing that puts most websites at risk or is that only true of the ones where the site owners track down the thing that left them vulnerable?

My husband had a 4-hour nuclear stress test and was told everything looked good. Less than 12 hours after they told him that, my husband had a heart attack. I feel like your survey is kind of like that test -- able to tell us something, or why would they perform the test. But, obviously, not resulting in nearly enough data to prevent something that could have been fatal.

ankush das March 23, 2016 at 8:16 pm • Reply

Hi Mark,

Well, I always love to know about the detailed insights from WordFence blog to help protect my site. However, I was wondering if you could tell what do you mean by "Old Files" (in the info graph). How are they a reason of the site being compromised? I didn't get that.. And, I would put you a request to try explaining the points - "Insider" "Workstation" "File permissions" may be in the next articles to let us know better about the rest of the reasons.

Cameron March 23, 2016 at 8:21 pm • Reply

We had numerous sites hacked. Still unsure how they gained access. They uploaded their own index file over-riding the exisiting index file. Hacked into the DB and changed the user names. Also changed the character encoding to UTF-7. Was not too bad to restore just time consuming. Strong passwords are used everywhere for the sites and the server where it is hosted 16-20 characters long. Since then have tried beefing up the firewall security on the server to only allow certain countries access.

Han Balk March 24, 2016 at 1:20 am • Reply


Pls take a look at: http://www.wpbeginner.com/wp-tutorials/how-to-disable-php-execution-in-certain-wordpress-directories/.

An additional .htaccess-file in your /wp-content/uploads/ directory may help you.



Frits March 23, 2016 at 11:23 pm • Reply

Well, since plugins are the highest risk, I think there's a task for the guys maintaining the WordPress Plugin Repository. I don't understand why outdated plugins ("This plugin hasn't been updated in more than 2 years") and plugins that have a very low rating and lots of complaints in Reviews and Support sections are still made available.
A thorough clean-up of the WP plugin repository and after that a monthly clean-up is in order, I think.

Enrique March 24, 2016 at 3:03 am • Reply

your are so right. I thought the same when I found hackers used a plugin to get into my site. If they know how to do it, there's probably someone else who knows this and makes it public. So Wordpress should ban this plugin until the update is ready, if it ever comes.

Josh G March 24, 2016 at 12:40 am • Reply

Any thoughts on avoiding brute force attacks by using the
Rename wp-login.php

Han Balk March 24, 2016 at 12:51 am • Reply


Thanks for another great article and help us keepin' out the bad guys with Wordfence. I'm not surprised that plugins are the main cause.

One of the things I do when I use a new plugin is checking the code (copy/paste) for known programming mistakes at: http://phpcodechecker.com/.

But so far I've never ever found one mistake. Is there anybody here who found something useful this way? Or am I wasting my time and can Wordfence do the same for me?



Enrique March 24, 2016 at 2:57 am • Reply

my case:

- started with wordpress 3 years ago, totally self taught. Have made since over 20 sites
- 6 months ago, 3 of my sites got hacked. I can't really tell how, I just found it the bad way: google banned access to the sites.
- started using Wordfence and iThemes: no hacked sites since that... BUT when running a check in the sites, and knowing at least one of them still had malicious files, the check didn't find anything. I deleted the site completely anyway, as I knew the backdoor was still there.

- One of the sites was hacked using, for what I saw and I might be wrong, a vulnerability in plugin MANUAL IMAGE CROP.

- One of the hacks ocurred while constructing the site, so one lesson I learnt: AFTER INSTALLING WORDPRESS AND BEFORE INSTALLING THE THEME, INSTALL A SECURITY PLUGIN.

- The most valuable tool for me is blocking bad logins. Other features like browsing files, php uploads, etc, are too complex for me to understand their value, but since I have enabled 100% of the iThemes and Wordfence features, and I have ZERO, NONE, ANY, hack since, I can say that this simply WORK. I don't know if iThemes and Wordfence conflict, but each one has its strengths, so I use both.

I spent many days surfing the web, learning about hacking (I can beleive there's so much information about how to hack a site!!), checking files, etc, to learn how to solve the problems.

And after living this nightmare (especilly when customers blame you, and they want to kill you even if they are too elegant to say it), there's only one thing I can say: INSTALL A SECURITY PLUGIN NOW (did I already tell you this?) and make a back up right after your site is delivered to your customer, so in case the site is hacked after that, it's super easy to get it back to work (and find the backdoor used, which is always tricky if not imposible)

a rooky designer with a lot to learn

Craig March 24, 2016 at 3:44 am • Reply

Hi great posting and updates are excellent.
One thing i wonted to point out also is that be very carefully whom you host with as in some of our cases with Hostgator reseller they have terrible support and recently have a big problem with there mod_userdir, directory which most users don't have access off unless on a dedi server.
this mod_userdir, automatically uses that ~ temp folder when you setup a new clients accounts but its way open to Phishing by placing a load of spam reported files which you can not see or control.
Our advice is to ask your shared host to disable this as most don't use it and its become a major issue over the last 4 to 8 weeks. just a heads up.

Terry Dunn March 24, 2016 at 4:12 am • Reply

Good article. I would never have guessed that plugins are the major cause. Keeping everything up-to-date has a downside: a recent core code update by WordPress caused my website to crash. It wasn't until a potential customer told me our site was down, that we realised there was a problem. I thought at first we'd been hacked again. But this time, it was a core Wordpress upgrade that was responsible. There were some files that were not updated - for whatever reason - and when they removed, the site came back up again. I don't like the automatic update by Wordpress. I prefer to do it manually, while I was watch proceedings.

Zo Nicholas March 24, 2016 at 10:48 am • Reply

Excellent post. Clearing up a messed up website is time-consuming.

Johan Linder March 25, 2016 at 1:50 am • Reply

I use a plugin to help me check how old plugins are. The wp-version it has been tested with is written after the plugin name in wp-admin/plugins.php. Good idea?


John G March 25, 2016 at 5:09 pm • Reply

One attack that i have noticed was through revolution slider plug in. They do Arbitrary file uploads. And some how make new users with admin access and start linking to none friendly sites. Point of the story, becareful what plug-ins you use and make sure all plug ins are up to date.

Eric Barnes April 5, 2016 at 6:15 am • Reply

Really informative article. Thanks for the heads up. I have been a little Leary about plugins, but it seems they are a "necessary evil" if you will. I will put your advice about old plugins to use and comb through mine!

Leave a Reply

Get the latest WordPress security updates and news

Sign up for WordPress security alerts, Wordfence product updates and security news via email.