Cómo los sitios de WordPress son hackeados: detén cada ataque eficazmente.
Este es un resumen del artículo. Si necesitas contexto adicional, aquí tienes el enlace original: https://teamupdraft.com/blog/how-wordpress-sites-get-hacked/
Your WordPress site probably will not be hacked by a genius in a hoodie targeting you personally. Understanding how WordPress sites get hacked is far less glamorous than the movies suggest: the overwhelming majority of attacks are automated, opportunistic and aimed at whichever sites left a door open. In this post we break down the four entry points behind most WordPress compromises and show you exactly how to close each one, usually in minutes.
Key Takeaways
- Almost all WordPress hacks are automated and opportunistic, not personal or sophisticated
- 91% of new WordPress vulnerabilities found in 2025 were in plugins, with only six low-priority issues in WordPress core
- The four most common entry points are outdated plugins and themes, weak or reused passwords, forgotten admin accounts and insecure hosting
- Routine defenses such as updates, strong passwords, login protection and two-factor authentication stop the vast majority of attacks
- Prevention is not enough on its own; you also need a way to detect anything that slips through
Why hackers target WordPress at all
WordPress powers over 40% of the web, so one working exploit can be replayed against millions of sites. Attackers are not usually after your content. They want to send spam from your server, inject SEO spam links, distribute malware to your visitors or recruit your site into a botnet.
That scale is why attacks are automated. Bots scan the entire internet for known weaknesses around the clock, which means an unpatched site gets found whether or not anyone has heard of it.
How WordPress sites get hacked in the real world
1. Outdated plugins and themes
This is the number one cause of WordPress compromises, and it is not close. According to Patchstack’s State of WordPress Security in 2026, 11,334 new vulnerabilities were recorded in the WordPress ecosystem in 2025, and 91% of them were in plugins. WordPress core itself accounted for just six low-priority issues.
The attack pattern is always the same. A vulnerability in a plugin or theme is publicly disclosed, a patch is released and bots immediately start scanning for sites that have not applied it. The window is brutal: mass exploitation can begin within hours of disclosure.
How to close this door:
- Update plugins, themes and WordPress core promptly, or enable automatic updates for anything you do not test manually
- Delete deactivated plugins and themes entirely, since their code can still be exploited while it sits on your server
- Avoid abandoned plugins that have not been updated in over a year and never install nulled (pirated) plugins or themes
2. Weak or reused passwords
Automated scripts test millions of leaked username and password combinations against WordPress login pages every day. If a password you use has ever appeared in a data breach, a bot somewhere is trying it against your site right now. This is not an exaggeration: in a single year, Wordfence reported blocking tens of billions of password attacks across the WordPress ecosystem.
Remember that your site has more than one set of keys. Your hosting control panel, SFTP account, database and admin email all unlock the same kingdom.
How to close this door:
- Use a long, unique password for every account connected to your site, stored in a password manager
- Enable two-factor authentication for all users who can log in, especially administrators
- Turn on login lockout so an IP address is blocked after a few failed attempts, and consider hiding your login page from bots entirely
3. Forgotten admin accounts
Every admin account is a door into your site, and old doors get rusty. The developer who built your site three years ago, the intern who left last summer, the shared “admin” login everyone knows: each one is an entry point that no amount of firewall rules can protect if the credentials leak.
Attackers love these accounts because using them does not look like an attack. It looks like a normal login.
How to close this door:
- Audit your users list quarterly and delete or downgrade accounts that no longer need access
- Apply the principle of least privilege, so editors are editors and not administrators
- Never use “admin” as a username and never share one account between multiple people
4. Insecure hosting and file permissions
Less common than the first three, but a badly configured server can undo everything your site does right. Outdated PHP versions no longer receive security patches, overly permissive file permissions let attackers modify your files, and cheap shared hosting can allow one compromised site to infect its neighbors.
How to close this door:
- Choose a reputable host and run a supported PHP version (8.x)
- Set file permissions to 644 and folder permissions to 755, and block direct access to wp-config.php
- Use SFTP instead of plain FTP when transferring files
The four entry points at a glance
Almost every hacked site we see was hit by a bot exploiting a plugin flaw that already had a patch. Update automatically, turn on login lockout and 2FA, and you stop being the easy target the bots are scanning for.
What to do in the next 30 minutes
Notice what is missing from everything above: sophistication. Because attacks are opportunistic, routine defenses genuinely work. Here is the order we recommend:
- Update everything, then remove plugins and themes you do not use
- Change any password that is short, reused or shared, starting with admin and hosting accounts
- Enable login lockout, two-factor authentication and a firewall at the site level
- Review your users list and remove anyone who should not be there
- Set up monitoring, such as an activity log and malware scanning, so you find out quickly if something slips through
Conclusion
WordPress sites get hacked through a handful of predictable, preventable entry points: unpatched plugins, weak passwords, forgotten accounts and sloppy hosting. None of them require an attacker with skill, which means none of them require heroics to defend against. Close the four doors above and you are already ahead of the crowd the bots are looking for.
<!–
–>
Secure your site in minutes
All-In-One Security closes every entry point in this article from one dashboard: login lockout, hidden login page, firewall rules and two-factor authentication in the free version, with malware scanning to catch anything that slips through.
FAQ’s
How do most WordPress sites get hacked?
Through known vulnerabilities in outdated plugins and themes. Bots scan the internet for sites that have not applied available patches, which is why keeping everything updated is the single highest-impact habit.
Is WordPress itself insecure?
No. WordPress core had only six reported vulnerabilities in 2025, all low priority. The risk lives almost entirely in the plugin and theme ecosystem and in how sites are configured and maintained.
How do I know if my site has been hacked?
Common signs include unexpected redirects, new admin users you did not create, strange files in your uploads folder, browser warnings and a sudden drop in search traffic. An activity log and a malware scanner will surface these far earlier than your visitors will.
If you discover your site has already been compromised, follow our guide on what to do if your WordPress site is hacked to minimise damage and begin recovery.
Will a free security plugin protect my site?
Free WordPress security tools cover prevention very well: login protection, firewall rules, two-factor authentication and hardening. What free tiers typically do not cover is detection and response, such as malware scanning or removal, which tells you when something got through anyway.
About the author

Alexandru Bucsa
Alex is our All-In-One Security Product Manager. With more than six years of WordPress experience, he listens closely to what users need and works hard to make AIOS even better. Drawing on his background in forensic investigations, Alex loves diving into problems to understand their causes and find practical fixes that truly help our community.
Categories
AIOS
Comprehensive, feature-rich, security for WordPress. Malware scanning, firewall, an audit log and much more. Powerful, trusted and easy to use.
From just $44.50 for the year.
More stories
-

Best plugin to secure WordPress pages
Discover the best plugins for securing WordPress pages, restricting access, and protecting sensitive content from unauthorised users.
-

How to improve LCP in WordPress and pass Core Web Vitals
LCP is the metric that decides whether your WordPress site feels fast or broken. Here's what it measures and how to bring it down fast.
-

How to duplicate a WordPress site: Best plugins compared
Need a copy of your website? Learn how to duplicate a WordPress site for testing, redesigns, migrations, and more.
-

How to fix bypass URL secure link issues in WordPress
Troubleshoot bypass URL secure link issues in WordPress and learn how to keep protected content accessible only to authorised users.
The post How WordPress Sites Get Hacked (And How to Stop Each Attack) appeared first on TeamUpdraft.
Puedes consultar el artículo original aquí: https://teamupdraft.com/blog/how-wordpress-sites-get-hacked/



