Three Mistakes I See in Almost Every Hacked WordPress Site
Authored by: Ramon Horst
I run a WordPress security scanner called GuardingWP. Over the last year I’ve watched a lot of sites go from healthy to compromised, and three patterns show up so often that I’ve stopped being surprised when I see them.
Here’s the thing: it’s almost never the exotic zero-day everyone worries about. The boring stuff is what gets people.
1. They treat plugin updates as optional
Every site I’ve seen get hacked had at least one plugin running a version that was 6+ months out of date. Not because the owner was reckless — usually because “updates broke the site once” so updates got disabled.
This is rational at the individual level and catastrophic at the population level. Public CVEs in WordPress plugins typically have working exploits within days. If you’re three months behind, you’re not getting hacked by genius attackers. You’re getting hacked by a bot running a list of known vulnerabilities against a list of WordPress sites.
The fix isn’t “update everything immediately.” It’s “have a staging environment so updates aren’t scary.” Most managed WordPress hosts give you one for free now. Use it.
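The check behind this point, as an added example that is not GuardingWP's code and not part of the original post: read each plugin's `Version:` header using the same header grammar WordPress applies to plugin files, then compare it against the first fixed version from an advisory table. The plugin sources and the advisory table below are constructed placeholders (not real plugins or CVE data); in practice the table would be fed from a vulnerability feed, and the version comparison is a simplified numeric one that ignores pre-release suffixes.

```python
"""Flag installed WordPress plugins whose version is below a known fix version.

Added example, not GuardingWP code. SAMPLE_PLUGINS and SAMPLE_ADVISORIES are
constructed placeholders, not real plugins or real CVE data.
"""
import re
from typing import Dict, List, Tuple

# Header grammar WordPress itself uses for file headers: the field may sit on a
# bare line inside /* */ or on a " * " line inside /** */.
_HEADER_RE = r"^(?:[ \t]*<\?php)?[ \t/*#@]*{field}:(.*)$"


def read_header(php_source: str, field: str) -> str:
    """Return a header field ("Version", "Plugin Name", ...) from a plugin's main file."""
    m = re.search(_HEADER_RE.format(field=re.escape(field)), php_source, re.M | re.I)
    if not m:
        return ""
    # Drop trailing comment markers and surrounding whitespace, as WordPress does.
    return m.group(1).strip().rstrip("*/").strip()


def version_tuple(v: str) -> Tuple[int, ...]:
    """Simplified comparison key: numeric dot/dash-separated parts only.
    Fine for versions like 2.0.1; pre-release suffixes such as 2.0.1-beta are not modelled."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_below(installed: str, fixed: str) -> bool:
    """True when installed < fixed, padding shorter tuples so 2.1 == 2.1.0."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def find_outdated(plugins: Dict[str, str], advisories: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """plugins: slug -> main-file source; advisories: slug -> first version with the fix.
    Returns (slug, installed_version, fixed_version) for every install still below the fix."""
    hits = []
    for slug, source in plugins.items():
        fixed = advisories.get(slug)
        if fixed is None:
            continue
        installed = read_header(source, "Version")
        if installed and is_below(installed, fixed):
            hits.append((slug, installed, fixed))
    return sorted(hits)


# Constructed sample plugin main files (placeholders, not real plugins).
SAMPLE_PLUGINS = {
    "contact-widget": "<?php\n/**\n * Plugin Name: Contact Widget\n * Version: 1.4.2\n */\n",
    "gallery-lite": "<?php\n/*\nPlugin Name: Gallery Lite\nVersion: 3.0.0\n*/\n",
    "seo-helper": "<?php\n/**\n * Plugin Name: SEO Helper\n * Version: 2.1\n */\n",
}

# Constructed advisory table: slug -> first version containing the fix (not real CVE data).
SAMPLE_ADVISORIES = {"contact-widget": "1.5.0", "gallery-lite": "2.9.9", "seo-helper": "2.1.0"}


if __name__ == "__main__":
    for slug, installed, fixed in find_outdated(SAMPLE_PLUGINS, SAMPLE_ADVISORIES):
        print(f"{slug}: installed {installed}, fixed in {fixed} -> update")
```

On a real install the sources come from each `wp-content/plugins/<slug>/` main file, and a hit means the site is exactly the kind of target the bots in the paragraph above are scanning for; the staging environment is where you then test the update before it goes live.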
2. They protect the front door and leave the back open
A surprising number of sites have a strong admin password and 2FA on /wp-admin — and then a forgotten FTP account from a developer they fired in 2023, with credentials that have been in a leaked dump for years.
When I scan a site, I look at all the entry points: WordPress users, FTP/SFTP, hosting panel, database, deployment keys. The weakest one is the one that gets used. I’ve seen sites with airtight WordPress security taken down through a hosting panel password that was reused on a forum that got breached.
Audit everything that can write to your filesystem. Rotate it. Delete what you don’t need.
3. They mistake “no visible problems” for “secure”
A compromised WordPress site rarely defaces itself. Modern attackers don’t want you to know they’re there. They want to use your server to send spam, host phishing pages, or boost their SEO with hidden links.
I’ve scanned sites where the owner swore everything was fine, and we found PHP webshells that had been sitting in /wp-content/uploads for over a year. Google was already starting to penalise the domain, traffic was sliding, and nobody connected the dots until someone ran a deep scan.
If you haven’t done a file integrity check or a malware scan in the last 90 days, you don’t actually know if your site is clean. You just haven’t looked.
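What a basic file integrity check plus an uploads sweep looks like, as an added example that is not GuardingWP's code and not from the original post: hash every file under the install into a manifest, diff it against a stored baseline, and separately list anything with an executable PHP extension under `wp-content/uploads`, a directory that should only ever hold media. The site tree it builds in a temp directory is constructed for the demo, and the file it plants there is placeholder text, not a real webshell; `make_sample_site` and `demo` exist only to make the example runnable offline.

```python
"""File-integrity and uploads check for a WordPress tree.

Added example, not GuardingWP code. make_sample_site() builds a small constructed
tree in a temp directory so the demo runs offline; point build_manifest() at a
real install root to use it for real.
"""
import hashlib
import os
import tempfile
from typing import Dict, List

# Extensions PHP hosts commonly execute; none of them belong under uploads.
EXECUTABLE_EXTS = (".php", ".phtml", ".php5", ".php7", ".phar")


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative path, forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            manifest[rel] = h.hexdigest()
    return manifest


def php_in_uploads(manifest: Dict[str, str]) -> List[str]:
    """Executable files under wp-content/uploads: the directory the post found shells in."""
    return sorted(
        p for p in manifest
        if p.startswith("wp-content/uploads/") and p.lower().endswith(EXECUTABLE_EXTS)
    )


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a stored baseline against a fresh manifest."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, content: str) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def make_sample_site() -> str:
    """Constructed WordPress-like tree for the demo; every file is a placeholder."""
    root = tempfile.mkdtemp(prefix="wpsite-")
    _write(root, "wp-includes/version.php", "<?php $wp_version = '6.x';\n")
    _write(root, "wp-content/uploads/2024/01/photo.jpg", "not really a jpeg\n")
    return root


def demo() -> Dict[str, List[str]]:
    """Take a baseline on the clean tree, apply constructed changes, report what the checks find."""
    root = make_sample_site()
    baseline = build_manifest(root)  # what you would store right after a clean install
    # Constructed changes for the demo: a placeholder .php under uploads (not a
    # real webshell) and an edited core file.
    _write(root, "wp-content/uploads/2024/01/image.php", "<?php // placeholder\n")
    _write(root, "wp-includes/version.php", "<?php $wp_version = '6.x'; // edited\n")
    current = build_manifest(root)
    report = diff_manifests(baseline, current)
    report["php_in_uploads"] = php_in_uploads(current)
    return report


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

Two practical notes. The baseline only proves anything if it was taken from a known-clean state and stored off the server, since an attacker who can write to the filesystem can also rewrite a manifest kept next to it. For WordPress core and plugins from the official directory you do not even need your own baseline: WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums` compare the files on disk against the checksums WordPress.org publishes, which is the cheapest 90-day check there is.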
The boring conclusion
There’s a temptation in security to chase the dramatic — APTs, supply chain attacks, sophisticated zero-days. For 99% of WordPress sites, that’s not the threat model. The threat model is a bot, a known CVE, and a site that’s six months behind on patches.
Boring discipline beats clever defence. Update on a schedule. Audit your access surface. Scan even when nothing looks wrong. That’s most of it.
Author Bio: Ramon Horst, Web developer, Ramon Horst Media