Most WordPress hacks are not sophisticated operations. Attackers run automated scanners across millions of domains, identify known vulnerabilities, and move on. If your site presents one of five common weaknesses, it gets added to a queue. What follows is a practical breakdown of those five entry points, what attackers do with each one, and what you can do about it before the scanner finds you.
1. Outdated plugins and themes
Seventy-four percent of hacked WordPress sites were running outdated plugins at the time of the breach, which makes plugins the most exploited entry point on WordPress. The attack pattern is consistent: a vulnerability is disclosed publicly, a patch is released, and attackers immediately scan for sites still running the old version. The window between disclosure and mass exploitation is often measured in hours.
The Elementor Pro vulnerability disclosed in March 2023 is a clear illustration. It was a broken access control flaw: any authenticated user, down to the Subscriber role that WooCommerce shops hand out to every customer, could change arbitrary site options and from there take over the site. A patched version was available at disclosure, but sites that delayed updating remained exposed for days or weeks while the flaw was being actively exploited.
The fix is automatic updates. In the dashboard, go to Plugins > Installed Plugins and click Enable auto-updates next to each plugin (available since WordPress 5.5); for themes, go to Appearance > Themes, open each theme's details, and click Enable auto-updates there. Auto-updates only reach plugins that have an update channel, which means wordpress.org plugins and premium plugins with a valid license key, so a lapsed license silently turns a plugin into one that never updates. If a plugin or theme has not had a release from its developer in over twelve months, treat it as abandoned and find an alternative; the last-updated date is shown on each plugin's wordpress.org listing.
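The twelve-month rule above can be checked for every installed plugin at once. The script below is an added example, not code from the original article: it turns on auto-updates with WP-CLI and then asks the public wordpress.org plugin API for each plugin's last release date. It assumes GNU date, curl and the wp command on the host; plugins that are not hosted on wordpress.org (premium or custom) come back as unknown and have to be checked with the vendor.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): flag installed plugins whose
# last wordpress.org release is older than MAX_AGE_DAYS.
# Assumes GNU date, curl and WP-CLI ("wp"); the 365-day threshold is the article's.
MAX_AGE_DAYS=365

days_between() {  # days_between <YYYY-MM-DD> <YYYY-MM-DD> -> whole days from first to second
  local from to
  from=$(date -u -d "$1" +%s) && to=$(date -u -d "$2" +%s) || return 1
  echo $(( (to - from) / 86400 ))
}

is_stale() {  # is_stale <last_updated YYYY-MM-DD> <today YYYY-MM-DD> [max_days]
  local age
  age=$(days_between "$1" "$2") || return 2
  [ "$age" -gt "${3:-$MAX_AGE_DAYS}" ]
}

plugin_last_updated() {  # plugin_last_updated <slug> -> YYYY-MM-DD, empty if not on wordpress.org
  # The plugin info API returns one JSON object; "last_updated" looks like "2024-05-01 3:45pm GMT".
  curl -fsS "https://api.wordpress.org/plugins/info/1.0/$1.json" 2>/dev/null \
    | sed -n 's/.*"last_updated":"\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p'
}

audit_plugins() {  # audit_plugins <wp_path>: prints STALE/UNKNOWN plugins, returns 1 if any are stale
  local path="$1" today rc=0 slug last
  today=$(date -u +%F)
  for slug in $(wp plugin list --path="$path" --field=name); do
    last=$(plugin_last_updated "$slug")
    if [ -z "$last" ]; then
      echo "UNKNOWN  $slug (not on wordpress.org: premium or custom, check with the vendor)"
    elif is_stale "$last" "$today"; then
      echo "STALE    $slug (last release $last)"
      rc=1
    fi
  done
  return $rc
}

if [ $# -ge 1 ]; then
  # One-time hardening from the article, then the age audit. Usage: ./plugin-age-audit.sh /var/www/html
  wp plugin auto-updates enable --all --path="$1"
  wp theme auto-updates enable --all --path="$1"
  audit_plugins "$1"
fi
```

Run it from cron or a deploy pipeline and treat a non-zero exit as a ticket: a STALE plugin is one that will not receive a patch when the next disclosure lands, whether or not auto-updates are on.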
2. Weak or reused admin passwords
Credential stuffing sends over 16 billion login attempts against WordPress sites every year. Attackers take username and password combinations leaked from other breaches and try them against WordPress login pages at scale, requiring no technical skill whatsoever. Tools that automate the process are freely available, and breach databases containing billions of credentials are traded openly. A single successful login to your admin account gives an attacker complete control: they can install plugins, create backdoors, redirect your traffic, or exfiltrate customer data. If you reuse a password from any other service that has ever been compromised, your WordPress admin account is already a target.
Two changes address this immediately. First, install a plugin such as WP 2FA and require two-factor authentication on every admin account. Second, use a password manager to generate a unique, random password for your WordPress login. If you are also running WooCommerce, apply the same standard to accounts with the Shop Manager or Editor role, since those roles can reach order data and customer records. One caveat: two-factor plugins protect the interactive login form, while xmlrpc.php accepts a username and password on its own and is the endpoint credential-stuffing tools prefer, so disable XML-RPC (through a plugin or a web server rule) unless something you run depends on it.
3. Unpatched WordPress core
When a core vulnerability is fixed, the fix is visible in the public changelog and in the commit history. Attackers diff the release and target sites still on the previous version, so running anything older than the latest security release means running a publicly documented vulnerability. WordPress flags security releases as such in the release announcement. Since WordPress 3.7, minor and security releases install themselves automatically, but only if that mechanism has not been switched off: hosts and developers disable it by setting the WP_AUTO_UPDATE_CORE or AUTOMATIC_UPDATER_DISABLED constants in wp-config.php, and major version updates still require manual action unless WP_AUTO_UPDATE_CORE is set to true.
Check the installed version under Dashboard > Updates and update immediately if you are behind. Confirm with your host that minor auto-updates are enabled, and check wp-config.php for WP_AUTO_UPDATE_CORE set to false or AUTOMATIC_UPDATER_DISABLED set to true; either one means security releases are not reaching you. Major version updates should be tested on a staging copy first, but they should not be deferred for months, because WordPress eventually stops backporting security fixes to old major branches.
4. Exposed file managers and upload directories
File manager plugins give you a browser-based interface to edit, upload, and delete files on your server. Convenient as they are, they carry serious risk when left active between uses. The wp-file-manager plugin vulnerability disclosed in September 2020 affected over 700,000 sites and allowed unauthenticated attackers to upload malicious PHP files and execute arbitrary code.
The same principle applies to your /wp-content/uploads/ directory, which should serve static files only. If PHP execution is permitted there, an attacker who manages to upload a script (through a vulnerable plugin, or through a form that checks only the file extension) can run it with a single request. On Apache, add a rule to a .htaccess file inside the uploads directory that refuses to serve anything PHP might execute; this only takes effect if your host allows .htaccess overrides for that path:
<FilesMatch "\.(php[0-9]?|phtml|phar)$">
Require all denied
</FilesMatch>
On Apache 2.2 the directive is Order deny,allow followed by Deny from all instead of Require all denied. nginx never reads .htaccess; there the equivalent is a location block for /wp-content/uploads/ that returns 403 for those extensions, and it has to go in the server configuration. After adding the rule, place a harmless test file such as /wp-content/uploads/test.php and confirm a request for it returns 403 rather than 200 or an executed response, then delete it.
Deactivate and delete file manager plugins between uses. WordPress does not load an inactive plugin's code, but its files stay on disk and remain reachable by URL; a PHP file inside the plugin that can be requested directly, and that does not check it is running inside WordPress, is exploitable whether or not the plugin is active. An inactive plugin is also one you will forget to update.
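Two things are worth checking on an existing uploads directory: whether anything executable has already been dropped there, and whether the .htaccess block is actually present. The script below is an added example, not code from the original article. It assumes Apache with .htaccess overrides enabled and takes the uploads path as its argument; the demo tree it builds is constructed sample data, not a real site.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit a WordPress uploads tree for
# anything PHP could execute and for the .htaccess deny rule described in the text.
# Assumes Apache with .htaccess overrides enabled; the directory path is passed in.

find_script_files() {  # find_script_files <uploads_dir>: lists files PHP might execute
  # Matches php/phtml/phar/php5-style names and double extensions such as shell.php.jpg,
  # which Apache's mod_mime can still hand to PHP when AddHandler is in use.
  find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \
    -o -iname '*.php[0-9]' -o -iname '*.php.*' \) 2>/dev/null | sort
}

has_php_block() {  # has_php_block <uploads_dir>: 0 if .htaccess denies PHP files, 1 otherwise
  local ht="$1/.htaccess"
  [ -f "$ht" ] || return 1
  grep -qiE '<Files(Match)?[^>]*php' "$ht" && grep -qiE 'Require all denied|deny from all' "$ht"
}

audit_uploads() {  # audit_uploads <uploads_dir>: prints findings, returns 1 if anything is wrong
  local dir="$1" rc=0 hits
  hits=$(find_script_files "$dir")
  if [ -n "$hits" ]; then
    printf 'script files present under %s:\n%s\n' "$dir" "$hits"
    rc=1
  fi
  if ! has_php_block "$dir"; then
    echo "no PHP execution block in $dir/.htaccess"
    rc=1
  fi
  return $rc
}

demo_uploads() {  # builds a constructed sample tree (not a real site) and prints its path
  local root
  root=$(mktemp -d)
  mkdir -p "$root/2024/05"
  printf 'GIF89a' > "$root/2024/05/photo.gif"             # an ordinary upload
  printf '<?php echo 1;' > "$root/2024/05/image.php.jpg"  # stands in for a dropped webshell
  echo "$root"
}

if [ $# -ge 1 ]; then
  # Usage: ./audit-uploads.sh /var/www/html/wp-content/uploads
  audit_uploads "$1"
fi
```

A hit from find_script_files is not proof of compromise (some plugins wrongly ship PHP into uploads), but every one should be explained before it is left in place; a file with a double extension in a year/month folder almost never has an innocent explanation.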
5. Misconfigured file permissions
File permissions control who can read, write, and execute files on your server. The correct settings for WordPress are 644 for files and 755 for directories. When permissions are looser than that, for example 777 on a directory, every account on the server can write there, including other customers on the same shared host, and a compromise of any of them becomes a compromise of your site.
wp-config.php deserves particular attention. It holds your database credentials and authentication salts, and if it is world-readable, any other account or compromised process on a shared server can read the database password and connect directly. Set it to 640 if the web server runs as a different user in the same group as the file owner (the usual www-data setup), or 600 if PHP runs as the file owner (per-user PHP-FPM pools or suPHP); 600 under a www-data setup makes the file unreadable to PHP and takes the site down, so check which user the PHP process runs as before tightening. Check and correct permissions through your hosting control panel's file manager, over SFTP with a client such as FileZilla, or over SSH with find and chmod.
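Over SSH the whole audit and fix is a few find invocations. The script below is an added example, not code from the original article; it assumes a POSIX find and chmod and takes the WordPress root as its argument. The demo tree it builds is constructed sample data reproducing the loose settings described above.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): audit and repair WordPress file modes.
# Assumes POSIX find/chmod; pass the WordPress root as the first argument.
# Expected modes: 755 for directories, 644 for files, 640 (or 600) for wp-config.php.

find_bad_perms() {  # find_bad_perms <wp_root>: lists entries that deviate from 755/644
  find "$1" -path "$1/wp-config.php" -prune -o \
    \( -type d ! -perm 755 -o -type f ! -perm 644 \) -print | sort
}

wpconfig_world_readable() {  # wpconfig_world_readable <wp_root>: 0 if the other-read bit is set
  [ -n "$(find "$1/wp-config.php" -perm -004)" ]
}

fix_perms() {  # fix_perms <wp_root> [config_mode]
  # 640 keeps wp-config.php readable for a web server in the owner's group (www-data setups);
  # pass 600 only when PHP runs as the file owner, otherwise the site stops loading.
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod "${2:-640}" "$1/wp-config.php"
}

demo_site() {  # constructed sample tree (not a real site) with the loose settings from the text
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads"
  : > "$root/index.php"
  : > "$root/wp-config.php"
  : > "$root/wp-content/uploads/a.jpg"
  chmod 755 "$root" "$root/wp-content"
  chmod 644 "$root/index.php" "$root/wp-content/uploads/a.jpg"
  chmod 777 "$root/wp-content/uploads"   # world-writable directory
  chmod 644 "$root/wp-config.php"        # world-readable database credentials
  echo "$root"
}

if [ $# -ge 1 ]; then
  # Usage: ./audit-perms.sh /var/www/html   (add "fix" as a second argument to repair)
  echo "Entries with unexpected modes under $1:"
  find_bad_perms "$1"
  if wpconfig_world_readable "$1"; then echo "wp-config.php is world-readable"; fi
  if [ "${2:-}" = "fix" ]; then fix_perms "$1"; fi
fi
```

Run the audit before the fix and read the list: a directory that a plugin legitimately needs to write to (a cache folder, for instance) will show up as 755 after the fix, and if the plugin then breaks, the answer is to make the PHP user the owner of that one directory rather than to reach for 777 again.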
Quick wins checklist
- Enable automatic updates for all plugins and themes
- Enable two-factor authentication on every admin and editor account
- Set a unique password on your WordPress login using a password manager
- Confirm WordPress core is on the latest stable release
- Deactivate and delete file manager plugins when not actively in use
- Add a PHP execution block to your uploads directory .htaccess
- Set wp-config.php permissions to 600
- Set all directories to 755 and all files to 644
One thing site owners frequently overlook: the attack surface does not shrink on its own. Every plugin you add, every new admin account you create, and every permission you loosen for convenience is a change that needs to be reviewed against these five vectors. A site that passes all five checks today can fail them tomorrow after a single careless update or a new user account with a recycled password.
If you want me to audit your WordPress site against all five of these entry points and fix what I find, book a security audit. Given that credential stuffing alone generates over 16 billion login attempts annually, the question is whether your site gets caught in that sweep before the audit is done or after.