
3 Real Reasons Why WordPress Websites Get Hacked?

By Shaun Killian


To understand the best way to stop your WordPress website from being hacked, you first need to learn how websites like yours get hacked. Discover the 3 most common hacks – the answers may surprise you!

1. Session Hijacking

When you log into a website, you do not have to log in again whenever you visit a new page. Sometimes, you can even close your internet browser, open it again and you remain logged in.

When you log into a website, your browser stores session cookies. These are small pieces of data that your browser sends back with each request, allowing you to ‘stay logged in’ for a time.

Renowned security expert Thomas J. Raef published an extensive study that revealed that session hijacking using stolen session cookies was responsible for 60% of WordPress website hacks in 2023.

Why? Because the widespread use of two-factor authentication (2FA) made other ways of hacking sites much harder.

How to Protect Yourself Against Session Hijacking

There are 4 things you can do to protect your website against session hijacking:

  1. Protect your devices (computers, phones, etc.). Hackers use malware on your computer to steal session cookies. So, install security software on your devices. There is a range to choose from. Personally, I recommend Bitdefender Total Security.
  2. Never Click ‘Remember Me’. When you log into a website, you are often given the option to ‘remember me’. Clicking on this option can extend the lifespan of session cookies to up to 14 days. Please don’t do it.
  3. Always Log Out. When you are finished working on your website, always log out. This ends the lifespan of your session cookie.
  4. Don’t Use Unsecured Wi-Fi. Other people may be able to access your computer when you connect to public, unsecured Wi-Fi.
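
The ‘Remember Me’ and log-out advice above relies on every user following it; a site owner can also cap session lifetime on the server. The must-use plugin below is an added example, not code from the original article: it relies on WordPress's `auth_cookie_expiration` filter and `auth_cookie_valid` action, while the `example_session_cap` name, the file name and the 4-hour cap are assumptions.

```php
<?php
/**
 * Plugin Name: Session lifetime cap (added example)
 * Install as wp-content/mu-plugins/session-cap.php. The example_* names and
 * the 4-hour value are assumptions for this example, not WordPress defaults.
 */

// Longest session allowed for a user, in seconds.
function example_session_cap( $user_id ) {
	// Accounts that can change site settings or other people's content
	// are the most valuable to a cookie thief, so they get the short cap.
	$privileged = user_can( $user_id, 'manage_options' )
		|| user_can( $user_id, 'edit_others_posts' );
	return $privileged ? 4 * HOUR_IN_SECONDS : 2 * DAY_IN_SECONDS;
}

// New logins: WordPress passes 14 days when "Remember Me" is ticked and
// 2 days otherwise. Never hand out more than the cap.
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
	return min( $length, example_session_cap( $user_id ) );
}, 10, 3 );

// Existing logins: a cookie issued before this file was installed keeps its
// original expiry, so check the session's login time on every request.
add_action( 'auth_cookie_valid', function ( $cookie_elements, $user ) {
	$manager = WP_Session_Tokens::get_instance( $user->ID );
	$session = $manager->get( $cookie_elements['token'] );
	if ( $session && isset( $session['login'] )
		&& time() - $session['login'] > example_session_cap( $user->ID ) ) {
		// Takes effect from the next request: the cookie stops validating.
		$manager->destroy( $cookie_elements['token'] );
	}
}, 10, 2 );
```

With this in place, a stolen administrator cookie stops working at most 4 hours after the login that created it, whether or not ‘Remember Me’ was ticked.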

2. Plugin Vulnerabilities

Raef’s study also revealed that 33% of hacks came through vulnerabilities in your website’s code. This is the second most common way hackers get into WordPress websites.

Websites are built using different types of code, in much the same way as your home is built using different materials. This code includes:

  • WordPress core code
  • Theme code
  • Plugin code

Hackers find vulnerabilities in code in much the same way that burglars find weaknesses in parts of your house – e.g., a broken latch.

Technically, hackers can find and exploit vulnerabilities in any code. But, according to security expert Oliver Sid, plugin code is far more likely to contain security vulnerabilities.

How to Protect Yourself Against Plugin Vulnerabilities

There are two things you can do to protect your website against plugin (and other code) vulnerabilities:

  1. Update: Keep your plugins (and other code) updated.
  2. Patch: Apply virtual patches to known vulnerabilities.

My maintenance plans do both of these for you.

3. Stolen Credentials

Finally, Raef’s research revealed that 7% of hacks used stolen login credentials.

How do hackers steal your username and password?

One common mistake people make is using the same username (email) and password for multiple accounts. If you do this, and one of those accounts is hacked, hackers can access all your accounts.

Check known hacks involving your email address at

How to Stop Hackers Using Stolen Credentials

There are 2 things you can do to stop hackers from using stolen credentials to get into your website:

  1. Unique Passwords: Use a completely different password for each of your online accounts. Given the number of accounts people have, you should use a secure password manager to track them all.
  2. 2FA or Two-Factor Authentication: Set up a system where, after entering a username and password, your website sends a code (e.g., to your phone). This way, stolen credentials, on their own, will not be enough to access your website.

How Do WordPress Websites Get Hacked in a Nutshell?

But session hijacking, plugin vulnerabilities and stolen credentials accounted for nearly all of the successful hacks in 2023.


Shaun Killian (aka the WP Wheelie) has been working with WordPress since 2007.

I'm here to help you with your WordPress website.

I call myself the WordPress Wheelie (WP Wheelie) because I am:

An expert in WordPress.

Confined to a wheelchair (no legs).
