5 Reasons which make WordPress vulnerable to cyber-attacks


WordPress is the fastest-growing and most popular CMS in the world because of its user-friendly features, but when it comes to the security of WordPress websites, are they really safe? According to a study by Sucuri, out of 8000 infected websites, 74% were built on WordPress. Here are five reasons which make WordPress vulnerable to frequent cyber attacks.

1. The price of popularity

WordPress powers over 43.3% of all websites on the Internet. Being the most widely used CMS platform across the globe, WordPress is therefore a popular target for data breaches, hacking attempts, malware and Trojan attacks. Below are the statistics showing the popularity of WordPress as compared to other content management systems. According to Sucuri, 83% of all hacked CMS-based websites are built on WordPress. According to WordPress, there are about 22.9 million page views on WordPress sites per month. This makes WordPress an attractive target for hackers. The way they see it, the larger the audience, the greater the potential damage an attack can inflict.

2. PHP and WordPress

The bulk of the core WordPress software is written in PHP. PHP is an open-source, server-side scripting language that is primarily used for web development. PHP is known for releasing new versions within a short span of time, packed with new updates and enhanced security features, and, most importantly, for ending the life of previous or outdated versions. End of life refers to versions that no longer receive security support and may therefore be exposed to unpatched security vulnerabilities. As of December 31st, 2018, PHP 5.6 reached its end of life, which, from a security perspective, officially marked the end of the era of WordPress 5, launched 14 years ago. As of November 30, 2020, PHP 7.2 reached its end of life. According to the official WordPress Stats page, over 35% of WordPress users are still on PHP 5.6 or lower. If we combine this with PHP 7.0 and 7.1, a whopping 64% of WordPress users are currently running PHP versions that are no longer supported as of December 2019. This is bad not only from a security perspective, but also because a large portion of WordPress sites are still not taking advantage of the additional performance enhancements of PHP 7.

3. Unsecure themes and plugins

According to WPScan, 52% of WordPress vulnerabilities are due to WordPress plugins. In one study, it was reported that 4000 websites were infected by malware due to a fake SEO plugin. The Panama Papers leak, in which 4.8 million emails were exposed, was due to a WordPress plugin vulnerability. New plugin vulnerabilities surface every day, between one update and the next. Every plugin we add increases the chance of issues with our site, and with it the risk that one of them will 'brick' the site. It's like heavy clay bricks on a construction site: one brick on its own doesn't have much use, apart from acting as a door stop. Simply put, more plugins mean more exposed vulnerabilities, which in turn makes WordPress websites more prone to breakdowns and crashes, especially during peak hours when traffic is very high.

4. Ease of access  

The default backend login page for any given WordPress site is relatively easy to find: anyone can take the site's main URL, append /wp-admin or /wp-login.php to the end, and reach the login page. Thanks to this ease of access, attackers can try pairing the default "admin" username with simple, common passwords, which paves the way for unauthorized logins. Unauthorized logins are typically performed by "brute force": the attacker uses a bot to quickly run through billions of potential username-password combinations. If they're lucky, they'll eventually guess the right credentials and gain access to the protected information. If we don't customize the default login page, attackers can easily find it and attempt a brute-force entry.
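The brute-force pattern described above leaves a clear trace in the web server's access log: a burst of POSTs to /wp-login.php from one client. The following detector is an added example, not code from the original article; it assumes Apache "combined" log format and the default WordPress behaviour in which a failed login re-renders the form (HTTP 200) while a successful one redirects to the dashboard (HTTP 302), and runs over a constructed sample log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; groups: client IP, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Return (ip, time, method, path, status) for one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)

def find_bruteforce(log_text, threshold=3, window=timedelta(minutes=1)):
    """Flag IPs that POST to wp-login.php more than `threshold` times inside any
    `window`. A failed WordPress login re-renders the form (HTTP 200); a successful
    one redirects to the dashboard (HTTP 302), so a 302 after a burst of 200s means a
    guess worked and the account needs a password reset, not just an IP block."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].endswith("/wp-login.php"):
            by_ip[rec[0]].append((rec[1], rec[4]))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-sorted submissions
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = {"attempts": len(events),
                               "success": any(st == 302 for _, st in events[start:])}
                break
    return flagged

# Constructed sample (not from a real site): 203.0.113.7 fails three times in a few
# seconds and then gets a 302; 198.51.100.4 is a user who mistypes once and logs in.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Mar/2024:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:09:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Mar/2024:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Mar/2024:09:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:09:05:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
])
```

Calling `find_bruteforce(SAMPLE_LOG)` flags only 203.0.113.7, with the `success` field set because its burst ended in a 302; the threshold and window should be tuned to the site's normal login rate before the output is used to block or alert.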

5. Open Source Application 

WordPress runs on open source code and has a team specifically devoted to finding, identifying, and fixing WordPress security issues that arise in the core code. An open source license may either expressly or implicitly include an affirmative grant of rights relating to patents, such as the right to use, modify, distribute, and (under some open source licenses) sub-license software covered by the patent. Absent such a license, the developer, distributor or user would be infringing the patent owner's intellectual property rights without permission, and could therefore be sued by the patent owner. Unlike proprietary software, open source projects are transparent about potential vulnerabilities. Open source is generally easier to hack than closed source projects: the availability of the source code and the frequent use of other open source components add to the risk. The combination of flexibility and availability makes open source project hacking an opportunity that criminals are willing to seize.


WordPress has become a frequent target for hackers, especially because of the factors mentioned above. We must go the extra mile to ensure our site's safety, as it is the online face of our business. A hack-proof site will instill trust in our potential customers and hence aid the growth of our business.