How WordPress Sites Actually Get Hacked: 7 Real Attack Paths
By WP Vanguard Team
In 2025, researchers found 11,334 new vulnerabilities in the WordPress ecosystem, a 42% jump from the year before. Sucuri scanned 70.8 million websites and flagged over 1.1 million as infected. Wordfence blocks 55 million exploit attempts every single day.
These are not abstract numbers. They represent real sites owned by real people who woke up to malware warnings, lost search rankings, or found their customers redirected to scam pages.
Here are the seven ways it actually happens, backed by the latest data.
1. Outdated Plugins With Known Vulnerabilities
This is the number one attack path. According to Patchstack's 2026 State of WordPress Security report, 91% of all WordPress vulnerabilities come from plugins. Not core. Not themes. Plugins.
The timeline is brutal: once a vulnerability is publicly disclosed, 20% of attacks begin within 6 hours. By 24 hours, 45% of vulnerable sites are being targeted. Within a week, 70% have been hit.
The worst part: 46% of vulnerabilities never get fixed by the developer. The plugin just sits there, exposed, and the site owner has no idea.
What happens: Automated bots scan millions of sites for known vulnerable plugin versions. When they find a match, they exploit the flaw instantly. No human involved. The bot injects a backdoor, and the attacker returns later to install malware.
What stops it: Version detection and CVE matching. A scan from WP Vanguard checks your plugin and theme versions against four vulnerability databases (Wordfence Intelligence, Patchstack, WPScan, and WPVulnerability.net) covering 38,000+ known CVEs. If your Contact Form 7 is two versions behind and has a known SQL injection, the scan flags it.
2. Weak Passwords and Brute Force Attacks
Sucuri's data shows that insecure or stolen passwords are behind a large share of WordPress compromises. Wordfence blocks 65 million brute force login attempts daily, but many sites have no rate limiting at all.
Attackers use credential stuffing, taking email/password pairs from data breaches at other services and trying them against WordPress login pages. If you reused a password from LinkedIn or Dropbox, your WordPress admin is already compromised.
What happens: Automated tools cycle through thousands of password combinations against wp-login.php. Some use leaked credential databases. Once inside, the attacker creates a new admin account (so they can return even if you change your password) and installs a backdoor plugin.
What stops it: Two-factor authentication, strong unique passwords, and login rate limiting. The $1 deep scan audits all admin accounts on your site, flags recently created users, and checks for suspicious app passwords that could indicate an existing compromise.
3. Nulled Themes and Plugins (Pirated Software)
This one is self-inflicted. Site owners download "free" versions of premium plugins from unofficial sources. These nulled copies almost always contain backdoors inserted by whoever cracked them.
The backdoor is part of the plugin code itself, so it survives updates (if you even get updates from a pirated source). Some nulled plugins look completely normal for weeks before activating their payload to avoid detection.
What happens: You install a nulled plugin, and it works perfectly. Meanwhile, hidden code phones home to the attacker's server, registers your site, and opens a backdoor. Weeks later, the attacker uses that backdoor to inject malware, redirect visitors, or add your server to a spam botnet.
What stops it: Never use nulled software. If you suspect you have one, the WP Vanguard deep scan checks file integrity and flags PHP files with obfuscated code patterns common in nulled plugins.
4. Abandoned and Sold Plugins (Supply Chain Attacks)
In 2024, the Balada Injector campaign alone infected over 149,000 websites. It exploits vulnerabilities in legitimate plugins, many of which were abandoned by their developers or quietly sold to new owners who injected malicious code.
Patchstack found that 46% of disclosed vulnerabilities had no developer fix at the time of disclosure. Some of those plugins have thousands of active installs and their developers have moved on.
What happens: A popular plugin stops getting updates. A known vulnerability is published. The developer does not respond. Thousands of sites running the plugin become targets. In the worst case, the plugin is sold to a new owner who pushes a "security update" that actually installs malware.
What stops it: Regular scanning catches vulnerable abandoned plugins before attackers do. The WP Vanguard surface scan checks your plugins against databases that track not just vulnerabilities but also plugins that have been removed from the WordPress.org repository.
5. File Upload Vulnerabilities
Patchstack's data shows arbitrary file upload vulnerabilities accounted for nearly 3% of all WordPress vulnerabilities in 2025, but they are among the most dangerous because they give attackers direct code execution on your server.
A recent example: the WP User Frontend plugin (4.2.8 and earlier) had an authenticated file upload vulnerability with a CVSS score of 8.8. Any user with Author privileges could upload arbitrary files, including PHP backdoors.
What happens: An attacker exploits a file upload flaw in a plugin to place a PHP web shell in your uploads directory. The web shell gives them full control: they can read your wp-config.php (getting database credentials), create admin accounts, modify any file, and install persistent backdoors that survive plugin updates.
What stops it: The WP Vanguard surface scan checks for PHP files in your uploads directory (they should never exist) and flags exposed upload paths. The deep scan goes further, scanning every directory for web shells, obfuscated PHP, and files with suspicious timestamps.
6. SEO Spam and Database Injections
Sucuri detected 422,741 instances of SEO spam across their scans in 2024. The three most common types: Japanese keyword spam (117,393 detections), hidden content spam (114,318), and gambling spam (79,817).
This attack is particularly insidious because it is designed to be invisible to site owners. The spam pages only show up in search results or when Google crawls your site. When you visit your own site logged in as admin, everything looks normal.
What happens: Attackers inject thousands of spam pages into your database, targeting pharmaceutical, gambling, or Japanese keywords. These pages hijack your domain authority to rank the attacker's content. Google eventually notices and flags your site as hacked, tanking your legitimate search rankings. Some injections also add hidden redirects that send mobile visitors to scam sites.
What stops it: The surface scan checks your site's visible content for SEO spam patterns, suspicious redirects, and hidden iframes. The deep scan examines your database directly, looking for injected content in posts, pages, and options tables that would be invisible from the outside.
7. Exposed Configuration Files and Debug Logs
This is the simplest attack path and the most preventable. Many WordPress sites leave wp-config.php backups (wp-config.php.bak, wp-config.old), debug.log files, and database backups accessible via direct URL.
These files contain database credentials, security salts, and sometimes complete error traces with file paths, query strings, and internal logic. An attacker who finds your debug.log may not even need to exploit a vulnerability; the log file hands them everything they need.
What happens: Automated scanners check for common backup file patterns: wp-config.php.bak, .sql files in the root directory, debug.log in wp-content. If found, the attacker downloads your database credentials, connects directly to your MySQL server (if the port is open), and has complete access to your site data. With security salts, they can forge admin session cookies.
What stops it: The WP Vanguard surface scan probes for 15+ exposed file patterns including debug logs, config backups, database dumps, and directory listings. This check runs on every free scan and catches the issue before an attacker does.
The Common Thread
Every attack path above shares one trait: they exploit the gap between when a vulnerability exists and when the site owner finds out about it. That gap averages days to weeks. For many site owners, it stretches to months.
Regular scanning closes that gap. A free surface scan at wpvanguard.com takes 30 seconds and checks for the most common attack surfaces: outdated software with known CVEs, exposed files, malicious scripts, and suspicious redirects.
If something looks wrong, the $1 deep scan connects via SSH to examine every file, database table, and user account on your server. And if malware is confirmed, the $49 cleanup service removes it within 24 hours. First cleanup is free.
The data is clear: WordPress sites do not get hacked by sophisticated zero-day exploits. They get hacked by known vulnerabilities in outdated plugins, weak passwords, and exposed files. All of which are detectable and preventable.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.