At WordPress Doctor, we perform malware removal and security hardening for several hundred sites per year.
Based on this experience, we would like to share the characteristics of the sites that end up hacked, hijacked, or defaced.


WordPress is said to be used by 30% of all websites, and probably more than 5 million sites are operated on WordPress in Japan.

Therefore, even if the percentage of hacked sites is extremely small (say 0.1%), that is still a very large number of sites (5,000 of 5 million), which is why it looks as though a great deal of hacking damage is occurring.
However, in our experience more than 90% of that 0.1% are sites that share certain characteristics. We will explain the five most common ones.
In other words, if you avoid these characteristics, you can prevent more than 90% of hacks.

1 Sites that have been abandoned for several years

The most common sites that have been tampered with are abandoned sites. If a site that nobody has logged in to for several years is still sitting on the server, the risk of it being hacked is high.
Recently, around 60% of the WordPress hacks we see involve malicious files embedded by exploiting vulnerabilities in plugins or in WordPress itself, so several such vulnerabilities may have accumulated on an abandoned site without anyone noticing.

If you have unnecessary sites on your server, please delete them, and if they are necessary even if they are abandoned, please update WordPress itself and plugins and take security measures.

Reference
Five free WordPress security measures

2 Sites that have not been updated

If plugins and WordPress itself have not been updated for a long period, vulnerabilities may have accumulated, just as in 1.
However, some web production companies tell their clients not to update WordPress or plugins, and updates sometimes break things, so in practice it can be difficult to update frequently.

In such cases, common practice is to apply the update on a test (staging) copy of the site first, confirm that everything still works, and then apply it to production. Another approach is to check only for known vulnerabilities and give priority to updating the plugins that are actually vulnerable.
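As an added example (not WordPress Doctor's code), the script below takes the JSON that `wp plugin list --format=json` prints and orders the updates so that plugins with a known-vulnerable version installed come first. The plugin names, versions and the "fixed in" table are constructed and hypothetical; in practice the table would come from a vulnerability feed. The one detail worth seeing is the version comparison: compared as strings, "1.9.2" sorts above "1.10.0", so a naive check would wrongly report the vulnerable plugin as already fixed.

```python
"""Prioritise WordPress plugin updates from `wp plugin list --format=json`.

Added example, not WordPress Doctor's code. Plugin names, versions and the
FIXED_IN table are constructed for illustration only.
"""
import json

# Constructed sample in the shape WP-CLI returns (name, status, update,
# version and update_version are real fields of `wp plugin list`).
WP_PLUGIN_LIST_JSON = json.dumps([
    {"name": "example-gallery", "status": "active", "update": "available",
     "version": "1.9.2", "update_version": "1.10.0"},
    {"name": "example-forms", "status": "active", "update": "available",
     "version": "3.4.0", "update_version": "3.4.1"},
    {"name": "example-seo", "status": "inactive", "update": "available",
     "version": "2.0.0", "update_version": "2.1.0"},
    {"name": "example-cache", "status": "active", "update": "none",
     "version": "5.2.0", "update_version": None},
])

# Hypothetical advisory table: plugin -> first version that fixed the issue.
# Versions below the listed one are treated as vulnerable.
FIXED_IN = {
    "example-gallery": "1.10.0",
    "example-seo": "2.0.5",
}


def parse_version(v):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric.

    As plain strings '1.9.2' > '1.10.0', which is the wrong answer.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(name, version):
    fixed = FIXED_IN.get(name)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def prioritise_updates(plugin_list_json):
    """Return (priority, plugin_name, reason) tuples, most urgent first."""
    rows = []
    for p in json.loads(plugin_list_json):
        if is_vulnerable(p["name"], p["version"]):
            reason = "known vulnerable version installed"
            # An inactive plugin's PHP files are still on disk and still
            # reachable by URL, so it is not safer than an active one.
            if p["status"] != "active":
                reason += " (inactive: delete it if it is not needed)"
            rows.append((0, p["name"], reason))
        elif p["update"] == "available":
            rows.append((1, p["name"], "update available, no known vulnerability"))
    rows.sort()
    return rows


if __name__ == "__main__":
    for priority, name, reason in prioritise_updates(WP_PLUGIN_LIST_JSON):
        print(f"P{priority} {name}: {reason}")
```

Run it against the real output of `wp plugin list --format=json` by replacing the constructed constant; the priority-0 rows are the ones to test on staging and push to production first.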

↓Try a security plugin that can perform vulnerability checks.
[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]

WordPressDoctor provides experienced professionals who can safely update your WordPress system on your behalf. Please feel free to send us your inquiries.

3 Sites with easily predictable passwords for admin users

If the WordPress administrator password is weak, administrator privileges can be taken over by a brute force attack (an attack in which tens of thousands of login attempts are made mechanically until one of them succeeds).

The safest WordPress administrator password is the one WordPress generates for you. If you are using a simple password, go to Administration > Users > Edit, generate a new password there, and use it; never reuse a password from another service.
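A brute force attack like the one described above is visible in the web server's access log long before it succeeds. The following is an added example (not WordPress Doctor's code) that scans combined-format access log lines for it. It relies on two facts about WordPress: a failed POST to wp-login.php re-renders the login form with status 200, while a successful one answers with a 302 redirect to the dashboard, and xmlrpc.php also accepts password guesses. The log lines are constructed; the threshold of 10 is an assumption you should tune.

```python
"""Spot login brute forcing in a WordPress access log.

Added example, not WordPress Doctor's code. The log lines are constructed.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def _line(ip, sec, method, path, status, ua="Mozilla/5.0"):
    """Build one constructed combined-log-format line."""
    return (f'{ip} - - [10/Oct/2023:13:55:{sec:02d} +0900] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"')


# Constructed sample: one attacker who succeeds after 12 failures, one
# normal admin login, and one script hammering xmlrpc.php.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", s, "POST", "/wp-login.php", 200) for s in range(12)]
    + [_line("203.0.113.7", 12, "POST", "/wp-login.php", 302)]
    + [_line("198.51.100.4", 20, "GET", "/wp-login.php", 200),
       _line("198.51.100.4", 25, "POST", "/wp-login.php", 302)]
    + [_line("192.0.2.9", 30 + s, "POST", "/xmlrpc.php", 200, "python-requests/2.31")
       for s in range(15)]
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, threshold=10):
    """Return sorted (level, ip, description) findings."""
    failed = Counter()          # failed wp-login.php POSTs per IP
    xmlrpc = Counter()          # xmlrpc.php POSTs per IP
    succeeded_after_failures = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        path = rec["path"].split("?")[0]
        if path.endswith("/wp-login.php"):
            if rec["status"] == "200":
                failed[rec["ip"]] += 1          # form re-rendered: login failed
            elif rec["status"] == "302" and failed[rec["ip"]] >= threshold:
                succeeded_after_failures.add(rec["ip"])   # redirect: login succeeded
        elif path.endswith("/xmlrpc.php"):
            xmlrpc[rec["ip"]] += 1
    findings = []
    for ip, n in failed.items():
        if n >= threshold:
            level = "CRITICAL" if ip in succeeded_after_failures else "WARNING"
            findings.append((level, ip, f"{n} failed wp-login.php POSTs"))
    for ip, n in xmlrpc.items():
        if n >= threshold:
            findings.append(("WARNING", ip, f"{n} POSTs to xmlrpc.php"))
    return sorted(findings)


if __name__ == "__main__":
    for level, ip, what in analyse(SAMPLE_LOG):
        print(level, ip, what)
```

A CRITICAL finding (many failures followed by a redirect from the same address) means the guessing most likely worked, and that account's password should be changed immediately. Behind a reverse proxy or CDN the first field is the proxy's address, so you would need to read the client IP from the X-Forwarded-For header your proxy logs instead.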

4 A large number of unneeded programs are left on the server.

Are there large numbers of unused plugins or themes, test sites, site backups (archives of PHP files or database dumps), program remnants, preview sites, phpMyAdmin, old Movable Type installations, or other unused PHP programs left on the server?

Hackers can find these files through search engines or by guessing URLs, and then exploit their vulnerabilities.

Unused themes and plugins can be deleted from the WordPress administration page, so be sure to delete them rather than just deactivating them: a deactivated plugin's PHP files are still on the server and can still be requested directly by URL.
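Finding these leftovers by hand on a server with years of history is tedious, so here is an added example (not WordPress Doctor's code) that walks a document root and reports the categories listed above: a second wp-config.php below the main one (a forgotten copy of the site), backup archives and database dumps, directories with tool or leftover names such as phpmyadmin or backup, and plugin or theme directories that are not in the active set. The directory tree is constructed in a temporary directory; the active plugin and theme names are assumed inputs that you would normally get from `wp plugin list --status=active --field=name` and `wp theme list --status=active --field=name`.

```python
"""Audit a WordPress document root for leftover programs and files.

Added example, not WordPress Doctor's code. The sample tree is constructed
in a temp directory; active plugin/theme names are assumed inputs.
"""
import os
import tempfile

ARCHIVE_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz",
                    ".bak", ".old", ".orig")
# Directory names that usually mean an admin tool or a forgotten copy.
RISKY_DIR_NAMES = {"phpmyadmin", "adminer", "mt", "old_mt", "backup", "test", "old"}

# Constructed sample document root (relative paths).
SAMPLE_TREE = [
    "wp-config.php",
    "wp-includes/version.php",
    "wp-content/plugins/akismet/akismet.php",
    "wp-content/plugins/old-slider-copy/old-slider.php",
    "wp-content/themes/twentytwentythree/style.css",
    "wp-content/themes/twentytwentythree-copy/style.css",
    "backup/site-2019.zip",
    "public_backup.sql",
    "wp-config.php.bak",
    "test/wp-config.php",            # a second, forgotten WordPress install
    "test/wp-includes/version.php",
    "phpmyadmin/index.php",
    "old_mt/mt.cgi",
]


def build_sample_tree(root):
    for rel in SAMPLE_TREE:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed sample file\n")


def audit(root, active_plugins, active_themes):
    """Return sorted (kind, relative_path) findings for the tree under root."""
    findings = []
    root = os.path.abspath(root)
    plugins_dir = os.path.join("wp-content", "plugins")
    themes_dir = os.path.join("wp-content", "themes")
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        # A wp-config.php anywhere below the root is a second install.
        if rel and "wp-config.php" in filenames:
            findings.append(("nested-wordpress", rel))
        for d in dirnames:
            child = os.path.join(rel, d) if rel else d
            if d.lower() in RISKY_DIR_NAMES:
                findings.append(("admin-tool-or-leftover-dir", child))
            if rel == plugins_dir and d not in active_plugins:
                findings.append(("inactive-plugin", child))
            if rel == themes_dir and d not in active_themes:
                findings.append(("inactive-theme", child))
        for f in filenames:
            if f.lower().endswith(ARCHIVE_SUFFIXES):
                findings.append(("backup-or-dump", os.path.join(rel, f) if rel else f))
    return sorted(findings)


def run_sample(active_plugins=("akismet",), active_themes=("twentytwentythree",)):
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root, set(active_plugins), set(active_themes))


if __name__ == "__main__":
    for kind, path in run_sample():
        print(f"{kind:28s} {path}")
```

Pass the parent theme as well as the child theme in active_themes if the site uses a child theme, since deleting the parent breaks the site. Everything the script reports should either be deleted or, if it is genuinely needed, moved outside the document root where it cannot be requested by URL.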

5 Webmasters who believe that their sites cannot be hacked

It is dangerous to believe that your site cannot be hacked on the basis of any of the assumptions below.
If any of them applies to you, we recommend taking security measures.

Dangerous security assumptions in site operation

The number of accesses is small, so it cannot be hacked.
→If a site can be accessed via search engines, it can be hacked regardless of the number of accesses.

You can't be hacked because you have security plugins installed.
→About 60% of WordPress hacks are due to program vulnerabilities. Most security plugins have no function that closes vulnerabilities, and even those that do (e.g. Wordfence) are limited in what they cover and cannot block a newly discovered vulnerability they do not yet know about.

You can't be hacked because the administration (login) screen is protected by a security plugin.
→Attacks through the login screen account for less than 20% of WordPress hacks. About 60% are due to program vulnerabilities, and hardening the administration (login) screen does nothing to close those, so the site can still be compromised.