Sucuri, one of the largest and most-respected internet security firms, has released a report about website hacking trends, providing details about what kinds of sites get hacked and how the hackers gain access to the site. One thing is very clear from the report: out-of-date plugins are the most common way for hackers to infiltrate a WordPress site.
Your first thought is probably, “I don’t need to worry – why would anyone want to target my little website?” The answer is simple: if your site is running WordPress, it is a target. Hackers don’t care how much traffic you get. WordPress powers 25% of the internet, and hackers spend their time and energy on the biggest target because that gives them access to the most websites. So any WordPress site is a potential target, regardless of its traffic or content.
So if your site is a target, what is the easiest thing you can do to protect it from hackers? Sucuri’s research shows that the most common way for hackers to gain access to a WordPress site is by exploiting vulnerabilities in out-of-date plugins. That means that the most important thing you can do to keep your site safe is to keep your plugins up to date.
Why do out-of-date plugins make your site vulnerable? Plugin developers are constantly searching for and fixing security vulnerabilities. When a security problem is fixed, there is often an announcement about it: sometimes it’s just a brief mention in the plugin’s changelog, sometimes there are blog posts alerting users to the vulnerability. This tells hackers that versions prior to the security fix are vulnerable, so any site still running one of those versions is exposed. Some plugins have very widely known security flaws; others are more obscure.
You should always keep your plugins up to date. We recommend logging in to your WordPress site at least once a week and updating all of your plugins. This is the simplest and most effective thing you can do to prevent your site from getting hacked.
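
If you have shell access to the server, the weekly check can be scripted with WP-CLI. The script below is an added example, not part of Sucuri's report; it assumes WP-CLI is installed as `wp` and is run from the WordPress root, and the plugin names in the sample data are constructed.

```shell
#!/usr/bin/env bash
# Weekly plugin-update check (added example).
# Assumption: WP-CLI is installed as `wp` and run from the WordPress root.

# Constructed sample of the output of:
#   wp plugin list --fields=name,status,update,version,update_version --format=csv
SAMPLE_CSV='name,status,update,version,update_version
contact-form-example,active,available,4.1,4.3.1
gallery-example,inactive,available,1.0.2,1.0.9
seo-example,active,none,3.2,'

# Read that CSV on stdin and print one line per plugin with a pending update.
# Inactive plugins are reported too: their files are still on the server.
outdated_plugins() {
  awk -F, 'NR > 1 && $3 == "available" {
    printf "%s %s -> %s (%s)\n", $1, $4, $5, $2
  }'
}

# Return 0 when every plugin is current, 1 when updates are pending.
check_plugins() {
  report=$(outdated_plugins)
  if [ -n "$report" ]; then
    printf 'Plugins needing an update:\n%s\n' "$report"
    return 1
  fi
  echo "All plugins are up to date."
}

if [ "${1:-}" = "--live" ]; then
  # Real site: report what is out of date, then update everything.
  if ! wp plugin list --fields=name,status,update,version,update_version \
        --format=csv | check_plugins; then
    wp plugin update --all
  fi
else
  # Offline demonstration on the constructed sample above.
  printf '%s\n' "$SAMPLE_CSV" | check_plugins || true
fi
```

Run with `--live` from a weekly cron job to replace the manual login; without arguments it only processes the sample data.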