TL;DR: People hack into websites for multiple reasons and even small businesses are at risk. We explore why before outlining some common points of entry. 

We hear about cyber security attacks all the time. In 2021 alone, some of the world’s largest companies—from Colonial Pipeline to SolarWinds to Twitch—were infiltrated.

It’s becoming increasingly clear that the security of multinationals’ online assets is incredibly vulnerable. But what about smaller businesses owners?

When these large-scale attacks hit the news, we can be lulled into a false sense of security. It makes sense that they would want to go after multi-billion dollar companies. Small WordPress websites, on the other hand, are simply too small to bother with… right?

Unfortunately, that’s simply not the case.

If you are a small business owner running a WordPress website, you are just as likely to be a target of malicious actors.

tiles spelling out the word why.

Why do people hack into websites?

We’ve spoken before about how WordPress’s large market share makes it a target for malicious actors, as well as common points of entry.

If you want to assess your current WordPress security status and find out the key initial steps you need to take, check out that post for more information. 

There are wide-ranging motivations for why individuals try to hack into websites, which we can group into three broad categories.

Whitehat hackers

Generally, whitehat hackers are web developers or security professionals hired by larger companies to help find existing security weaknesses within their systems or software. 

As an example, hackerone exists for this very reason, where hackers can be paid a bounty for finding and reporting security issues. Large companies, including Automattic, the foundation behind WordPress, actively use services like hackerone to help improve the security of the systems you use every day.

In general, whitehat hackers won’t be attempting to hack into your website directly.


Next, we have those whose motivation is more political or social in nature. Their main goal is to bring about some sort of change by accessing classified information and exposing it. 

While most small business owners likely don’t have to worry about hacktivists breaking directly into their websites, oftentimes they will gain access and expose your personal information, including email addresses and passwords that you might be using for multiple systems or services. To keep up with what information of yours might be exposed, we highly recommend checking out Have I Been Pwned? and subscribing to get alerts when your data is exposed. 

Blackhat hackers

This is the group that we generally refer to when we talk about “malicious actors.” They are the exact opposite of the whitehat hackers. While they also try to find website vulnerabilities, their main goal is to exploit the weaknesses for personal gain.

Why does my WordPress website appeal to blackhat hackers?

When individuals hack into websites, they are looking for any data and information that can be useful to them. This can include: 

  • Credit card details.
  • Contact information.
  • Username and passwords.
  • Classified information.
  • Information used to discredit competitors, whether individuals or organizations.
  • Adding malvertising or affiliate spam directed at visitors.
  • SEO spam directed at search engines.

Financial gain

Most of this information above can be used in some way or another for unethical financial gain. 

The most obvious would be to steal customers’ credit card information, including the CVV and billing address. If a hacker gets hold of this information, they will be able to directly steal from your customers by making unauthorized purchases. 

But this isn’t the only way they can use your website’s vulnerabilities to make money. Any information that your customers provide can also be exploited. For example, if the hackers get control of your customers’ email addresses, they may choose to sell these details on to unethical marketers. 


What’s important to note is that all the sensitive information you have on your website can be extorted. You may think your website is too small for anyone to be interested in tapping into your traffic. And if it was only your website, that may be the case. But cybercriminals will often use the server resources of several websites to make the scale of their attack worthwhile. This is common in SEO spam, pharma hacks, or defacements, for example.

Protecting against website malware

When it comes to the overall safety of your business, there are several methods malicious actors use to attempt and access your information. However, when talking specifically about your website’s security, it’s important to protect against website malware. 

Website malware is the general term for malicious software that intentionally harms a website or makes illegitimate monetization possible. What’s more, the software that hackers use has become increasingly complex over the years. Now, many are able to avoid being detected even after infiltrating your website. 

photo of someone unlocking a door with a digital keycard.

Common points of entry

Unfortunately, attackers will use any means possible to access your website. Effectively protecting against these attacks requires a concerted and comprehensive security effort. Some of the most common vulnerabilities include:

1) Credentials and access control 

Locking down who has access to what and how is vital to protecting your website. Hackers use brute force attacks to attempt guessing login credentials and gaining access to your systems. In the worst case, they can gain control of your hosting control panel, server or your content management system (such as WordPress). The main way to avoid this is by using strong passwords, implementing multi-factor authentication, and being careful with granting third-party user access. 

2) Software vulnerabilities

A frequent point of entry comes from failing to update software or plugins. If any known vulnerabilities are discovered, bad actors will automate their attacks and can infect thousands of websites with frightening speeds. This is why it’s so important to always keep your website and CMS up to date and run the latest security patches. You can also use a Web Application Firewall to better protect you. 

3) Nulled third-party components

A “nulled” WordPress plugin or theme is one that is sold by a third party as opposed to the original developer at a lower price than the original.

While installing a nulled third-party component doesn’t necessarily mean it will contain malware, the chances of it being compromised are much higher. In fact, a WordFence report claims that they were the most common source of malware injection in 2020.  

Even if the component doesn’t harm your website, the fact that they remove the licenses and sell them at a lower price raises a number of ethical questions. To avoid this, we recommend doing your research and ensuring you’re downloading your component from a trusted website. As a general rule of thumb, if you find a free component which you would usually pay for, it is a serious red flag. 

4) Various third-party integrations or scripts

Third-party scripts (such as plugins) are commonly employed to enhance a website’s functionality. Unfortunately, each added plugin increases the risk profile of your website. As the number of third-party scripts installed grows, it could prove more and more difficult to identify a compromise if one were to happen.

In general, try to keep third-party integrations to a minimum and carry out extensive research on each before installing them on your production website. 

risk dial and meter set to the maximum setting.

5) Risks of insecure hosting 

When it comes to choosing a hosting provider for your business, price should be the last factor weighted into your decision. Generally, the majority of cheap host providers (those charging less than a cup of coffee a month for unlimited everything) tend to not have the best security practices in place. Their antiquated shared hosting setup often leaves your website susceptible to security threats due to improper segregation of websites on overstuffed servers. With this poorly configured setup, if just one website is compromised, all websites can be put at risk and contaminated. 

The best way to protect your business is doing some research to be sure you choose the best hosting provider you can afford. We recommend finding a managed hosting provider you can trust and that provides the right balance of security, performance and support to meet your business needs. Although you will find these options to be more expensive, what you gain in safety, performance, and overall experience will make it worth the extra expense. 

The impact on your business

There are countless scams, tactics, points of entry, and individuals willing to exploit your website, but the impact on your business is always the same. You will either lose your customers’ trust or take a financial hit. In the worst cases, it can mean having to close your business indefinitely.

That’s why it’s so important that even small business owners take their WordPress security seriously. You can’t assume that you are too small to matter or that you will fly under the radar. It simply doesn’t work that way. 

About The Author
Justin Korn

Justin is the founder of Watchdog Studio, and former Director of IT at both Wells Fargo Securities and AirTreks. A prodigy of the dotcom era, he now provides businesses in Oakland, California and the surrounding Bay Area with honest, expert website services to drive growth.