How Hackers Break Into WordPress Sites (And How to Stop Them)

Hacking is illegal. We do not promote or encourage illegal hacking.

This article is written for educational purposes and responsible site management. It does not support or encourage any form of unauthorized access or illegal hacking. All methods discussed here are meant for ethical recovery, maintenance, or prevention.

WordPress powers over 40% of websites globally, making it a prime target for cyberattacks. If you’re a site owner, knowing how hackers infiltrate WordPress is essential to defending your platform. From brute force logins to exploiting outdated plugins, attackers use known weaknesses to take control of sites.

Understanding these threats is the first step toward a secure WordPress installation. Additionally, many site owners face situations where they lose access—due to forgotten credentials, email issues, or admin corruption. This article also covers ethical methods to regain control in such cases.

Before taking any recovery steps, make sure you’re authorized to manage the site. Unauthorized access is illegal and can lead to serious legal consequences.

Need to log in to a WordPress site without knowing the username or password because your account doesn’t work? Create a new admin account with the WP Emergency Recovery Script in less than a minute. No coding skills required.


Why WordPress Sites Are Common Targets:

Why Hackers Love WordPress

 

WordPress powers a large portion of the internet, which naturally makes it a high-priority target for hackers. Its flexibility is unmatched, but its open ecosystem also introduces multiple entry points for attackers. Below are the main reasons WordPress sites are frequently targeted:

1. Open-Source Code Base

The WordPress core is publicly accessible, which helps developers but also gives attackers a map of how the system works. Hackers can analyze code changes and updates to spot newly patched vulnerabilities. If they find a weak point, they often deploy bots to scan thousands of sites for the same flaw.

2. Widespread Use of Plugins and Themes

Third-party plugins and themes add functionality but also increase the attack surface. Many plugins are abandoned or rarely updated, leaving behind security holes that are widely documented. Hackers actively look for known vulnerabilities in outdated versions and use them to compromise sites.

3. Outdated Software and Weak Passwords

Failure to update WordPress, themes, or plugins leaves known vulnerabilities exposed. Many site owners also use default admin usernames or simple passwords, making brute force attacks more effective. A single missed update can be enough to invite an intrusion.

4. Missing Security Plugins

Many WordPress installations are launched without basic security tools in place. Without a firewall, malware scanner, or brute-force blocker, your site is defenseless against automated attacks. Basic security hardening is often overlooked until a breach occurs.

5. Misconfigured Hosting and Permissions

Shared hosting environments can allow one infected site to affect others on the same server. Incorrect file or folder permissions—like allowing public write access—make it easier for hackers to upload malicious scripts. Misconfigured .htaccess or wp-config.php files can also leak sensitive data.

6. Lack of Awareness

Site owners often believe that only big or high-traffic websites get targeted. In reality, most attacks are automated and indiscriminate, seeking any site with weak defenses. Even small blogs or inactive domains can be used to send spam, host phishing pages, or distribute malware.

Common Ways Hackers Break Into WordPress Sites

Hackers use a mix of automation and manual techniques to break into WordPress websites. Understanding these common methods helps you take preventive steps before your site is compromised.

1. Brute Force Attacks

This method involves trying multiple username and password combinations until the correct one is found. Attackers use scripts to attempt thousands of logins quickly. Using strong passwords and enabling two-factor authentication reduces the risk. Learn more from Wordfence’s guide to brute force attacks.

2. The MySQL way

This occurs when an attacker injects malicious SQL queries into form fields or URLs to access the database. If your site does not validate or sanitize inputs, attackers can retrieve user data or even gain admin access. Read more from OWASP on SQL Injection.

Separately from injection, legitimate direct access to the database lets you change the username or password of an existing user, or create a new account. For this you need cPanel access or direct MySQL access to the site’s database.

Here is a guide on how to change the password of an existing user.

1. If you are working from cPanel, log in, then locate and open phpMyAdmin. If you have direct MySQL access, connect with your client instead.

2. Select the Database from the list of available databases. If you have multiple databases, make sure you select the database associated with your WordPress site.

If you are not sure of the database name, check the DB_NAME constant in the wp-config.php file.

3. In the list of tables on the left, find the one whose name ends in _users; with the default prefix this is wp_users. If you changed the table prefix when installing WordPress, the table carries that prefix instead of wp. If you are not sure, check the $table_prefix value in wp-config.php.

If you are connecting from an external MySQL client such as SQLyog, the procedure is the same: locate the table and the user record, then change the password there.

4. The password is stored in the user_pass field as a hash, never as plain text. WordPress accepts an MD5 hash in this field and replaces it with its own stronger hash the next time the user logs in.

5. To change the password, click Edit on the user’s row. Enter the new password in the user_pass field, select MD5 from the Function dropdown so phpMyAdmin hashes it before saving, and click Go to update the row.

Now you can log in with your new password.

3. Cross-Site Scripting (XSS)

XSS attacks involve injecting malicious scripts into pages that are then viewed by other users. These scripts can steal cookies, hijack sessions, or redirect visitors to unsafe sites. Protect your site by escaping user inputs and using plugins that block untrusted scripts. More info at Acunetix XSS overview.

4. Plugin and Theme Vulnerabilities

Many plugins and themes are not audited for security. When vulnerabilities are discovered, they are often published in public databases. Hackers scan for outdated versions that have not been patched. Always download themes and plugins from trusted sources like the official WordPress repository.

5. Misconfigured File Permissions

If directories or files have incorrect permission settings, attackers can upload or modify site files. Directories should typically be set to 755 and files to 644. Avoid giving write access to public users, as this opens up major risks. You can check permissions using your hosting control panel or FTP client.
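As an added example, not code from the article or from Security Ninja, the following POSIX shell functions audit a WordPress tree against the 755/644 rule just described and repair it. One exception is assumed here that the article does not state: wp-config.php is tightened to 600 (owner read/write only) because it holds the database credentials. The function names and the sample tree are mine; the tree is constructed with the kind of mistakes the section warns about.

```shell
#!/bin/sh
# Audit and repair WordPress file permissions: directories 755, files 644.
# Assumed hardening (not from the article): wp-config.php is set to 600.

# Print every path that deviates from the policy, one per line.
wp_perm_violations() {
    root=$1
    find "$root" -type d ! -perm 755
    find "$root" -type f ! -name wp-config.php ! -perm 644
    find "$root" -type f -name wp-config.php ! -perm 600
}

# Number of deviating paths; 0 means the tree is compliant.
wp_perm_count() {
    wp_perm_violations "$1" | wc -l | tr -d ' '
}

# Apply the policy. Symlinks are left alone: -type d / -type f never match them.
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Constructed sample tree: a world-writable uploads directory, a world-writable
# PHP file, and a wp-config.php that is readable by everyone on the server.
wp_perm_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads" "$demo/wp-content/plugins"
    chmod 755 "$demo" "$demo/wp-content" "$demo/wp-content/plugins"
    chmod 777 "$demo/wp-content/uploads"
    touch "$demo/index.php" "$demo/wp-config.php" "$demo/wp-content/plugins/x.php"
    chmod 666 "$demo/index.php"
    chmod 644 "$demo/wp-config.php" "$demo/wp-content/plugins/x.php"
    printf '%s\n' "$demo"
}

# Usage: report, fix, report again.
tree=$(wp_perm_demo_tree)
echo "violations before fix: $(wp_perm_count "$tree")"
wp_perm_violations "$tree"
wp_perm_fix "$tree"
echo "violations after fix: $(wp_perm_count "$tree")"
rm -rf "$tree"
```

Run the audit function on its own first; on a real site the list of offenders is the useful output, because a file that is world-writable in wp-content/uploads or a plugin folder is exactly where uploaded scripts end up.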

6. XML-RPC Exploits

The XML-RPC feature in WordPress allows remote connections and automation. Hackers use it to launch DDoS attacks or send multiple login attempts through a single request. If you do not use this feature, it is best to disable it. Kinsta’s XML-RPC security guide explains how.
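The brute-force section above and this XML-RPC section describe the same observable: one client POSTing to /wp-login.php or /xmlrpc.php far more often than a person would. The following shell function, an added example rather than code from the article or from Security Ninja, runs that check over a web server access log in the common combined format. The log lines are constructed for the demo and use documentation IP ranges; the function name is mine, and the status-code rule it applies (a standard WordPress install re-renders the login form with 200 on a failed login and answers a successful one with a 302 redirect) is an assumption to confirm against your own server’s logs.

```shell
#!/bin/sh
# Flag clients hammering the WordPress login endpoints in a combined-format access log.
# /xmlrpc.php is counted alongside /wp-login.php because XML-RPC lets a client
# batch many credential checks into a single request.

# Usage: wp_login_abusers LOGFILE THRESHOLD
# Prints "ip total failed succeeded" for each client with at least THRESHOLD
# POSTs to a login endpoint, sorted by IP. "failed"/"succeeded" only count
# wp-login.php (200 = form re-rendered, 302 = redirected into the dashboard).
wp_login_abusers() {
    awk -v threshold="$2" '
        # field 6 is the quoted method ("POST), field 7 the request path, field 9 the status
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            hits[$1]++
            if ($7 ~ /^\/wp-login\.php/ && $9 == 200) failed[$1]++
            if ($7 ~ /^\/wp-login\.php/ && $9 == 302) ok[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= threshold)
                    print ip, hits[ip], failed[ip] + 0, ok[ip] + 0
        }
    ' "$1" | sort
}

# Constructed sample log: a scripted password guesser, an XML-RPC probe, and one
# legitimate login from an ordinary browser.
WP_SAMPLE_LOG=$(mktemp)
trap 'rm -f "$WP_SAMPLE_LOG"' EXIT
cat <<'EOF' > "$WP_SAMPLE_LOG"
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3214 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:13:56:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2024:14:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2024:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2024:14:02:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 12000 "https://example.com/wp-login.php" "Mozilla/5.0"
EOF

# Usage: anything with five or more login POSTs in this sample is suspicious.
wp_login_abusers "$WP_SAMPLE_LOG" 5
```

On a real log, pair the threshold with a time window (for example, run it over the last hour of lines) and feed the resulting IPs to your firewall or login limiter; a client whose every attempt returns 200 and never 302 is the brute-force pattern the section describes.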

7. Phishing and Social Engineering

Hackers may trick site owners or users into revealing login credentials through fake login pages or emails. These attacks depend on human error more than technical flaws. Always verify links before clicking and avoid logging in through suspicious forms. Visit Google’s phishing safety tips to stay informed.

💡 Protect Your Site in Seconds

Run a free vulnerability scan with Security Ninja. It checks for weak passwords, outdated software, and insecure settings.

Still on method #2 – creating a new user

Creating a new user is a slightly more complicated procedure but can be done in under a minute.

Open phpMyAdmin as described above, then follow these steps:

1. Create the new user with the Copy function. Click Copy on an existing user’s row and update the values for user_login, user_pass (hashed with the MD5 function described above) and user_email. The other fields can stay as they are. After you save the record, MySQL assigns it a unique ID, shown in the ID field. Note this number; you will need it in the next steps.

2. Now open the _usermeta table. Its prefix must match the users table, for example wp_users and wp_usermeta. If the prefixes differ you are editing the wrong table, and the new account will not work.

3. You need to create two new records, again with the Copy function. For the first record, ignore the umeta_id field and fill user_id with the new ID from the users table. Set meta_key to your table prefix followed by user_level (wp_user_level with the default wp_ prefix; the article’s screenshots show wpct_user_level for a site whose prefix is wpct_) and meta_value to 10.

4. For the second record, again ignore umeta_id and fill user_id with the new ID. Set meta_key to your prefix followed by capabilities (wp_capabilities for the default prefix, wpct_capabilities in the screenshots) and meta_value to a:1:{s:13:"administrator";b:1;}. The meta keys must use the same prefix as the tables, or WordPress will not recognise the role.

5. Save them both, and you are ready to log in with your new user account.

The functions.php way

You can use this method by editing functions.php either through cPanel or with an FTP client. If you are using cPanel, open File Manager.

1. Go to the public_html/wp-content/themes folder, find and open the folder of your active theme, and edit functions.php.

Copy and paste the code below at the end of the file. If the file ends with a closing ?> PHP tag, that tag must stay on the last line, so insert the code before it.

$new_user_email    = 'myemail@domain.com';
$new_user_password = '12345';

// Only create the account if the login name and the email are both free;
// wp_create_user() returns a WP_Error when either one is already taken.
if ( ! username_exists( $new_user_email ) && ! email_exists( $new_user_email ) ) {
    $user_id = wp_create_user( $new_user_email, $new_user_password, $new_user_email );

    if ( ! is_wp_error( $user_id ) ) {
        wp_update_user( array( 'ID' => $user_id, 'nickname' => $new_user_email ) );

        // Promote the new account to administrator.
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}

Edit the first two lines to set your own email and password. If another WordPress user already has the same email, the account cannot be created, so use a new, unique address.

Choose a strong password rather than the placeholder, then save the file and load any page of your site.

The code runs on that page load and creates the new administrator account, which you can then log in with.

Once you can log in, delete the code from functions.php.

When You Might Need to Regain Access Ethically

There are times when even the rightful owner of a WordPress site loses access. Whether it is a forgotten password or corrupted admin data, you may need alternative recovery steps to get back in.

1. Lost Username or Password

This is one of the most common scenarios. If you cannot recall your admin credentials and password reset emails are not working, you will need to reset them manually. Using a MySQL-based method or editing the theme’s functions file can help, as covered later in this article.

2. Forgotten Email Access

Password resets require access to the email linked with the WordPress account. If that email is inactive or compromised, the recovery link cannot reach you. In such cases, using phpMyAdmin or FTP-based methods is necessary.

3. Failed Reset Links

Sometimes the reset link does not work, or it leads to a page that shows errors. This can happen if core files are corrupted or a plugin interferes with the reset process. You may need to disable plugins or fix core files via FTP or hosting panel access.

4. Corrupted Admin Credentials

Site hacks or plugin errors can overwrite admin roles or delete user meta fields that grant admin rights. You may still be able to log in, but find that your admin privileges are gone. In this case, you will need to either create a new admin account or repair user roles directly in the database.

⚠️ Important: Only use the following recovery methods if you are the verified owner of the website or have written permission from the site owner. Unauthorized access is illegal.

Method 1 — Regaining Access via MySQL

Reset WordPress Admin Using phpMyAdmin

If you have access to your hosting control panel, you can reset your admin login directly through the database using phpMyAdmin. This method is helpful when email recovery fails or the WordPress login page is blocked.

1. Locate the wp_users Table

Log in to your hosting account and open phpMyAdmin. In the left panel, find your WordPress database. Inside it, locate the table labeled wp_users. The prefix might differ, but it always ends with _users. Click on this table to view your user accounts.

2. Update the Password Using MD5 Hash

Find your admin user and click “Edit.” In the user_pass field, select “MD5” from the function dropdown. Then, enter your new password in plain text and save. phpMyAdmin will hash it before storing it. Note that MD5 is outdated, but WordPress will upgrade the hash automatically at next login. Reference: WordPress MD5 recovery method.

3. Create a New Admin User via SQL

If your admin account is corrupted or deleted, you can create a new one with a direct SQL command. Paste the following code into the SQL tab in phpMyAdmin and run it:

INSERT INTO wp_users (user_login, user_pass, user_email, user_registered, user_status, display_name)
VALUES ('newadmin', MD5('YourNewPassword'), 'youremail@example.com', NOW(), 0, 'New Admin');

-- Keep the new user's ID in a variable so both meta rows refer to the same account
SET @new_user_id = LAST_INSERT_ID();

INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
VALUES (@new_user_id, 'wp_capabilities', 'a:1:{s:13:"administrator";s:1:"1";}'),
       (@new_user_id, 'wp_user_level', '10');

Replace the placeholders with your own details. If your site uses a table prefix other than wp_, apply it to the two table names and to the wp_capabilities and wp_user_level meta keys as well. This creates a fully functional admin account.
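Both the manual usermeta steps in “Still on method #2” and the SQL above hinge on one rule: the users and usermeta tables and the capabilities and user_level meta keys must all carry the site’s table prefix. As an added example, not code from the article or from Security Ninja, this shell script reads $table_prefix from wp-config.php and emits the same statements with that prefix applied everywhere. The wp-config.php fragment is constructed for the demo; the function names are mine; and the script assumes the default single-quoted form of the $table_prefix line and values that contain no quote characters.

```shell
#!/bin/sh
# Generate the admin-creation SQL with the site's real table prefix taken from wp-config.php.

# Print the $table_prefix value from a wp-config.php file; wp_ if the line is absent.
# Assumes the default single-quoted form:  $table_prefix = 'wp_';
wp_table_prefix() {
    prefix=$(sed -n "s/^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${prefix:-wp_}"
}

# Usage: wp_admin_sql WP_CONFIG_PATH LOGIN EMAIL PASSWORD
# MySQL's MD5() hashes the password, as in the article; WordPress re-hashes it
# with its own stronger scheme at the first login. Values must not contain quotes.
wp_admin_sql() {
    p=$(wp_table_prefix "$1")
    login=$2
    email=$3
    pass=$4
    cat <<EOF
INSERT INTO ${p}users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name)
VALUES ('$login', MD5('$pass'), '$login', '$email', NOW(), 0, '$login');
SET @new_user_id = LAST_INSERT_ID();
INSERT INTO ${p}usermeta (user_id, meta_key, meta_value)
VALUES (@new_user_id, '${p}capabilities', 'a:1:{s:13:"administrator";b:1;}'),
       (@new_user_id, '${p}user_level', '10');
EOF
}

# Constructed wp-config.php fragment for a site with a non-default prefix.
wp_sample_config() {
    cfg=$(mktemp)
    cat <<'EOF' > "$cfg"
<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wpct_';
EOF
    printf '%s\n' "$cfg"
}

# Usage: every table and meta key in the output carries the wpct_ prefix.
cfg=$(wp_sample_config)
echo "prefix: $(wp_table_prefix "$cfg")"
wp_admin_sql "$cfg" newadmin youremail@example.com 'YourNewPassword'
rm -f "$cfg"
```

Point it at the real wp-config.php, paste the printed statements into the SQL tab, and delete the account again once the original admin is repaired; the prefix mismatch this script avoids is the usual reason a hand-made account appears in the user list but has no administrator rights.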

4. Confirm the New Admin Account

Log in using the new credentials you just created. Once logged in, you can remove or fix your original admin account. Make sure to delete unused accounts and update security settings.

🧩 Need Help? Your hosting provider’s support team can assist you with accessing phpMyAdmin or your database tools if you are unsure how to begin.

Method 2 — Regain Access with functions.php

Create Admin Access Using Theme’s functions.php File

If you cannot access phpMyAdmin, the theme’s functions.php file offers another way to create an admin user. This file runs on every page load, so adding a script here will execute automatically.

1. Access Your Files via File Manager or FTP

Log into your hosting control panel and use the File Manager, or connect with an FTP client like FileZilla. Navigate to wp-content/themes/your-theme-name/. Locate and open the functions.php file of your active theme.

2. Insert a Temporary User Creation Script

At the end of the file, add this code snippet:

function create_new_admin_account() {
    $username = 'newadmin';
    $password = 'NewPassword123';
    $email    = 'youremail@example.com';

    // Only create the account once; wp_create_user() returns a WP_Error
    // if the username or the email is already in use.
    if ( ! username_exists( $username ) && ! email_exists( $email ) ) {
        $user_id = wp_create_user( $username, $password, $email );

        if ( ! is_wp_error( $user_id ) ) {
            $user = new WP_User( $user_id );
            $user->set_role( 'administrator' );
        }
    }
}
add_action( 'init', 'create_new_admin_account' );

Replace the username, password, and email with your own. Save the file.

3. Log In with the New Admin Credentials

Go to your WordPress login page and use the new admin details. After logging in, immediately remove the code from functions.php to prevent accidental re-creation of the user or exposure of login data.

4. Clean Up and Restore File Integrity

Return to the File Manager or FTP and delete the script you added. Verify that your theme functions normally. Leaving user creation code in place poses a long-term risk, so remove it once your access is restored.

📘 For full documentation, check WordPress Codex on user roles.

Alternative Access Recovery Methods

Other Legitimate Ways to Regain WordPress Access

If database edits or theme modifications are not possible, there are still legitimate ways to recover access to your WordPress site. These methods require that you are the confirmed owner or have administrative rights.

1. Use the Emergency Recovery Script

The Emergency Recovery Script (ERS) is a standalone tool from the developers of WP Reset. It can reset passwords, disable plugins, and fix core files. You upload a single PHP file to your root directory, access it through your browser, and follow the prompts. This is useful when the dashboard or login page is broken. Visit the official tool page at WPReset’s ERS.

2. Contact Your Hosting Provider

Web hosts often keep backup copies of your site and can restore access. Most providers offer support through live chat or support tickets. If you verify your identity as the domain or account owner, they can reset credentials or help restore your site to a previous version.

3. Use Backup or Staging Site

If you have a recent backup or a staging copy of your site, you can restore it to roll back any harmful changes. Most managed hosting providers like Kinsta, WP Engine, or SiteGround offer built-in tools to manage and restore backups quickly. This can return your site to a functional state without manual edits.

📌 Pro Tip: Make regular backups and store them both locally and on cloud services like Dropbox or Google Drive. Reliable backup plugins include UpdraftPlus and BlogVault.

What NOT to Do (And Why It’s Illegal)

Avoid These Practices — They Are Illegal and Unethical

Even if you are trying to recover access, certain actions are unlawful. Tampering with files or servers that you do not own is considered hacking and is punishable under cybersecurity laws.

1. Never Access Someone Else’s Site Without Consent

If you are not the confirmed owner or do not have written permission, do not try to gain access. Even if you believe you are helping, this is a violation of privacy and data protection laws in most countries.

2. Do Not Edit or Delete Files on Shared Hosting

On shared servers, changes made to one account can affect others. Editing the wrong directory could compromise multiple websites. Hosts may suspend your account or ban your IP if they detect unauthorized changes.

3. Avoid Exploiting Known Vulnerabilities

Public exploit databases list plugin or theme flaws. Using these exploits to force entry into a site—even one you used to own—is considered unauthorized access. If your admin role is removed, work with your host or legal channels to resolve it.

4. Understand the Legal Risks

Unauthorized access can result in criminal charges, lawsuits, and fines. Countries enforce strict rules under laws like the Computer Fraud and Abuse Act (U.S.) or the Computer Misuse Act (U.K.). Always stay on the legal side.

How to Secure Your WordPress Site (Proactive Steps)

 

Stop Hackers Before They Start

Once you have restored access to your WordPress site, the next priority is to prevent future attacks. Most security breaches happen because of overlooked basics. Follow these steps to strengthen your site before it becomes a target.

1. Use Strong Passwords and Two-Factor Authentication

Do not use simple passwords like “admin123” or “password.” Choose complex combinations with numbers, special characters, and uppercase letters. Add two-factor authentication using plugins like WP 2FA to make unauthorized logins more difficult.

2. Install a Trusted Security Plugin

A security plugin acts as your site’s defense system. Tools like Security Ninja scan for vulnerabilities, block suspicious IPs, and protect login pages. You can also consider Wordfence or iThemes Security for additional layers of protection.

3. Keep WordPress, Plugins, and Themes Updated

Each update includes patches for known issues. Delaying updates gives hackers time to exploit public vulnerabilities. Turn on auto-updates where possible, or use a plugin that alerts you when updates are available.

4. Limit Login Attempts

Brute force attacks rely on unlimited guesses. Limit login attempts using plugins like Limit Login Attempts Reloaded. This will lock out users after a set number of failed tries.

5. Set Up Regular Backups and Malware Scans

Schedule backups to run daily or weekly depending on how often your site changes. Use scanning tools like MalCare or Sucuri to detect malware early. This helps you recover quickly if your site is compromised.

6. Enable Firewall and Bot Blocking

Web application firewalls filter harmful traffic before it reaches your site. Most security plugins include this feature. Additionally, block bots and crawlers that try to overload your server or scrape sensitive data.

7. Monitor User Activity

Track who logs in and what they change. Activity log plugins like WP Activity Log keep a record of user actions, helping you identify suspicious behavior.

How to Test Your Site’s Security Today

 

Run a Full Site Check in 60 Seconds

Securing your WordPress site should not take hours. With the right tool, you can scan for vulnerabilities, check your core files, and activate protection in under a minute.

Try Security Ninja for Instant Results

Security Ninja offers a fast and comprehensive check of your site’s security health. After installation, it scans for over 50 known issues including weak file permissions, open ports, and outdated scripts.

Key Features You Can Use Right Now

  • One-click security scan

  • Firewall setup and bot protection

  • Login form protection with delay and lockout features

  • Scheduled scans and auto-fix options

Install and Scan for Free

The free version of Security Ninja provides immediate feedback and protection for core vulnerabilities. For more advanced tools like event logging and cloud-based firewall, upgrade to the pro version.

🔍 Ready to check your site?

Download Security Ninja for Free and start scanning within minutes.

Stay Informed, Stay Protected

WordPress is powerful, but with great flexibility comes great responsibility. Understanding how hackers break into WordPress sites helps you build a stronger defense. Whether through brute force attacks, outdated plugins, or weak file permissions, every vulnerability can be patched with proactive steps.

Always use recovery methods ethically and only if you are the verified site owner. Illegal access attempts, even with good intentions, have serious consequences.

Maintain a security routine by using trusted plugins, updating regularly, and educating your team on safe practices. Staying informed is your best defense against the next wave of attacks.