Why Websites Get Hacked?

December 25, 2017 | Security | by Mihovil Mikulec
why websites get hacked

When you mention a potential hack attack to your new client, in most cases you get the same answer(s), I call them the “unholy trinity”:

  1. My sites were never hacked before, don’t worry.
  2. My site is not that interesting to hackers.
  3. What would the attacker gain from hacking my website?

My sites were never hacked before, don’t worry

Before September 11th 2001, planes never hit World Trade Center buildings before. The point is, not only that you never know what might happen and you should always prepare for the unexpected (if you can, obviously), but a lot of stranger things happened than someone’s website being hacked.

Because you personally wouldn’t hack someone’s website, that doesn’t mean someone else is sharing your thoughts, feelings, moral values and life experiences.

My site is not that interesting to hackers (What would the attacker gain from hacking my website?)

There are many reasons why websites get hacked, we’ll put them in 3 main categories:

  1. Financial gain
  2. Personal challenge
  3. Hacktivism

Hacking for financial gain

You might think: “But my website has only a few articles/products, I don’t make any money with it!” That might be true but that doesn’t change a thing, your website still can be used for financial gain:

a) You or your hosting provider don’t have a website backup? Attacker can back up your website, deface (visually destroy) the live version and ask you for money in order to provide you with the working version of your website – yes, that is a ransom. Never thought of that, did you? Well, some of the hackers did.

b) Your website can be used as an online weapon. Today you can witness a lot of DDoS attacks aimed towards websites which are being against someone’s agenda. This can be related to various things, but in most cases it is about business and political competition. In short, DDoS stands for “distributed denial of service”. For example, your website/server is compromised, infected with a malicious script which is (with other scripts from other compromised servers) performing the DDoS attack.

Hackers are in many cases getting paid from some third party to get some web service or website down with this type of attack, for their agenda. In short, your website can be sold as an online weapon and used as such, without you even knowing it. This can also happen to your personal computer.

We could easily put “brute force” attack into this category as well. Brute force attack could easily be translated into “password guessing” attack. If the attacker takes over enough servers and sets up brute force scripts, there is another online weapon to be used/sold to a third party buyer.

c) Your website server (or compromised PC) can be used as a storage / distributing tool for various illegal and malicious content: spyware, illegal pornography etc.

d) Black Hat SEO (SEO spam) – Hackers often insert fake SEO information into your website, which you probably won’t even see. This content is not related to the content of your website but to a third party websites, which are in most cases related to (shady) pharmaceuticals, gambling and pornography.

In some cases, your website might even redirect your visitors to the third party website, so they may see something they don’t want to see or didn’t expect to see. Because of that, search engines like Google and Yahoo may block your website from being indexed.

e) Credit card info – Are you hosting a web shop and storing your client’s credit card numbers on your server? Hopefully, you won’t need to explain to them why some happy hacker is buying a new furniture with their credit cards. 🙂

f) Compromised user data such as usernames, real names, e-mails and passwords can be sold on a black market. Great example of this is Linkedin breach, where 117 million user accounts were compromised and data sold on the black market.

For example, your clients’ emails from your newsletter list could be compromised and sold on black market for spam purposes. You don’t have to be a “big shot” for this to happen on your website/server.

Specific user data can even be used for various identity theft schemes.

Hacking as a personal challenge

Sometimes hacking is done for a simple reasons which are not related to finances. This could be done out of curiosity, boredom, for fun, for a bet, for bragging rights or even as a practice for future hacking related “projects”.


Hacktivism can be related to religion, nationalism, anti-globalism, human rights etc. Most cases of hacktivism are related to page defacements. For example, instead of original website content, attacker publishes some message or an image such as logo or a flag. In some cases of hacktivism, server data is compromised and publicly shared.


OK, it is not that bad. But for the start, you need to realize that web is not just a wonderful land of endless opportunities. Once you understand that every website can be hacked, you can start to work on protection and good everyday practices to make your site more secure and your clients and visitors happy. 🙂

If you are a developer or system admin struggling with your clients not being aware of this subject, feel free to link this article to them and help them understand that their website security is important. After all, they wouldn’t leave their office door unlocked at night, right?

In case you own a WordPress website, you can start by checking our WordPress vulnerabilities section and see if your site has exploitable vulnerabilities, which hackers can use against you.

Need someone to take care of your WordPress website?

The easiest way to describe WordPress care services is to say that they bring peace of mind to WordPress site owners and save their time. But not only that, proper WordPress maintenance and monitoring can prevent a lot of potential problems on your website and make it perform faster and better, helping you attract and convert new clients.

  • Speed
  • Security
  • WP updates
  • Daily backups
  • Hosting
  • Uptime monitoring
  • Spam protection
  • SSL certificates
  • Malware removal
  • Form testing
  • SEO blacklist checkup
  • Database optimization
  • Activity monitoring
  • Technical support
  • Free migrations
Mihovil Mikulec
Mihovil Mikulec
Thank you for reading! I am owner of Soulstudio, WordPress developer with 10 years of experience behind me. My primary focus is on WordPress hosting, security and performance. You can contact me directly at [email protected]


Who we are

What started in 2010 as a one-man web development operation is now a small and devoted team of web developers and server administrators.

Our focus is on WordPress hosting and WordPress care services such as speed optimizations, bug fixing and security hardening.

We are located in Croatia (Europe).

Our mission

Our mission is to provide fast, stable and secure hosting environment for your WordPress websites, as well as professional WordPress care services and ongoing user support.

We believe that everybody deserves safe, stable and affordable hosting services. That is why our dedication, commitment and constant learning are reflecting that philosophy.