Protecting Your Website: How Hackers Exploit Old Themes, Plugins, and Code

Jul 11, 2023 | Security

Protect your website Adelaide

In today’s digital landscape, having a strong and secure online presence is crucial for businesses. However, hackers are constantly looking for vulnerabilities to exploit and gain unauthorised access to websites. One common avenue for their attacks is through old themes, plugins, and website code.

In this blog post, we explain in (fairly) simple terms how hackers can exploit these outdated components and provide recommendations to safeguard your website’s security.

Understanding the Threat:

Hackers are actively seeking out vulnerabilities in popular website building platforms like WordPress and Web Servers with poor security measures. They exploit security flaws in themes, plugins, and outdated website and server code to gain access to websites without needing a login. These vulnerabilities can give them complete control over millions of sites, posing a significant risk to your business.

Exploiting Old Themes and Plugins:

Themes and plugins add functionality and design elements to your website. However over time, hackers can find ways to exploit pieces of code. If these components are not regularly updated, they can become security liabilities.

Hackers search for known security holes in outdated themes and plugins, allowing them to inject malicious scripts or backdoors into websites. Once they gain access, they can manipulate site settings, steal sensitive information, or even deface your website.

Exploiting Sever Configurations:

Your server is where your website lives (is hosted) on the internet. Unfortunately not all servers are created equal and depending on who hosts your site and how familiar they are with security vulnerabilities, hackers can also exploit your server independent of your website security.

WordPress optimised servers such as our hosting partner Siteground have top level security in place, including daily site scans for malware to automatically identify threats with the option on higher security plans to automatically quarantine any files uploaded directly if that are flagged as malicious.

Server directory and upload protection disabling back door file uploads and access to the folders on your server and keeping PHP (server code) updated to the latest versions is also crucial.

Case Studies:

Several real-world incidents highlight the risks associated with exploiting old themes, plugins, and code:

Elementor Pro Vulnerability:

In March 2023, a critical vulnerability was discovered in the Elementor Pro plugin, which is used by millions of WordPress sites. This vulnerability allowed attackers to create administrator accounts and gain full control over affected websites. This case greatly emphasizes the importance of promptly installing security patches and updates for themes and plugins.

WordPress Themes and Plugins with Malicious Code:

In 2022, businesses saw a 38% rise in hackers injecting malicious scripts into themes and plugins. By targeting known security vulnerabilities, hackers can infect thousands of websites and redirect users to malicious content. This tactic highlights the need for caution when selecting and updating themes and plugins from trusted sources.

Exploiting Outdated WordPress Plugin:

In a separate incident, hackers leveraged an outdated WordPress plugin called Eval PHP to gain backdoor access to websites. The plugin’s lack of updates for over a decade made it a prime target for attackers, who injected malicious code into compromised websites. This case demonstrates the importance of regularly updating all components of your website, including removing or replacing older themes, plugins, and underlying code.

If you have a website that is on a WordPress version from 5 or lower, you must upgrade as soon as you possibly can as your site is at significant risk.

Protecting Your Website:

To safeguard your website against hackers exploiting your website, consider implementing the following best practices:

Regular Updates:

Stay up to date with the latest versions of themes, plugins, and the underlying CMS (Content Management System) like WordPress. Updates often include security patches that address discovered vulnerabilities.

Website Boss offer a range of Website Care Plans that frequently update your plugins, theme and WordPress, as well as keeping your website backed up daily and secure.

Trusted Sources:

Only download themes and plugins from reputable sources, such as official marketplaces or trusted developers. Avoid using pirated or nulled versions, as they may contain hidden malicious code.

Vulnerability Monitoring:

Implement a monitoring system to detect and alert you to any potential vulnerabilities or security risks in your website’s components. Regularly scan your website for outdated themes, plugins, or code and take prompt action to update or replace them.

Security Plugins:

Consider using security plugins, like iThemes Security or Wordfence, that offer features such as file integrity checks, brute force protection, and firewall capabilities.

These security plugins can add an extra layer of defence against known vulnerabilities. Website Boss puts significant investment into technology each year to have the best and most up to date security plugins, programs and procedures give our sites the highest level of protection for clients on our Care Plans.

Daily Website Backups:

No website can be 100% protected from hackers, however adding as many layers of security and deterents as possible minimises your risk. In the event that a hacker does get through however it’s important that you have daily backups and that your site can easily be cleaned and restored quickly.

Firewalls and IP Blockers:

Many security plugins and servers now offer IP blockers and firewalls that hide your site from hackers, and keep a live updated database of the addresses used by hackers to attack sites, blocking those addresses from accessing your site.

Passwords and 2FA:

While not directly related to outdated plugins and themes, a basic security measure for all sites should be to regularly update your password, make sure your password is 15 characters long and contains numbers, letters and special characters.

Having 2 Factor Authentication (2FA) also means that if your password gets exploited they still need a second level of verification (such as a text message or Authenticator app) to login in.

Server Security:

Ensure your server company has top shelf security features, like daily site scanning for Malware, IP blocking, directory protection and daily backups as a minimum.

Making sure your own computers are safe:

It’s not only your website and server you need to worry about, making sure you office computers are safe is also a priority. Any malware accidentally downloaded to your computer from a phishing email or corrupt file can search your computer for logins and gain access to your website or server from your computer.

Making sure you have an up to date virus and malware scanner on all computers is critical.


By understanding the risks associated with outdated website components and following best practices, you can significantly enhance your website’s security and minimise the risk of a successful attack. Regular updates, trusted sources, vulnerability monitoring, and security plugins are crucial in mitigating the risks and keeping your website safe from unauthorised access.

Something final to note is that hackers typically are not looking for a motive behind hacking your site and using it to link to malware/viruses. They are simply looking for any target to replicate and cause as much damage as possible, so whether you’re in the finance, education, construction or any other industry, your site is capable of being a target.

Remember, a proactive approach to website security is essential to protect your business and maintain a trusted online presence. Contact Website Boss if you have any questions and may need help with keeping your site secure!