Why is My Site Getting Hacked?
Are you getting hacked and you're not sure why? In this article we'll explain some of the most common ways a website gets hacked and what that means relative to a server's general security.
The large majority of successful attacks on web applications are not caused by flaws in the web server or in PHP itself; they exploit weaknesses in how the application, or one of its plugins or themes, is written.
There are hardening measures you can take, such as the PHP hardening project Suhosin, but they only narrow what PHP code is allowed to do, and they can be undone if an attacker gains filesystem access through the application being exploited. Suhosin may block certain operations in PHP, but with write access to the account an attacker can disable Suhosin for that account, making any protection it previously provided completely ineffective.
It is extremely important to keep web software up to date and to make sure that no plugins or themes are vulnerable to the most common types of attacks:
Remote code execution/inclusion
SQL injection (user input concatenated into database queries)
Directory traversal attacks (least likely to succeed these days)
This means that, for example, even if you harden the core PHP/Apache stack, your site can still be compromised if your WordPress blog uses a plugin built on the old mysql_connect/mysql_query extension (http://us1.php.net/function.mysql-connect, deprecated in PHP 5.5 and removed in PHP 7.0) that assembles queries by pasting user input into the SQL string instead of using prepared statements. Such a plugin is open to SQL injection, and your website will most likely be compromised at some point.
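To make the distinction concrete, here is an added example (not code from the original article or from any plugin it describes) showing the string-built query pattern from the mysql_* era next to a PDO prepared statement. It uses an in-memory SQLite database so it runs offline; the users table, its rows and the attacker string are constructed here for the demonstration.

```php
<?php
// Added example, not the article's code. Runs against an in-memory SQLite
// database via PDO so no server is needed; the data below is constructed.

// The mysql_* era pattern: the user-supplied value is pasted into the SQL text.
// Whatever quotes the value contains become part of the query.
function build_query_old_style(string $name): string
{
    return "SELECT id, name FROM users WHERE name = '" . $name . "'";
}

// Hardened version: the value is bound as a parameter and is never parsed
// as SQL, so quotes inside it cannot change the query structure.
function find_user_safe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A classic injection payload: the leading quote closes the string literal,
// and the rest becomes SQL.
$attacker = "x' OR '1'='1";

// Old style: the WHERE clause now reads  name = 'x' OR '1'='1'  and matches everyone.
$rows = $pdo->query(build_query_old_style($attacker))->fetchAll(PDO::FETCH_ASSOC);
printf("string-built query returned %d row(s)\n", count($rows));

// Prepared statement: the same bytes are treated as a literal name nobody has.
$rows = find_user_safe($pdo, $attacker);
printf("prepared statement returned %d row(s)\n", count($rows));
```

Running it shows the string-built query returning both users while the prepared statement returns none. The same bound-parameter approach is available with mysqli (`prepare` and `bind_param`) for plugins that cannot move to PDO; the point is that the user's input never reaches the SQL parser as query text.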
Unfortunately, without testing a plugin yourself, it is hard to know whether it is vulnerable. Only install plugins and themes from professional developers or enthusiast programmers who follow secure coding practices that prevent the most common types of attacks.
Modern coding practices strongly advise validating user input and using parameterized database queries, which eliminates a whole class of security issues; however, some themes and plugins are still written the "old way". This is very prevalent in the PHP world, since PHP is the most widely used programming language for web applications.
Protect Your Website
So, to help protect your website from getting hacked, take a look at our guide to hardening WordPress: Secure Your WordPress.
If your site has already been compromised, see our detailed 'What to Do If You're Hacked' article.