How Business Websites Get Hacked (And Why Plugins Are the #1 Culprit)

Most small-business sites aren't hacked by a genius targeting you — they're swept up by automated bots probing for one outdated plugin. As AI makes attacks cheaper, the plugin pile-up on your WordPress site is the biggest risk you're ignoring.

Tan Wei Lin · General · 26 Jun 26 · 10 min read

When a small business owner imagines their website being hacked, they picture a hooded figure personally targeting them. The reality is far more mundane and far more common: an automated bot, scanning millions of sites a day, finds that one plugin you installed three years ago and forgot to update — and walks straight in through the known hole. You were never targeted. You were just findable. And as AI makes these attacks cheaper and faster to run at scale, "findable" is becoming a much more dangerous thing to be.

Key Takeaway

Most business websites aren't hacked by someone targeting you personally — they're found by automated bots probing for known vulnerabilities at massive scale, and the single most common way in is an outdated, abandoned, or untrustworthy plugin. Every plugin you add is another third party you're trusting and another door that can be left unlocked. AI is making these mass attacks cheaper and faster, so the old "we're too small to be a target" assumption is now actively dangerous. The fix is mostly discipline: fewer plugins, kept updated, from sources you trust — plus basic hardening.

This is plain-language guidance for business owners, not a developer's deep-dive.

How do business websites actually get hacked?

Overwhelmingly through automation, not targeting. Bots crawl the internet constantly, fingerprinting what software each site runs and testing it against a list of known vulnerabilities — holes that have already been discovered and published. When the bot finds a site running a version with a known hole, it exploits it automatically. No human decided to attack you; a script found you matched a pattern.

This is why "we're too small to be a target" is the most dangerous sentence in small-business security. You don't need to be a target. The attacks are indiscriminate — they hit whatever is vulnerable, whether that's a bank or a bakery. A huge share of compromises trace back to known vulnerabilities for which a fix already existed but hadn't been applied.

~60% of breach victims were compromised through a known vulnerability for which a patch was available but not applied.

Think of it like a burglar who doesn't case neighbourhoods anymore — he just walks down every street trying every door handle, instantly, all night, on every street in the world at once. He's not interested in you. He's interested in the one door left unlocked. On a website, an outdated plugin is that unlocked door.

Why are plugins the number one culprit?

Because every plugin is a piece of someone else's code running inside your website, with access to your site — and the more you stack up, the more third parties you're forced to trust and the more doors exist to be left unlocked. WordPress powers a huge slice of the web precisely because of its plugin ecosystem, and that same ecosystem is its biggest attack surface. Security researchers consistently find that the large majority of WordPress vulnerabilities come from plugins, not the core software itself.

Here's where plugins quietly become liabilities:

Outdated plugins. A vulnerability gets discovered and published. The plugin author releases a fix. But you never updated — so now there's a public instruction manual for breaking into your exact setup, and bots have it.

Abandoned plugins. The author stopped maintaining it. No more fixes are coming, ever. A vulnerability found today will never be patched — the door can't be locked because nobody's making locks anymore. These are especially dangerous because the plugin keeps working, so you have no reason to notice it's been abandoned.

Too many plugins. Every plugin is another vendor you're trusting with code inside your site. Twenty plugins means twenty separate teams whose security practices you can't see, any one of which can be your downfall. More plugins isn't more capability for free — it's more risk you're carrying.

Plugins from untrustworthy sources. "Nulled" (pirated premium) plugins and ones from obscure sources sometimes ship with backdoors deliberately built in. You install what looks like a free feature and hand someone a key.

Plugin habit         High-risk site                    Low-risk site
Number of plugins    20+, 'just in case'               Only what's actively used
Updates              Rarely; 'don't touch what works'  Applied promptly
Abandoned plugins    Left installed for years          Removed / replaced
Source               Nulled / obscure                  Reputable, maintained
Unused plugins       Deactivated but still installed   Deleted entirely

A deactivated-but-still-installed plugin is a subtle trap people miss: it's still on your server, still containing its vulnerable code, still reachable by a bot. Deactivating isn't removing.

Is AI making this worse?

Yes — not by inventing unstoppable new attacks, but by making the existing ones dramatically cheaper, faster, and more thorough. The economics of attacking small sites just shifted in the attacker's favour:

  • Scale and speed. AI-assisted tooling can probe and exploit more sites, faster, with less human effort — so the net is cast wider and the bakery gets caught alongside the bank.
  • Lower skill barrier. Tasks that once needed a skilled attacker can increasingly be automated, so more people can run these campaigns.
  • Faster exploitation of new holes. When a vulnerability is published, the window between "fix available" and "bots exploiting it everywhere" keeps shrinking. Procrastinating on an update is riskier than it used to be.

The takeaway isn't to panic about AI super-hackers. It's that the cost of being findable and unpatched has dropped for attackers, so the margin for laziness on your side has dropped too. Safeguards exist and help — but as the briefing for this piece put it, even with safeguards, people keep finding ways in. Reducing your attack surface is the durable defence.

Hours: how quickly newly-disclosed vulnerabilities are now probed at scale across the web.

How do you protect your business website?

Most of it is unglamorous discipline, not expensive tools. The biggest wins come from reducing how many doors exist and keeping the ones you have locked.

How to reduce your website's risk of being hacked

  • Cut your plugins to the minimum — audit what's installed, and delete (not just deactivate) anything you don't actively use. Every plugin removed is a door removed.
  • Update everything promptly — core, plugins, and themes. Most breaches exploit holes that already had a fix. Turn on auto-updates where you safely can, and check monthly where you can't.
  • Remove abandoned plugins — if a plugin hasn't been updated by its author in a year or more, treat it as a liability and find a maintained alternative. No updates means no future locks.
  • Only install from reputable sources — never nulled/pirated plugins. The 'free' premium plugin is the most expensive thing you'll ever install if it ships a backdoor.
  • Add the basics — strong unique admin passwords, two-factor authentication on logins, and regular automated backups so you can recover fast if the worst happens.
  • Use a web application firewall and monitoring — a reputable security plugin or host-level firewall blocks the bulk of automated probing before it reaches your site.
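As an added example (not code from the article or from WordPress), here is a small audit that applies the checks from the plugin-habit table and the steps above to two inputs a site owner can already get: the JSON printed by WP-CLI's `wp plugin list --format=json` and the `last_updated` field from the WordPress.org plugin-info API. The plugin names, versions and dates are constructed sample data so it runs offline.

```python
"""Plugin audit against the article's rules. Example code added here, not from
the article or from WordPress. Assumed inputs: the JSON that WP-CLI's
`wp plugin list --format=json` prints, and the `last_updated` field from the
WordPress.org plugin-info API. Both are constructed samples so this runs offline."""
from datetime import date, timedelta

ABANDONED_AFTER = timedelta(days=365)   # "a year or more" with no author update
TODAY = date(2026, 6, 26)               # constructed audit date

# Constructed sample in the shape of `wp plugin list --format=json`.
INSTALLED = [
    {"name": "seo-toolkit",    "status": "active",   "update": "none",      "version": "4.2.0"},
    {"name": "old-gallery",    "status": "inactive", "update": "none",      "version": "1.3.1"},
    {"name": "form-builder",   "status": "active",   "update": "available", "version": "2.9.0"},
    {"name": "nulled-premium", "status": "active",   "update": "none",      "version": "7.0"},
]
# Constructed sample of WordPress.org plugin-info data, keyed by slug.
# A slug absent here is not in the public directory (a nulled or obscure copy).
DIRECTORY = {
    "seo-toolkit":  {"last_updated": "2026-05-10 3:06pm GMT"},
    "old-gallery":  {"last_updated": "2021-02-03 9:41am GMT"},
    "form-builder": {"last_updated": "2026-06-01 1:15pm GMT"},
}

def audit(installed, directory, today=TODAY):
    """Return {slug: [findings]}; an empty list means the plugin passed every check."""
    report = {}
    for p in installed:
        findings = []
        info = directory.get(p["name"])
        if info is None:
            findings.append("not in WordPress.org directory: verify the source, treat as untrusted")
        else:
            # The API's last_updated starts with YYYY-MM-DD; the time part is ignored here.
            last = date.fromisoformat(info["last_updated"][:10])
            if today - last >= ABANDONED_AFTER:
                findings.append("abandoned: no author update for a year or more, replace it")
        if p["status"] != "active":
            findings.append("inactive: delete it, deactivating leaves its code on the server")
        if p["update"] == "available":
            findings.append("update available: apply it promptly")
        report[p["name"]] = findings
    return report

if __name__ == "__main__":
    for slug, findings in audit(INSTALLED, DIRECTORY).items():
        print(f"{slug}: {'; '.join(findings) or 'ok'}")
```

Run it monthly (the article's cadence) and act on every non-empty line; a real run would swap the constructed samples for the live WP-CLI output and API responses.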

If your site is heavy with plugins because it's trying to do jobs plugins aren't really built for — booking, lead capture, customer follow-up, payments — that's worth rethinking. Each of those bolt-on plugins is attack surface. Often the cleaner answer is to move those business-critical workflows onto a purpose-built, maintained platform instead of a stack of third-party plugins you have to babysit. Fewer doors, professionally maintained, is safer than many doors you're responsible for.

Frequently Asked Questions

Yes — because the attacks aren't aimed at you specifically. Automated bots scan the entire internet indiscriminately, testing every site they find against known vulnerabilities. They don't know or care that you're small; they only care whether you're vulnerable. 'Nobody knows about us' offers zero protection against a script that finds you by probing IP ranges and software fingerprints. Obscurity is not security. In fact, small sites are often easier targets precisely because owners assume they're safe and skip basic maintenance.

Yes — security researchers consistently find that the large majority of WordPress vulnerabilities live in plugins (and themes), not in the WordPress core, which is well-maintained. The risk isn't WordPress itself; it's the dozens of third-party plugins running inside it, each maintained (or abandoned) by different people with different security standards. Every plugin you add is another team you're trusting and another potential hole. Reducing plugin count and keeping the rest updated is the single highest-impact thing most site owners can do.

No — deactivating isn't enough. A deactivated plugin still sits on your server with all its code intact, and in many cases its files can still be reached and exploited by an attacker even while 'off'. If you're not using a plugin, delete it entirely. The same goes for unused themes. The rule is simple: if it's not actively earning its place on your site, remove it completely so it can't become a door.

Promptly — ideally within days of an update being released, because the window between a vulnerability being published and bots exploiting it everywhere keeps shrinking. The safest setup is automatic updates for core and trusted plugins, plus a monthly manual check for anything you update by hand and a quick review of whether any plugin has gone stale. 'Don't touch what works' is the mindset that gets sites hacked — an unpatched site that 'works' is working for the attacker too.

Often, yes — both for security and reliability. Each plugin handling a business-critical job (bookings, forms, follow-ups, payments) is attack surface you're personally responsible for keeping patched. Moving those workflows onto a purpose-built, professionally maintained platform reduces the number of third-party doors on your site and shifts the security burden to a team whose job it is. You get fewer plugins to babysit and a more reliable system for the parts of your business that actually generate revenue.

The pragmatic takeaway

You don't need to become a security expert. You need to stop being easy. The vast majority of small-business compromises are automated, opportunistic, and entirely preventable with basic discipline: run fewer plugins, keep them updated, delete the abandoned and the unused, install only from sources you trust, and add two-factor plus backups. As AI pushes the cost of mass attacks down, that discipline is no longer optional hygiene — it's the difference between being passed over and being walked into.

The same logic that makes a plugin-stuffed website fragile is why we argue for purpose-built systems over bolted-together tools — see why most custom software projects fail and what digital process automation actually means for SMEs. If your site has become a tangle of plugins doing business-critical jobs, talk to us about moving those workflows onto something purpose-built and maintained — fewer doors, fewer worries.

The bottom line

Key Takeaway

Business websites are rarely hacked by someone targeting you — they're found by automated bots probing the whole internet for known holes, and the #1 way in is an outdated, abandoned, or untrustworthy plugin. Every plugin is another third party you're trusting and another door to leave unlocked, and AI is making these mass attacks cheaper by the month. The defence is discipline: fewer plugins, updated promptly, from trusted sources, plus two-factor and backups. Stop being the unlocked door on the street.
