Don't Let Hackers Exploit Your Hospital's Website | Understanding the Risks of WordPress

[Image: hackers gaining access to a hospital's WordPress website through outdated WordPress plugins in order to skim credit card data and steal patient information]

Many hospitals rely on WordPress for their website, but are unaware of the inherent security risks that come with it. This blog aims to inform hospitals of these risks and provide options to improve their website's security and performance, ensuring the protection of patient data and their digital presence.


Cody Strate

CEO

With 20+ years of experience, Cody Strate is a go-to expert for hospitals looking to improve their digital presence and patient experience.

Article published: March 14, 2023

Introduction

Hospital websites built on WordPress are commonplace; this is especially true for small community and critical access hospitals, many of which haven't updated their website in years. But the rise of digital interaction has raised the standard for hospital sites: outdated sites now look archaic next to those of large hospital networks or well-known consumer brands. This alone should encourage hospitals to upgrade their digital presence; however, there are more pressing concerns when it comes to security. With these vulnerabilities in mind, it's essential that information technology and marketing teams understand the risks associated with using WordPress and take the necessary steps to mitigate them, so as not to fall prey to cyber-attacks or data breaches. In this blog, we'll discuss the various threats posed by WordPress and provide strategies on how best to defend against them.

WordPress Hacking By The Numbers

Before we dive into some of the specific security concerns, let’s set the stage for the scope and scale of the problem we’re dealing with here.

  • 43.2% - Percentage of all websites on the internet that use WordPress (W3Techs, 2022)
  • 65.2% - Percentage of websites using a content management system (CMS) that use WordPress (W3Techs, 2022)
  • 60,000+ - Free WordPress plugins available (WordPress, 2022)
  • 31,000+ - Free and premium WordPress themes available (WordPress, 2022)
  • 18.5 billion - Password attack requests blocked by Wordfence in the first half of 2021 (Wordfence, 2021)
  • 2,800 - Attacks per second targeting WordPress sites in 2020 (Wordfence WordPress Threat Report, 2020)
  • 602 - New security vulnerabilities across WordPress core, themes, and plugins in the first half of 2021 (Wordfence, 2021)
  • 97% - Percentage of WordPress website vulnerabilities that come from plugins and themes (WPScan, 2022)

Understanding the WordPress Threat Landscape

While WordPress is a powerful and popular content management system, it is important to understand that it alone is not enough to accomplish your digital objectives. In order to create a website that meets your specific needs and goals, you will need to use themes and plugins in addition to the core WordPress software. These themes and plugins introduce the greatest points of vulnerability for your website and organization.

WordPress Themes

Themes are pre-designed templates that determine the overall layout and design of your website. They provide a way to customize the look and feel of your website in a WYSIWYG fashion without needing to know how to code. There are thousands of free and paid themes available, with Divi and Elementor being two of the most popular.

WordPress Plugins

Plugins are additional software that can be installed on your website to add functionality and features that are not included in the core WordPress software. There are plugins for everything from contact forms to e-commerce, social media integration, SEO optimization, and more. Just like themes, there are thousands of free and paid plugins available.

In summary, while WordPress provides a solid foundation for building a website, it is not enough to accomplish all digital objectives on its own. Themes and plugins let you customize the look and feel of your website and add functionality, but it's important to be aware of the security vulnerabilities they bring with them.

What Hackers Are Trying To Accomplish By Hacking A Hospital's Website

A. Skimming Credit Cards | Pay a Bill or Donate to our Foundation

Understand that hackers are trying to make a buck. As such, they’re going to look for points of financial transaction on your website so they can insert well-hidden malicious code (often JavaScript) that skims your patients’ credit card information when they go to do common tasks like “pay a bill” or “donate” to your foundation. The transaction completes as normal, but the hacker gets your patients’ credit card details in the process. According to Sucuri SiteCheck, WordPress is the number one platform for detected credit card skimmer malware.

[Chart: Sucuri SiteCheck data showing WordPress as the website builder with the most identified credit card skimmers]

If hackers gain access to your website, they could take a more direct approach and create a fake page that patients are rerouted to when they click “pay a bill”. This fake page takes the charge as normal, but the payment is routed directly to the hackers.
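Both forms of tampering described above (an injected skimmer script and a rerouted payment page) show up as scripts or script sources on the "pay a bill" page that the hospital never added. The scanner below is an added example written for this post, not code from the original article or from Novel Koncept: it inventories every external script origin and hashes every inline script on a page, stores that as a known-good baseline, and reports anything that appears later. The hostnames and the two HTML pages are constructed placeholders.

```python
"""Inventory the scripts on a payment page and diff them against a known-good baseline.

Added example (not from the original post). Skimmers arrive as injected <script>
tags: either inline, or loaded from a host the hospital has never used. Recording
third-party script origins and SHA-256 hashes of inline scripts once, then
re-scanning and diffing, surfaces exactly those additions.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script src values and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute of every <script src=...>
        self.inline = []        # text of every <script> without src
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def script_inventory(html, page_host):
    """Return third-party script hosts and SHA-256 hashes of inline scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    origins = set()
    for src in parser.external:
        host = urlparse(src).netloc.lower()   # '' for relative URLs => same host
        if host and host != page_host.lower():
            origins.add(host)
    inline = {hashlib.sha256(s.encode()).hexdigest() for s in parser.inline if s}
    return {"origins": origins, "inline": inline}


def diff_against_baseline(current, baseline):
    """Anything present now but absent from the baseline is a finding."""
    return {
        "new_origins": sorted(current["origins"] - baseline["origins"]),
        "new_inline": sorted(current["inline"] - baseline["inline"]),
    }


# Constructed sample pages (placeholder hosts, not real sites).
BASELINE_HTML = """
<html><body>
<form id="payment" action="https://pay.example-processor.test/checkout"></form>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://js.example-processor.test/v1/checkout.js"></script>
<script>window.hospitalConfig = {"dept": "billing"};</script>
</body></html>
"""

# Same page with one unexpected external script and one unexpected inline script.
INJECTED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://static.unknown-cdn.example/analytics.js"></script>\n'
    "<script>var _q = document.querySelectorAll('input');</script>\n</body>",
)

if __name__ == "__main__":
    host = "www.example-hospital.test"
    baseline = script_inventory(BASELINE_HTML, host)
    findings = diff_against_baseline(script_inventory(INJECTED_HTML, host), baseline)
    print("new third-party origins:", findings["new_origins"])
    print("new inline scripts (sha256):", findings["new_inline"])
```

In practice the baseline is taken right after a clean deployment and stored outside WordPress, and the scan runs against the live "pay a bill", "donate" and portal-login pages on a schedule; any non-empty finding is a ticket for the web team, not something to silence.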

B. Accessing PHI through Portal Access

The vast majority of hospitals use a patient portal such as Epic’s MyChart or the portals from MEDITECH or Cerner. Using the same methodology as a credit card skimmer, hackers could skim a patient’s login credentials and then potentially gain access to the patient’s electronic chart directly through your portal. Obviously, the financial and reputational repercussions of this kind of breach are extremely serious.

C. Disrupting Operations or Altering Patient Data

Hackers gaining access to a hospital's electronic medical record system, initiating a denial of service (DoS) attack, and demanding a ransom payment to unlock it is a common occurrence in the news. These attacks can result in the system being locked down, leaving hospitals unable to access important patient data. If the ransom is not paid within a specific timeframe, the hackers may threaten to wipe out the system completely, causing irreparable damage. They can do exactly the same thing to your website. While the implications of having your website and domain destroyed are not nearly as weighty as having your EHR locked down, the damage to your reputation and the cost in terms of community trust are nothing short of extreme.

What Do You Do If You Have WordPress

If you’re reading this it’s very likely that your hospital uses WordPress, and you might be thinking about what you should do. Here are a few things that you can consider.

Move Away from WordPress | Consider Webflow

At Novel Koncept, we understand that creating a seamless and engaging digital experience for patients is vital, which is why we build hospital websites on Webflow's "no-code" platform. But, while aesthetics are important, they shouldn't come at the cost of security. That's why we choose Webflow over WordPress. Webflow offers a superior platform in nearly every aspect, but when it comes to security, the difference is stark. Webflow eliminates the use of plugins and themes, all interactions are end-to-end encrypted, SSL is standard, and Webflow is SOC 2 Type II compliant, providing an unparalleled level of security for our hospital clients.

Hide Your WordPress Login Page

If your hospital’s website uses WordPress, do the following:

  1. Go to your hospital's website in a browser
  2. At the end of your hospital’s URL type in “wp-admin” or “wp-admin.php”
  3. Hit “enter” or “return” on your keyboard

If you’re taken to a WordPress login page for your website, then you’ve got a problem, and you should change this straight away. It is simple things like this that hackers can easily exploit through methods like brute force attacks.
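The three-step manual check above can be automated so it runs against your own site after every deployment and alerts when the stock login form becomes reachable again. The script below is an added example for this post, not code from the original article or from Novel Koncept. It requests the default WordPress admin path from the post plus the underlying wp-login.php script, and decides "exposed" only when the response is a 200 carrying the stock login form markup; the decision logic is kept separate from the HTTP fetch so it can be exercised on the constructed responses embedded here. The hospital hostname is a placeholder.

```python
"""Check whether a site still serves the stock WordPress login page.

Added example (not from the original post). Automates the manual check of
appending the admin path to the site URL: if the stock login form comes back,
the page has not been hidden and is exposed to password-guessing traffic.
"""
import re
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Markers of the stock wp-login.php form. Either one is enough to call it exposed.
LOGIN_MARKERS = (
    re.compile(r'id=["\']loginform["\']', re.I),
    re.compile(r'action=["\'][^"\']*wp-login\.php', re.I),
)

# Paths to probe: the one named in the post plus the login script behind it.
PROBE_PATHS = ("/wp-admin", "/wp-login.php")


def login_form_exposed(status, body):
    """True only for a 200 response whose body contains the stock login form."""
    if status != 200:
        return False
    return any(marker.search(body) for marker in LOGIN_MARKERS)


def fetch(url, timeout=10):
    """Return (status, body). Redirects are followed, so a 302 to the login
    page is reported as the final 200 and inspected like any other page."""
    req = Request(url, headers={"User-Agent": "login-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except URLError:
        return None, ""      # connection failure: treat as not exposed, but report it


def check_site(base_url):
    """Map each probed path to True (login form exposed) or False."""
    base = base_url.rstrip("/")
    return {path: login_form_exposed(*fetch(base + path)) for path in PROBE_PATHS}


# Constructed responses for offline exercise (placeholder hospital hostname).
EXPOSED_BODY = (
    '<html><body><form name="loginform" id="loginform" '
    'action="https://www.example-hospital.test/wp-login.php" method="post">'
    '<input type="text" name="log"><input type="password" name="pwd">'
    "</form></body></html>"
)
HIDDEN_BODY = "<html><body><h1>Not Found</h1></body></html>"

if __name__ == "__main__":
    # Run against your own hospital's site, e.g. after each deployment.
    print(check_site("https://www.example-hospital.test"))
```

A result of True for either path means the fix in the post has not been applied (or a plugin update has undone it); the check belongs in the same monitoring that watches for site-wide outages, since an exposed login page is a configuration regression rather than a one-time finding.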

Auto-Upgrade WordPress Core, Themes, and Plugins

Given that out-of-date WordPress themes and plugins are the point of entry for 94% of website hacks, it’s imperative that you keep your WordPress core, themes, and plugins updated at all times. Simply set your WordPress settings to auto-update.

Scan Your Site

Use tools from companies like SecurityScorecard or Sucuri SiteCheck to monitor your site for any signs of malicious code.

Conclusion

The popularity of WordPress as a content management system makes it a prime target for hackers. With millions of websites running on WordPress, hackers have a large pool of potential victims to choose from. And since many WordPress websites are similar in structure and functionality, once a hacker figures out how to exploit a vulnerability on one website, they can often repeat the process on multiple other sites with little effort. This makes WordPress a high-return-on-investment target space for hackers.

Furthermore, since WordPress is open-source software, the source code is publicly available for anyone to view and study. This makes it easier for hackers to find and exploit vulnerabilities in the software. Additionally, many users of WordPress do not properly secure their websites, which makes them an easy target for hackers.

At Novel Koncept, we understand the importance of creating a modern, high-performance digital presence while also ensuring maximum security. We invite hospitals to contact us to learn more about how we can help improve their digital presence and security posture. We exist to exclusively serve community and critical access hospitals to ensure the value you bring to your community is accurately reflected in your digital presence.
