Why So Many Nigerian Websites Keep Getting Hacked
Nigeria’s digital economy is now valued at $18.3 billion and contributes nearly 20 percent of GDP. Banks, government agencies, startups, and SMEs have all moved online with impressive speed. But the infrastructure supporting that growth has not kept pace with the threat environment around it, and attackers have taken notice.
Between January and September 2025, Nigeria experienced a documented surge in data breaches across banking, telecom, government, and healthcare sectors. Banking databases and telecom records were actively traded on dark web forums, with one listing claiming over 60 million Nigerian records. The Corporate Affairs Commission was breached, allegedly losing 25 million documents amounting to roughly 750 gigabytes of data. The National Social Investment Management System had credentials leaked. The ransomware group Killsec compromised Princeps Credit Systems. These were not isolated incidents but reflect a structural vulnerability that runs through how Nigerian websites are built, maintained, and funded.
The Software Maintenance Problem
A large share of Nigerian websites run on WordPress, which globally powers over 43 percent of all websites. That ubiquity makes it a permanent target. When a vulnerability is found in any popular plugin, automated bots begin scanning the entire web for sites still running the affected version within hours of a patch being released.
The problem is that many Nigerian site owners never apply those patches. Outdated plugins account for roughly half of all WordPress vulnerabilities that get successfully exploited. The reasons for delay are often practical: developers who built a site and moved on, hosting environments with no automated update process, and business owners unsure whether an update might break something. None of those reasons reduces the risk. They compound it.
Research specific to the Nigerian context shows that many SME sites run on shared hosting packages costing between ₦5,000 and ₦15,000 per year. At that price point, server-level security, malware scanning, and dedicated support are rarely included. A site built on budget shared hosting with unpatched plugins and a default “admin” username, a combination that remains strikingly common, presents almost no obstacle to an automated attack.
Weak Credentials, Weak Access Controls
Beyond outdated software, weak authentication is among the most consistently exploited entry points. Many Nigerian business sites still use predictable usernames and simple passwords. Brute force bots run continuously across the internet, cycling through common credential combinations with enough speed that even moderately weak passwords will eventually fall.
Two-factor authentication, which would neutralize most brute force attempts, is rarely enabled. Role-based access controls, ensuring that, say, a content editor cannot modify a site’s core files, are frequently absent. Staff with no technical training are often given administrative credentials they have no need for and no means to protect.
These are solvable problems. But solving them requires both awareness and investment, and Nigerian SMEs have historically treated security as a cost rather than a function.
The Developer Handoff Gap
There is a well-known pattern in the Nigerian web development market: a freelance developer builds a site, collects payment, and hands over login credentials with no ongoing relationship. The business owner receives a website but no maintenance plan, no security baseline, and often no documentation.
When WordPress releases a security update, hackers immediately understand what vulnerability existed in the previous version. Every site still running the old version becomes a target. Without a developer relationship or internal IT capacity, many Nigerian organizations simply never get that update.
This is not a problem unique to Nigeria, but it is more acute in a market where formal IT procurement is rare at the SME level and cybersecurity is still widely perceived as something that happens to bigger organizations.
Government Sites and Systemic Gaps
The vulnerability extends well beyond the private sector. The Guardian’s investigation into recent attacks on Nigerian government infrastructure describes “coordinated and sophisticated” threat actors successfully breaching critical systems, with service outages and data exfiltration as documented outcomes. Officials from the National Information Technology Development Agency confirmed cybersecurity incidents at multiple agencies.
Government websites face a specific challenge: they are often built on legacy software, procured years ago through processes that emphasized functionality over security, and maintained by civil servants without specialized cybersecurity training. The incentives to prioritize patching are weaker in public sector procurement than in private enterprise.
A cloud misconfiguration at Remita, which processes government salaries, taxes, and payments, reportedly exposed roughly three terabytes of data. The technical cause was human error, not sophisticated hacking. That distinction matters: most successful attacks against Nigerian websites do not require advanced capabilities. They exploit gaps in basic security hygiene.
Regulatory Momentum, Enforcement Lag
Nigeria has made legislative progress. The Nigeria Data Protection Act 2023 introduced mandatory breach reporting requirements, and the Cybercrimes Amendment Act of 2024 strengthened the legal framework around unauthorized access. In 2024, Fidelity Bank was fined ₦555.8 million for privacy violations. Meta and WhatsApp faced a $220 million penalty.
These are significant signals. But the Nigeria Data Protection Commission now reports over 4,000 cyberattacks weekly, with financial losses reaching ₦12 billion in 2024 alone. The enforcement apparatus, however improving, is not yet proportionate to the volume of incidents. The gap between regulation and implementation remains wide, particularly for SMEs that lack compliance teams and may be unaware of their obligations under the NDPA.
What Needs to Happen
The Nigerian Communications Commission estimates the country loses approximately $500 million annually to cyber-related offences. That figure will not improve until security is embedded earlier in how websites are designed, procured, and maintained.
That means software updates are treated as routine operational tasks rather than discretionary projects. It means hosting procurement that includes minimum security requirements. It means developers who build websites also document and hand over a maintenance baseline. It means government agencies conducting regular security audits of public-facing infrastructure. And it means regulators with the capacity to follow through on the framework they have built.
Nigeria’s digital economy has achieved genuine scale. The security architecture around it has not yet caught up.

