WordPress.com raises the alert on security with some dizzying figures. Its Web Application Firewall (WAF) has blocked close to 12,000 requests per second of unwanted or malicious traffic in the last twelve months, in addition to 165 requests per second linked to attempts to exploit vulnerabilities.
According to WordPress.com, increasing security does not require sophisticated engineering. Outdated plugins and themes remain the favorite entry point for cybercriminals, especially when known unpatched flaws exist.
On top of this comes the chronic weakness of passwords and the lack of two-factor authentication. In our experience, this fits with what we have seen over the years: if the CMS is not governed and evolved well, it accumulates technical debt and attack surface that are then hard to close. We see it daily when a project stays anchored to extensions that prevent updating the core, which sharply raises the risk of hacking, spam or covert cryptomining, so applying updates is not optional.
Automattic points to further risks. First, granting excessive permissions: a granular role model limits the impact of a compromised account by clearly separating who creates, who edits and who publishes.
Second, unreviewed custom code. When templates are modified, external APIs are integrated or custom fields are added, the work should be done by an experienced professional and reviewed before it goes live.
What measures should be prioritized today? Update the core and extensions regularly, remove unnecessary plugins and those of dubious origin, enable two-factor authentication, audit roles and permissions, and rotate passwords periodically.
Security is not a project, it is a process. In practice, we recommend a maintenance cycle that combines frequent patching, quarterly permission reviews, off-site backups kept outside the production environment, restoration tests, and performance and error monitoring.
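As an added example (not from the article, WordPress.com or Automattic), the following Python script applies the checks above to the JSON that WP-CLI's `wp plugin list --format=json` and `wp user list --format=json` produce, flagging extensions with pending updates, inactive plugins that are removal candidates, and administrator accounts beyond an agreed budget. The sample records are constructed, and the field names (`name`, `status`, `update`, `user_login`, `roles`) are assumed from WP-CLI's default output.

```python
import json
from typing import Dict, List

# Constructed sample output (assumed WP-CLI field names; not real site data):
#   wp plugin list --format=json
PLUGINS_JSON = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.7.2"},
 {"name": "hello", "status": "inactive", "update": "none", "version": "1.7.2"},
 {"name": "old-slider", "status": "inactive", "update": "available", "version": "2.0"}
]"""
#   wp user list --fields=ID,user_login,roles --format=json
USERS_JSON = """[
 {"ID": "1", "user_login": "owner", "roles": "administrator"},
 {"ID": "2", "user_login": "agency-dev", "roles": "administrator"},
 {"ID": "3", "user_login": "writer", "roles": "author"},
 {"ID": "4", "user_login": "intern", "roles": "administrator,editor"}
]"""


def audit_plugins(plugins_json: str) -> Dict[str, List[str]]:
    """Return plugins with a pending update and inactive plugins (removal candidates)."""
    findings: Dict[str, List[str]] = {"needs_update": [], "inactive": []}
    for plugin in json.loads(plugins_json):
        if plugin.get("update") == "available":
            findings["needs_update"].append(plugin["name"])
        if plugin.get("status") == "inactive":
            findings["inactive"].append(plugin["name"])
    return findings


def admin_accounts(users_json: str) -> List[str]:
    """Return logins holding the administrator role (roles is a comma-separated string)."""
    return [user["user_login"] for user in json.loads(users_json)
            if "administrator" in user.get("roles", "").split(",")]


def audit_report(plugins_json: str, users_json: str, max_admins: int = 1) -> Dict[str, object]:
    """Combine both checks; max_admins is the number of admins the site owner expects."""
    report: Dict[str, object] = dict(audit_plugins(plugins_json))
    admins = admin_accounts(users_json)
    report["admins"] = admins
    report["too_many_admins"] = len(admins) > max_admins
    return report


if __name__ == "__main__":
    print(json.dumps(audit_report(PLUGINS_JSON, USERS_JSON), indent=2))
```

Run it against live data by piping the two WP-CLI commands' output into the functions instead of the constructed strings.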
* Original article written in Spanish, translated with AI and reviewed in English by Jorge Mediavilla.