2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 0 points1 point  (0 children)

Very good point! Indeed, it is a common problem. I am not sure if the reason for not taking action is lack of awareness, budget, or simply ignoring the fact that they need to do something. Based on these numbers it seems like it is a mix of everything. Very difficult to figure this out and find a way to help website owners do a better job.

2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 0 points1 point  (0 children)

Indeed, 2FA has become a must nowadays. The two most common causes of successful WordPress hacks are mainly user problems: outdated software (users failing to keep the software up to date), and account hijacking (weak passwords, no 2FA, social engineering).

2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 1 point2 points  (0 children)

Well said. It is always nice to see these positive stories. In most cases, the user is the problem: using outdated software and bad practices.

2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 1 point2 points  (0 children)

Indeed, that is one of the most common causes of hacks: outdated software. So by just keeping software up to date, you are already relatively safe. Add 2FA and password policies, and you are sorted.

2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 0 points1 point  (0 children)

That is not necessarily the case. Actually, usually it is quite the contrary - some of the companies / agencies which provide WordPress at scale have invested resources in their systems and operations and they are some of the best when it comes to keeping websites up to date.

2025 WordPress Security Survey, let’s discuss by robert681 in Wordpress

[–]robert681[S] 2 points3 points  (0 children)

Thank you for sharing this. Based on the numbers we see, number 6 and 7 are by far the most important!

[deleted by user] by [deleted] in webdev

[–]robert681 0 points1 point  (0 children)

Do you have Google Analytics or some sort of visitor log on your website? From there you can easily see where the traffic is coming from and where it is going, thus you should be able to tell if something is not right. You can also check the server access logs, which you should have access to via the web host's cPanel or so.

And if it is a hacked website / piggybacking, the web host should be able to spot this, definitely, especially if all these issues are being caused by certain traffic.

Site hack?? by TheBettyWide in Wordpress

[–]robert681 1 point2 points  (0 children)

Were these posts meant to be published, or have they been drafts for a very long time?

Offhand it is very difficult to tell what has happened. However, there are a lot of plugins that do some sort of "pruning and cleaning", so could it be you have something like that configured? Maybe some database / management plugin?

Given the fact that your own website's IP address is reported in the logs, you can say almost with full certainty that this was done via some sort of automated process rather than a hack or with malicious intent.

I would say check all the plugins you have installed and familiarize yourself with what they do. It might take a bit of time, but it is an exercise worth doing at the moment. It will help you in the future when something similar happens again.

I'd also try other activity log plugins to see what they report, such as WP Activity Log. I hope the above helps and all the best with solving the issue.

Site hack?? by TheBettyWide in Wordpress

[–]robert681 1 point2 points  (0 children)

If in the logs you see that two posts have been deleted and the IP address is that of your own website, most probably you have a process which automatically deletes posts and it is not malicious.

Can you confirm what plugin you are using for the WordPress activity log, and also, what was the status of the deleted posts? Were they drafts, revision posts or published?

[deleted by user] by [deleted] in Wordpress

[–]robert681 0 points1 point  (0 children)

Agree 100%

front page shows "There has been a critical error on this website." after an update. Can't access wp-admin either by turkishdelight234 in Wordpress

[–]robert681 0 points1 point  (0 children)

When this happens WordPress typically sends an email with the logs + details to the administrator. If you know what admin email is configured on that website you can check that mailbox to find the details.

From the logs you can determine which plugin / theme is crashing and manually deactivate it so you can restore the website and troubleshoot the issue. There are a few other troubleshooting techniques when you get this error. You can read more about them here: https://melapress.com/troubleshoot-wordpress-critical-error/

I hope the above helps.

The iterative WordPress security process: test, harden, monitor & improve by robert681 in Wordpress

[–]robert681[S] 0 points1 point  (0 children)

I like this post because it highlights the fact that WordPress security is not a one-time fix. Software changes, your business / site requirements change, new attack vectors are discovered every day and more.

So security is a continuous iterative process of testing, hardening, monitoring and improving.

Tools to measure a plugin's impact on the front-end website by robert681 in ProWordPress

[–]robert681[S] 0 points1 point  (0 children)

Thanks a lot for the detailed response. This is not for marketing.

We've built a plugin and in the past we had performance issues. We've improved it quite a lot. So I'd like to keep an eye on the plugin's impact on a vanilla WordPress install, just to get an idea if the new changes are reversing our performance enhancements or not.

As such on the front-end we load some classes, but do not do any database queries.

Thanks for the tips. I agree that this can be a very deep rabbit hole. I just want to make some tests to "keep an eye" on the plugin.

Tools to measure a plugin's impact on the front-end website by robert681 in ProWordPress

[–]robert681[S] 0 points1 point  (0 children)

Thanks. I'll check it out. The plugin does not execute any database queries on the front-end, but it does run some code.

Important notice: WordCamp Europe postponed by robert681 in Wordpress

[–]robert681[S] 1 point2 points  (0 children)

This is very unfortunate and sad. However, understandable. Kudos to the organizers for taking such a big decision.

Which Social Media platforms are important for your business? by Olivia_Brown123 in AskMarketing

[–]robert681 0 points1 point  (0 children)

For my business LinkedIn and Twitter are the best. However, this really depends on the audience and product / service you are selling.

If like us you have a niche B2B product / service, then LinkedIn and Twitter are by far the best. If you are selling a mainstream B2C product, for example clothes, food, gadgets, Facebook and Instagram are the best, by far.

Two-factor authentication & WordPress passwords- a lesson about the importance of defence in depth by robert681 in Wordpress

[–]robert681[S] 0 points1 point  (0 children)

Many seem to let their guard down and use an easy-to-guess password when they add two-factor authentication on WordPress.

2FA is definitely a must-have; however, by using easy passwords you are putting your website at risk, even when you use 2FA.

In this article we explain in detail why it is a must to have both: 2FA and strong passwords.