From Scary Stats to Safer Sites: What We Actually Did After Reading About 111,354 Hacked WordPress Sites

November 18, 2025


Thomas Raef’s analysis was a wake-up call: every single compromised site had security plugins installed. The attackers didn’t break down doors – they walked through the front entrance using stolen credentials.

Read the original analysis here: https://www.linkedin.com/pulse/when-security-plugins-arent-enough-what-111354-infected-thomas-raef-t5xfe/

His article identified the problem brilliantly, but left business owners asking “now what?”

We couldn’t just forward it to clients. They needed actionable steps.

Here’s the detailed audit framework we developed, answering the four critical questions from his research:

1. Are you using modern authentication methods, or relying on passwords?

Immediate Actions:

  • Enable passkeys where available (SolidWP Pro offers this, as mentioned in the article)
  • Implement hardware-based 2FA using security keys (YubiKey, Google Titan)
  • Use authenticator apps (Google Authenticator, Authy) as minimum standard
  • Avoid SMS/email 2FA – these can be intercepted

Plugin Options:

  • Two Factor Authentication (WordPress.org plugin)
  • WP 2FA by WP White Security
  • Wordfence 2FA (built into their security plugin)
  • SolidWP Pro (mentioned specifically for passkeys)

For Agency Clients:

  • Audit all admin accounts and enforce 2FA across the board
  • Consider centralised identity management for multiple sites

2. Is your security plugin properly configured, or running on defaults?

Configuration Audit Steps:

  • Review firewall rules – ensure they’re actually blocking malicious traffic
  • Enable file integrity monitoring – track unauthorised file changes
  • Configure login attempt limiting – but don’t rely on it alone
  • Set up proper logging – capture authentication events and admin actions
  • Enable database scanning – not just file-based detection

Key Settings to Check:

  • Are notifications actually reaching you?
  • Is the firewall in learning or blocking mode?
  • Are all file types being monitored?
  • Is the plugin scanning frequency appropriate?

3. Do you have independent monitoring watching for post-compromise indicators?

Monitoring Solutions:

  • External security scanners (like the author’s WeWatchYourWebsite service)
  • File change monitoring independent of your security plugin
  • Website integrity monitoring (Sucuri SiteCheck, VirusTotal)
  • Uptime monitoring that also checks for redirects/defacement

What to Monitor:

  • Unexpected file modifications
  • New admin users being created
  • Plugin activations/deactivations
  • Database changes
  • Redirect injections
  • Unusual traffic patterns
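The “capture authentication events and admin actions” step in section 2 and the “What to Monitor” list above only pay off if something actually reads the log and raises an alert. The script below is an added example (not part of the original article or of any plugin it names): it replays a constructed audit log and flags the pattern Raef describes, a burst of failed logins followed by a successful one from the same address, then a new administrator account and a plugin activation from that session. The log line format, the event names and the IP addresses (RFC 5737 documentation ranges) are assumptions made up for this example; a real audit-log export would need its own parser, but the rules carry over unchanged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log. The line format (ISO-8601 UTC timestamp, event
# name, key=value fields) is an assumption for this example; real audit-log
# plugins export their own formats and parse_line() would be adapted to them.
SAMPLE_LOG = """\
2025-11-18T09:00:01Z login_failed user=admin ip=203.0.113.5
2025-11-18T09:00:03Z login_failed user=admin ip=203.0.113.5
2025-11-18T09:00:04Z login_failed user=admin ip=203.0.113.5
2025-11-18T09:00:06Z login_failed user=admin ip=203.0.113.5
2025-11-18T09:00:09Z login_failed user=admin ip=203.0.113.5
2025-11-18T09:00:12Z login_success user=admin ip=203.0.113.5
2025-11-18T09:01:30Z user_created user=support2 role=administrator by=admin ip=203.0.113.5
2025-11-18T09:02:10Z plugin_activated plugin=example-uploader by=support2 ip=203.0.113.5
2025-11-18T10:15:00Z login_failed user=editor ip=198.51.100.7
2025-11-18T10:20:00Z login_success user=editor ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Parse one log line into a dict; return None for lines we cannot read."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = when
    fields["event"] = event
    return fields


def detect(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Replay the log and return alerts in log order.

    brute_force               - fail_threshold failures from one IP inside window
    success_after_brute_force - a valid login from an IP that was just guessing
    new_admin                 - an administrator account was created
    plugin_activated          - a plugin was switched on (check the change log)
    """
    alerts = []
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = set()                 # IPs that crossed the brute-force threshold

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        ip = ev.get("ip", "unknown")
        kind = ev["event"]

        if kind == "login_failed":
            recent = failures[ip]
            recent.append(ev["ts"])
            while recent and ev["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= fail_threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip,
                               "count": len(recent), "ts": ev["ts"]})
        elif kind == "login_success" and ip in flagged:
            # The post-compromise signal: legitimate credentials used from a
            # source that was guessing passwords moments earlier.
            alerts.append({"rule": "success_after_brute_force", "ip": ip,
                           "user": ev.get("user"), "ts": ev["ts"]})
        elif kind == "user_created" and ev.get("role") == "administrator":
            alerts.append({"rule": "new_admin", "user": ev.get("user"),
                           "by": ev.get("by"), "ip": ip, "ts": ev["ts"]})
        elif kind == "plugin_activated":
            alerts.append({"rule": "plugin_activated", "plugin": ev.get("plugin"),
                           "by": ev.get("by"), "ip": ip, "ts": ev["ts"]})
    return alerts


def format_timeline(alerts):
    """Render alerts as the timeline a root-cause write-up needs."""
    lines = []
    for a in alerts:
        detail = ", ".join(f"{k}={v}" for k, v in a.items() if k not in ("rule", "ts"))
        lines.append(f"{a['ts'].isoformat()}Z {a['rule']}: {detail}")
    return lines


if __name__ == "__main__":
    for line in format_timeline(detect(SAMPLE_LOG)):
        print(line)
```

The single failed login from the editor’s address never reaches the threshold and produces nothing, which is the point of the sliding window: the aim is to catch the burst-then-success sequence, not to page someone every time a colleague mistypes a password. The timeline output doubles as the first draft of the “Timeline of the entire attack” item in the root cause analysis list further down.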

DIY Options:

  • Set up Google Search Console alerts for security issues
  • Configure server-level file integrity monitoring (AIDE, Tripwire)
  • Use WordPress audit log plugins (WP Security Audit Log)
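For sites where installing AIDE or Tripwire is not an option, the same idea fits in a short script. What follows is an added example, not code from the article or from any of the tools it lists: it hashes a WordPress tree into a baseline, then re-scans and reports added, removed and modified files. Two design points matter more than the hashing itself. First, uploads and cache directories are ignored because they change constantly, but PHP files under them are always tracked, since a PHP file appearing in wp-content/uploads is a classic post-compromise artifact. Second, the baseline must be stored outside the web root, and preferably off the server, because an attacker with write access can otherwise re-baseline their own changes. The directory layout and file contents in demo() are constructed for the example.

```python
import hashlib
import json
import os
import tempfile

# Directories whose contents legitimately churn. Anything under them is
# ignored EXCEPT .php files, which should never appear there.
VOLATILE_DIRS = ("wp-content/uploads", "wp-content/cache")


def file_sha256(path):
    """Stream-hash a file so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative_path: sha256} for every tracked file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        volatile = any(rel_dir == v or rel_dir.startswith(v + "/") for v in VOLATILE_DIRS)
        for name in filenames:
            if volatile and not name.lower().endswith(".php"):
                continue
            rel = f"{rel_dir}/{name}" if rel_dir else name
            baseline[rel] = file_sha256(os.path.join(dirpath, name))
    return baseline


def save_baseline(baseline, path):
    # Keep this file OUTSIDE the web root (ideally on another host); a writable
    # baseline next to the site lets an intruder bless their own changes.
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Diff two snapshots into sorted added / removed / modified path lists."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build a constructed mini WordPress tree, snapshot it, tamper, re-scan."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "wp-config.php", "<?php // constructed config\n")
        _write(root, "readme.html", "<html>constructed</html>\n")
        _write(root, "wp-content/plugins/example/example.php", "<?php // v1\n")
        _write(root, "wp-content/uploads/2025/photo.jpg", "not really a jpeg\n")
        baseline_path = os.path.join(store, "baseline.json")   # outside the tree
        save_baseline(build_baseline(root), baseline_path)

        # Changes of the kind a valid-credential intruder leaves behind, plus
        # one legitimate upload that the scan should stay quiet about.
        _write(root, "wp-content/plugins/example/example.php", "<?php // v1 + injected code\n")
        _write(root, "wp-content/uploads/2025/dropped.php", "<?php // should never be here\n")
        _write(root, "wp-content/uploads/2025/photo2.jpg", "legit new upload, ignored\n")
        os.remove(os.path.join(root, "readme.html"))

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron against the real document root (build_baseline once after a known-good deploy, compare on every run) and send the result to the same place as your other alerts; a report that nobody reads is the “are notifications actually reaching you?” problem from section 2 all over again.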

4. Are ALL your plugins updated, not just the security ones?

Plugin Management Strategy:

  • Enable automatic updates for security patches where possible
  • Implement staging environments to test updates before production
  • Regular plugin audits – remove unused/outdated plugins
  • Vulnerability scanning specifically for plugin versions

Tools and Processes:

  • WP-CLI for bulk plugin management across multiple sites
  • MainWP or similar for centralised update management
  • Wordfence vulnerability scanner for plugin-specific threats
  • Regular review of WordPress vulnerability databases

Risk Assessment:

  • Prioritise plugins with admin access or user input handling
  • Remove nulled/pirated plugins immediately
  • Consider alternatives for plugins that aren’t actively maintained
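The plugin audit in this section is easy to describe and tedious to do by hand across many sites. The script below is an added example (not from the article, WP-CLI or any vulnerability database) of how the “vulnerability scanning specifically for plugin versions”, “remove unused plugins” and “WP-CLI for bulk management” items fit together: it takes an inventory in the shape that `wp plugin list --format=json` produces, compares each version against a vulnerability feed, ranks the findings and emits the corresponding `wp plugin update` / `wp plugin delete` commands. The inventory, plugin names, versions and the feed entries are all constructed for the example, and the advisory ids are placeholders; in practice the feed would come from one of the vulnerability databases the section mentions.

```python
import json
import re

# Constructed inventory in the shape of `wp plugin list --format=json` with the
# fields name, status, version and update_version (empty when up to date).
# Plugin names and versions are invented for this example.
INVENTORY_JSON = """[
  {"name": "example-forms",   "status": "active",   "version": "5.1.2", "update_version": "5.1.9"},
  {"name": "example-gallery", "status": "inactive", "version": "2.0",   "update_version": ""},
  {"name": "example-seo",     "status": "active",   "version": "3.4.0", "update_version": ""},
  {"name": "example-backup",  "status": "active",   "version": "1.8.0", "update_version": "1.9.0"}
]"""

# Constructed vulnerability feed: versions below fixed_in are affected.
# The ids are placeholders, not real advisory identifiers.
VULN_FEED = [
    {"plugin": "example-forms",   "fixed_in": "5.1.5", "id": "PLACEHOLDER-ADVISORY-1"},
    {"plugin": "example-gallery", "fixed_in": "2.1.0", "id": "PLACEHOLDER-ADVISORY-2"},
]


def load_inventory():
    return json.loads(INVENTORY_JSON)


def parse_version(text):
    """Turn '5.1.2', '2.0' or '1.8.0-beta' into a comparable tuple of ints.

    Trailing zeros are dropped so that 2.0 and 2.0.0 compare equal."""
    nums = [int(p) for p in re.findall(r"\d+", text.split("-")[0])]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def is_vulnerable(version, fixed_in):
    return parse_version(version) < parse_version(fixed_in)


def assess(inventory, feed):
    """Return findings ordered by priority: vulnerable, then unused, then update."""
    advisories = {v["plugin"]: v for v in feed}
    findings = []
    for p in inventory:
        adv = advisories.get(p["name"])
        if adv and is_vulnerable(p["version"], adv["fixed_in"]):
            findings.append((0, p["name"], "vulnerable",
                             f"{p['version']} < {adv['fixed_in']} ({adv['id']})"))
        if p["status"] == "inactive":
            # Inactive plugins still ship their files; they are dead weight at
            # best and an unpatched attack surface at worst.
            findings.append((1, p["name"], "unused", "inactive but still installed; remove it"))
        elif p.get("update_version"):
            findings.append((2, p["name"], "update_available",
                             f"{p['version']} -> {p['update_version']}"))
    findings.sort()
    return [{"plugin": n, "finding": f, "detail": d} for _, n, f, d in findings]


def remediation_commands(findings):
    """WP-CLI commands to review (and test on staging) before running them."""
    unused = {f["plugin"] for f in findings if f["finding"] == "unused"}
    cmds = [f"wp plugin delete {p}" for p in sorted(unused)]
    to_update = {f["plugin"] for f in findings if f["finding"] != "unused"} - unused
    cmds += [f"wp plugin update {p}" for p in sorted(to_update)]
    return cmds


if __name__ == "__main__":
    results = assess(load_inventory(), VULN_FEED)
    for f in results:
        print(f"{f['finding']:17} {f['plugin']:16} {f['detail']}")
    print("\n".join(remediation_commands(results)))
```

Note how the inactive gallery plugin turns up twice, once as vulnerable and once as unused, and the remediation step deletes it rather than updating it: an inactive plugin that you would otherwise have patched forever is exactly the kind of thing the “remove unused/outdated plugins” item is about. Across an agency portfolio the same script runs once per site with the inventory fed in from each one.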

Additional Recommendations

Root Cause Analysis Process: When any security incident occurs, document:

  • How attackers gained initial access
  • What credentials were compromised
  • Which files were modified and when
  • What backdoors were installed
  • Timeline of the entire attack

Layered Security Implementation:

  1. Server level – Web Application Firewall (Cloudflare, Sucuri)
  2. Application level – Security plugins with proper configuration
  3. Authentication level – Modern auth methods (passkeys/hardware 2FA)
  4. Monitoring level – Independent scanning and alerting
  5. Response level – Clear incident response procedures

The key insight from Raef’s article is that traditional security plugins alone aren’t sufficient anymore. The majority of attacks use legitimate credentials, so you need monitoring that detects post-compromise activity, not just prevention at the entry point.

Perfect security doesn’t exist. But most attacks target the easiest victims.

Don’t be the easiest victim.


What security gaps have you discovered in your WordPress sites? Share your experiences in the comments below.