
Website Security: What Can We Learn Letting Hackers Attack Test Sites? – interview with Max Matłoka
In this talk Max Matłoka shared practical insights on WordPress security, plugin hygiene, and why it’s time to rewrite the narrative around the world’s most popular CMS.
In a web development world increasingly focused on new tech stacks and headless frameworks, Max Matłoka is doubling down on something different: trust, transparency, and the strength of the WordPress community.
Max Matłoka is a web developer, long-time WordPress contributor, and community organizer. He takes us behind the scenes of his latest experiment with WordPress honeypots and explains why advocacy for open-source tools is more critical than ever.
What Hackers Taught Us About Bot Behavior
Max is completely sure about one thing: if your site is online, it will be targeted, often within seconds. During his talk at the latest WordCamp Vienna, Max shared the results of a unique experiment. Using Terraform and Docker, he deployed over 70 WordPress honeypots – fully functional but fake websites designed to attract automated bot traffic.
We launched more than 70 sites, and within seconds bots started scanning them—not just for passwords, but for outdated plugins, known exploits, and vulnerable files.
This wasn’t a passive experiment. Max built systems to monitor traffic, record payloads, and analyze attack patterns. The takeaway? Malicious bots are not only fast – they’re thorough.
What they target:
- Outdated plugins and themes
- Unsecured wp-config files
- Weak admin credentials (admin:admin)
- Known exploits from public CVEs
This automated behavior proves that security isn’t optional – it’s foundational. Even a site with zero visibility can be discovered and attacked almost instantly.
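One way to see this scanning in your own logs, as an added defender-side example (not code from Max's honeypot setup): a small Python script that parses combined-format access log entries and flags the request types listed above. The sample log lines, the brute-force threshold and the plugin name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Defender-side rules matching the bot targets listed in the interview.
WP_CONFIG_RE = re.compile(r'^/wp-config\.php(\.\w+|~)?$', re.I)   # config file and backup copies
PLUGIN_ENUM_RE = re.compile(r'^/wp-content/(plugins|themes)/[^/]+/readme\.txt$', re.I)
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}
BRUTE_FORCE_THRESHOLD = 5  # assumed: login POSTs from one IP before flagging it

def parse_line(line):
    # Returns the named fields of one log line, or None if it is not combined format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(method, path):
    # Maps one request to a scanner category, or None for ordinary traffic.
    clean = path.split("?", 1)[0]          # ignore query strings
    if WP_CONFIG_RE.match(clean):
        return "wp_config_probe"
    if PLUGIN_ENUM_RE.match(clean):
        return "plugin_enumeration"
    if method == "POST" and clean in LOGIN_ENDPOINTS:
        return "login_attempt"
    return None

def analyze(lines):
    # Aggregates categories per client IP and flags IPs hammering the login endpoints.
    hits = defaultdict(Counter)            # ip -> Counter(category)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        cat = classify(rec["method"], rec["path"])
        if cat:
            hits[rec["ip"]][cat] += 1
    brute_force = sorted(ip for ip, c in hits.items()
                         if c["login_attempt"] >= BRUTE_FORCE_THRESHOLD)
    return {"hits": {ip: dict(c) for ip, c in hits.items()}, "brute_force_ips": brute_force}

# Constructed sample lines (TEST-NET addresses, fictitious plugin name), not real honeypot data.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Sep/2025:10:00:01 +0200] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '203.0.113.7 - - [26/Sep/2025:10:00:02 +0200] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 404 196 "-" "python-requests/2.31"',
    '192.0.2.5 - - [26/Sep/2025:10:00:03 +0200] "GET /about/ HTTP/1.1" 200 8731 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.9 - - [26/Sep/2025:10:00:{4 + i:02d} +0200] "POST /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"'
    for i in range(6)
]
```

Running `analyze(SAMPLE_LOG)` on the constructed input reports the config probe and plugin enumeration from the first IP, ignores the ordinary page view, and lists the third IP as brute-forcing the login form.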
Plugin Hygiene Is Non-Negotiable in 2025
Contrary to what some critics say, the problem isn’t WordPress core. It’s the ecosystem around it. Max emphasized that most real-world vulnerabilities stem from third-party plugins – especially those that are no longer maintained, downloaded from unreliable sources, or bundled with premium themes from marketplaces without vetting.
“WordPress is one of the most secure CMSs available today. The issue is how people use it.”
So, what’s Max’s advice if you want to keep your WordPress setup secure without turning it into a full-time job? First, don’t ignore your plugins. It’s easy to install a bunch of them and forget they exist, but even inactive ones can leave the door open for problems. Give your site a regular cleanup and make sure everything you use is up to date. And when you’re choosing tools, don’t go for random zip files from sketchy websites – stick to plugins from official or trusted sources.
Max is also a big believer in following the wisdom of the crowd. He recommends using security checklists built by the community, because they cover the real issues people run into day to day. If you want to go the extra mile, tools like WPScan or Patchstack are great for keeping an eye on known vulnerabilities. They help you catch risks before anything bad actually happens – kind of like having a security guard who never sleeps.
Why WordPress Advocacy Still Matters
Max believes WordPress isn’t just under attack from bots—it’s also misunderstood by the broader dev community.
We keep talking about WordPress inside a bubble, and we need to reach people outside of the WordCamp crowd.
Despite its long-standing role in powering much of the web, WordPress still gets surprisingly little credit in developer circles. It’s often overshadowed by newer, shinier frameworks – not because it can’t compete, but because the conversation around it hasn’t kept up. Max calls this out as a branding failure, not a technical one.
He believes it’s time to reframe how we present WordPress to the outside world – especially to developers who may have dismissed it years ago and haven’t looked back. That means telling better stories, sharing enterprise case studies, and showing off what’s truly possible today with custom themes, API integrations, and headless setups.
If we want the ecosystem to grow, we have to get better at showing people what WordPress can do now—not just what it did 10 years ago.
That’s why he’s taking on the role of an advocate, speaking at more events, sharing enterprise use cases, and inviting developers back into the conversation.
WordCamp Gdynia 2025
As one of the main organizers behind WordCamp Gdynia 2025, Max is helping shape one of the most exciting WordPress events in Central Europe. What makes the conference stand out is its human-first format: sessions in both Polish and English, topics that go beyond code (think: accessibility, project management, open source sustainability), and a strong emphasis on real-world case studies from the region.
We’re creating something that’s both inclusive and technically robust – it’s for everyone who believes in building the open web.
Whether you’re looking to grow professionally or just share coffee with folks who get what you do, Gdynia offers that rare mix of learning, networking, and seaside inspiration. This year’s edition is designed to be a true community-powered gathering for makers, thinkers, and builders across the WordPress ecosystem. Mark your calendar now! You won’t want to miss what’s coming.
🗓️ Event Highlights
- September 26–28, on the Baltic coast in Gdynia 🇵🇱
- Bilingual sessions (Polish + English)
- Hands-on workshops for both devs and creatives
- A coastal location perfect for mixing learning with fun

Full conversation with Max Matłoka
Want to hear the full conversation with Max Matłoka? Check out the latest 🎙️ Osom to Know podcast.
You can also watch us on our YouTube – don’t forget to hit subscribe! 📩