WordPress Security VIP - Key Takeaways From Maciej Nowak’s Talk At WordCamp Porto
Illustration with a blue shield symbolizing cybersecurity, a calendar icon, Dom Luís I Bridge silhouette, and "WordCamp PORTO 2024" in a speech bubble on a light abstract background.


Maciej Nowak delivered an insightful talk at WordCamp Porto, focusing on practical WordPress security.

WordCamp Porto 2024 brought together a vibrant international community of WordPress professionals. The event combined technical depth with an open, friendly atmosphere – a perfect setting for Maciej Nowak’s session on the urgent realities of WordPress security. During his talk, Maciej addressed WordPress security with practical insight and real-world experience, delivering accessible takeaways grounded in his work at the agency he co-founded and continues to lead.

Your website is more vulnerable than you think, and attackers don’t need a reason – just an opening.

The popularity and sheer size of WordPress make it an attractive target for attackers. It’s our collective professional duty to enhance the security of the WordPress ecosystem as much as possible, for the sake of our clients and for WordPress itself.


The Motivation Behind Hacking

Understanding the reasons behind website attacks is a crucial first step in building awareness. Maciej outlined several key motivations:

  • Financial gain through credit card skimming (e.g., Magecart), ad fraud, crypto-jacking, phishing, fake product listings, and SEO spam.
  • Malware distribution, utilizing compromised websites to spread infected code.
  • Hacktivism and cyber warfare, as seen during geopolitical conflicts.
  • Reputation building or personal challenge, where hackers attack just to prove they can.
  • Personal vendettas, reminding us to maintain good relationships with colleagues.


Real-World Infection Case Studies

Maciej shared vivid examples of website infections his agency handled:


Government Organization with 15 Websites

Hosted on a single AWS Lightsail server with no isolation between sites, all 15 websites were compromised. The lack of regular updates, the involvement of multiple agencies, and an unclear attack vector made it difficult to identify the original entry point. Even after cleaning and restoring from backup, infections recurred, pushing the team to separate the domains in order to investigate further.


E-commerce Platform with Outdated Plugins

A plugin vulnerability, patched and disclosed by Patchstack and Wordfence, led to an infection three days after the advisory. The hacker added a fake admin user named “Wordfence,” highlighting the dangers of delayed updates. This prompted the client to adopt a more regular update schedule.


VPS-Based Website with Multiple Attack Vectors

This case involved SSH key insertion, malicious cron jobs, and admin account manipulation. Even after switching platforms and thoroughly cleaning the system, the infection returned because custom-built code on the site was vulnerable to SQL injection.
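The SQL injection in that third case came from custom code, not from a plugin, so it is worth seeing what such a defect looks like in WordPress code and how it is fixed. The following is an added example, not code from the talk or the agency: a hypothetical coupon lookup (table name `my_plugin_coupons` and the `mp_` function prefix are assumptions) written the unsafe way, next to the same query written with WordPress's own `$wpdb->prepare()`.

```php
<?php
// Added example: vulnerable query next to its hardened form.
// $wpdb is the WordPress global database object; the table name is assumed.

// BEFORE: the request value is concatenated straight into the SQL string.
// A single quote in $code terminates the string literal, and whatever follows
// is parsed as SQL rather than treated as data. This is the pattern that let
// the VPS infection in the case study return after every clean-up.
function mp_get_coupon_unsafe( $code ) {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}my_plugin_coupons WHERE code = '" . $code . "'";
    return $wpdb->get_row( $sql );
}

// AFTER: $wpdb->prepare() binds the value through a %s placeholder and escapes
// it, so the input can only ever be compared against the code column and can
// never change the structure of the query.
function mp_get_coupon_safe( $code ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}my_plugin_coupons WHERE code = %s",
        $code
    );
    return $wpdb->get_row( $sql );
}

// Typical call site: unslash and sanitize the request parameter before it
// reaches the query, and reject empty input early.
function mp_handle_coupon_request() {
    $code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
    if ( '' === $code ) {
        return null;
    }
    return mp_get_coupon_safe( $code );
}
```

When reviewing custom code for this class of bug, search for `$wpdb->query`, `$wpdb->get_results`, `$wpdb->get_row` and `$wpdb->get_var` calls whose SQL string is built with `.` concatenation or `"{$var}"` interpolation of anything that originates from a request; each of those should go through `prepare()` with `%s`, `%d` or `%f` placeholders.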


Sources of Vulnerabilities

The origin of attacks was analyzed through reports by Patchstack and Thomas Rief:

  • Patchstack (Feb 2023): 97% of reported vulnerabilities stem from plugins.
  • Thomas Rief (2023): 60% of real-world attacks originated from stolen session cookies.

This shows that while code vulnerabilities are widespread, securing developer and admin environments is equally critical.


Protecting Your Digital Environment

Security isn’t just about the server – it’s also about the user:

  • Log out of admin sessions regularly to prevent hijacking.
  • Avoid using open Wi-Fi networks and keep local machines malware-free.
  • Don’t store passwords or admin sessions across multiple client sites.
  • Use separate, unique accounts instead of shared credentials.
  • Treat passwords and admin access with utmost care.


Best Practices for WordPress Security

Maciej summarized practical steps every WordPress user should take:

  • Update regularly: Preferably enable auto-updates when safe.
  • Back up frequently: Especially offsite, to recover from major failures.
  • Avoid shared admin accounts: For clear accountability.
  • Check REST API leaks: Avoid exposing usernames publicly.
  • Secure login pages: Don’t reveal if a username is correct.
  • Use OWASP as a guide: A solid starting point for understanding common security flaws.
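Several of the items above, together with the session-hijacking advice in the previous section and the fake-admin case study, can be enforced on the server rather than left to habit. The following must-use plugin is an added example, not code from the talk or the agency; every hook it uses is a WordPress core filter or action, while the `wcp_` prefix, the chosen cookie lifetimes and the notification wording are assumptions for this example.

```php
<?php
/**
 * Plugin Name: WordCamp Porto takeaways – hardening examples
 *
 * Added example, not the agency's code. Save as
 * wp-content/mu-plugins/wcp-hardening.php so it loads on every request.
 */

// 1. "Update regularly": core already auto-applies minor releases; opt plugins
//    and themes in as well. Only do this where a broken update can be rolled
//    back from the offsite backups the talk recommends.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// 2. "Check REST API leaks": the /wp/v2/users routes return user slugs and
//    display names to anyone. Remove them for visitors who are not logged in;
//    the block editor and admin screens still see them because they are
//    authenticated via the auth cookie.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 3. "Secure login pages": core's messages differ for an unknown username and
//    for a wrong password, which confirms which usernames exist. Replace every
//    login error with one generic message.
add_filter( 'login_errors', function ( $error ) {
    return 'Invalid login details.';
} );

// 4. "Log out of admin sessions regularly": shorten the auth cookie lifetime
//    (defaults are 2 days, or 14 days with "Remember Me") so a stolen session
//    cookie, the top real-world attack source cited above, expires sooner.
//    Assumed values: 4 hours normally, 1 day with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $expiration, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 4 * HOUR_IN_SECONDS;
}, 10, 3 );

// 5. Detection for the "fake admin user" pattern from the e-commerce case:
//    e-mail the site owner whenever an account is newly given the
//    administrator role, whether it was created that way or promoted later.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role || in_array( 'administrator', (array) $old_roles, true ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] New administrator account: %s', get_bloginfo( 'name' ), $user->user_login ),
        sprintf(
            "User #%d (%s) was given the administrator role at %s.\nIf you did not do this, treat the site as compromised.",
            $user_id,
            $user->user_email,
            current_time( 'mysql' )
        )
    );
}, 10, 3 );
```

Two caveats a practitioner would want: the REST filter only covers that one route, so author archive URLs and post author slugs should be checked separately when the goal is to keep usernames out of public view; and `set_user_role` fires when a role is set or replaced, so a site that grants the administrator role through `WP_User::add_role()` should hook the `add_user_role` action as well.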


Final Thoughts

Maciej concluded with a strong reminder: if you think your website isn’t a target, think again. Most attacks are automated, looking to exploit any opening – compute power, traffic, or reputation. Start by securing your environment and learning from frameworks like OWASP.

“Everyone gets hacked eventually,” he warned, even security organizations like OWASP itself. The best defense is to stay prepared and proactive.


By Tomasz Zieliński