Yesterday a conference was held in Granada focused on one of the most critical topics for any digital project: cybersecurity in WordPress. The event, organized at the Trevenque Data Center, brought together technical profiles, agencies, developers, ecommerce managers and marketing professionals with a common goal: to understand the real risks and how to prevent them.
Beyond theory, the talks focused on real cases, clear metrics and practical decisions that directly affect the business.
Tabla de contenidos
A key idea that sums it all up
A hacked website is always more expensive than a crashed website.
Not only because of the technical cost, but also because of the impact on reputation, sales, advertising campaigns, Google positioning and even legal consequences.
Early Signs and Ongoing Attacks
One of the most repeated messages was that the server always warns. The problem is that many times the right warnings are not being looked at.
Some relevant data:
- 51% of internet traffic is bots.
- Of the total, 37% correspond to malicious bots.
- Most attacks follow four clear phases:
- Recognition
- Exploitation
- Persistence
- Abuse or monetization
By the time visible symptoms are detected (redirects, content changes, Google notices, or hosting suspension), the attack is usually already in advanced stages.
WordPress and the most common post vectors
One of the great myths has been debunked: WordPress can’t be hacked “just because”. In most cases, the origin is clear:
- Vulnerabilities in unpatched legitimate code
- Lack of ongoing maintenance
- Weak or compromised credentials
- Code entered manually without control (“you put it in”)
Security does not depend on a miracle plugin, but on processes, control and technical discipline.
2025: new regulation and new responsibilities
The conference also focused on the Cyber Resilience Act (CRA), which aims to become the equivalent of the GDPR in terms of cybersecurity.
Some key concepts:
- Security by default and by design
- Continuous vulnerability management
- SBOM (Software Bill of Materials)
- Increased demand for transparency, documentation and control
- Clear responsibilities and possible sanctions
The message is clear: it is no longer enough to react when there is a problem. Prevention becomes mandatory.
Tools and good practices
Among the practical recommendations, he highlighted the use of Plugin Check Plugin as an essential tool to detect security problems in the development and maintenance of WordPress plugins.
I’m happy with this last term since I currently contribute to this project thanks to being part of the Plugins team.
The operational objective is ambitious, but necessary:
Zero known vulnerabilities in production.
Speakers and community
The conference featured high-level presentations by:
- Néstor Angulo (Head of Security at Patchstack)
- Javier Varón (Linux Systems Administrator at Trevenque Group)
- Francisco Torres (WordPress Consultant and Head of the Global WordPress Plugins Team)
- Luis Molina (Head of WordPress Technology at Trevenque Group)
- Guillermo Hidalgo (Maio Legal)
In addition, it was an excellent opportunity to reconnect with the WordPress community and share impressions with professionals such as Sacra Jáimez, Fede Padilla, Jesús Yesares, Miguel Ángel Pérez, Antonio Cantero, among many others.
Conclusion
Cybersecurity in WordPress is not an extra or a “we’ll see”. It is a direct part of the business.
Detecting earlier, always maintaining, and continuously reducing risks is the only viable strategy for projects in production.
Events like this help to focus on what is important and to make technical decisions with real impact.
