{"id":4385,"date":"2025-12-13T00:37:32","date_gmt":"2025-12-12T23:37:32","guid":{"rendered":"https:\/\/davidperezgar.com\/en\/?p=4385"},"modified":"2025-12-13T00:37:33","modified_gmt":"2025-12-12T23:37:33","slug":"wordpress-day-granada-cybersecurity-applied-to-the-real-world","status":"publish","type":"post","link":"https:\/\/davidperezgar.com\/en\/blog\/wordpress-day-granada-cybersecurity-applied-to-the-real-world\/","title":{"rendered":"WordPress Day Granada: cybersecurity applied to the real world"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Yesterday a conference was held in Granada focused on one of the most critical topics for any digital project: <strong>cybersecurity in WordPress<\/strong>. The event, organized at the <strong>Trevenque Data Center<\/strong>, brought together technical profiles, agencies, developers, ecommerce managers and marketing professionals with a common goal: to understand the real risks and how to prevent them.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Beyond theory, the talks focused on <strong>real cases, clear metrics and practical decisions<\/strong> that directly affect the business.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex frontblocks-gallery-grid\" data-layout=\"grid\" data-columns=\"3\" data-gutter=\"20\" data-lightbox=\"false\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4479\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-4-1082x812.jpeg\" alt=\"Wpday Granada 25 4\" class=\"wp-image-4479\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4474\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-1-1082x812.jpeg\" alt=\"Wpday Granada 25 1\" class=\"wp-image-4474\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img 
decoding=\"async\" data-id=\"4475\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-7-1082x812.jpeg\" alt=\"Wpday Granada 25 7\" class=\"wp-image-4475\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4476\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-8-1082x812.jpeg\" alt=\"Wpday Granada 25 8\" class=\"wp-image-4476\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4477\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-5-1082x812.jpeg\" alt=\"Wpday Granada 25 5\" class=\"wp-image-4477\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4478\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-6-1082x812.jpeg\" alt=\"Wpday Granada 25 6\" class=\"wp-image-4478\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4480\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-3-1082x812.jpeg\" alt=\"Wpday Granada 25 3\" class=\"wp-image-4480\" title=\"\"><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" data-id=\"4481\" src=\"https:\/\/davidperezgar.com\/wp-content\/uploads\/wpday-granada-25-2-1082x812.jpeg\" alt=\"Wpday Granada 25 2\" class=\"wp-image-4481\" title=\"\"><\/figure>\n<\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"A_key_idea_that_sums_it_all_up\"><\/span>A key idea that sums it all up<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"wp-block-paragraph\"><strong>A hacked website is always more expensive than a crashed website.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Not only because of the technical cost, but also because of the impact on reputation, sales, advertising campaigns, Google positioning and even legal consequences.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Early_Signs_and_Ongoing_Attacks\"><\/span>Early Signs and Ongoing Attacks<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the most repeated messages was that <strong>the server always warns<\/strong>. 
The problem is that, often, nobody is looking at the right warnings.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some relevant data:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\"><strong>51% of internet traffic is bots<\/strong>.<\/li>\n\n\n\n<li class=\"\">Of the total, <strong>37% corresponds to malicious bots<\/strong>.<\/li>\n\n\n\n<li class=\"\">Most attacks follow four clear phases:\n<ol class=\"wp-block-list\">\n<li class=\"\">Reconnaissance<\/li>\n\n\n\n<li class=\"\">Exploitation<\/li>\n\n\n\n<li class=\"\">Persistence<\/li>\n\n\n\n<li class=\"\">Abuse or monetization<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">By the time visible symptoms are detected (redirects, content changes, Google notices, or hosting suspension), the attack is usually already at an advanced stage.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"WordPress_and_the_most_common_post_vectors\"><\/span>WordPress and the most common entry vectors<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">One of the great myths was debunked: <strong>WordPress doesn&#8217;t get hacked &#8220;just because&#8221;.<\/strong> In most cases, the origin is clear:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">Vulnerabilities in unpatched legitimate code<\/li>\n\n\n\n<li class=\"\">Lack of ongoing maintenance<\/li>\n\n\n\n<li class=\"\">Weak or compromised credentials<\/li>\n\n\n\n<li class=\"\">Code entered manually without control (&#8220;you put it in&#8221;)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Security does not depend on a miracle plugin, but on <strong>processes, control and technical discipline<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2025_new_regulation_and_new_responsibilities\"><\/span>2025: new regulation and new responsibilities<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p 
class=\"wp-block-paragraph\">The conference also focused on the <strong>Cyber Resilience Act (CRA)<\/strong>, which aims to become the equivalent of the GDPR in terms of cybersecurity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some key concepts:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"\">Security <strong>by default<\/strong> and <strong>by design<\/strong><\/li>\n\n\n\n<li class=\"\">Continuous vulnerability management<\/li>\n\n\n\n<li class=\"\">SBOM (Software Bill of Materials)<\/li>\n\n\n\n<li class=\"\">Increased demand for transparency, documentation and control<\/li>\n\n\n\n<li class=\"\">Clear responsibilities and possible sanctions<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">The message is clear: it is no longer enough to react when there is a problem. Prevention becomes mandatory.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Tools_and_good_practices\"><\/span>Tools and good practices<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Among the practical recommendations, the use of <strong><a href=\"https:\/\/wordpress.org\/plugins\/plugin-check\/\" target=\"_blank\" rel=\"noopener\">Plugin Check Plugin<\/a><\/strong> stood out as an essential tool to detect security problems in the development and maintenance of WordPress plugins.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">I&#8217;m happy with this last term since I currently contribute to this project thanks to being part of the Plugins team.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The operational objective is ambitious, but necessary:<br><strong>Zero known vulnerabilities in production<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Speakers_and_community\"><\/span>Speakers and community<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The conference featured high-level presentations by:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li class=\"\"><strong>N\u00e9stor Angulo<\/strong> (Head of Security at Patchstack)<\/li>\n\n\n\n<li class=\"\"><strong>Javier Var\u00f3n<\/strong> (Linux Systems Administrator at Trevenque Group)<\/li>\n\n\n\n<li class=\"\"><strong>Francisco Torres<\/strong> (WordPress Consultant and Head of the Global WordPress Plugins Team)<\/li>\n\n\n\n<li class=\"\"><strong>Luis Molina<\/strong> (Head of WordPress Technology at Trevenque Group)<\/li>\n\n\n\n<li class=\"\"><strong>Guillermo Hidalgo<\/strong> (Maio Legal)<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, it was an excellent opportunity to reconnect with the WordPress community and share impressions with professionals such as <strong>Sacra J\u00e1imez<\/strong>, <strong>Fede Padilla<\/strong>, <strong>Jes\u00fas Yesares<\/strong>, <strong>Miguel \u00c1ngel P\u00e9rez<\/strong>, <strong>Antonio Cantero<\/strong>, among many others.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Cybersecurity in WordPress is not an extra or a &#8220;we&#8217;ll see&#8221;. It is <strong>a direct part of the business<\/strong>.<br>Detecting earlier, always maintaining, and continuously reducing risks is the only viable strategy for projects in production.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Events like this help to focus on what is important and to make technical decisions with real impact.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Yesterday a conference was held in Granada focused on one of the most critical topics for any digital project: cybersecurity in WordPress. The event, organized at the Trevenque Data Center, brought together technical profiles, agencies, developers, ecommerce managers and marketing professionals with a common goal: to understand the real risks and how to prevent them. 
Beyond theory, the talks focused on real cases, clear metrics and practical decisions that directly affect the business. A key idea that sums it all up A hacked website is always more expensive than a crashed website. Not only because of &#8230; <a title=\"\" class=\"read-more\" href=\"\" aria-label=\"Read more about \">Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":4389,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","inline_featured_image":false,"_ayudawp_aiss_exclude":false,"webmentions_disabled_pings":false,"webmentions_disabled":false,"editor_notices":[],"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4385","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50"],"_links":{"self":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts\/4385","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/comments?post=4385"}],"version-history":[{"count":0,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/posts\/4385\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/media\/4389"}],"wp:attachment":[{"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/media?parent=4385"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/categories?post=4385"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davidperezgar.com\/en\/wp-json\/wp\/v2\/tags?post=4385"}],"curies":[{"name":
"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}