A Personal Note
I didn't set out to write a book. I set out to stop repeating myself.
Every time I set up a new WordPress site, hardened a server, or cleaned up after a compromise, I found myself going through the same steps, checking the same things, and explaining the same concepts to clients who had no idea how exposed their sites were. At some point it made more sense to write it all down properly than to keep reinventing it.
What you've just read is the distillation of years of real work. Not textbook theory, not recycled blog posts. Things I've actually done, on actual sites, in actual production environments ranging from personal blogs to corporate installations to multisite networks serving thousands of users.
I wrote this for the person who knows enough to be dangerous but wants to know enough to be confident. For the freelancer who wants to offer their clients something more than a cheap hosting plan. For the small business owner who's tired of finding out their site was compromised long after the fact. For anyone who's ever googled "WordPress security" and found themselves drowning in contradictory advice.
I hope it's useful. More than that, I hope it's the thing you actually come back to.
If it has been, or if something's missing, or if something's wrong, let me know. [email protected].
— Stu
Recommended Resources
These are the tools, sites, and sources I'd point anyone to who wants to go deeper. No fluff, just the ones that are actually worth your time.
Vulnerability Intelligence
Wordfence Blog — wordfence.com/blog
The best source of WordPress-specific threat intelligence. Detailed vulnerability disclosures, real-world attack analysis, and security research. Subscribe to the email list.
Patchstack Weekly — patchstack.com
A weekly email summarising newly disclosed WordPress vulnerabilities. Essential reading if you manage multiple sites. The free tier also monitors your installed plugins.
WPScan Vulnerability Database — wpscan.com/plugins
Search any plugin or theme before you install it. Check your existing stack periodically. Free API tier covers most personal use cases.
NIST National Vulnerability Database — nvd.nist.gov
The authoritative CVE database. More technical than the WordPress-specific sources but useful for looking up specific CVEs in detail.
General Security
Krebs on Security — krebsonsecurity.com
Brian Krebs covers the broader security landscape, including hosting, infrastructure, and web crime. Often relevant to WordPress site owners even when it's not specifically about WordPress.
Troy Hunt's Blog — troyhunt.com
Clear, practical writing on web security from the creator of Have I Been Pwned. Good for understanding the broader context of credential compromise and authentication security.
Have I Been Pwned — haveibeenpwned.com
Check whether your email addresses have appeared in known data breaches. Worth running your admin email addresses through this regularly.
WordPress Administration
WordPress Developer Documentation — developer.wordpress.org
The official source of truth for WordPress APIs, hooks, and core behaviour. Indispensable for anything beyond surface-level configuration.
WP-CLI Documentation — wp-cli.org
Full reference for every WP-CLI command. If you're doing server-level WordPress management, this should be open in a tab.
WordPress Hardening Guide — wordpress.org/support/article/hardening-wordpress
The official WordPress hardening documentation. Worth reading alongside this book as a cross-reference.
Server and Infrastructure
DigitalOcean Tutorials — digitalocean.com/community/tutorials
Some of the best server configuration tutorials available. Nginx, MySQL, PHP-FPM, UFW, Let's Encrypt. Well-written and kept reasonably up to date.
Mozilla SSL Configuration Generator — ssl-config.mozilla.org
Generates recommended Nginx and Apache SSL configurations based on your server and software versions. Takes the guesswork out of TLS configuration.
SSL Labs Server Test — ssllabs.com/ssltest
Test your SSL configuration against current best practices. Aim for A or A+.
Security Headers — securityheaders.com
Test your HTTP security headers and get specific recommendations for what's missing or misconfigured.
If Your Site Gets Hacked: Emergency Reference
This is the condensed version. If you're in the middle of a crisis, work through this in order.
Immediate steps
- Don't panic. A hacked site is recoverable. Take a breath and work methodically.
- Take it offline. Put the site into maintenance mode or take it down entirely. Don't leave a compromised site serving traffic while you investigate. Your visitors and your reputation are both at risk while it's up.
- Change all passwords immediately. WordPress admin accounts, FTP, hosting control panel, database user. Do this before anything else. If the attacker still has valid credentials, everything else you do can be undone.
- Regenerate WordPress security keys and salts. This invalidates all active sessions, including any the attacker may have open. Do this in wp-config.php or via the official generator at api.wordpress.org/secret-key/1.1/salt/.
- Preserve evidence. Before restoring, capture the current state. Download your access logs, error logs, and a snapshot of the current files. You'll need these to understand how the compromise happened.
Investigation
- Check for new admin accounts. Look in WordPress users for accounts you don't recognise. Delete any that shouldn't be there, but document them first.
- Check for modified files. Use Wordfence's file integrity scanner or run a manual find for recently modified PHP files:
  find /var/www/html -name "*.php" -newer /var/www/html/wp-config.php -type f
- Check the uploads directory. Look for PHP files that have no business being there:
  find /var/www/html/wp-content/uploads -name "*.php" -type f
- Review your access logs. Look for POST requests to unusual locations, requests from unfamiliar IPs, or spikes in traffic that correlate with when the compromise occurred.
- Identify the entry point. Before restoring, understand how they got in. Common vectors include a vulnerable plugin, a compromised password, or a misconfigured file permission. If you don't close the door before restoring, you'll be compromised again.
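The three file and log checks above, collected into reusable shell functions. This is an added example, not code from the book; the document root, log path and sample log lines are assumptions, and the log parsing expects the default combined format written by Nginx and Apache.

```shell
#!/bin/sh
# Added triage helpers (not from the book). Assumes a standard WordPress
# document root passed as argument 1 and a combined-format access log.
# Paths in the usage comment are examples, not real servers.

# PHP files modified more recently than wp-config.php. Caveat: if the
# attacker edited wp-config.php itself, compare against an older reference
# file (or a timestamp with GNU find's -newermt) so their changes are not hidden.
recent_php() {
  docroot=$1
  find "$docroot" -type f -name '*.php' -newer "$docroot/wp-config.php" | sort
}

# Executable PHP under wp-content/uploads. There should be none, so every
# hit needs explaining. Also catches .phtml and .php5-style names, which
# some handler configurations still execute.
uploads_php() {
  docroot=$1
  find "$docroot/wp-content/uploads" -type f \
       \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) | sort
}

# POST requests whose path is not one of the endpoints WordPress itself
# POSTs to, counted per client IP and path, most frequent first. Query
# strings are stripped so variants of the same path group together.
unusual_posts() {
  log=$1
  awk '$6 == "\"POST" {
         path = $7; sub(/\?.*/, "", path)
         if (path !~ /^\/(wp-login\.php|wp-admin\/admin-ajax\.php|wp-cron\.php|wp-comments-post\.php)$/)
           count[$1 " " path]++
       }
       END { for (k in count) print count[k], k }' "$log" | sort -rn
}

# Usage (example paths): . ./triage.sh
#   recent_php /var/www/html; uploads_php /var/www/html
#   unusual_posts /var/log/nginx/access.log
```

Any path that shows up in all three outputs (recently modified, sitting in uploads, and receiving POSTs) is where to start reading the logs backwards to find the entry point.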
Recovery
- Identify a clean backup. Go back through your backup history and find a backup taken before the compromise occurred. Use your logs and file modification times to help narrow down the timeline.
- Restore to a clean environment. Ideally restore to a fresh server or document root. Don't restore on top of compromised files without first removing everything.
- Update everything. Before going back online, update WordPress core, all plugins, and all themes to their latest versions. Apply any security patches that were pending.
- Harden and audit. Run through the security checklist from Chapter 12. Fix anything that's missing. This is also a good time to implement anything from this book you hadn't gotten around to yet.
- Relaunch and monitor closely. Bring the site back online and watch it carefully for the next 24 to 48 hours. Review Wordfence logs, server logs, and uptime monitoring.
After the crisis
- Notify anyone who needs to know. If the site collected user data and that data may have been exposed, you may have legal notification obligations depending on your jurisdiction and the nature of the data. Take this seriously.
- Write a post-mortem. Even a brief one. What happened, how it happened, what you did, and what you'll do differently. The sites that get compromised twice are usually the ones where no one took the time to understand the first compromise properly.
- Review your backup and monitoring setup. A compromise is uncomfortable but also an opportunity to close gaps. Did your monitoring catch it? Did your backups work? If not, fix that now while the motivation is fresh.
Changelog
This book is updated regularly. The most recent changes are listed here.
April 2026 — Initial release
- All 12 chapters published
- Foreword, disclaimer, and outro added
- Covers WordPress 6.x, PHP 8.3 and 8.4, current plugin landscape as of April 2026
Protect My WP is a living document. Check back for updates, or follow along at protectmywp.com.
If something's wrong, missing, or could be better — [email protected]