When security plugins aren’t enough: lessons from 111,000 infected WordPress sites


Most WordPress site owners think they are protected. They install a trusted security plugin like Solid Security, keep it up to date, and assume that’s enough. But recent research from WeWatchYourWebsite.com paints a different picture.

In September 2025, the company analyzed 111,354 infected WordPress sites. All of them had at least one active security plugin, and nearly 20 percent had two. These sites were not neglected or outdated. They followed best practices and were still compromised.

Read Thomas Raef’s original research on LinkedIn:
When Security Plugins Aren’t Enough: What 111,354 Infected Websites Taught Us About Modern WordPress Attacks

Research by WeWatchYourWebsite shows that 81 percent of infections come from stolen administrator credentials or hijacked authentication cookies. In other words, attackers use the existing login path rather than exploiting vulnerabilities in the code.

Traditional security plugins, including those with web application firewalls, are designed to block suspicious traffic, limit brute force attempts, and patch known vulnerabilities. These layers of protection are important, but they can’t stop someone who already has valid credentials. Attackers log in as legitimate users and use stolen passwords or session cookies to remain undetected.

The research revealed another insight. On more than a thousand compromised sites running SolidWP’s security plugin, attackers logged in first and then immediately disabled Solid Security. They did this before installing malware or adding backdoors.

This shows two things. First, attackers see Solid Security as a serious threat to their success. Second, even the best tool can’t protect a site if attackers already have valid credentials.

The solution is modern authentication. Features such as passkeys, available in Solid Security Pro, stop these attacks by removing passwords from the equation. Passkeys cannot be stolen, phished or reused, so stolen credentials become useless.

Strong authentication and updated plugins are only part of the picture. Attackers today act cautiously and blend in with normal behavior. They edit files slowly or adjust settings that look routine.

Continuous monitoring helps detect these subtle signs of compromise. Services such as WeWatchYourWebsite and tools within Solid Security, such as activity tracking and file change detection, provide visibility after login. Monitoring shows what’s happening on your site, not just who’s trying to enter.
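As an added example (not code from SolidWP or WeWatchYourWebsite), the following Python check applies the finding above to an exported activity log: it flags a security plugin being deactivated within minutes of a login by the same account, the sequence the research observed before malware was installed. The JSON-lines log format, the field names and the plugin slugs are assumptions; map your own activity-log export onto them.

```python
"""Flag 'login, then immediately disable the security plugin' sequences.

Constructed example, not code from SolidWP or WeWatchYourWebsite. The log
format (JSON lines with ts, event, user, ip, plugin) is an assumption.
"""
import json
from datetime import datetime, timedelta

SECURITY_PLUGINS = {"solid-security", "solid-security-pro"}  # assumed slugs
WINDOW = timedelta(minutes=10)  # how soon after login counts as suspicious

# Constructed sample log: a normal editor session, then an admin login from a
# new IP that deactivates the security plugin two minutes later and drops a file.
SAMPLE_LOG = """
{"ts": "2025-09-03T08:00:00Z", "event": "login", "user": "editor", "ip": "203.0.113.10"}
{"ts": "2025-09-03T08:05:00Z", "event": "post_update", "user": "editor", "ip": "203.0.113.10"}
{"ts": "2025-09-03T22:41:00Z", "event": "login", "user": "admin", "ip": "198.51.100.7"}
{"ts": "2025-09-03T22:43:00Z", "event": "plugin_deactivated", "user": "admin", "ip": "198.51.100.7", "plugin": "solid-security-pro"}
{"ts": "2025-09-03T22:44:00Z", "event": "file_modified", "user": "admin", "ip": "198.51.100.7", "path": "wp-content/uploads/x.php"}
"""

def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def find_disable_after_login(events, window=WINDOW):
    """Return one alert per security-plugin deactivation that follows a login
    by the same user within `window`."""
    last_login = {}  # user -> timestamp of that user's most recent login
    alerts = []
    for e in events:
        if e["event"] == "login":
            last_login[e["user"]] = e["ts"]
        elif e["event"] == "plugin_deactivated" and e.get("plugin") in SECURITY_PLUGINS:
            login_ts = last_login.get(e["user"])
            if login_ts is not None and e["ts"] - login_ts <= window:
                alerts.append({
                    "user": e["user"], "ip": e["ip"], "plugin": e["plugin"],
                    "seconds_after_login": int((e["ts"] - login_ts).total_seconds()),
                })
    return alerts

if __name__ == "__main__":
    for alert in find_disable_after_login(parse_log(SAMPLE_LOG)):
        print(alert)
```

Because the check is keyed on the account rather than the IP, it still fires when an attacker uses a hijacked session from the legitimate user's usual address.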

Real protection comes from layers of defense. Each layer performs a different role, creating stronger overall coverage.

  1. Strong authentication
    Use passkeys or hardware-based two-factor authentication. Avoid text or email codes that can be intercepted.
  2. Correct configuration
    Install a security plugin and adjust its settings. Standard options may not provide complete protection.
  3. Continuous monitoring
    Use independent scanning and activity tracking to detect changes made by attackers after login.
  4. Regular updates
    Keep every plugin up to date, not just your security tools. Automate updates where possible.

Security is not about fear. It’s about awareness and adaptation. Attackers keep changing their tactics, so your defense must change too.

Site administrators must ensure that all available security is in place and properly configured. Use all the tools your security solution offers, including authentication, logging, firewall rules, and monitoring, and make sure the most advanced features, such as passkeys and two-factor authentication, are enabled. A security plugin is only as strong as the settings behind it.

Read Thomas Raef’s full article on LinkedIn to explore the full dataset and insights:
When Security Plugins Aren’t Enough: What 111,354 Infected Websites Taught Us About Modern WordPress Attacks

Learn more about modern WordPress security with Solid Security Pro.
