Main attacks
WordPress sites are attacked most often via:
- Brute-forcing the admin password
- Vulnerabilities in outdated plugins
- SQL injection (in old plugins)
- Phishing for admin credentials
Defense
- Auto-update WordPress and plugins
- Trusted plugins only (more than 100k downloads, updated less than 6 months ago)
- 2FA
- Change login URL (/wp-admin → /site-admin)
- Plugin that limits brute-force login attempts (Wordfence, iThemes)
- SSL is mandatory
- Weekly backups
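
The "Trusted plugins only" rule above can be applied as an automated check over a site's plugin inventory. This is an added example, not part of the original checklist: the field names `slug`, `downloaded` and `last_updated` are modelled on the WordPress.org plugin information API and are assumptions here, the sample records are constructed, and "6 months" is approximated as 183 days.

```python
from datetime import date

MIN_DOWNLOADS = 100_000  # checklist threshold: more than 100k downloads
MAX_AGE_DAYS = 183       # "6 months" approximated as 183 days (assumption)


def vet_plugin(record, today):
    """Return the reasons a plugin fails the checklist (empty list = passes)."""
    reasons = []

    downloads = record.get("downloaded")
    if not isinstance(downloads, int):
        # Missing metadata is treated as a failure, never as a pass.
        reasons.append("download count missing")
    elif downloads <= MIN_DOWNLOADS:
        reasons.append(f"only {downloads} downloads")

    raw = record.get("last_updated") or ""
    try:
        # Only the leading YYYY-MM-DD part is needed for the age check.
        updated = date.fromisoformat(raw[:10])
    except ValueError:
        reasons.append("last update date missing or unparseable")
    else:
        age = (today - updated).days
        if age >= MAX_AGE_DAYS:
            reasons.append(f"last updated {age} days ago")
    return reasons


def audit(records, today):
    """Map each plugin slug to its list of failure reasons."""
    return {r.get("slug", "?"): vet_plugin(r, today) for r in records}


# Constructed sample inventory (hypothetical plugin slugs and values).
SAMPLE = [
    {"slug": "example-forms", "downloaded": 2_500_000, "last_updated": "2024-05-20 3:10pm GMT"},
    {"slug": "example-slider", "downloaded": 48_000, "last_updated": "2024-04-02 9:00am GMT"},
    {"slug": "example-gallery", "downloaded": 900_000, "last_updated": "2021-11-30 1:45pm GMT"},
    {"slug": "example-unknown"},
]

if __name__ == "__main__":
    for slug, reasons in audit(SAMPLE, date(2024, 6, 1)).items():
        print(slug, "OK" if not reasons else "REJECT: " + "; ".join(reasons))
```

Passing `today` explicitly keeps the audit reproducible; a scheduled job would pass `date.today()`.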