Topic

Security

Posts in this archive

9 insights

  1. Managed Hosting 8 min read

    Cloudflare in DNS-only mode isn’t doing anything for you.

    Most WordPress sites that have Cloudflare set up have it in “DNS only” mode. In that mode, Cloudflare is functioning as nothing more than a...

  2. Managed Hosting 8 min read

    WordPress managed hosting: what 100% uptime actually requires.

    Every WordPress site is a stack of moving pieces that needs continuous operational care: patches applied, versions updated, vulnerabilities closed, backups verified, certificates renewed. Skip...

  3. Security Hardening 8 min read

    WordPress form spam protection: honeypot, CAPTCHA, Akismet — what to use when.

    Spam against WordPress forms is so common it counts as ambient noise. The bots are automated, persistent, and uninterested in any specific site. They crawl...

  4. Security Hardening 7 min read

    Using LLMs to audit WordPress code — and the bugs static scanners miss.

    Static WordPress security scanners match code against catalogs of known patterns. They miss bugs that don't match a known pattern. LLM-based code review catches those, and adding it to the audit toolkit changes what kinds of bugs you find.

  5. Security Hardening 6 min read

    Passkeys for WordPress: when 2FA isn’t enough anymore.

    The standard WordPress account security posture in 2024 looks roughly like: enforce strong passwords, require 2FA via TOTP, hope for the best. That’s been adequate...

  6. Security Hardening 6 min read

    XML-RPC, REST, and the WordPress surfaces still leaking attack surface.

    Every WordPress install ships with two API surfaces enabled by default. /xmlrpc.php has existed since the late 2000s, originally for desktop blogging clients that nobody...

  7. Security Hardening 6 min read

    Virtual patching for WordPress: when you can’t wait for the plugin update.

    When a CVE drops for a WordPress plugin, the gap between “vulnerability is public” and “official patch is available” is sometimes hours and sometimes weeks. Virtual patching closes that window without waiting.

  8. Security Hardening 15 min read

    WordPress security isn’t a plugin problem.

    Most WordPress sites have a security plugin. Most still get hacked. The disconnect is structural — the dangerous problems are architectural, and a hardening plugin won't fix them. What real WordPress security hardening looks like, layer by layer.

  9. Platform Architecture 6 min read

    Managed hosting isn’t a substitute for WordPress infrastructure thinking.

    There’s a common misreading of what managed WordPress hosting buys you: the assumption that if the host handles the platform, you don’t have to think...
