WordPress Security for Italian SMEs – Practical Guide

[2026-05-29] Author: Ing. Calogero Bono

You have a WordPress website that works, but security has never crossed your mind? That's normal. Most Italian SMEs only discover they have a problem when the site gets defaced, data is stolen, or the server is used to send spam. At Meteora Web, we see it every day: plugins that haven't been updated in years, 'admin123' passwords, unprotected forms, backups that don't exist. The issue isn't technical—it's cultural. And it's expensive.

An attack on an e-commerce site can mean days of downtime, lost revenue, GDPR fines. Security isn't an extra: it's the foundation for a digital business that lasts.

Why WordPress Security Is a Budget Problem

We come from accounting too: financial statements, double-entry bookkeeping, VAT returns. That's why we think in client numbers, not just code. Every hour your site is down costs tens or hundreds of euros in lost sales. A data breach can run into thousands for restoration, legal advice, and GDPR penalties (up to 4% of annual turnover). A site is measured in revenue, not compliments. If it doesn't bring contacts or sales, it's a cost. If it's vulnerable, it's an even bigger cost.

We already discussed NIS2 and the Cyber Resilience Act obligations for SMEs: European law now imposes minimum security standards even for small businesses. It's not just good practice—it will be mandatory.

The 5 Most Common Black Holes in Italian SMEs

We find these on nearly every project we inherit from other developers. Listed in order of frequency.

1. Outdated Plugins and Themes

A plugin abandoned for two years is like an open window. Updates are not whims; they patch known, public vulnerabilities. Real example: a client used a form plugin that hadn't been updated in 18 months. Anyone could inject SQL queries directly through the form. We replaced it with an actively maintained one and configured automatic updates for critical plugins.

2. Weak Credentials and Ghost Users

We still see admin accounts named 'admin' with trivial passwords. Worse: former collaborators who still have access. One compromised account is enough to take control of the site. Security in Italian SMEs is systematically underestimated. We see it every day.

3. Unprotected Forms

Contact forms, registration, checkout without CAPTCHA or CSRF tokens. They are the preferred vector for spam, injection, and brute force attacks. We've seen a login form exposed to continuous brute‑force attempts with no rate limiting.

4. Backups Never Configured

90% of new clients come to us without a working backup. When the site gets hacked or the server crashes, the only solution is to rebuild from scratch. A daily automatic backup to the cloud (e.g., Google Drive, Dropbox) costs a few euros per month and saves the business.

5. Cheap Hosting and Unmanaged Servers

A €5-a-month hosting plan often lacks a firewall, malware scanning, and automatic PHP or server updates. Result: poor performance and non-existent security. Owning your stack beats renting it: lifetime fees and data you cannot take with you are a poor deal. Whenever possible, we recommend a VPS with proactive management.

What to Do Today – 10‑Step Operational Checklist

You don't need to be an expert. Follow these steps one at a time. If you get stuck, contact us. We do this every day.

Step 1: Change Table Prefix and 'admin' Username

Use a script or plugin to rename the prefix from wp_ to something unique. Create a new admin user with a non‑obvious username and delete the old 'admin' one.

# Example with WP-CLI (--reassign expects the numeric ID of the new user)
wp user create newadmin email@domain.com --role=administrator
wp user delete admin --reassign=$(wp user get newadmin --field=ID) --yes
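For the table-prefix half of this step, here is a helper added as an example (it is not a Meteora Web script and not a WP-CLI command): it generates the SQL that moves the tables to a new prefix and also rewrites the options and usermeta rows whose names embed the prefix. The new prefix xk3_ and the table list are assumed.

```python
import re

def check_prefix(p):
    """WordPress accepts only letters, digits and underscores in a prefix; the
    trailing underscore (as in wp_) is conventional and assumed here."""
    if not re.fullmatch(r"[A-Za-z0-9_]+_", p):
        raise ValueError(f"prefix must be alphanumeric and end with '_': {p!r}")
    return p

def prefix_rename_sql(old, new, tables):
    """Return the SQL statements that move a WordPress schema from prefix `old`
    to prefix `new`. Tables are renamed first; then the rows in options and
    usermeta whose *names* embed the prefix (wp_user_roles, wp_capabilities,
    wp_user_level, ...) are rewritten. Skipping that second part is the classic
    mistake: the site loads, but every user has lost their role."""
    check_prefix(old)
    check_prefix(new)
    stmts = []
    for t in tables:
        if not t.startswith(old):
            raise ValueError(f"table {t!r} does not carry prefix {old!r}")
        stmts.append(f"RENAME TABLE `{t}` TO `{new}{t[len(old):]}`;")
    # '_' is a single-character wildcard in LIKE, so escape it in the pattern.
    like = old.replace("_", r"\_") + "%"
    for table, col in ((f"{new}options", "option_name"), (f"{new}usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{table}` SET `{col}` = CONCAT('{new}', SUBSTRING(`{col}`, {len(old) + 1})) "
            f"WHERE `{col}` LIKE '{like}';"
        )
    return stmts

def wp_config_line(new):
    """The matching line for wp-config.php; change it in the same maintenance window."""
    return f"$table_prefix = '{check_prefix(new)}';"

# Constructed example: the core tables of a default install, moved to prefix xk3_.
CORE_TABLES = ["wp_posts", "wp_postmeta", "wp_users", "wp_usermeta", "wp_options",
               "wp_terms", "wp_term_taxonomy", "wp_term_relationships", "wp_comments",
               "wp_commentmeta", "wp_links", "wp_termmeta"]

if __name__ == "__main__":
    for stmt in prefix_rename_sql("wp_", "xk3_", CORE_TABLES):
        print(stmt)
    print(wp_config_line("xk3_"))
```

In practice, feed it the real table list from `wp db tables` (plugins add their own prefixed tables) and run the statements with `wp db query` only after the Step 5 backup has been taken.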

Step 2: Update Everything and Remove Unused Items

Go to Updates and update core, plugins, and themes. Then scan the plugin list: if you haven't used it in months, uninstall it. Every extra plugin is an attack surface.

wp plugin update --all
wp theme update --all
wp plugin delete plugin-name

Step 3: Install a Security Plugin

Wordfence, Sucuri Security, or Solid Security. Configure the firewall, malware scanning, and email notifications. No need to buy the premium version to get started.

Step 4: Activate Two‑Factor Authentication (2FA)

In our guide on modern authentication we explain how to move to passwordless. For now, enable 2FA via an authenticator app (Google Authenticator) for all admin and editor users.

Step 5: Set Up Automatic Backups

Use UpdraftPlus (free) or BackupBuddy. Configure daily backups of database and files, sent to Google Drive, Dropbox, or S3. Test a restore at least once a month.

# With WP-CLI: install the backup plugin and take a manual database dump
wp plugin install updraftplus --activate
wp db export backup.sql

Step 6: Force HTTPS and Redirect

If you don't have SSL, get a free one from Let's Encrypt (many hosts offer automatic setup). Then add a redirect from HTTP to HTTPS in .htaccess.

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]

Step 7: Limit Login Attempts

Use a plugin like Limit Login Attempts Reloaded, or add rules to the WordPress .htaccess file.

# Block IP after 5 failed attempts (example)
# Use a plugin for easier management
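A small detector for this step, added here as an example and not part of the guide or of any plugin: it reads Apache access-log lines, counts failed POSTs to wp-login.php per source IP inside a sliding window, and renders the offenders as deny lines in the .htaccess dialect used in this guide. The log lines, the ten-minute window and the threshold of five are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" access-log line; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_bruteforce_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that sent `threshold` failed logins inside a sliding
    `window` to the time of the attempt that tripped the threshold.
    A failed wp-login.php POST re-renders the form (HTTP 200); a successful
    one redirects to wp-admin (HTTP 302), so only 200s are counted."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "POST" or r["path"] != "/wp-login.php":
            continue
        if r["status"] != 200:
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while r["ts"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold and r["ip"] not in flagged:
            flagged[r["ip"]] = r["ts"]
    return flagged

def htaccess_deny_rules(flagged):
    """Render the flagged IPs as Apache 2.2-style deny lines (the dialect of the
    .htaccess snippets in this guide)."""
    return "\n".join(f"Deny from {ip}" for ip in sorted(flagged))

# Constructed sample log: 203.0.113.7 fails five times in eight seconds,
# 198.51.100.20 fails twice and then logs in, 192.0.2.9 fails only once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [29/May/2026:10:00:0{i} +0200] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "curl/8.0"'
    for i in (1, 3, 5, 7, 9)
] + [
    '198.51.100.20 - - [29/May/2026:10:01:00 +0200] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [29/May/2026:10:01:20 +0200] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [29/May/2026:10:01:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [29/May/2026:10:02:00 +0200] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = find_bruteforce_ips(SAMPLE_LOG)
    print(hits)
    print(htaccess_deny_rules(hits))
```

A plugin such as Limit Login Attempts Reloaded does this inside WordPress; the script is useful when you want the same check on the server side, over the web server's own log.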

Step 8: Disable XML‑RPC if Not Needed

If you don't use mobile apps or external services that call XML‑RPC, disable it. Add to .htaccess or use a plugin.

# Disable XML-RPC
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Step 9: Protect wp-config.php and .htaccess

Move wp-config.php one directory above root if possible. Block access to sensitive files with .htaccess.

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

Step 10: Check File Permissions

Files should be 644, directories 755. Never leave anything with 777.

find /path/to/wordpress -type f -exec chmod 644 {} \;
find /path/to/wordpress -type d -exec chmod 755 {} \;

Mistakes to Avoid (We've Seen Them on Client Servers)

  • A client used the admin password 'sciacca2020!' – easily guessable by anyone who knows the town. Replace it with something like B8k!z9&mPq2.
  • Another left WordPress debug mode active in production: define('WP_DEBUG', true) in wp-config. Every error became public.
  • On one server, automatic SSL renewal broke; we fixed it and automated the process without taking the client offline. Since then we check manually every month.

SEO is substance, not tricks. An insecure site gets penalized by Google: invalid HTTPS certificate, slow load times due to malware, obscured content. Security is a ranking factor.

In Summary – What to Do Now

  1. Run a vulnerability audit with WPScan: wpscan --url http://yoursite.com --api-token YOUR_TOKEN. If you don't have WPScan, use the built‑in scan in Wordfence.
  2. Verify that backups are working: perform a test restore on a staging environment. Don't just trust the confirmation emails.
  3. Enable security update notifications: subscribe to the WordPress Security News channel or use a service like Sucuri SiteCheck for periodic monitoring.

Security is a process, not a product. At Meteora Web we offer audits and ongoing maintenance for Italian SMEs, from domain to revenue – one single point of contact. Because the digital divide is also geographical: we work to close it, starting from Sicily.


Ing. Calogero Bono

Co-founder of Meteora Web. Computer engineer, I build high-performance digital ecosystems. AI, automation, technical SEO and web infrastructure. I write about technology to make the complex… simple.
