WordPress Security

When Security Plugins Aren’t Enough: Lessons from 111,000 Infected WordPress Sites

More than 111,000 WordPress sites were hacked in September this year, even with security plugins installed and updated. WeWatchYourWebsite’s latest data reveals that most attacks used stolen credentials, not software vulnerabilities. Learn what this means for your site and how modern security measures like passkeys and continuous monitoring can help prevent the next wave of attacks.

Sarah Ulmer

Most WordPress site owners believe they are protected. They install a trusted security plugin like Solid Security, keep it updated, and assume that is enough. But recent research from WeWatchYourWebsite.com paints a different picture.

In September 2025, the company analyzed 111,354 infected WordPress sites. Every single one had at least one active security plugin. Nearly 20 percent had two. These sites were not neglected or outdated. They were following best practices, yet still compromised.

Read the original research by Thomas Raef on LinkedIn:
When Security Plugins Aren’t Enough: What 111,354 Infected Websites Taught Us About Modern WordPress Attacks

How Attacks Have Changed

WeWatchYourWebsite’s research shows that 81 percent of infections came from stolen admin credentials or hijacked authentication cookies. In other words, attackers are focusing on existing login methods instead of exploiting code vulnerabilities.

Traditional security plugins, including those with web application firewalls, are designed to block suspicious traffic, limit brute force attempts, and patch known vulnerabilities. These layers of protection are important, but they cannot stop someone who already has valid credentials. Attackers are logging in like legitimate users, using stolen passwords or session cookies to move unnoticed.

The Configuration and Authentication Gap

The research uncovered another insight. On over a thousand compromised sites running SolidWP’s security plugin, attackers first logged in, then immediately deactivated Solid Security. They did this before installing malware or adding backdoors.

This shows two things. First, attackers recognize Solid Security as a serious threat to their success. Second, even the best tool cannot protect a site when attackers already have valid credentials.

The solution is modern authentication. Features like passkeys, available in Solid Security Pro, stop these attacks by removing passwords from the equation. Passkeys cannot be stolen, phished, or reused. They make stolen credentials useless.

Why Monitoring Is Essential

Strong authentication and updated plugins are only part of the picture. Attackers today move carefully, blending in with normal behavior. They edit files slowly or modify settings that look routine.

Continuous monitoring helps detect these subtle signs of compromise. Services like WeWatchYourWebsite and tools inside Solid Security, such as activity logging and file change detection, provide visibility after login. Monitoring shows what is happening on your site, not just who is trying to get in.
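The deactivation pattern described above (log in, disable the security plugin, then touch files) is something activity logs can surface. The following is an added example, not code from Solid Security or WeWatchYourWebsite: it runs a few simple rules over a constructed activity log, flagging logins from IPs outside a user's baseline, a security plugin disabled shortly after any login, and file edits inside a session that started from an unfamiliar address. The log format, plugin slugs, IP addresses and the ten-minute window are all assumptions chosen for illustration.

```python
"""Detection rules over WordPress activity-log records (illustrative, not a real product's format)."""
from datetime import datetime, timedelta

# Assumed plugin slugs that an attacker would want switched off before dropping malware.
SECURITY_PLUGINS = {"solid-security", "wordfence"}
# Assumed window: the research describes deactivation happening right after login.
DEACTIVATION_WINDOW = timedelta(minutes=10)

# Constructed sample log, one record per line: timestamp|user|event|key=value
SAMPLE_LOG = """\
2025-09-03T08:00:00|admin|login|ip=203.0.113.10
2025-09-03T08:05:00|admin|plugin_updated|slug=akismet
2025-09-03T21:40:00|admin|login|ip=198.51.100.77
2025-09-03T21:41:30|admin|plugin_deactivated|slug=solid-security
2025-09-03T21:43:00|admin|file_modified|path=wp-content/themes/demo/functions.php
2025-09-04T09:10:00|editor|login|ip=203.0.113.11
2025-09-04T09:12:00|editor|plugin_deactivated|slug=akismet
"""

# Constructed baseline: IPs each account was seen from during a trusted period.
KNOWN_IPS = {"admin": {"203.0.113.10"}, "editor": {"203.0.113.11"}}


def parse(log_text):
    """Turn the pipe-delimited records into dicts with a parsed timestamp."""
    events = []
    for line in log_text.strip().splitlines():
        ts, user, event, detail = line.split("|", 3)
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event, key: value})
    return events


def analyze(events, known_ips):
    """Return a list of (rule, user, detail) alerts in log order."""
    alerts = []
    last_login = {}  # user -> (timestamp, ip, came_from_unfamiliar_ip)
    for e in events:
        if e["event"] == "login":
            unfamiliar = e["ip"] not in known_ips.get(e["user"], set())
            last_login[e["user"]] = (e["ts"], e["ip"], unfamiliar)
            if unfamiliar:
                alerts.append(("login_from_unfamiliar_ip", e["user"], e["ip"]))
        elif e["event"] == "plugin_deactivated" and e["slug"] in SECURITY_PLUGINS:
            # Any login followed quickly by disabling a security plugin deserves a look,
            # whether or not the IP was new: this is the pattern seen on the infected sites.
            login = last_login.get(e["user"])
            if login and e["ts"] - login[0] <= DEACTIVATION_WINDOW:
                alerts.append(("security_plugin_disabled_after_login", e["user"], e["slug"]))
        elif e["event"] == "file_modified":
            login = last_login.get(e["user"])
            if login and login[2]:
                alerts.append(("file_change_in_unfamiliar_session", e["user"], e["path"]))
    return alerts


def run_sample():
    """Convenience wrapper: analyze the constructed log against the constructed baseline."""
    return analyze(parse(SAMPLE_LOG), KNOWN_IPS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it against the sample produces three alerts for the `admin` account (unfamiliar IP, security plugin disabled within the window, and a theme file edit in that session) and none for `editor`, whose deactivation of a non-security plugin from a known address is treated as routine. In practice the baseline of known IPs would be learned from the plugin's own login history rather than hard-coded.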

Layered Defense for Modern WordPress Security

True protection comes from layers of defense. Each layer fills a different role, creating stronger overall coverage.

  1. Strong Authentication
    Use passkeys or hardware-based two-factor authentication. Avoid SMS or email codes that can be intercepted.
  2. Proper Configuration
    Install a security plugin and customize its settings. Default options may not offer full protection.
  3. Continuous Monitoring
    Use independent scanning and activity logging to spot changes made by attackers after login.
  4. Regular Updates
    Keep every plugin updated, not just your security tools. Automate updates where possible.
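Step 3 above relies on file change detection, which at its core is a hashed baseline of the install compared against a fresh scan. The block below is an added example, not Solid Security's own scanner: it hashes every file under a site root, diffs two snapshots into added, removed and modified paths, and demonstrates the result on a constructed miniature WordPress tree in a temporary directory. The excluded directories are an assumption (cache and uploads change constantly and are better watched with separate rules).

```python
"""Hash-based file change detection for a WordPress install (illustrative example)."""
import hashlib
import os
import tempfile

# Assumption: these directories churn during normal operation and are excluded from the baseline.
EXCLUDED_DIRS = {"wp-content/cache", "wp-content/uploads"}


def build_baseline(root):
    """Map each file's path (relative to root, forward slashes) to its SHA-256 digest."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir in EXCLUDED_DIRS:
            dirnames[:] = []  # do not descend into excluded trees
            continue
        for name in filenames:
            with open(os.path.join(dirpath, name), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            baseline[rel] = digest
    return baseline


def diff_baseline(old, new):
    """Compare two snapshots; every entry returned is something a human should review."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in old.keys() & new.keys() if old[p] != new[p]),
    }


def demo():
    """Constructed site tree: take a baseline, then simulate post-login changes and diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(content)

        write("wp-config.php", "<?php define('DB_NAME', 'wp');")
        write("wp-content/themes/demo/functions.php", "<?php // theme functions")
        write("wp-content/plugins/demo/demo.php", "<?php // demo plugin")
        write("wp-content/cache/page.html", "<html>cached</html>")
        before = build_baseline(root)

        # Simulated changes: an edited theme file, a new plugin file, a deleted file,
        # and a cache write that should not raise an alert.
        write("wp-content/themes/demo/functions.php", "<?php // theme functions\n// edited later")
        write("wp-content/plugins/demo/helper.php", "<?php // new file")
        os.remove(os.path.join(root, "wp-content/plugins/demo/demo.php"))
        write("wp-content/cache/page.html", "<html>changed</html>")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline should be taken immediately after a trusted install or update and stored somewhere the web server's user cannot write, otherwise an attacker with admin access can simply refresh it; comparing against a snapshot held by an independent service is what makes the monitoring described above "independent".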

Moving Forward

Security is not about fear. It is about awareness and evolution. Attackers continue to change tactics, so your defense must change too.

Site administrators should make sure every available protection is in place and configured correctly. Use all the tools your security solution provides, including authentication, logging, firewall rules, and monitoring, and ensure the most advanced features like passkeys and two-factor authentication are turned on. A security plugin is only as strong as the settings behind it.

To explore the full dataset and insights, read Thomas Raef’s full article on LinkedIn:
When Security Plugins Aren’t Enough: What 111,354 Infected Websites Taught Us About Modern WordPress Attacks

Learn more about modern WordPress protection with Solid Security Pro.