
Interview With Thomas Petty – Founder of Thomas Petty Enterprises a WordPress Security Specialist by Shauli Zacks


Shauli Zacks

Updated on: September 11, 2025
Content Editor

SafetyDetectives recently interviewed Thomas Petty, founder of Thomas Petty Enterprises, who is a WordPress Security Specialist. With more than two decades of web development experience—and the last 12 years dedicated almost exclusively to WordPress—Petty has built a reputation for helping businesses prevent and recover from website hacks. His journey into security began after a client’s WordPress site was repeatedly compromised, sparking a passion for protecting websites from persistent threats. Today, with WordPress powering over 40% of the internet, Petty focuses on hardening sites, educating owners about common vulnerabilities, and ensuring businesses don’t fall victim to costly cyberattacks. In this interview, he shares the most common mistakes site owners make, best practices for hardening WordPress, and his perspective on emerging security trends.

Can you tell us about your background and how you became focused on WordPress security?

I’ve been a web developer for over 20 years, and at least the last dozen, almost exclusively focused on WordPress.

About 10 years ago, one of my existing clients – a pharmaceutical research company – discovered that when someone clicked their link in the Google search results page (but nowhere else), it would redirect to a “non-business-friendly” website in another country – if you get my drift.

I found some core WordPress files had been modified with some clever code that shouldn’t be there, so I removed it.

The hackers came back and hacked it even worse. After a couple more back-and-forth rounds of this, I had to get smart and figure out how to keep them out permanently.

This has led to a focus over the last decade, with a passion for hardening WordPress against hackers and unhacking/securing sites after it happens.

With WordPress powering over 40% of the world’s websites, there’s plenty of opportunity for hackers. Roughly 90% of all website hacks happen on the WordPress platform, and last year, there were nearly 4.7 million sites compromised.

When a WordPress site gets hacked, what are the first steps you take to assess and fix the situation?

Generally, I’m not too interested in the “why” or “how” the site got hacked. It’s usually obvious when a site has been compromised.

Unfortunately, the base WordPress install has so many holes that hackers can get in without much effort, and most web hosts do little to nothing to patch these holes. You’re basically on your own.

As an example, several years ago, a community college came to me because their site had been hacked. The home page and all other content had been completely replaced by other hacker graffiti content (“Hacked by…”).

Unfortunately, when I looked at the back end, all files and the database had been erased. Because she didn’t have a backup of the site, there wasn’t anything to salvage. In that case, we had to start all over, which cost her in downtime, reputation, lost business, and of course, the wallet to fix.

However, in most cases, the damage is less deleterious. The website can be salvaged and rebuilt without a ton of effort, but I have to be thorough. Hackers are notorious for putting in hidden back doors that allow them to crawl back in even when you think it’s locked down tight.

Hacks can happen because of (there are more reasons, of course):

  • Weak passwords and/or no two-factor authentication (2FA)
  • Out of date plugins or WordPress core (exploitation of known vulnerabilities)
  • Common or default user IDs (like “admin”)
  • Insecure hosting (i.e. “consumer-grade” hosting that allows FTP access instead of forcing SFTP and other security vulnerabilities)
  • Cross-site scripting (XSS) – JavaScript injected into vulnerable forms plugins
  • No Web Access Firewall (WAF) to buffer the site from DDoS and other attacks
  • Failure to implement security headers to prevent XSS, clickjacking, force SSL (HSTS), and other vulnerabilities

One of the most common questions I get is, “Why would anyone want to hack my site? There’s nothing there of value.”

It usually comes down to two things:

  • Bragging rights
  • Installation of malware or scripts with a payload (like ransomware) in hidden directories that they can send spam links to.

Either way, it’s not pretty, and it can be very costly to fix. It’s far better to prevent it up front than it is to clean up the mess after the fact.

What are the most common security mistakes you see website owners make?

In most cases, just assuming that the website is secure or the web developer knows anything about security is a problem.

Just last week I met with a cybersecurity company. They help manage what I call “inside the walls” (networks, firewalls, employee processes, etc.). I took a look at his website (which is “outside the walls”), and within a few seconds, I had three of his login user IDs (which I could brute force if I wanted to) because the login screen is public. I also pointed out a host of other holes that allow hackers to compromise the site.

He basically did a face-palm and said that he just assumed his web guy took care of that stuff.

The other one I see – and it’s easy to reveal if they are – is using the default WordPress login ID of “admin”. Hackers will beat on that user ID all day long until they get in. ALWAYS delete that user ID and create another harder-to-guess administrative-level user ID.

Never assume that whoever has access to the website has a secure, hard-to-guess password. 78% of people reuse passwords across multiple sites, and those passwords have often been collected in other breaches (remember LinkedIn, Facebook, and Ticketmaster?). Always implement 2FA so even if a password is compromised and on the dark web, it’s far more difficult to gain access to the site.

Finally, does the person who posts your blogs really need administrative-level access? Regularly review who has access to the site and then only grant them the maximum level (author or editor) they need, rather than granting everyone full access to everything. Delete anyone who is no longer working for you.

How do you approach hardening a WordPress site to prevent future attacks?

It’s a process that I go through whether it’s a new website about to be launched or an existing site that hasn’t been compromised. But there are three major components.

  1. Install a quality security plugin

Most security plugins do little to protect a website. One of the most popular plugins has failed so many times – I’ve unhacked multiple sites that had even their paid Pro version.

The only plugin I recommend is Solid WP’s Solid Security Pro. It’s the only one that I’ve found to be 100% effective. With it, you should:

  • Hide the back-end login screen (don’t use their default setting either)
  • Protect critical files like the .htaccess, wp-config.php, and other system files
  • Set up Google reCAPTCHA or Cloudflare Turnstile
  • Force 2FA on all users including the use of passkeys (see below)
  • Set up passwordless logins

  2. Configure a Web Access Firewall (WAF)

The WAF sits between the wild west internet and your web server. It buffers the website server from bad actors, DDoS attacks, bots, and other threats. I use Cloudflare, and their free platform works great. WP Engine hosting includes free integration with Cloudflare directly, so you get the best of both worlds – solid, secure hosting with the Cloudflare WAF and global CDN built right into the system.

  3. Configure security headers

Security headers can protect from several attacks, including cross-site scripting and clickjacking. Businesses can scan their website at Security Headers by Snyk (make sure you HIDE your results – you don’t want your site exposed like that on their “Hall of Shame” board!). Most websites I see get an “F” score here.
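The security-header scan described in step 3 (and the "failure to implement security headers" item in the list of causes earlier on the page) can be reproduced offline. The following is an added example, not code from the interview or from any product it names: it parses a raw HTTP response, checks for the headers that address HSTS, XSS and clickjacking, and compares a typical untouched WordPress response against the hardened set you would configure at the web server, CDN or WAF. Both header blocks are constructed sample data, the letter grade is a simplified scheme (not any real scanner's scoring), and the Content-Security-Policy value is an assumption that must be tuned per site.

```python
"""Added example (not from the interview or from any product it names):
audit a site's HTTP response headers the way a security-headers scanner
does, then compare against a hardened set. Standard library only; both
header blocks below are constructed sample data, not captured from a site.
"""

ONE_YEAR = 31536000  # seconds; the usual minimum for an effective HSTS max-age

# Constructed sample: roughly what an untouched WordPress install sends.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41
X-Powered-By: PHP/8.1.2
Content-Type: text/html; charset=UTF-8
"""

# Constructed sample: a hardened set. The CSP value is an assumption and
# must be tuned per site; wp-admin and many plugins rely on inline scripts,
# so roll it out with Content-Security-Policy-Report-Only first.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'; object-src 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""


def parse_headers(raw):
    """Map lower-cased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if not line.strip():
            break  # a blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value):
    """Extract max-age from an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security: browsers will still accept plain HTTP")
    elif hsts_max_age(hsts) < ONE_YEAR:
        findings.append("Strict-Transport-Security max-age is shorter than one year")
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy: injected scripts (XSS) run unrestricted")
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append("no X-Frame-Options or CSP frame-ancestors: page can be framed (clickjacking)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("no X-Content-Type-Options: nosniff: MIME sniffing allowed")
    if "referrer-policy" not in headers:
        findings.append("no Referrer-Policy: full URLs leak to third parties")
    if "permissions-policy" not in headers:
        findings.append("no Permissions-Policy: browser features are not restricted")
    for leaky in ("server", "x-powered-by"):
        if "/" in headers.get(leaky, ""):  # a version string follows the slash
            findings.append(f"{leaky} header discloses a software version: {headers[leaky]}")
    return findings


def grade(findings):
    """Simplified letter grade: A for a clean result, F for four or more findings."""
    n = len(findings)
    return "ABCD"[n] if n < 4 else "F"


if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = audit_headers(parse_headers(raw))
        print(f"{label}: grade {grade(found)}")
        for item in found:
            print("  -", item)
```

Run it against a real site by substituting the output of `curl -sI https://example.invalid` for the sample text; the weak sample above produces eight findings and an F, the hardened set none. The two version-disclosure checks are not headers you add but ones you remove (Apache's `ServerTokens Prod` and PHP's `expose_php = Off`), which the scan in step 3 also flags.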

With new threats always emerging, what trends in WordPress security should site owners be most aware of right now?

It’s honestly nothing too sexy. The two most important things that all WordPress site owners should pay attention to include:

  1. Keep your plugins, theme, and core up to date at least weekly. Apply all patches regularly. There are hundreds of known vulnerabilities published every week.
  2. Get away from user ID/password logins. At the least, implement 2FA, but better yet, implement passwordless logins and passkeys.

For small businesses and individuals who rely on WordPress, what’s the one piece of advice you’d give to keep their websites safe?

Always make sure the website is backed up every night and stored somewhere other than on the web server (Dropbox, AWS, etc.). Most web hosts don’t provide a nightly backup. Most business owners I speak to have no idea if their site is backed up or not.

If your host charges extra for backups or doesn’t offer it, switch to a better web host like WP Engine or use Solid WP’s Solid Backup plugin, which includes 20 GB of storage for a nominal fee.

The reason this is important is that if a breach happens, it’s possible to roll back to a previous version of the site prior to the hack, then of course, immediately secure and harden the site.

The bottom line? Prevention is far cheaper than dealing with the aftermath of a hack. If you’re not paying attention to security, it’s a ticking time bomb that will explode.
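The nightly, off-server backup recommended above only pays off if the archive is intact when you need to roll back. The following is an added example, not the interviewee's process or any product's code: it bundles the site directory and an already-produced database dump (assumed to come from a tool such as mysqldump) into a timestamped archive with a SHA-256 sidecar, verifies the archive the way you would after copying it off the web server, and prunes archives older than a retention window. The paths, the retention period and the `offsite` directory (standing in for a mounted Dropbox, S3 or similar location) are assumptions; the copy to that location is outside the example.

```python
"""Added example (not from the interview): nightly backup of a WordPress
site directory plus a database dump, with an integrity manifest, a verify
step for after the archive has left the web server, and retention pruning.
Paths and the dump file are assumptions; the dump is treated as already
produced (e.g. by mysqldump) rather than generated here.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30  # assumption: keep a month of nightly archives


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, db_dump, dest_dir, stamp=None):
    """Write <dest_dir>/site-<stamp>.tar.gz holding the site files (as htdocs/)
    and the DB dump (as database.sql), plus a .sha256 sidecar in sha256sum
    format so the archive can be checked wherever it ends up."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = dest_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="htdocs")
        tar.add(db_dump, arcname="database.sql")
    digest = sha256_file(archive)
    Path(str(archive) + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_backup(archive):
    """True only if the sidecar digest matches, the archive opens, and both
    the site tree and the database dump are present."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sha256_file(archive) != sidecar.read_text().split()[0]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            names = tar.getnames()
    except (tarfile.TarError, OSError):
        return False
    return "database.sql" in names and any(n.startswith("htdocs") for n in names)


def prune_old(dest_dir, retention_days=RETENTION_DAYS, now=None):
    """Delete archives (and their sidecars) older than the retention window;
    returns the names removed."""
    cutoff = (now or time.time()) - retention_days * 86400
    removed = []
    for archive in sorted(Path(dest_dir).glob("site-*.tar.gz")):
        if archive.stat().st_mtime < cutoff:
            archive.unlink()
            sidecar = Path(str(archive) + ".sha256")
            if sidecar.exists():
                sidecar.unlink()
            removed.append(archive.name)
    return removed


def demo():
    """Run the whole cycle on a constructed sample site inside a temp dir."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        site = tmp / "htdocs"
        (site / "wp-content").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php /* constructed sample */\n")
        (site / "wp-content" / "index.php").write_text("<?php // constructed sample\n")
        dump = tmp / "database.sql"
        dump.write_text("-- constructed sample dump\nCREATE TABLE wp_options (option_id int);\n")
        dest = tmp / "offsite"  # stands in for the off-server location
        archive = make_backup(site, dump, dest, stamp="20250101-020000")
        ok_before = verify_backup(archive)
        with open(archive, "ab") as f:  # simulate corruption in transit
            f.write(b"\x00")
        ok_after = verify_backup(archive)
        old = time.time() - (RETENTION_DAYS + 1) * 86400
        os.utime(archive, (old, old))  # age the archive past the window
        return {"ok_before": ok_before, "ok_after": ok_after,
                "removed": prune_old(dest, RETENTION_DAYS)}


if __name__ == "__main__":
    print(demo())
```

Schedule `make_backup` from cron after the database dump completes, then run `verify_backup` on the copy at the off-server location rather than on the web server, since a compromised host can silently corrupt or delete what sits beside it.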
