A few days ago, on February 6, 2025, we gathered for another WordPress Valencia MeetUp, which I have the pleasure of co-organizing. This time we talked about cybersecurity, a topic that has come up more and more often in recent years as a result of cyberattacks on companies and public bodies.
Let’s recall some high-profile cases, such as the 2023 attack on the Hospital Clínic de Barcelona, where the RansomHouse group demanded a payment of 4.25 million euros to prevent the disclosure of sensitive data on hundreds of patients. Another example, also from 2023, is that of Air Europa: cybercriminals got hold of the bank card numbers, expiration dates, and CVV codes of hundreds of customers. More recently, in early February 2025, a hacker was arrested in Alicante, linked to more than 40 cyberattacks on organizations such as the Civil Guard, the Ministry of Defense, and NATO, among others.
These are examples of attacks on large corporations or public bodies, but small and medium-sized companies can be affected too. I experienced one such situation myself as e-commerce manager for a mobile phone manufacturer. One day we noticed a sudden drop in sales and, on investigating the website, discovered that customers were being redirected to a malicious site when they started the payment process. Fortunately, we fixed the problem quickly and received no complaints.
Given the importance of this issue and the need to establish security practices from the very start of a website’s development, we had a very special guest, Sara Martínez. I met her at RootedCon Valencia 2024, where she was giving a talk for cybersecurity professionals.
For 10 years, Sara Martínez has been dedicated to the analysis and quality testing of cybersecurity software in the areas of telecommunications, geolocation, Big Data, and power electronics. She is currently responsible for the SDET (Software Developer Engineer Test) department at Telefónica Tech. This specialty tests the software product throughout its production, from the initial development phase through to testing and quality assurance. She also speaks at conferences and runs her own project, Testing Soul.
The objective of her talk, “Cybersecurity in WordPress: Risks and Protections,” was to explain how to make our products cyber-secure. She highlighted aspects such as writing secure code, staying alert to new vulnerabilities, risks, and attacks, and taking action to protect websites from the very start of development.
To immerse us in this world, Sara began by defining cybersecurity in this way: “It is the art of protecting networks, devices, and data from unauthorized access or criminal use and the practice of ensuring the confidentiality, integrity, and availability of information.”* She emphasized that once we move information into the cyber environment we take on a responsibility to protect it, and that this is why it is important to implement the secure software development life cycle, better known by its acronym SSDLC (Secure Software Development Life Cycle). She closed this part with a clarification: “A hacker is not a criminal; a cybercriminal is a criminal. A hacker is a person who pushes technology beyond its limits and explores it.”
After these preliminary remarks on the ethics and necessity of cybersecurity, she went on to tell us how CVEs are increasing exponentially every year. In the first month of 2025 alone, some 5,000 new software vulnerabilities and exposures (CVEs) had been recorded. According to Sara, a quick extrapolation from that figure gives about 60,000 CVEs for this year, a considerable amount in her opinion. “There is a lot of software and a lot of websites being made these days, and there are a lot of loose ends out there,” Sara says.
CVE stands for “Common Vulnerabilities and Exposures”. These are bugs in the code or configuration of software that allow an attacker to gain indirect access to systems and networks; for example, a vulnerability in a web server may allow remote code execution. In 2024, the most frequent types of attack resulting from these CVEs were cross-site scripting (XSS) and SQL injection.
She then referred to the CWE (Common Weakness Enumeration). This concept catalogs general weaknesses in the design or implementation of (web) software that can lead to vulnerabilities. A CVE is the result of a CWE: a weakness in the code (CWE) can give rise to a specific vulnerability (CVE). For example, lack of input validation (CWE-20) can facilitate SQL injection or XSS.
The link between these two concepts highlights the importance of writing robust code and delivering a reliable product, and that depends on those of us who build it. “In the case of WordPress, weaknesses can come from third-party code, such as plugins or themes, because it is code we do not fully control, so it is important to be clear about the foundation we are building on,” she says.
These weaknesses are introduced in different phases:
- During implementation: 85.1%
- Architecture and design: 57.2%
- Operation: 17.9%
- Installation: 7.2%
Some of the most common cyberattacks on WordPress last year were credential theft; SQL injection through plugins (five compromised plugins infected one million websites); malware that affected more than 10,000 domains; and poorly secured servers.
After this analysis, it was time for the “action points” for delivering a secure product, “because cybersecurity is not questionable and you have to work on it,”* and WordPress is in the spotlight. What are these recommendations?
- Culture of quality and security:
  - Promote the need to create secure products.
- Analysis tools:
  - For audit tools, she leaves us with InspectWP. It is important to check whether it has been updated recently.
- Plugins and updates:
  - Analyze them before selecting them:
    - What is their origin?
    - Do they have a reliable community behind them?
    - What is their update cycle?
- Hosting selection:
  - We hand everything over to a third party, so we must be demanding of the hosting provider.
  - Server version: Apache and Nginx must be kept updated.
  - Secure access with 2FA.
  - Good management of shared servers.
  - DDoS protection.
  - WAF.
  - Antimalware.
  - Monitoring.
- Updates.
- Backups.
- Testing.
- Permissions and roles: privilege escalation.
- Files: only valid files.
- Login:
  - Strong passwords.
  - 2FA.
  - Resets.
  - Cookies.
- Forms: limit inputs (e.g. against XSS).
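As an added illustration (not code from the talk or from any project named in this post), here is the same WordPress plugin search handler written twice: the weak form shows how the CWE-20 weakness mentioned earlier, missing input validation, turns into both SQL injection and XSS, and the hardened form applies the “limit inputs” advice using WordPress’s own sanitizing, prepared-statement and escaping helpers. The plugin name, function names and shortcode are assumptions; the code assumes it runs inside WordPress.

```php
<?php
/*
 * Plugin Name: Meetup Search Example
 * Added illustration for this post, not code from the talk. Assumes it runs
 * inside WordPress, which supplies $wpdb, sanitize_text_field(), esc_html(),
 * wp_unslash() and add_shortcode(). Function and shortcode names are assumed.
 */
// WEAK: CWE-20, the request value is neither validated nor escaped, so it
// reaches the SQL statement (SQL injection) and the HTML output (reflected XSS).
function meetup_search_weak() {
    global $wpdb;
    $q    = $_GET['q'] ?? '';
    $rows = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$q}%'"
    );
    $out = "<p>Results for {$q}</p><ul>";
    foreach ( $rows as $row ) {
        $out .= "<li>{$row->post_title}</li>";
    }
    return $out . '</ul>';
}

// HARDENED: limit the input, parameterise the query, escape on output.
function meetup_search_hardened() {
    global $wpdb;
    // Limit inputs: remove WordPress's added slashes, sanitise, cap the length.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $q = substr( $q, 0, 64 );
    if ( '' === $q ) {
        return '<p>Enter a search term.</p>';
    }
    // prepare() binds the value; esc_like() stops % and _ acting as wildcards.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s LIMIT %d",
            $like, 20
        )
    );
    // Escape on output so neither the term nor stored titles can inject markup.
    $out = '<p>Results for ' . esc_html( $q ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}
// Only the hardened handler is wired up; the weak one is kept for comparison.
add_shortcode( 'meetup_search', 'meetup_search_hardened' );
```

Dropping the file into `wp-content/plugins/` and placing `[meetup_search]` on a page lets you compare the two handlers with the same `?q=` parameter; only the hardened one is ever registered.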
Finally, she reminds us that in cybersecurity we can’t take anything for granted, because the environment is constantly changing. The best tool this year will not necessarily be the best next year. That’s why it’s essential to stay up-to-date and always on the alert.
And so we moved on to the time for questions and comments, where we had a great discussion about security protocols and how to apply them. Then came the beerworking, an excellent opportunity to continue exchanging ideas and opinions in a more relaxed setting.
It was an engaging talk; although the subject is often complicated, the content was easy to follow. One of the key ideas of the afternoon was the need to write secure code, which depends on its authors and on the proper management of the entire creation process, in order to avoid vulnerabilities that put our data at risk and open the door to attacks. To draw an analogy with physical life, I would say you need a good lock on your house’s front door, and you need to lock it properly to keep thieves out.
Thanks, Sara. If you are wondering whether we received your message, the answer is yes: next September 9th, Tester’s Day, we will congratulate you. Testers do a great job alerting us to the bugs that can make our cyber life more difficult.
And to conclude, we went to dinner.
Now we need to explore what these vulnerabilities are and how to monitor them. That is the subject of a future talk, already scheduled for an upcoming WordPress Valencia MeetUp. Learn more here.
Many thanks to Wayco for giving us the space for this meeting and to Raiola for sponsoring the networking.
See you soon!
Watch the video here. Thanks.
Sources:
* https://www.cisa.gov/news-events/news/what-cybersecurity
* Sara Martínez. Talk: “Cybersecurity in WordPress: Risks and Protections”, 06/02/2025. MeetUp WordPress Valencia, Wayco Cabañal.