BrunoP.Blog

Website security: the practical guide to protecting yours (no panic)

Most hacked sites didn't fall to an evil genius — they fell to an outdated plugin, a weak password, or carelessness. Here are the threats that most often take small-business sites down, and a layered plan to close the doors — with the guides and tools for each part.

Most hacks exploit three weaknesses: outdated plugins, weak passwords, and code that trusts user input. Protecting your site is a layered plan — not a silver bullet. This guide maps the most exploited doors, a weekend protection checklist, and when to hire a security professional.

When a client calls me in a panic because "the site got hacked", it was almost never an evil genius. It was a plugin nobody updated, a password that was 123456, or a form that trusted the visitor too much. The good news: the doors attackers use are almost always the same — and you can lock most of them in a weekend. This is the guide I wish every site owner read.

What threats compromise sites most often?

Today's attacks are overwhelmingly automated: bots scanning the internet for known flaws. Your business size doesn't matter — whether the door is open does. The most common ones:

  • Outdated plugin, theme or CMS — door #1. Exactly what happened in the recent Everest Forms WordPress case, where a form field became a door to run code on the server.
  • Code that trusts the user — form input flowing straight into eval() or concatenated into a SQL string, so whatever the visitor types is executed as code or becomes part of the query. The "original sin" I break down in that same post.
  • Weak password, no 2FA, or a forgotten admin user — the dullest (and most common) way to lose a site.
  • No HTTPS — everything the visitor sends (logins, form data) crosses the network in the clear and can be read or altered on the way; on top of that Google uses HTTPS as a ranking signal and browsers flag the site as "Not secure".
  • Exposed personal data / no LGPD basis — collecting name, e-mail and phone with no policy and no care is a legal risk on top of a technical one. There's a whole guide on it (with a free generator).
  • Badly wired AI — chatbots and agents that obey hidden instructions (prompt injection). I built a fake agent for you to hack so you feel why it's structural.
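To make the "code that trusts the user" door concrete, here is an added example (not code from the post or from any plugin it mentions) with the vulnerable version and the hardened version side by side; it also covers what step 4 of the plan below asks for. The users table, the attacker's input and the "calculator" field are constructed for the demo, and the database is an in-memory SQLite file, so it runs offline with the Python standard library only.

```python
"""Added example, not code from the original post: the "form input flowing
straight into eval() or concatenated into SQL" door next to the fix the
plan prescribes (validate, prepared statements, no eval on outside data).
The users table, rows and attacker inputs are constructed here; the
database is an in-memory SQLite file, so everything runs offline.
"""
import ast
import operator
import sqlite3


def make_db():
    """Constructed sample data: a tiny login table like a CMS would have.
    Passwords are plaintext only to keep the demo short; real code stores
    a slow hash (bcrypt/argon2) and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
        [("admin", "correct-horse-battery", "admin"), ("ana", "hunter2", "editor")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The door: visitor text is glued into the SQL string, so a quote plus
    a comment marker in the username rewrites the query itself."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """The fix: a prepared statement. Values travel separately from the SQL,
    so a quote in the input is compared as text, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Column names cannot be bound as parameters, so when the visitor picks a
# sort order the only safe option is an allow-list of identifiers you wrote.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_by):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_by}")
    return [r[0] for r in rows]


# eval() is the same mistake in another shape: the string is run as Python.
# A "calculator" field does not need eval; parse it and accept only numbers
# and arithmetic operators, rejecting calls, names and everything else.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}


def safe_arith(expr):
    def walk(node):
        if isinstance(node, ast.Constant) and type(node.value) in (int, float):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
            return -walk(node.operand)
        raise ValueError("only plain arithmetic is allowed")
    return walk(ast.parse(expr, mode="eval").body)


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"  # attacker knows the admin username, nothing else
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # admin
    print("safe:      ", login_safe(db, payload, "wrong"))        # None
    print(list_users_sorted(db, "role"))
    print(safe_arith("2 + 3 * 4"))
```

The two login functions receive exactly the same input; the only difference is whether the database driver or string concatenation decides where the SQL ends. The allow-list shows the one case a prepared statement cannot cover (identifiers), and `safe_arith` is the general pattern for anything you were tempted to `eval()`: parse, then accept only the node types you meant to allow.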

How do I set up a layered protection plan?

Security isn't a silver bullet — it's layers. If one fails, the next holds. This is the plan I apply (and it fits in a weekend):

  1. Update everything and turn on auto-updates. Remove plugins, themes and accounts you don't use — each is one fewer door.
  2. Strong passwords + 2FA on every panel. Review admins and delete any you don't recognize.
  3. HTTPS (a free Let's Encrypt certificate is enough; redirect all HTTP traffic to it) + a WAF (web application firewall, e.g. Wordfence on WordPress) + automatic backups stored off-server, with a restore tested at least once so you know they work.
  4. (In code) never trust the user: validate input against what you expect (allow-lists, not blocklists), use prepared statements for every query, never pass outside data to eval(), and keep secrets (database passwords, API keys) out of the code, in environment variables or a config file outside the web root.
  5. LGPD/privacy: have a privacy policy and a legal basis for the data. Generate yours in minutes with PolicyForge.
  6. Monitor: alerts for new users (especially admins), changed files and odd logins (a new country, 3 a.m., hundreds of failed attempts). The sooner you know, the smaller the damage.
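The "file changes" alert from step 6, as an added example rather than the post's own tooling: a baseline of file hashes compared against a fresh walk of the site directory, yielding the three lists worth an alert (added, modified, deleted). The WordPress-like tree, the dropped web shell and the deleted log are all constructed inside a temporary directory, so it runs offline; the file and directory names are illustrative.

```python
"""Added example, not the post's own tooling: the "file changes" alert from
step 6 of the plan as a hash baseline. snapshot() walks a site directory and
hashes every file; diff_snapshots() turns two snapshots into the lists you
want an alert for. The site tree is constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path -> sha256 hex) so a later
    run can be compared to it. Keep the result off-server: an attacker who
    can change files can otherwise change the baseline too."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = h.hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Three sorted lists: what appeared, what changed, what vanished."""
    added = sorted(p for p in current if p not in baseline)
    deleted = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and current[p] != baseline[p]
    )
    return {"added": added, "modified": modified, "deleted": deleted}


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: baseline a small WordPress-like tree, then
    simulate what a compromise typically leaves behind."""
    with tempfile.TemporaryDirectory() as site:
        _write(site, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'site');\n")
        _write(site, "wp-content/plugins/forms/forms.php", "<?php // plugin\n")
        _write(site, "wp-content/debug.log", "[notice] plugin loaded\n")
        baseline = snapshot(site)  # taken right after a clean update

        # Attacker drops a web shell in uploads, backdoors a plugin file and
        # deletes the log that would have shown the request.
        _write(site, "wp-content/uploads/cache.php", "<?php eval($_POST['c']);\n")
        _write(site, "wp-content/plugins/forms/forms.php",
               "<?php // plugin\neval(base64_decode($_GET['x']));\n")
        os.remove(os.path.join(site, "wp-content/debug.log"))

        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"ALERT {kind}: {p}")
```

In practice you take the baseline once after a clean update, store the JSON off-server, and run the comparison from cron (daily is enough for a small site). Expect noise from caches and uploads; either exclude those directories or, better, treat any new `.php` file under `uploads/` as the highest-priority alert, since that is the classic web-shell location.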

When should I hire a security professional?

You can do a lot yourself with the plan above. But it's worth calling someone when: you've already been breached (and need a trustworthy cleanup), the site is a store / handles payments or sensitive data, or you simply don't have time and would rather sleep well.

I want a security audit

I do hardening, vulnerability fixes and LGPD compliance — without becoming bad news. If any sign above is your case, let's talk.

Where can I go deeper on each threat?

This guide is the map. Each door has its deep dive: