The attacks happening at 3 AM that nobody sees
Open your WordPress dashboard at 3 AM and look at the security plugin logs. If you have a working firewall installed, you’ll see something most owners never realize: thousands of login attempts per night. Bots from every continent trying common username and password combinations against your site, methodically, around the clock.
This is the part of WordPress security that runs while you sleep. Not the dramatic site-defacement attacks that make headlines. The quieter ones — brute-force login attempts, plugin vulnerability scans, comment spam floods, and SEO injection attempts. They’re happening to your site right now, even if nothing has gone visibly wrong.
This is Part 3 of What Your Website Is Doing While You Sleep. Part 1 covered backups — the layer that protects you when something goes wrong. Part 2 covered speed and caching — the layer that determines whether anything goes right. This one covers the layer that decides whether your site is still yours by morning. WordPress security isn’t a plugin you install once. It’s a 5-layer defense most small business sites are missing two or three layers of.
Why this matters more than most owners realize
Sucuri publishes annual data on the most common WordPress threats. Sucuri’s 2024 Hacked Website Report documented that the overwhelming majority of compromised WordPress sites — over 90% in their dataset — were running outdated plugins or themes with known vulnerabilities. The infection vector wasn’t a sophisticated hack. It was an unpatched plugin that the attacker scanned for, found, and exploited.
Wordfence tracks the volume side. Wordfence’s threat intelligence reports consistently show billions of attack attempts against WordPress sites per month — most of them automated bots trying credential combinations. Your specific site is being scanned even if you have one visitor a week.
The economics of small business website attacks are uncomfortable. Cleaning a hacked site costs $300-1500 in agency fees. Lost search rankings from being blacklisted by Google can take 3-6 months to recover. The bigger cost is reputational — customers who land on a site flagged as “deceptive” by their browser don’t come back.
The 5-layer WordPress defense
Most small business sites have one or two of these layers configured. The fast-loading, never-hacked sites have all five. Each layer addresses a different attack vector.
Layer 1: Login security (where 80% of attacks happen)
Brute-force login attempts are the single most common attack against WordPress. Bots try thousands of common username/password combinations against the login page. The defense is making this attack unprofitable.
What to configure:
- Strong unique passwords. Every admin user. Generated by a password manager, never reused. The single highest-ROI security move.
- Two-factor authentication on every admin account. Wordfence has it free. So does iThemes Security. Enable it.
- Rename the login URL. Hide My WP Ghost changes the default login path to something custom. Stops 99% of automated bots from finding the form.
- Limit login attempts. Lock IPs after 3-5 failed attempts for 20-30 minutes. Built into most security plugins.
- Never name an admin user “admin.” Half of brute-force bots start with that exact username. If yours exists, create a new admin user with a different name, then delete the “admin” one (after reassigning content).
The chain breaks here for most attackers. Configure this layer well and a huge portion of attacks just stop reaching your site.
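The "limit login attempts" rule above is easy to see in action against the kind of log the opening paragraph describes. The script below is an added example, not code from this article or from any plugin it names: it parses a few constructed Apache-style access-log lines, counts failed logins per IP, and applies the same sliding-window lockout a login-limiting plugin would (here: lock for 30 minutes after 5 failures inside 5 minutes). The way it tells success from failure is an assumed heuristic: a POST to wp-login.php answered with 200 re-rendered the form (credentials rejected), while a successful login is answered with a 302 redirect. The IP addresses and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; this is not real
# traffic. 203.0.113.7 hammers the login form; 198.51.100.20 fails once and
# then logs in successfully.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2026:03:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2026:03:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2026:03:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/Mar/2026:03:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(ev):
    # Assumed heuristic: a POST to wp-login.php answered with 200 re-rendered the
    # login form (credentials rejected); a successful login is answered with a
    # 302 redirect into wp-admin.
    return ev["method"] == "POST" and ev["path"] == "/wp-login.php" and ev["status"] == 200


def find_lockouts(lines, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(minutes=30)):
    """Return {ip: lockout_expiry} for every IP that reaches max_failures failed
    logins inside a sliding window. Further attempts from a locked-out IP are
    ignored until the lockout expires, mirroring a login-limiting plugin."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_failed_login(ev):
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ip in locked and ts < locked[ip]:
            continue                       # still locked out; request is rejected
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = ts + lockout
            q.clear()
    return locked


def failure_counts(lines):
    """Failed login attempts per IP: the number a security plugin's log view shows you."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and is_failed_login(ev):
            counts[ev["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print(failure_counts(SAMPLE_LOG.splitlines()))
    for ip, until in find_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock {ip} until {until.isoformat()}")
```

Run against a real access log (`find_lockouts(open("access.log"))`) the function gives you an independent check on what the plugin's lockout list should contain; if the two disagree, the plugin's rate limiting is not actually active.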
Layer 2: Plugin and theme hygiene
The second most common attack vector — and the one most owners ignore — is plugin vulnerabilities. A plugin released a security patch six months ago. Your site is still running the unpatched version. A bot scans for that exact vulnerability and finds you.
What to do:
- Update plugins weekly. Not “when I get around to it” — weekly. Most managed maintenance services handle this automatically.
- Delete plugins you’re not actively using. Inactive plugins still get exploited if the code is on the server. Don’t deactivate — delete.
- Audit your plugin list quarterly. Any plugin that hasn’t had an update in over a year is a risk. Replace with an actively maintained alternative.
- Avoid nulled or “free premium” plugins. Cracked premium plugins frequently contain backdoors. The savings cost dramatically more than the original license would have.
I see this pattern repeatedly when taking over WordPress sites: 47 installed plugins, 12 of them inactive, 8 of them haven’t been updated since 2022. That’s the attack surface. The three WordPress settings most owners get wrong intersect with this — plugin auto-updates being one of them.
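The four rules above can be applied mechanically to a plugin inventory. The script below is an added example, not code from this article or from WP-CLI: it takes a constructed inventory in the shape of `wp plugin list --format=json` output (the `name`, `status`, `update` and `version` fields) together with constructed "last updated" dates (in practice you would take those from each plugin's WordPress.org page), and sorts every plugin into delete, update, replace or ok. The plugin slugs and dates are made up.

```python
import json
from datetime import date

# Constructed inventory in the shape of `wp plugin list --format=json` (WP-CLI).
# Not real output from any site.
PLUGIN_LIST_JSON = """[
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
 {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.8"},
 {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.2"},
 {"name": "legacy-slider", "status": "active", "update": "none", "version": "2.0"}
]"""

# Constructed last-release dates keyed by slug. WP-CLI does not report these;
# in practice they come from the plugin's WordPress.org listing.
LAST_UPDATED = {
    "akismet": "2026-02-20",
    "contact-form-7": "2026-01-15",
    "old-gallery": "2022-06-01",
    "legacy-slider": "2024-11-30",
}

STALE_DAYS = 365   # "no update in over a year" threshold from the article


def audit_plugins(plugin_list_json, last_updated, today_iso, stale_days=STALE_DAYS):
    """Apply the Layer 2 rules and return {action: [slugs]}.

    delete  - inactive plugins (the code is still on the server and still exploitable)
    replace - active plugins with no release in over stale_days, or with no known release date
    update  - active, maintained plugins with a pending update
    ok      - everything else
    """
    today = date.fromisoformat(today_iso)
    result = {"delete": [], "update": [], "replace": [], "ok": []}
    for p in json.loads(plugin_list_json):
        slug = p["name"]
        if p["status"] == "inactive":
            result["delete"].append(slug)
            continue
        last = last_updated.get(slug)
        age = (today - date.fromisoformat(last)).days if last else None
        if age is None or age > stale_days:
            result["replace"].append(slug)
        elif p["update"] == "available":
            result["update"].append(slug)
        else:
            result["ok"].append(slug)
    return result


if __name__ == "__main__":
    for action, slugs in audit_plugins(PLUGIN_LIST_JSON, LAST_UPDATED, "2026-03-12").items():
        print(f"{action:8s} {', '.join(slugs) or '-'}")
```

An unknown release date is deliberately treated as "replace" rather than "ok": a plugin you cannot find a maintenance history for is exactly the kind that turns up in the 47-plugin inventories described above.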
Layer 3: The firewall
A web application firewall (WAF) sits in front of WordPress and blocks malicious requests before they reach your site. This is the layer that protects against attack types you’ve never heard of and don’t need to understand.
What works:
- Cloudflare WAF (free tier). Covers most small business needs. Setup is one DNS change.
- Wordfence Premium. $99/year. WordPress-specific WAF rules that update as new vulnerabilities are discovered.
- Sucuri Firewall. $199-499/year depending on tier. Cloud-based, particularly good against DDoS.
- Host-level WAF. Some managed hosts include this. Kinsta, WP Engine, Cloudways all have varying levels of built-in protection.
You don’t need to stack three firewalls. One properly configured WAF is the goal. Most small business sites can run Cloudflare’s free tier alongside Wordfence’s free version and get genuinely strong protection without spending anything.
Layer 4: File integrity monitoring
This is the layer most owners skip entirely. File integrity monitoring detects when files on your WordPress installation change unexpectedly. If a hacker injects malicious code into a theme file at 3 AM, you find out at 3:01 AM instead of three weeks later when Google flags your site.
What handles this:
- Wordfence (free) includes file integrity scanning. Compares your core files to the original WordPress.org versions and flags differences.
- Sucuri SiteCheck does external scanning to catch what server-level scans miss.
- Managed hosting often includes this. Kinsta, WP Engine, and similar do continuous file scanning.
The setup is one-time. Configure it, set up email alerts, then let it run. When a real attack happens, you’ll know within minutes instead of months.
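To make the mechanism concrete, here is an added example of file integrity monitoring, not code from this article or from Wordfence or Sucuri. Where Wordfence compares core files against the WordPress.org originals, this script takes the simpler approach of hashing every file after a clean install or update into a baseline manifest and diffing later manifests against it. It also applies one rule worth having in any such check: directories that change legitimately all the time (uploads, cache) are not reported as "modified", but a PHP file appearing inside them is always reported. The `demo()` function builds a tiny fake WordPress tree in a temporary directory, so everything runs offline; the file names and contents are constructed.

```python
import hashlib
import os
import tempfile

# Directories whose contents change legitimately (media uploads, page cache).
# Changes there are not reported as modifications, but new PHP files are.
NOISY_DIRS = ("wp-content/uploads", "wp-content/cache")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(baseline, current):
    """Compare a baseline manifest (taken after a clean install/update) with the
    current one and return the changes a monitoring alert should contain."""
    def noisy(path):
        return any(path.startswith(d + "/") for d in NOISY_DIRS)

    added = sorted(p for p in current if p not in baseline and not noisy(p))
    removed = sorted(p for p in baseline if p not in current and not noisy(p))
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p] and not noisy(p))
    # PHP appearing under uploads/cache is never legitimate; report it regardless of noise.
    suspicious = sorted(p for p in current
                        if noisy(p) and p.lower().endswith(".php") and p not in baseline)
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def _write(root, rel, content):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: baseline a tiny fake WordPress tree, then change a
    theme file, drop a PHP file into uploads, and add a legitimate image upload
    (which must not raise an alert)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
        _write(root, "wp-content/themes/site/functions.php", "<?php // theme functions\n")
        _write(root, "wp-content/uploads/2026/03/photo.jpg", "jpegdata")
        baseline = build_manifest(root)

        _write(root, "wp-content/themes/site/functions.php",
               "<?php // theme functions\n// line that was not there at baseline time\n")
        _write(root, "wp-content/uploads/2026/03/dropped.php", "<?php // unexpected PHP in uploads\n")
        _write(root, "wp-content/uploads/2026/03/photo2.jpg", "jpegdata2")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:11s} {paths}")
```

The operational caveat is the same one the article makes about backups: the baseline must be re-taken after every legitimate plugin, theme or core update, otherwise every update looks like an attack and the alerts get ignored.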
Layer 5: The backup chain (your last resort)
If layers 1-4 all fail and someone does compromise your site, the question becomes: how quickly can you restore? Series C Part 1 covered backups in depth, but the security context is worth restating: a backup you’ve never tested is a hope, not a recovery plan. Verify your backups restore cleanly at least quarterly.
The recovery time difference is enormous. A site with tested, recent, off-site backups can be restored in 30-60 minutes. A site without that can be down for days while an agency reverse-engineers the damage.
The OWASP context (where small business sites land in the bigger picture)
The web application security community publishes an annual top-10 list of the most critical vulnerabilities. The OWASP Top 10 covers attack categories like broken access control, injection attacks, and security misconfiguration. Most small business WordPress sites are vulnerable to several of these by default — not because anyone did something wrong, but because the defaults aren’t sufficient for an internet-facing site in 2026.
You don’t need to memorize the OWASP list. You need to know that the 5-layer defense above addresses the categories of attack that hit small business WordPress sites most often. Configure the layers properly and you’ve already addressed the bulk of the risk.
The 60-minute security audit you can run today
One sitting. WordPress admin and security plugin logs open.
- Login security check (15 min): Is 2FA on every admin account? Is the login URL hidden? Is “admin” still a username? Is login rate-limiting active?
- Plugin and theme audit (15 min): List every plugin. Note which haven’t been updated in 12+ months. Delete the inactive ones. Schedule replacements for the abandoned ones.
- Firewall check (10 min): Is Cloudflare or another WAF active? Is Wordfence configured? Are basic rules turned on?
- File integrity scan (10 min): Run a Wordfence scan. Note any changes flagged.
- Backup verification (10 min): Check the most recent backup. Confirm it’s recent (under 7 days) and stored off-site.
Whatever layer is weakest is what to fix this week. The contact form audit pattern applies here too — these audits work because they force you to actually look at the system instead of assuming it’s fine.
What’s coming in Part 4
Part 4 of this series covers the update layer — plugin updates, theme updates, WordPress core updates, and the conflicts that happen when those updates collide. The boring infrastructure that determines whether your site stays running smoothly or breaks in week three of an update cycle.
The full security and maintenance stack described here (login hardening, firewall, plugin patching, file monitoring, backups) is configured, monitored and kept patched through our WordPress maintenance service. For the hosting layer, the architectural foundation underneath all of it, security guidance comes via our web hosting service.
Final Thoughts
WordPress security is boring infrastructure. Nobody notices when it’s working. Everyone notices when it’s not — usually in the form of a Google warning page or a customer calling to say your site is showing weird pharmacy spam.
Run the audit this week. Whatever layer is missing or misconfigured, fix it before the next attack. The bots don’t wait for you to be ready.
Further Reading
If you want to dig deeper into WordPress security, here are reputable sources worth bookmarking:
- Sucuri — Hacked Website Report
- Wordfence — Threat Intelligence
- OWASP — Top 10 Web Application Security Risks
- WordPress.org — Hardening WordPress Guide
- Cloudflare Learning Center — Web Security Fundamentals