You usually notice design and content when you visit a website, but what do attackers see? They spot misconfigurations, forgotten endpoints, out-of-date components, emails and other sensitive information. Vladimír will give a 10-minute preview of common but not often-mentioned mistakes he saw during security scans of WordPress sites, specifically: Username and email leaking, full path disclosures, accessible backups, open .git repositories and DoS capable endpoints. He will also provide tips on how to reduce risks, where it is worth restricting access, how to enable Bcrypt password hashing and 2FA, and what configuration directives you need to check.