Security talks at WordCamps can go one of two ways. There’s the kind that reminds you to keep plugins updated and use a strong password — useful advice, poorly timed at a conference full of people who already know. And then there are sessions that leave you genuinely uncomfortable, because you realise your setup has a problem you didn’t know existed until thirty minutes ago.
This year’s security track leans hard into the second kind.
Three sessions. Three very different problems. At least two of them will be relevant to something you’re currently running or maintaining.
Why this keeps getting more complicated
The basic WordPress security hygiene hasn’t changed much. Keep things updated. Use a decent host. Don’t install every plugin you find. Most people in this community know the list.
What’s changed is the context around it. The EU’s NIS2 Directive is now in force, which means incident reporting is no longer just good practice — for a significant chunk of European WordPress businesses and the agencies that serve them, it’s a legal obligation with specific deadlines. The regulation doesn’t care whether you’re a freelancer with three client sites or an agency with thirty. If you qualify, you’re on the hook.
Meanwhile, the attack surface keeps growing in unexpected directions. The assumption that DDoS protection lives at the network level — your host, your CDN, Cloudflare — turns out to miss a whole category of threat that originates inside WordPress itself. And hosting providers keep selling security features whose real-world effectiveness nobody has seriously tested. Until now.
The Talks
The hidden DDoS threat in WordPress: abusing the search endpoint

Speaker: Samuel Silva
Where: Track 2
When: Saturday 6 June at 14:00
Session page: The hidden DDoS threat in WordPress: abusing the search endpoint
Here’s the scenario: your site goes down, but your host can’t see anything unusual at the network level. The CDN isn’t reporting traffic spikes. Nothing looks obviously wrong. And yet the database is on its knees.
What Samuel Silva is going to show you is how WordPress’s own search endpoint — present and exposed on essentially every public WordPress install — can be abused to generate a disproportionate server load from a small number of crafted requests. This isn’t theoretical. It doesn’t require compromising anything. It just requires knowing the endpoint is there.
Ten minutes. You’ll leave knowing something you didn’t know before, and probably thinking about a few sites you’re responsible for.
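For the defender side of this, one concrete thing you can do before the talk is look at your own access logs for search traffic. The script below is an added example written for this post, not code from Samuel Silva or from WordPress itself. It assumes the web server writes the standard combined log format, treats `/?s=<term>` and the pretty-permalink form `/search/<term>/` as search requests, and uses thresholds (five searches per client per minute, a 100-character term) that are placeholders you would tune to your own site. The log lines are constructed for the example.

```python
"""Spot heavy use of the WordPress search endpoint in web-server access logs.

WordPress answers searches on /?s=<term> (or /search/<term>/ with pretty
permalinks). Each hit runs an uncached database query, so a burst of search
requests from one client can look harmless at the network layer while the
database is saturated. This script parses combined-format log lines, counts
search requests per client IP in a sliding time window, and reports clients
that exceed a burst threshold or send oversized search terms.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format (Apache/Nginx default); only the needed fields are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, ts, method, target, status for one log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def extract_search_term(target):
    """Return the search term if the request target is a WordPress search, else None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "s" in qs:
        return qs["s"][0]
    m = re.match(r"^/search/([^/]+)/?$", parts.path)  # pretty-permalink form
    if m:
        return unquote(m.group(1))
    return None


def analyse(lines, window_seconds=60, max_per_window=5, max_term_len=100):
    """Map client IP -> set of findings: 'search_burst' and/or 'oversized_term'.

    Thresholds are illustrative placeholders, not values from the talk.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)     # ip -> timestamps of recent search requests
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        term = extract_search_term(rec["target"])
        if term is None:
            continue
        if len(term) > max_term_len:
            findings[rec["ip"]].add("oversized_term")
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop hits outside the window
            q.popleft()
        if len(q) > max_per_window:
            findings[rec["ip"]].add("search_burst")
    return dict(findings)


def _line(ip, ts, target, ua="Mozilla/5.0"):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts} +0000] "GET {target} HTTP/1.1" 200 5120 "-" "{ua}"'


# Constructed sample: one client hammering search, one oversized term, one normal visitor.
SAMPLE_LOG = [
    _line("203.0.113.10", "06/Jun/2026:14:00:01", "/?s=wordcamp"),
    _line("203.0.113.10", "06/Jun/2026:14:00:02", "/?s=security+track"),
    _line("198.51.100.7", "06/Jun/2026:14:00:03", "/about/"),
    _line("203.0.113.10", "06/Jun/2026:14:00:03", "/?s=plugins"),
    _line("203.0.113.10", "06/Jun/2026:14:00:04", "/?s=hosting"),
    _line("203.0.113.10", "06/Jun/2026:14:00:05", "/?s=nis2"),
    _line("203.0.113.10", "06/Jun/2026:14:00:06", "/?s=ddos"),
    _line("192.0.2.44", "06/Jun/2026:14:00:07", "/?s=" + "a" * 300, ua="curl/8.0"),
    _line("198.51.100.7", "06/Jun/2026:14:03:00", "/search/schedule/"),
]

if __name__ == "__main__":
    for ip, reasons in sorted(analyse(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(reasons))}")
```

Run against a real log with `analyse(open("access.log"))`. Flagged clients are candidates for a per-IP rate limit on the search endpoint at the web server or WAF layer, which is where this kind of load is cheapest to stop; the thresholds only make sense once you have looked at what a normal day of search traffic looks like on your own site.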
Samuel Silva is a web developer from Portugal and an active contributor in the WordPress community.
Follow his work on WordPress.org as @samuelsilvapt

NIS2 Incident Report in 10 minutes

If you work with European clients and haven’t looked at NIS2 yet, this is the talk to start with — and a lightning slot is honestly the right format, because the regulation itself isn’t complicated. What’s complicated is the timeline.
Under NIS2, a significant security incident requires an early warning to the relevant authority within 24 hours. Not 72. Not “once you’ve figured out what happened.” Twenty-four hours, at which point you probably still don’t know the full extent of it.
Francesco Canovi has been working on this problem specifically for smaller WordPress agencies and freelancers — the people NIS2 guidance typically forgets to address. His session gives you a practical incident report structure you can actually use under pressure, built around how real incidents unfold rather than the hypothetical orderly version the directive seems to assume.
He’s the founder of Black Studio, an Italian digital agency, with over two decades building WordPress solutions for businesses and public entities. He’s been talking about NIS2 across the European WordPress conference circuit and at this point knows exactly which parts confuse people most.
Follow him on X as @thedarkmist and connect on LinkedIn

Testing the promise: does secure hosting deliver?

Speaker: Maciek Palmowski
Where: Track 2
When: Saturday 6 June at 15:30
Session page: Testing the promise: does secure hosting deliver?
Every managed WordPress host has a security page. Malware scanning. Automatic updates. Firewall. DDoS protection. It’s more or less the same list across every provider, which tells you either that managed WordPress security has been thoroughly solved, or that these are marketing claims nobody has seriously pressure-tested.
Maciek Palmowski works at Patchstack, which means he spends a lot of time looking at WordPress vulnerabilities from the inside. He went and actually tested what the security promises at various hosting providers do — and don’t — deliver. This session is where he reports back.
It will be uncomfortable for anyone who’s been confidently recommending managed hosting to clients on the basis of that security page. It should also be useful for the same people, because knowing where the gaps actually are is how you start to close them.
Maciek has been in the WordPress world for over 15 years, writes regularly about security and modern WordPress development, and co-organises CMS Conf in Gdynia. He’s exactly the right person to say the quiet part out loud on a subject this easy to oversell.
Follow him on X as @palmiak_fp and connect on LinkedIn