Your 'SSL Padlock' Isn't Security — It's Hygiene

A client emailed me last month, slightly panicked. Their site had been hit with a credential-stuffing attack and an attacker was halfway through their admin database. Their first words: “But we have SSL — how did this happen?”

That question, more than the breach itself, is what I want to talk about. Because the little green padlock in the browser bar has somehow become shorthand for “this site is secure.” It isn’t. It’s the equivalent of locking your front door while leaving every window open and the keys under the mat. SSL is hygiene. Real security lives somewhere else entirely.

What SSL actually does (and doesn’t)

SSL/TLS encrypts the data moving between a visitor’s browser and your server. That’s it. It means someone sniffing public WiFi at a Bergen County coffee shop can’t read the contact form your visitor just submitted. It does not stop anyone from guessing your admin password. It does not patch the vulnerable plugin you forgot about. It does not block the bot army hammering your login page 4,000 times an hour. Encryption in transit is table stakes — Google has been flagging non-HTTPS sites since 2018, and every reputable host issues free Let’s Encrypt certificates. Treating it as a security feature in 2026 is like advertising that your office has electricity.

How attackers actually get in

I’ve cleaned up dozens of compromised WordPress sites over the years. The breach almost never involves SSL. It involves one of four things: a stale plugin with a known CVE, a weak or reused admin password, an unprotected XML-RPC endpoint being used for brute-force amplification, or a developer leaving a backup file accessible at a guessable URL. The attacker isn’t a hooded genius in a basement. It’s a script — often running from a residential IP in another country — that crawls millions of sites looking for any of those four conditions. SSL doesn’t enter the conversation.

The five wins that actually move the needle

If you do nothing else on your WordPress site this quarter, do these. In order. Each one closes off a real, measurable attack vector that scripts are actively probing for right now.

  • Disable XML-RPC entirely unless you genuinely use the Jetpack mobile app or pingbacks. A single line in .htaccess kills it. This one change blocks the most common brute-force amplification vector on the internet.
  • Enforce two-factor authentication on every admin and editor account. Not “encouraged.” Enforced. Plugins like Wordfence Login Security or WP 2FA make this a 10-minute setup. Password leaks are a when, not an if.
  • Auto-update minor plugin and core releases. The window between a vulnerability being disclosed and being weaponized is now under 48 hours in many cases. If you’re updating manually once a month, you’re already losing.
  • Limit login attempts and rate-limit /wp-login.php and /xmlrpc.php at the firewall or CDN layer. Cloudflare’s free tier handles this. Most brute-force attempts die at this gate.
  • Run a real off-site backup at least daily, restorable in under 10 minutes. Hosts go down. Backups stored on the same server are not backups. We’ve watched a $40,000 e-commerce site lose three weeks of orders because the “backup” was sitting in the same compromised file system.
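The rate-limiting step above acts on one signal: many hits to the login endpoints from one client in a short window. As an added example (not code from the original post), here is a small detector that pulls that signal out of an Apache combined-format access log; the log lines, the 5-requests-per-60-seconds threshold and the IP addresses are constructed sample values, not figures from the post.

```python
"""Flag brute-force bursts against WordPress login endpoints in an access log.

Added example: counts requests to /wp-login.php and /xmlrpc.php per client IP
inside a sliding window, the same signal a CDN or firewall rate-limit rule
acts on. SAMPLE_LOG is constructed data (203.0.113.0/24 and 198.51.100.0/24
are documentation ranges, not real clients).
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")

SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Mar/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Mar/2026:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
203.0.113.7 - - [02/Mar/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Mar/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1532
203.0.113.7 - - [02/Mar/2026:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
198.51.100.22 - - [02/Mar/2026:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 8821
198.51.100.22 - - [02/Mar/2026:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, path) for one combined-format line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0]  # drop query string

def find_bursts(log_text, limit=5, window_seconds=60):
    """Return {ip: peak_hits} for IPs that made more than `limit` requests to a
    login endpoint within any `window_seconds` span. Lines are assumed chronological."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or parsed[2] not in LOGIN_ENDPOINTS:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire old hits
            q.popleft()
        if len(q) > limit:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(find_bursts(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

The flagged IP is exactly the client a Cloudflare rate-limit rule on /wp-login.php and /xmlrpc.php would challenge or block; a normal visitor with one login (198.51.100.22) never reaches the threshold.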

Why the padlock myth is so sticky

Two reasons. First, browsers visibly warn users when SSL is missing, so the absence is loud and the presence feels reassuring — even though the reassurance is misplaced. Second, cheap hosts and template-shop web designers love to list “Free SSL” as a security feature on their pricing pages, because it costs them nothing and sounds technical. It’s the security equivalent of a car dealer bragging that the vehicle comes with seatbelts. True, useful, and absolutely the minimum.

How AJD handles this

Every WordPress build we ship to a Bergen County client gets the five wins above, configured before launch, not as an upsell. XML-RPC disabled, 2FA enforced on admin accounts, auto-updates wired in with a staging-first rollback path, login throttling at the Cloudflare layer, and daily off-site backups to a different provider than the host. Our care plans add monthly vulnerability scanning and a 4-hour incident response window. SSL? That’s installed in the first 10 minutes and we never mention it again, because it isn’t the conversation. Whether you work with us or not, run through that five-item list this week. If you’d rather we audit the one you have, the discovery call is free.

