AI is making cyber attacks smarter. Here’s what that means for your website.
Two years ago, a brute-force attack on your WordPress login looked like hundreds of attempts from the same IP address. Your security plugin would catch it, lock the IP out, and that was the end of it.
That version of the internet is gone.
In March 2026, Lumen’s cybersecurity team published research on a botnet called KadNap. It had quietly infected over 14,000 home routers across the US, UK, Australia, and Europe, then sold access to criminals through a proxy service. The attacks coming through those routers look like normal residential traffic. Your firewall doesn’t flag a login attempt from someone’s home broadband connection in suburban Brisbane.
But KadNap isn’t the story. It’s a symptom of a much bigger shift. Artificial intelligence has changed the economics of attacking websites, and most site owners haven’t caught up.
What’s actually changed
The tools attackers use have gotten dramatically better in the last 18 months. And cheaper. And easier to access.
AI-assisted vulnerability scanning can now crawl a website and identify outdated plugins, exposed admin panels, and misconfigured APIs in minutes. The same assessment used to take a skilled attacker hours of manual probing. Now it’s automated, running 24/7 across millions of sites simultaneously.
Password attacks have evolved too. Instead of running through a dictionary of common passwords, AI models can generate targeted password guesses based on leaked databases, company names, common patterns, and publicly available information. Combined with botnets like KadNap that rotate through thousands of residential IP addresses, these attacks bypass the per-IP rate limiting that most security plugins rely on.
Then there’s the phishing side. AI-generated emails are nearly indistinguishable from genuine business communication. An attacker who compromises your contact form, customer database, or email system through a vulnerable website now has everything they need to launch convincing phishing campaigns against your customers.
The barrier to entry has collapsed. Attack tools that required real expertise three years ago are now packaged, automated, and sold as services.
The three things that actually protect you
There’s a lot of noise in the cybersecurity space. Products and services competing for attention with increasingly dramatic threat descriptions. But for a business running a website, particularly a WordPress site, the defence comes down to three things done consistently.
Keep everything updated. Everything.
This sounds basic because it is. And it’s still the number one reason sites get compromised.
Every WordPress core update, every plugin update, every theme update exists for a reason. Many of them patch security vulnerabilities. When researchers discover a flaw in a popular plugin, the patch usually arrives within days. But the window between disclosure and patching is when automated scanners are most active, because attackers know exactly what to look for and they know most sites won’t update immediately.
Here’s what “keeping updated” actually means in practice:
WordPress core should update automatically for minor releases at minimum. Major releases need testing, but they shouldn’t sit for weeks.
Plugins need to be updated within days of a security release, not whenever someone remembers. If you’re running 15 plugins and three of them haven’t been updated in six months, those three are your biggest risk.
Themes matter too. Abandoned themes with no developer support are a common entry point. If your theme hasn’t had an update in over a year, it’s time to consider whether the developer is still maintaining it.
PHP version matters more than people think. Running PHP 7.4 in 2026 isn’t just slow, it’s unsupported and unpatched. Your hosting environment should be on PHP 8.2 or newer.
The AI angle here is straightforward: automated scanners are now sophisticated enough to identify the specific version of every plugin on your site and cross-reference it against known vulnerability databases in seconds. An outdated plugin isn’t a theoretical risk anymore. It’s a known, indexed target.
Use a web application firewall
A web application firewall (WAF) sits between your website and the internet, inspecting incoming traffic and blocking requests that match known attack patterns.
For a full breakdown of hosting security layers, read SSL, Firewalls & Security Basics Your Host Should Handle.
For a full breakdown of hosting security layers, read SSL, Firewalls & Security Basics Your Host Should Handle.
For a full breakdown of hosting security layers, read SSL, Firewalls & Security Basics Your Host Should Handle.
If your hosting provider includes a WAF as part of their firewall and server management, you’re already covered at the infrastructure level. This is the best scenario because server-level WAFs operate before traffic reaches your application, blocking malicious requests earlier and with less overhead on your site.
If your host doesn’t provide this (and many don’t), you need one at the application level. For WordPress, Wordfence is the most widely deployed option for good reason. It maintains its own threat intelligence feed, updates firewall rules in near real-time as new vulnerabilities are discovered, and provides login security features that go beyond basic rate limiting.
What a good WAF does for you:
Blocks known attack patterns like SQL injection, cross-site scripting, and file inclusion attempts before they reach your site’s code.
Rate limits authentication attempts intelligently, looking at patterns across multiple IPs rather than just blocking individual addresses. This is critical against botnet-style distributed attacks.
Monitors for file changes that indicate a compromise. If someone does get in, early detection limits the damage.
Provides real-time threat intelligence. When a new WordPress vulnerability is discovered, WAF rules are updated to block exploitation attempts, often before a plugin patch is available. This buys you time during that critical window between disclosure and update.
The WAF won’t help if it’s installed and forgotten. Rules need updating. Alerts need monitoring. Logs need reviewing. A WAF that nobody checks is just another plugin consuming resources.
Choose hosting with proper server management
This is where the conversation gets uncomfortable for a lot of hosting providers.
Your website doesn’t exist in isolation. It runs on a server with an operating system, a web server, a database, PHP, and a dozen other components that all need patching, configuring, and monitoring independently of your WordPress install.
When we talk about AI making attacks more advanced, we’re not just talking about someone trying passwords on your login page. We’re talking about attacks that target the server itself: the operating system, the web server software, the database, the mail system. These are infrastructure-level threats, and no WordPress plugin can protect against them.
Proper server management means:
The operating system is patched and updated regularly, not just when something breaks.
The web server (Apache, Nginx, LiteSpeed) is configured with security headers, TLS 1.2+ enforcement, and appropriate access controls.
PHP is on a supported, actively maintained version with dangerous functions disabled.
The database is secured, not running with default credentials, not exposed to the internet, and backed up independently.
Firewall rules are maintained at the server level, not just at the application level. This includes blocking known malicious IP ranges, limiting connection rates, and monitoring for unusual traffic patterns.
Someone is watching the logs. Not a script that sends an email nobody reads. A person (or a team) that reviews server logs, identifies anomalies, and investigates before an incident becomes a breach.
This is the layer most site owners never think about because it’s invisible when it’s done right. But it’s also the layer where AI-powered attacks are increasingly focused, because a server compromise gives attackers access to every site on that server, not just one.
The uncomfortable truth about “managed” hosting
A lot of hosting providers use the word “managed” to describe what is essentially shared hosting with a control panel. They’ll keep the server running. They might even handle backups. But security hardening, active monitoring, WAF management, and incident response? That’s either an expensive add-on or simply not available.
If your hosting provider can’t tell you:
– What version of PHP your site is running
– When the server’s operating system was last patched
– Whether they run a WAF at the server level
– What happens if your site is compromised at 2am on a Saturday
Already been hacked? Follow our recovery guide: How to Safely Restore a Hacked WordPress Site.
Already been hacked? Follow our recovery guide: How to Safely Restore a Hacked WordPress Site.
Already been hacked? Follow our recovery guide: How to Safely Restore a Hacked WordPress Site.
…then the word “managed” in their marketing is doing a lot of heavy lifting.
The AI revolution in cyber attacks means the gap between “good enough” hosting and genuinely managed hosting is getting wider. Automated attacks don’t sleep. They don’t take weekends off. They don’t wait for business hours to exploit a vulnerability that was disclosed on Friday afternoon.
What to do this week
You don’t need to overhaul everything at once. But there are things you can check right now that will tell you where you stand.
Log into your WordPress dashboard and check for pending updates. Core, plugins, themes. Update what you can. Remove what you don’t use. An inactive plugin with a known vulnerability is just as dangerous as an active one.
Check your PHP version. If it’s below 8.1, talk to your host about upgrading. If they can’t or won’t, that tells you something.
Check whether you have a WAF running. If your host provides one at the server level, confirm it’s active and rules are current. If not, install Wordfence or a similar application-level WAF and configure it properly.
Ask your hosting provider what their security monitoring looks like. Not their marketing page. Ask them directly. The answer will tell you whether you need to start looking for better hosting.
The attacks are getting smarter. Your defences need to keep pace.
