Why you shouldn’t rely solely on AI security tools for your website’s security

AI is inescapable at the moment. It’s bleddy everywhere. And website security is no exception to this rule. Plugins, platforms, and third-party tools are now all promising that artificial intelligence will keep your site safe automatically without you lifting a finger.

We get that it can seem like an appealing idea, especially if you’re running a small business and your website is something you manage alongside everything else (if you’re tired of juggling too many balls, why not pass the website over to us to manage instead eh?). Anyway, the truth is that – whilst they can be genuinely useful – leaning on AI security tools entirely is a bit like fitting a smart lock on your front door but leaving the back window wide open. Kinda looks fancy, but a bit pointless. 

This blog article is for anyone running a WordPress or Shopify website. We’re going to write about where we think AI security tools can help – but also where they fall short, and therefore what still needs a human involved.

First, let’s be fair, AI security tools can do a lot of good

Before we get onto our soapbox and happily rant about all the limitations of AI security tools, we should really acknowledge what AI-powered security tools genuinely do well. Because dismissing them entirely wouldn’t really be fair. And, whilst we’ll freely admit we’re rather biased against AI, we should give it a chance in the areas it performs well.

AI tools are brilliant at watching traffic patterns, so they can spot unusual behaviour pretty quickly. If a login page suddenly gets 200 attempts in 60 seconds, or if someone’s scraping your product pages in an unusual way, AI can flag or block it far faster than any manual process. On WordPress, tools like Wordfence use this kind of logic. We love Wordfence and, if you don’t already have it, go get it. It’s free. If you want to read more about it, we’ve got a couple of blog articles you may want to peruse – “Simple steps to improve business security” and “3 tips to improve your WordPress site”.

Shopify has its own built-in fraud detection that works similarly.

Additionally, AI can filter known threats (malware signatures, known bad IP addresses, spam comments, malicious bots) automatically, because AI tools have access to vast databases of known threats and can block them without you ever needing to know they existed. That background protection is super valuable.

Let’s also not forget that, unlike a human, an AI tool doesn’t take weekends off. It’s there 24 hours a day, 7 days a week. Attacks often happen in the early hours or over bank holidays precisely because attackers know that’s when nobody’s watching. 

So where does it go wrong?

This is where we get to gleefully rub our hands, and get on our soapbox. (We’re finding the unavoidable prevalence of AI exceptionally irritating. No, the washing machine does NOT need AI.)

Credit where credit is due: the issues with AI security tools don’t usually arise because “AI tools are bad”, but because of human error – so many people assume these tools are comprehensive. They’re not; there are a lot of gaps.

Remember: a robot doesn’t know your business inside out

It doesn’t have any context you haven’t specifically given it, and it’s not a critical thinker. If you came to us and asked us to do something we’ve seen many people screw up before, we’d issue a word of caution to you before doing anything – but a robot won’t.

Security tools work from rules and patterns, but they have no idea what “normal” looks like for you. If you suddenly get a spike in orders because you’ve appeared on a popular podcast, gone viral, or sent out a promotion then an AI tool might flag it as suspicious. Which you really wouldn’t want! But if a genuine attack mimics what regular traffic looks like on your site, it might sail straight through. 

These examples are especially true on eCommerce stores that run promotions or flash sales. The occasional unusual traffic pattern is normal, but an AI tool has no way of knowing that without – you guessed it, because we already said it – context.

Human involvement can make things worse…

OK, so we suppose this perhaps could go under the “Pro-AI” heading, rather than our soapbox heading…

The majority of WordPress security breaches come through outdated or poorly coded plugins and themes – because we humans don’t keep them updated. AI tools can sometimes flag known vulnerable versions, but they can’t stop you installing something dodgy in the first place, and they don’t make the judgement call about whether that free plugin from an unknown developer is worth the risk. If you need help picking a good plugin, we’ve got a blog on that.

According to Sucuri’s annual hacked website reports (here’s one from 2023, but they’ve done a few), vulnerable plugins and themes consistently account for the majority of WordPress compromises. That’s a “you” problem, not one an AI tool can solve. Or, as we like to sometimes say: PICNIC – Problem In Chair, Not In Computer.

Staying with the “human involvement” theme – social engineering is a real problem, and AI can’t protect you from phishing emails, fake supplier invoices or someone ringing up and pretending to be from your hosting company. These attacks target people, not systems. An AI security plugin on your website has absolutely no ability to intercept a convincing email designed to get your login credentials. This is still one of the most common ways sites get compromised.

Side note, it’s scary how effective these can be. Always be cautious if you get an unexpected email, text, or phone call about your services/accounts. Don’t reply to it, find the contact details you usually use – don’t just blind-faith use whatever contact info is included in the message – and reach out to the service provider in question directly. 

Because AI is the current buzzword, it can give you a false sense of security

…And false confidence breeds inaction – which is possibly the most dangerous issue. When people install an AI security tool and see a reassuring dashboard full of green ticks, they stop thinking about security. Regular backups may get skipped (such a bad idea). Password best practice goes out the window. The hosting plan never gets reviewed. The AI says everything’s fine, so it must be, right?

Security isn’t a state you achieve. It’s an ongoing practice. It’s not something that stops. 

Don’t forget as well that AI is only so smart – it can be fooled. Sophisticated attackers know what holes and problems security tools are looking for, and they design attacks specifically to avoid triggering them. Slow, low-volume attacks spread out over days or weeks, or attacks that use legitimate-looking credentials, often evade automated detection entirely. To be fair, this isn’t a flaw unique to AI – it’s an inherent limitation of any rule-based or pattern-based defence.
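To make the three behaviours above concrete (the “200 attempts in 60 seconds” rule, the flash-sale false positive from the “robot doesn’t know your business” section, and the low-and-slow attack that never trips the rate rule), here is an added toy example. It is not code from this post, nor Wordfence’s or Shopify’s actual detection logic: the log format, the event names (LOGIN_FAIL, ORDER), the thresholds and every log line are constructed for the example.

```python
"""Toy versions of the rate- and pattern-based checks the post describes.

All log lines here are constructed for the example; the event names
(LOGIN_FAIL, ORDER), the log format and the thresholds are assumptions,
not Wordfence's or Shopify's actual rules.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta


def parse(line):
    """Constructed format: '<ISO timestamp> <ip> <event> <subject>'."""
    ts, ip, event, subject = line.split()
    return datetime.fromisoformat(ts), ip, event, subject


def burst_detector(lines, threshold=200, window=timedelta(seconds=60)):
    """The '200 attempts in 60 seconds' rule: flag an IP the first time
    `threshold` LOGIN_FAIL events fall inside one sliding window."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, event, _ in sorted(map(parse, lines)):
        if event != "LOGIN_FAIL":
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def slow_attack_counter(lines, threshold=100, window=timedelta(days=7)):
    """The view the burst rule lacks: count failures per *target account* over
    a long window. A low-and-slow guess that never trips the per-minute rate
    still adds up here."""
    fails = [e for e in map(parse, lines) if e[2] == "LOGIN_FAIL"]
    if not fails:
        return {}
    latest = max(e[0] for e in fails)
    per_user = Counter(user for ts, _, _, user in fails if latest - ts <= window)
    return {u: n for u, n in per_user.items() if n >= threshold}


def spike_detector(lines, baseline_per_minute, factor=5, expected=()):
    """Flag any minute whose ORDER count exceeds factor * baseline, unless the
    operator declared that period as expected (a flash sale, a podcast
    mention). Without that context, the promotion itself becomes the alert."""
    per_minute = Counter()
    for ts, _, event, _ in map(parse, lines):
        if event == "ORDER":
            per_minute[ts.replace(second=0, microsecond=0)] += 1
    alerts = []
    for minute, n in sorted(per_minute.items()):
        if n <= factor * baseline_per_minute:
            continue
        if any(start <= minute < end for start, end in expected):
            continue  # known promotion: normal for *this* shop, this hour
        alerts.append((minute, n))
    return alerts


# --- constructed scenarios (not real traffic) ------------------------------
T0 = datetime(2024, 3, 1, 2, 0, 0)  # 2 a.m., when nobody is watching

# 1. Noisy burst: one IP, 200 failed logins in 40 seconds.
BURST = [f"{(T0 + timedelta(seconds=i // 5)).isoformat()} 203.0.113.5 LOGIN_FAIL admin"
         for i in range(200)]

# 2. Low and slow: one IP, 150 failures spaced 30 minutes apart over ~3 days.
SLOW = [f"{(T0 + timedelta(minutes=30 * i)).isoformat()} 198.51.100.7 LOGIN_FAIL shopowner"
        for i in range(150)]

# 3. A ten-minute flash sale: 30 orders a minute from many customers, against
#    a normal baseline of 2 a minute.
SALE_START = datetime(2024, 3, 1, 10, 0, 0)
SALE_END = SALE_START + timedelta(minutes=10)
SALE = [f"{(SALE_START + timedelta(minutes=m, seconds=s)).isoformat()} "
        f"192.0.2.{(m * 30 + s) % 200 + 1} ORDER order-{m}-{s}"
        for m in range(10) for s in range(0, 60, 2)]


if __name__ == "__main__":
    log = BURST + SLOW + SALE
    print("burst rule flags:", burst_detector(log))               # only 203.0.113.5
    print("burst rule on the slow attack:", burst_detector(SLOW))  # nothing
    print("long-window count:", slow_attack_counter(log))         # admin and shopowner
    print("sale, no context:", len(spike_detector(SALE, 2)), "alerts")
    print("sale, with context:", spike_detector(SALE, 2, expected=[(SALE_START, SALE_END)]))
```

The point of the `expected` argument is the post’s “context” argument in code: the detector cannot know a spike is a flash sale unless a person tells it, and the slow attack is only visible when somebody decides to look at a week’s worth of failures per account rather than a minute’s worth per IP.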

Quick shout out for Shopify users in particular: On Shopify, the platform itself handles a lot of the underlying infrastructure security but that doesn’t mean your store is automatically safe. App integrations, third-party checkout tools, and how you handle customer data are all areas where things can go wrong, and Shopify’s built-in tools won’t always catch them. Be vigilant.

Now what? What should you actually do?

Don’t worry, you don’t need to become a cybersecurity expert. But you do need to treat security as something that needs regular, human attention, not just a plugin you install and forget. There are new threats every day, so you need to make sure you’re continually reviewing your website security and keeping an eye on things. A big part of this is performing regular maintenance on your site – something we’ve written about before. We generally recommend that you do this once a month, as little and often is best.

You need to make sure to keep everything updated, such as WordPress core, themes, and plugins. This is especially important when there’s a security release/patch. For those Shopify users among us, make sure to review your installed apps regularly and remove anything you’re not actively using.

Whilst you’re on your site and keeping it updated, it’s worth taking regular backups too. If you’re not sure how often to take a backup, ask yourself how much data you could afford to lose without it seriously damaging your business. For example, if losing a day’s worth of orders is going to cripple you, you’re going to need to make sure you’re performing backups on the regular. 

When doing your regular maintenance, it might be a good idea to review your security setup at the same time. Your site changes, your team changes, threats change. A regular check-in – even a quick one – is far better than set-and-forget. Is there someone with access to your site who doesn’t need it anymore? Time to remove them. On that note…

Be sensible about access to your site

Not everyone and their mum needs access to your site, and certainly not admin-level access. So limit people to what they really need: on WordPress, that’s done through user roles, and on Shopify through staff permissions.

Make sure you have a good password policy too. And we don’t just mean making sure your own password is decent – make sure anyone who has access to your site also follows best practice. This means using a strong, unique password – remember that length trumps complexity. Use a password manager if you can’t trust yourself to remember a different password for every login you have. 

It’s also well worth enabling two-factor authentication wherever you can.
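Here is what a “length trumps complexity, unique per login, not Password123” policy looks like as a check, added as an example rather than taken from the post or from any plugin. The minimum length, the tiny deny list and the way reuse is remembered (a hash of the previous password) are all assumptions for the example; a real deny list would be a large breached-password corpus.

```python
"""Added example: a length-first password policy check.

MIN_LENGTH and the small deny list are assumptions for the example. In
practice the deny list should be a large breached-password corpus, and the
check runs at the point a user sets or changes a password.
"""
import hashlib
import re

MIN_LENGTH = 14  # assumed policy value; the post's point is length over complexity

# Constructed stand-in for a breached/common-password list.
COMMON = {"password", "password123", "123456", "qwerty", "letmein", "welcome", "admin"}


def normalise(pw):
    """Lowercase and strip a trailing run of digits/symbols, so 'Password123!'
    is matched against the same deny-list entry as 'password'."""
    return re.sub(r"[\d!@#$%^&*.?]+$", "", pw.lower())


def digest(pw):
    """Hash used to remember already-used passwords without storing them."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def check_password(candidate, already_used=frozenset(), deny_list=COMMON, min_length=MIN_LENGTH):
    """Return the list of policy problems; an empty list means acceptable.
    Deliberately no 'must contain a symbol/number/capital' rule: a long
    passphrase with none of those passes, a short one with all of them fails."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if candidate.lower() in deny_list or normalise(candidate) in deny_list:
        problems.append("well-known password or a trivial variant of one")
    if digest(candidate) in already_used:
        problems.append("already used for another login; every login needs its own")
    return problems


if __name__ == "__main__":
    for pw in ["Password123", "Welcome2024!!", "my cat sleeps on the warm radiator"]:
        print(repr(pw), "->", check_password(pw) or "ok")
```

Note that `Welcome2024!!` fails on both counts even though it has capitals, numbers and symbols, while a plain four-word passphrase passes: that is the “length trumps complexity” rule doing its job.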

Finally, be alert for social engineering – be cynical about emails, especially if it’s something you weren’t expecting. If someone emails claiming to be from your hosting company, WordPress, or Shopify asking you to click a link and log in then stop and verify through a separate channel before you do anything.

In short…

  • Keep your site maintained 
  • Take regular backups
  • Don’t willy-nilly add people to your site with full admin access – lock down user levels
  • Have a proper password, not Password123 – and make anyone with access to your site follow your password policy
  • Use a password manager, if you need to
  • Enable two-factor authentication wherever you can
  • Be alert for social engineering (phishing etc)

As much as we love to hate on AI, we do recognise that AI security tools can be a worthwhile part of your website’s defences (it is not a complete solution though!). If you’re on WordPress, something like Wordfence (our personal favourite) or Solid Security gives you a useful automated layer. If you’re on Shopify, the platform’s built-in protections are a reasonable starting point, so long as they’re supplemented by careful app management.

But please, don’t stop there. The most successful attacks on small business websites aren’t sophisticated AI-versus-AI battles. They’re opportunistic. They target outdated plugins, weak passwords, and people who clicked the wrong link in an email. None of those require a genius attacker – and none of them will be stopped by a security tool running in the background.

Don’t forget that, if all this seems a bit much for you, we do offer a monthly maintenance service – so it doesn’t have to be your problem. Hint, hint, nudge, nudge. Drop us a line on hello@soxdigital.co.uk to find out more.

Disclaimer: Yes, we did use AI to generate the header image with this one. Guilty as charged. Rest assured, the irony is not lost on us.