Why WordPress Isn’t the Problem: A Real Look at Site Security


When something powers over 40% of the internet, it’s bound to attract attention, good and bad. WordPress isn’t uniquely vulnerable; it’s just the largest target on the internet. The more widely a platform is used, the more frequently it appears in cyberattack statistics. That’s a matter of scale, not structural weakness. Understanding this distinction is key to separating anecdote from evidence when evaluating WordPress’s actual security posture.

Open-Source Nature and Plugins

The open-source model is part of WordPress’s strength, but it’s often misunderstood. Anyone can build a plugin or theme. That’s a blessing for flexibility, but also introduces risk when poorly maintained code gets added to the ecosystem. Misuse isn’t a platform flaw; it’s a human oversight.

The Origins of the Myth

Much of the “WordPress is insecure” narrative stems from stories of hacked blogs or compromised small business sites. In reality, most of those breaches trace back to outdated plugins, weak credentials, or pirated (nulled) themes. The myth persists because the headline is simple. The truth isn’t.

What the Data Really Shows

The 2025 Patchstack report paints a sharper picture of the modern WordPress threat landscape. Nearly 8,000 new vulnerabilities were recorded in 2024 alone, averaging 22 per day, and a staggering 96% came from third-party plugins. In contrast, only seven core WordPress vulnerabilities were identified during the same period, none of which posed widespread risk.

What matters more than volume is impact. Patchstack’s Priority Score revealed that only 11.6% of vulnerabilities were high priority, but these were often exploited or considered likely targets. Alarmingly, 43% of all vulnerabilities required no authentication to exploit, underlining the rise of fast, automated attacks.

Perhaps most concerning: over 1,600 plugins and themes were removed from the WordPress.org repository in 2024 due to unresolved security issues. One-third of all disclosed vulnerabilities weren’t patched before going public. That critical lag time leaves sites exposed when exploits spread fastest.

And on the horizon: artificial intelligence. In 2024, AI-generated exploits and polymorphic malware began surfacing, alongside more advanced scanners used by researchers and attackers alike. As AI accelerates both discovery and exploitation, the margin for error will only shrink.

The takeaway? WordPress security in 2025 is about sustained strategy, vulnerability management, software supply chain integrity, compliance readiness, and AI awareness. Reactive security is no longer enough.

Up-to-Date Installations vs Outdated Sites

Reports like those released every year by Patchstack and Sucuri consistently highlight that most compromised WordPress sites were running outdated versions. Sucuri found 39% of hacked CMS installs were out-of-date when breached. Notably, WordPress core auto-updates have drastically reduced exploits in core files over the last few years.

Vulnerability Statistics Breakdown

Vulnerabilities by Component (Core, Plugins, Themes)

Patchstack’s 2023 report notes that only about 0.2% of all WordPress vulnerabilities originate from core WordPress files. The rest? Plugins and themes. That means the risk isn’t baked into WordPress itself. It’s about what gets layered on top.

Expert Analyses (Patchstack, WPScan, etc.)

Security platforms agree: the WordPress core team is quick to patch and responsible with disclosure. WPScan, a leading vulnerability database, shows thousands of plugin vulnerabilities each year. But it also shows that responsible developers release fixes fast. Problems arise when site owners delay updates or use abandonware.

The True Culprits Behind Hacks

Common Vulnerability Vectors

Most WordPress breaches happen when outdated plugins are left sitting on a live site. Even well-known tools like Elementor, WPBakery, or WooCommerce have had high-profile bugs patched quickly, but only if updates are applied.

The Danger of Nulled Themes and Plugins

Pirated premium themes and plugins often carry embedded malware. They offer flashy features at zero cost, but many include backdoors. These files don’t just leave the door open; they hand over the keys.

Human and Hosting Factors

Weak Passwords and Administrative Access

Weak admin credentials continue to be one of the easiest ways to break into a WordPress site. Default usernames like “admin” and passwords like “password123” are still common.
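Credential guessing only works because an attacker is allowed unlimited tries. The following must-use plugin is an added example, not part of the article and not WordPress core or any named plugin; it counts failed logins per source address using WordPress's transient API and refuses further attempts for a cooling-off period. The file path, the threshold of five failures and the 15-minute window are assumptions.

```php
<?php
/**
 * Plugin Name: Login attempt throttle (added example)
 *
 * Added example, not from the article: a must-use plugin
 * (wp-content/mu-plugins/login-throttle.php) that counts failed logins per
 * source address and refuses further attempts for a cooling-off period.
 * The thresholds below are assumptions, not WordPress defaults.
 */

const LT_MAX_FAILURES   = 5;    // assumed: failures allowed per window
const LT_WINDOW_SECONDS = 900;  // assumed: 15-minute window and lockout

function lt_client_key(): string {
    // REMOTE_ADDR is what PHP saw. Behind a proxy or CDN, have the web server
    // restore the real client address first; do not trust X-Forwarded-For blindly.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lt_fail_' . md5( $ip );
}

// Record a failure. wp_login_failed fires for a wrong username and for a wrong
// password alike, so the counter does not reveal which part was wrong.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lt_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LT_WINDOW_SECONDS );
    // Leave a trail for the host's log shipping; the password is never logged.
    error_log( sprintf(
        'login failed user=%s ip=%s count=%d',
        sanitize_user( $username ),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $count
    ) );
} );

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a throttled client receives the same generic error whether or not the
// guessed password happened to be right.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lt_client_key() ) >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 1 );

// Clear the counter on success so a legitimate user who mistyped once is not
// locked out after logging in.
add_action( 'wp_login', function () {
    delete_transient( lt_client_key() );
} );
```

Transients live in the options table (or the object cache, when one is configured), so the counter survives across PHP workers without any extra storage. The plugin does nothing about the “admin” username itself; renaming that account and enforcing long passphrases remains a separate step.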

Poor Hosting or Misconfiguration

Not all hosting environments are equal. Cheap shared hosting often lacks isolation between sites. If one account gets compromised, others on the server may too. Misconfigured file permissions and outdated PHP versions further compound the risk.
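The two misconfigurations named above can be checked from the shell without loading WordPress. The script below is an added example, not code from the article or from WordPress; it verifies the PHP version against a policy floor, checks that wp-config.php and the site directories do not carry permission bits beyond an assumed policy, and looks for the DISALLOW_FILE_EDIT constant. The site path and the 8.1 floor are assumptions.

```php
<?php
// Added example (not from the article): a stand-alone CLI check run on the
// server as the site's own user:
//   php check-hosting.php /var/www/example.com   (path is an assumption)
// It inspects only the filesystem and the PHP binary, so it is safe on a live site.

const MIN_PHP = '8.1.0'; // assumed policy floor; adjust to the supported branches

function check_php_version(string $min = MIN_PHP): array {
    $ok = version_compare(PHP_VERSION, $min, '>=');
    return ['php_version', $ok, sprintf('running %s, minimum %s', PHP_VERSION, $min)];
}

// On shared hosting, "world" means every other account on the box, so a
// world-readable wp-config.php exposes the database credentials to all of them.
// Policy used here: files at most 0644 (wp-config.php 0640), directories 0755.
function check_mode(string $path, int $allowed): array {
    if (!file_exists($path)) {
        return [$path, false, 'missing'];
    }
    $mode  = fileperms($path) & 0777;
    $extra = $mode & ~$allowed; // permission bits set that the policy does not allow
    return [$path, $extra === 0, sprintf('mode %04o, allowed at most %04o', $mode, $allowed)];
}

function check_wp_config_constants(string $root): array {
    $src = @file_get_contents($root . '/wp-config.php');
    if ($src === false) {
        return ['wp-config.php', false, 'unreadable'];
    }
    $pattern = "/define\\(\\s*['\"]DISALLOW_FILE_EDIT['\"]\\s*,\\s*true\\s*\\)/";
    $has = preg_match($pattern, $src) === 1;
    return ['DISALLOW_FILE_EDIT', $has, $has ? 'set' : 'not set: dashboard file editor is enabled'];
}

function run_checks(string $root): array {
    return [
        check_php_version(),
        check_mode($root . '/wp-config.php', 0640),
        check_mode($root, 0755),
        check_mode($root . '/wp-content', 0755),
        check_mode($root . '/wp-content/uploads', 0755),
        check_wp_config_constants($root),
    ];
}

$root   = rtrim($argv[1] ?? getcwd(), '/');
$failed = 0;
foreach (run_checks($root) as [$name, $ok, $detail]) {
    printf("[%s] %-34s %s\n", $ok ? 'PASS' : 'FAIL', $name, $detail);
    $failed += $ok ? 0 : 1;
}
exit($failed === 0 ? 0 : 1);
```

The non-zero exit status lets the script sit in a cron job or a deployment pipeline as a gate. The permission policy is deliberately conservative; a host that runs PHP under a different user than the one owning the files may need different modes, which is exactly the kind of detail a proper hosting review should document.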

Why WordPress Core Is Actually Secure

Auto-Updates and Security Releases

Since version 3.7, WordPress has included automatic updates for minor versions. Security patches get pushed quickly, and most reputable hosting providers support them without breaking sites.
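Core minor updates are on by default, but plugins and themes are not, and that gap is where the update lag described above lives. The must-use plugin below is an added example, not code from the article or from WordPress; it opts a site into unattended plugin and theme updates using WordPress's own auto_update_plugin and auto_update_theme filters. The file path and the allow-list of plugin slugs are assumptions standing in for a site's actual policy.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 *
 * Added example, not from the article: wp-content/mu-plugins/auto-updates.php.
 * A must-use plugin loads before ordinary plugins and cannot be deactivated
 * from the dashboard, which makes it a good place for policy that should
 * not be switched off by a click.
 */

// Assumed policy: plugins on this list update unattended; everything else
// keeps whatever the dashboard toggle says.
$trusted_plugin_slugs = array( 'woocommerce', 'elementor' ); // assumed list

add_filter(
    'auto_update_plugin',
    function ( $update, $item ) use ( $trusted_plugin_slugs ) {
        if ( isset( $item->slug ) && in_array( $item->slug, $trusted_plugin_slugs, true ) ) {
            return true;
        }
        return $update; // leave the per-plugin dashboard choice untouched
    },
    10,
    2
);

// Themes: enable unattended updates for all of them.
add_filter( 'auto_update_theme', '__return_true' );

// Have WordPress e-mail the site admin about core update results, so a
// failed update does not go unnoticed.
add_filter( 'auto_core_update_send_email', '__return_true' );
```

Two related settings belong in wp-config.php rather than here: define( 'WP_AUTO_UPDATE_CORE', true ) extends core auto-updates from minor releases to major ones ('minor' keeps the default), and define( 'DISALLOW_FILE_EDIT', true ) removes the in-dashboard file editor so a stolen admin session cannot write PHP to disk. Auto-updates run from WP-Cron, so a site with low traffic or with WP-Cron disabled needs a real system cron hitting wp-cron.php for the policy to take effect on schedule.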

Only 0.2% of Vulnerabilities in Core

The small fraction of core vulnerabilities found each year is typically made up of edge cases, and almost all are addressed within days. Compare that with third-party plugin issues, and it becomes clear where the actual risk lies.

Multiple Review Layers and Bug Bounties

The WordPress core team works closely with researchers and sponsors a bug bounty program via HackerOne. Pull requests are reviewed, tested, and monitored by developers around the globe.

Plugins Are Not Inherently Bad

Plugins add functionality, but they require oversight. Think of them as apps on a smartphone. Downloaded wisely and updated regularly, they’re safe. Abandoned plugins, however, are like expired food in the fridge.

Best Practices Make the Difference

1. Security isn’t static. Staying current with plugin, theme, and core updates is the simplest way to avoid 90% of known vulnerabilities.

2. Using a host with built-in firewall protection, automated backups, and malware scanning removes a huge portion of risk. Add security plugins like Wordfence or Sucuri, and a basic WordPress site becomes impressively robust.

3. Partnering with a WordPress-focused digital agency brings another layer of assurance. Agencies that specialize in enterprise-grade WordPress development and support don’t just build beautiful sites. They implement governance models, enforce secure coding standards, and maintain full lifecycle oversight. From custom plugin vetting to access controls and performance monitoring, a seasoned WordPress agency becomes an extension of the in-house team. This kind of partnership ensures that the platform not only meets design and content needs but also stays resilient, up-to-date, and compliant as it scales.

WordPress Security the Right Way

The narrative that WordPress is insecure doesn’t hold water. The data is clear: when maintained properly, WordPress is as secure as, if not more secure than, any other CMS on the market. Breaches tend to come from negligence, not the platform. Trew Knowledge builds and maintains secure WordPress platforms for clients across sectors. Whether it’s compliance, custom development, or proactive website support, our team brings the rigour of enterprise security to the flexibility of open-source.

Reach out today and let’s make WordPress work—securely—for any digital vision.