WordPress Security / 10 min read

How safe is WordPress? What you need to know in 2024

Unsecured websites are often the target of cybercriminals and otherwise bad actors. With the cost of cybercrime projected to climb to $24 trillion in 2027, it’s only natural for website owners and developers to be even more careful when managing website security.

WordPress is the most popular CMS in the world. It’s used in about 63% of websites with a known CMS or around 43% of all websites. Being so widespread, it’s no surprise that WordPress sites are often the victim of hacks and breaches.

This article will explore the essential information you need to know about WordPress security, including:

  • The main elements of WordPress’ security.
  • Common WordPress security vulnerabilities and threats.
  • Current WordPress security statistics.
  • WordPress security best practices.

Keep reading to understand better how to set up and maintain a secure WordPress site.

Elements of WordPress’ security

WordPress websites consist of the core WordPress installation and the additional software component you add later (plugins and themes).

When boosting your site’s security, you need to be aware of these three main elements. It is a short overview of each of the elements and their role in your site’s security.


The WordPress core is the set of files you install on your server when you start a WordPress.org webpage. They are the essential files all WordPress sites need to operate.

The WordPress core is developed and maintained by the team behind WordPress.org, which employs world-class cybersecurity experts to monitor and patch vulnerabilities constantly. As a result, the core is very secure, but it may still be open to occasional vulnerabilities before they’re patched.

Older WordPress cores are not maintained, and as a result, they’re much more vulnerable to exploits. Keeping the core files updated is a crucial security measure.

Plugins and themes

WordPress.org’s team does not develop plugins and themes. As a result, their security level depends on the developers’ dedication to it.

It means some plugins and themes are very secure because they have a team of cybersecurity experts behind them. In contrast, others are much less secure due to a lack of maintenance and updates. Some plugins and themes may even be abandoned, making them even more insecure.

The best way to avoid vulnerabilities in plugins and themes is to install only reputable ones and keep them updated.

Common WordPress security vulnerabilities and threats

WordPress has vulnerabilities that can be turned into security threats by malicious actors, such as hackers motivated for monetary gain, website traffic, or any other reason.

These are the most common and significant WordPress vulnerabilities and threats.

Out-of-date CMS cores and PHP versions

Code screen

As we explained above, the core is the main WordPress installation containing the fundamental basis of your website. Older versions are no longer supported by WordPress.org, meaning their known vulnerabilities will forever remain unpatched.

As a result, hackers can exploit them more easily, safely knowing that they cannot be stopped via security patches. The same goes for PHP, the programming language powering the core files. Older PHP versions are less secure.

Unsecured admin panels

A man using the admin of a WordPress site

Exploiting the admin login URL via brute force attacks is one of the most common ways. WordPress sites are hacked, providing full access to the admin dashboard. There are many ways to secure your admin login URL, but these three are probably the most common and effective:

  • Change the default login URL to a unique one that is harder to guess.
  • Add two-factor authentication to the login process.
  • Establish a limit for failed login attempts.

Brute Force Login Attempts

code screen

Brute force login attempts or brute force attacks are cyberattacks in which the attacker guesses every possible combination of characters to find a password that allows them access to a site.

It’s one of the simplest cyberattacks and can take a lot of time before stumbling into the correct password. Using long, strong, unique passwords makes brute-force attacks less effective.

Vulnerable, unsecured plugins and themes

Plugins section of a WordPress

Considering there are dozens of thousands of plugins and themes that interact with your websites in multiple ways, it’s possible for hackers to eventually find a vulnerability in one of them and exploit it to gain access to unsuspecting websites.

Plugin and theme vulnerabilities can be the most harmful when exploited in popular plugins and themes installed on thousands or millions of websites. The wide adoption increases the pool of possible targets and provides larger amounts of information to steal.


A man coding

Malware (malicious software) is a broad family of software created to damage or gain unauthorized access to a computer system. Various types of malware operate in different ways to exploit different website mechanisms.

In WordPress, the most common types of malware are:


A man using his computer and a server on the back

Hotlinking is linking content (images, music, videos, documents, etc.) from one website to another instead of downloading the file and hosting it on your own server. When Website A links to content in Website B instead of hosting the file, Website A costs Website B bandwidth and processing resources by not hosting the files.

It increases bandwidth spent on Website B without directing traffic their way while providing traffic to Website A. At best, it’s bad etiquette. At worst, it’s malicious.

Denial-of-Service (DoS)

A lock over a keyboard

DoS attacks shut down a service, network, or website, disrupting it so visitors cannot use it.

Most often, hackers overwhelm the victim’s systems with an excessive amount of traffic requests. When the requests come from multiple devices instead of a single one, it’s called a distributed denial of service (DDoS).

SQL injections

Code screen

SQL is a programming language used to manage relational databases. All WordPress sites use relational databases. SQL injections are malicious uses of SQL to gain access to backend information that was supposed to stay hidden from the public.

Cross-Site Scripting (XSS)

Code screen

XSS is a type of attack where a third party injects malicious scripts into otherwise benign websites. The injected scripts can impersonate legitimate users, steal sensitive data, and more. XSS is one of the most common types of cyberattacks in the WordPress ecosystem.

WordPress security statistics

Now that we have context about WordPress’ common vulnerabilities and threats, let’s explore vital security statistics you should be aware of.

For some context, it’s estimated that around 90,000 WordPress sites are attacked every day. WordPress’s also well-known as the most vulnerable CMS: in 2021, over 95% of sites where SiteCheck performed a malware scan and cleanup were WordPress sites. The other CMSs accumulated less than 5% of attacks.

Since SiteCheck’s user base is almost entirely WordPress users, we shouldn’t take this statistic to mean that 95% of all cyberattacks occur on WordPress sites. Still, given WordPress’ massive market share, it’s expected to be the most common target for cyberattacks.

As you read through these nuggets of data, remember that they come from reports created by specific companies that monitor security in WordPress and sometimes other CMSs, too. More specifically, our sources are:

  • Wordfence’s 2022 security report.
  • Sucuri’s 2021 security report.

The scope of these reports is limited when compared to all of WordPress’ user base. However, they still provide a good overview of WordPress’ security environment. With that in mind, let’s explore some WordPress security statistics.

Credential stuffings are the most common type of attack

In 2022, the most common type of attack against WordPress was credential stuffings, where an attacker tries to guess multiple username and password combinations for a site. The username and password combinations come from data breaches and password lists.

Wordfence blocked more than 159 billion credential-stuffing attacks in 2022.

Source: Wordfence’s 2022 State of WordPress Security Report.

Cross-site scripting is the most commonly disclosed WordPress vulnerability.

Cross-site scripting (XSS) was the most common category of disclosed (publicly known) WordPress vulnerability in 2022, accounting for nearly half of all disclosed vulnerabilities. The next most common types were cross-site request forgery, authorization bypass vulnerabilities, SQL injections, and information disclosure.

Source: Wordfence’s 2022 State of WordPress Security Report.

Most attacks take place on already-compromised websites

In 2022, most attacks against WordPress occurred in sites that had already been compromised rather than sites that had been secure up to that point. It is known as “persistent infection.”

Source: Wordfence’s 2022 State of WordPress Security Report.

Many website owners don’t keep their WordPress cores updated

In 2021, 48% of SiteCheck users (most of which use WordPress) had outdated CMS installations, making them more vulnerable to exploits.

Source: Wordfence’s 2022 State of WordPress Security Report.

The problem of credential reuse is growing.

Credential reuse is reusing the same password for multiple systems (admin account, cPanel account, phpMyAdmin account, etc.). As more leaked passwords accumulate yearly, malicious actors have a larger pool of potentially reusable passwords.

Unmaintained WordPress accounts are especially vulnerable.

Source: Wordfence’s 2022 State of WordPress Security Report.

WordPress security-related lists

The most common types of WordPress malware in 2021

The following is a list of the most common types of malware found during SiteCheck’s scans and cleanups:

  1. Generic malware such as PHP malware, site URL/ home URL infections, malicious processes that primarily affect .htaccess and ./index.php, etc.. (61%)
  2. Backdoors (60%)
  3. SEO spam (52)
  4. Hacktools (20%)
  5. Phishing (7%)
  6. Defacements (6%)
  7. Mailers (5%)
  8. Droppers (0.63%)

The percentages overlap because sites are often infected by multiple types of malware simultaneously.

Source: Sucuri’s 2021 Website Threat Research Report.

The 10 most vulnerable WordPress plugins in 2021 by popularity

In 2021, these were the most vulnerable WordPress plugins, based on the number of installations:

  1. WooCommerce (5+ Million)
  2. All In One SEO (3+ Million )
  3. Ninja Forms (1+ Million)
  4. Redux Framework (1+ Million)
  5. WP Fastest Cache (1+ Million)
  6. Astra Starter Templates (1+ Million)
  7. WP Statistics (600,000+)
  8. WP User Avatar / ProfilePress (400,000+)
  9. Simple 301 Redirects by BetterLinks (200,000+)
  10. Thrive Themes Plugins/Themes (100,000+)

This data does not necessarily indicate that these plugins were the attack vector. Still, they likely contributed to an unsafe environment for the websites they were installed in.

Source: Sucuri’s 2021 Website Threat Research Report.

The 10 most vulnerable plugins, based on their CVSS score

The Common Vulnerability Scoring System (CVSS) is a rating from 0 to 10 that indicates how severe security vulnerabilities are in a given software. 10 is the most severe, and 0 is the least severe.

Based on their CVSS score, in 2021, the plugins with the most severe security vulnerabilities were:

  1. Thrive Themes Plugins/Themes (10)
  2. Kaswara (abandoned by the developers, 9.9)
  3. Simple 301 Redirects (9.9)
  4. External Media (9.9)
  5. Store Locator Plus (abandoned by the developers, 9.9)
  6. All In One SEO (9.9)
  7. WP User Avatar / ProfilePress (9.8)
  8. Booster for WooCommerce (9.8)
  9. Image Hover Effects Ultimate (9.8)
  10. PublishPress Capabilities (9.8)

Source: Sucuri’s 2021 Website Threat Research Report.

Abandoned plugins are highly vulnerable.

Abandoned plugins are those no longer being updated by their developers. This makes them likely to be exploited since developers no longer patch known vulnerabilities. In 2021, abandoned plugins Kaswara and Store Locator Plus were two of the most vulnerable in the WordPress ecosystem.

Kaswara is a page builder, which means that users who built their page using Kaswara had to rebuild it entirely or stay open to security leaks.

Source: Sucuri’s 2021 Website Threat Research Report.

The most well-protected WordPress sites in 2021

The most well-protected WordPress sites in 2021 were the ones employing auto-updates for plugin components and using a Web Application Firewall (WAF) to block attack attempts.

Source: Sucuri’s 2021 Website Threat Research Report.

Are WordPress websites secure?

WordPress.com screen

In the hands of an experienced WordPress developer who is informed about common vulnerabilities and knows how to secure a site, WordPress sites can be as secure as any website can be in any CMS.

In the hands of someone unaware of common vulnerabilities, who doesn’t update plugins and themes, doesn’t update PHP versions and core files, doesn’t make regular backups, and doesn’t understand security best practices, it can lead to a costly security breach.

The WordPress ecosystem has the tools to build a secure website. Still, it’s up to the developers and owners to take the necessary measures and stay on top of known vulnerabilities if they want to create a secure environment.

If you found this post useful, read our blog for more WordPress insights, guides, and tips.