WordPress Security Statistics 2025-2026: Vulnerabilities, Attacks, and Prevention Data
April 14, 2026
Updated April 14, 2026 – Includes Q1 2026 data
WordPress powers 43.5% of all websites, which makes it the single largest target for automated attacks. This page compiles verified statistics on WordPress threats, vulnerabilities, and hack prevention for 2025 and 2026, with sources linked on every data point.
Patchstack released its State of WordPress Security in 2026 whitepaper on February 25, 2026. Key findings: a 5-hour median window from disclosure to first exploitation, 87.8% of hosting defenses fail, and 46% of vulnerabilities had no patch at disclosure. SolidWP's weekly reports supply the Q1 2026 disclosure volumes, including 333 new vulnerabilities in the week of January 7, 2026. This article has been updated with all Q1 2026 data.
In 2025, 11,334 new vulnerabilities were found in the WordPress ecosystem (+42% year over year). An estimated 13,000 sites are hacked every day. The median time from disclosure to first exploitation is 5 hours. 46% of vulnerabilities have no patch at disclosure. Standard hosting defenses block only 26% of exploits. In January 2026, 333 new vulnerabilities were disclosed in a single week. 52% of plugin developers do not patch before public disclosure. Only 27% of site owners have a breach recovery plan.

01. Vulnerability Landscape 2025-2026
The WordPress vulnerability landscape reached a historic peak in 2025. According to Patchstack’s State of WordPress Security in 2026 whitepaper, 11,334 new vulnerabilities were discovered across the WordPress ecosystem. That is the highest number ever recorded, and a 42% jump from 2024’s 7,966. More high-severity vulnerabilities were discovered in 2025 than in the previous two years combined.

In the first half of 2025 alone, 6,700 new vulnerabilities were identified, and 41% of them were exploitable in real-life attacks. That is roughly 2,750 exploitable vulnerabilities in 181 days: about 15 a day, or a new exploitable WordPress vulnerability every hour and a half on average.
Q1 2026 data is already alarming. In the week of January 7, 2026, 333 new vulnerabilities were disclosed (253 in plugins, 80 in themes), and 120 of those remained unpatched. The current average is 250+ new plugin vulnerabilities weekly, or 36 new plugin vulnerabilities every single day. By the week of March 25, 2026, the rate remained at 331 vulnerabilities per week. Source: SolidWP Weekly Reports, Jan-Mar 2026
Where Do Vulnerabilities Come From?

WordPress core itself is remarkably stable. The core team's security review process has kept core vulnerabilities consistently low, with roughly 23 core vulnerabilities counted for 2025 against more than 11,000 across the ecosystem. The real exposure lies in plugins and themes, particularly premium plugins sold on marketplaces like Envato, which are harder for security researchers to obtain and audit.
This is the reasoning behind WP Ghost's path hiding. Bots request known plugin paths such as /wp-content/plugins/contact-form-7/ (and that plugin's readme.txt) to learn which plugins and versions a site runs, then pick the exploit that matches. If the request returns a 404, the scanner cannot confirm the plugin is present and usually moves on, so your site is far harder to match against the 250+ plugin vulnerabilities disclosed each week. Two caveats apply. Hiding paths denies reconnaissance; it does not remove the bug. A plugin's own endpoints (admin-ajax.php actions, REST routes, shortcodes) stay reachable, and some exploit bots fire their payload at every site without fingerprinting first. Path hiding raises the cost of targeting you and buys time until you can update; it is not a substitute for the update.
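Here is what that fingerprinting looks like in practice. The script below is an added example (not WP Ghost code, and not from Patchstack or SolidWP) that reads the same artefacts a scanner reads, and that section 03 below lists: the generator meta tag, the ?ver= query strings on enqueued plugin assets, the stock readme.html, and each plugin's readme.txt "Stable tag" line. It then compares the versions it finds against an advisory list. The site responses, the plugin name example-slider, and the advisory versions are all constructed for the example; run the same logic against your own host to see exactly what path hiding and version stripping have to suppress.

```python
"""
What a plugin/version fingerprinting scan reads, and how it matches the result
against advisories. Added example: SAMPLE_SITE is a constructed set of HTTP
responses, not a real host; swap `fetch` for urllib against your own site.
"""
import re

# Constructed responses keyed by URL path -> (status, body). The woocommerce
# readme returns 404: that plugin is absent (or its path is hidden).
SAMPLE_SITE = {
    "/": (200, '''<html><head>
<meta name="generator" content="WordPress 6.7.1" />
<link rel="stylesheet" href="/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.9.8" />
<script src="/wp-content/plugins/example-slider/js/slider.js?ver=2.3.0"></script>
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>'''),
    "/readme.html": (200, "<h1>WordPress</h1>\n<br /> Version 6.7.1"),
    "/wp-content/plugins/contact-form-7/readme.txt": (200, "=== Contact Form 7 ===\nStable tag: 5.9.8\n"),
    "/wp-content/plugins/example-slider/readme.txt": (200, "=== Example Slider ===\nStable tag: 2.3.0\n"),
    "/wp-content/plugins/woocommerce/readme.txt": (404, "Not Found"),
}

# Constructed advisory list: slug -> first fixed version. Not real advisories.
ADVISORIES = {"example-slider": "2.3.1", "contact-form-7": "5.9.0"}

GENERATOR_RE = re.compile(r'<meta name="generator" content="WordPress ([0-9.]+)"')
# Enqueued plugin assets carry the plugin version as ?ver= unless the plugin strips it.
PLUGIN_ASSET_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/[^\s?]*\?ver=([0-9][0-9.]*)")
README_VER_RE = re.compile(r"Version ([0-9.]+)")
STABLE_TAG_RE = re.compile(r"^Stable tag:\s*([0-9.]+)", re.M)


def fetch(site, path):
    """Stand-in for an HTTP GET: look the path up in the constructed site."""
    return site.get(path, (404, ""))


def version_tuple(v):
    """'5.9.8' -> (5, 9, 8); tolerates suffixes such as '2.3.0-beta'."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def fingerprint(site, probe_slugs=()):
    """Return {'core': version or None, 'plugins': {slug: version or None}}."""
    core, plugins = None, {}
    status, body = fetch(site, "/")
    if status == 200:
        m = GENERATOR_RE.search(body)
        core = m.group(1) if m else None
        for slug, ver in PLUGIN_ASSET_RE.findall(body):
            plugins.setdefault(slug, ver)
    if core is None:  # generator tag removed? the stock readme.html still prints the version
        status, body = fetch(site, "/readme.html")
        m = README_VER_RE.search(body) if status == 200 else None
        core = m.group(1) if m else None
    # readme.txt confirms presence and version even for plugins that enqueue nothing on the front page.
    for slug in sorted(set(plugins) | set(probe_slugs)):
        status, body = fetch(site, f"/wp-content/plugins/{slug}/readme.txt")
        if status != 200:
            continue  # 404: not installed, or the path is hidden
        m = STABLE_TAG_RE.search(body)
        plugins[slug] = m.group(1) if m else plugins.get(slug)
    return {"core": core, "plugins": plugins}


def vulnerable(fp, advisories):
    """Plugins whose detected version is older than the advisory's fixed version."""
    return [(slug, ver, advisories[slug])
            for slug, ver in fp["plugins"].items()
            if ver and slug in advisories
            and version_tuple(ver) < version_tuple(advisories[slug])]


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_SITE, probe_slugs=["woocommerce"])
    print("core:", fp["core"], "plugins:", fp["plugins"])
    print("vulnerable:", vulnerable(fp, ADVISORIES))
```

Everything the script reads is served to anonymous visitors by a stock install, which is why a scanner can build an inventory of your site without a single authenticated request. Removing the generator tag alone is not enough: the readme.html fallback and the per-plugin readme.txt probes still succeed unless those paths are blocked or hidden.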
02. Attack Vectors and Entry Points
Understanding how attackers get in is the first step to stopping them. In 2025, Cross-Site Scripting (XSS) dominated vulnerability disclosures, but the attack methods extend far beyond a single vector.

How Sites Get Hacked: Root Causes
Vulnerable plugins are the #1 entry point. Plugins account for the overwhelming majority of WordPress vulnerabilities. With 11,334 new vulnerabilities disclosed in 2025 and the average site running 20+ plugins, the odds of having at least one vulnerable plugin at any given time are high.
Login page exposure is the #2 entry point. In 2023, Wordfence blocked over 100 billion credential-stuffing attacks from more than 74 million unique IP addresses. Attackers do not need a zero-day exploit. A known username and a password leaked from another breach is often enough. Every WordPress site serves its login page at /wp-login.php by default, and bots know this. Changing the login path and rate limiting login attempts (with reCAPTCHA or similar) shrinks this attack surface sharply, but it does not eliminate it: xmlrpc.php accepts the same credentials and can batch hundreds of guesses into one system.multicall request, and the REST API exposes author usernames at /wp-json/wp/v2/users unless that route is restricted. Disable or block XML-RPC if nothing on your site needs it.
Outdated software is the #3 entry point. 46% of vulnerabilities have no patch at disclosure (Patchstack 2026), so even owners who apply updates promptly can be exposed. The median time from disclosure to first exploitation is just 5 hours. By the time you read about a new vulnerability, bots are already scanning for it.
The Unauthenticated Exploitation Problem
One of the most alarming findings from 2025: 43% of new WordPress vulnerabilities require no authentication to exploit. "Unauthenticated" means the attacker needs no account on the site. For the XSS and CSRF bugs that dominate this group, the attacker still needs a logged-in user, typically an administrator, to load a page or follow a link, but that is routinely achieved at scale. These flaws come from missing or incorrect checks in plugin code: output not escaped, input not sanitized, and AJAX or REST handlers registered without a capability check (current_user_can()) or a nonce check (check_ajax_referer(), wp_verify_nonce()). Because the vulnerable endpoint is identical on every install of the plugin, these bugs are exploited at massive scale by automated scanning tools.
This is precisely why hack prevention matters more than post-infection cleanup. WP Ghost's 8G Firewall is a pattern-based rule set that drops requests carrying common SQL injection and XSS payloads at the web server, before they reach any plugin code. Pattern matching can be evaded by encoding or reshaping a payload, so treat it as a layer that removes the bulk of automated noise, not as a replacement for patching. Combined with path security (which hides plugin paths from scanners), you reduce your exposure to both authenticated and unauthenticated attacks.
03. How Attackers Operate in 2025
The way WordPress attacks are carried out has shifted. The attack types themselves have not changed dramatically; their execution has. In 2025, automation, AI, and persistent infrastructure turned opportunistic hacking into sophisticated, large-scale operations.
Automated Mass Scanning
Hackers use automated bots, and increasingly machine learning, to scan thousands of WordPress sites at once. They read exposed version numbers from the generator meta tag, the ?ver= query strings on enqueued scripts and styles, and the stock readme.html (which prints the core version), and they read plugin readme.txt files, whose Stable tag line gives the plugin version. Matching that inventory against known CVEs now takes seconds. Your site does not need to be specifically targeted; automated tools will find it.
This is the core premise behind WP Ghost's hack prevention approach. If bots cannot find your WordPress paths, plugins, themes, or login page, they cannot fingerprint you. The bot requests /wp-content/plugins/vulnerable-plugin/readme.txt, gets a 404, and moves on, and your site is far less likely to land on a target list. This stops fingerprint-driven scanners; bots that fire exploit payloads blindly at admin-ajax.php or a REST route still reach plugin code, which is why updates remain essential.
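The same behaviour seen from the defender's side: the detector below is an added example (not part of WP Ghost, Patchstack, SolidWP or the original article) that walks a web server access log in the Apache/nginx combined format and flags the two bot patterns described above and in section 02: bursts of 404s across many distinct /wp-content/plugins/<slug>/ paths (enumeration), and bursts of POSTs to wp-login.php or xmlrpc.php (credential stuffing). The log lines, the IP addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example; tune the thresholds to your own traffic.

```python
"""
Flag plugin-path enumeration and credential stuffing in a combined-format
access log. Added example; SAMPLE_LOG is constructed, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
PLUGIN_SLUG_RE = re.compile(r"^/wp-content/plugins/([A-Za-z0-9_-]+)/")


def parse_line(line):
    """Return {ip, ts (aware datetime), method, path (query stripped), status} or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]
    return e


def max_in_window(times, window):
    """Largest number of sorted timestamps that fit inside any span of length `window`."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect(lines, window=timedelta(seconds=60), enum_threshold=5,
           login_threshold=10, xmlrpc_threshold=3):
    """Return {ip: {finding: count}} for source IPs that cross a threshold."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        hits = {}
        # 1. Enumeration: many *distinct* plugin slugs answered 404 within the window.
        probes = []
        for e in evs:
            m = PLUGIN_SLUG_RE.match(e["path"])
            if m and e["status"] == 404:
                probes.append((e["ts"], m.group(1)))
        slugs = {s for _, s in probes}
        if probes and len(slugs) >= enum_threshold and probes[-1][0] - probes[0][0] <= window:
            hits["plugin_enum"] = len(slugs)
        # 2. Login form: a failed wp-login.php POST re-renders the form with 200;
        #    a success redirects with 302, so a run of 200s ending in a 302 is a hit.
        logins = [e["ts"] for e in evs if e["method"] == "POST" and e["path"] == "/wp-login.php"]
        n = max_in_window(logins, window)
        if n >= login_threshold:
            hits["login_burst"] = n
        # 3. xmlrpc.php: one POST can bundle hundreds of guesses via system.multicall,
        #    so the threshold is deliberately low.
        rpc = [e["ts"] for e in evs if e["method"] == "POST" and e["path"] == "/xmlrpc.php"]
        n = max_in_window(rpc, window)
        if n >= xmlrpc_threshold:
            hits["xmlrpc_burst"] = n
        if hits:
            findings[ip] = hits
    return findings


def _line(ip, secs, method, path, status):
    """Build one constructed combined-format line at 10:00:00 UTC + secs on 7 Jan 2026."""
    ts = (datetime(2026, 1, 7, 10, 0, 0) + timedelta(seconds=secs)).strftime("%d/%b/%Y:%H:%M:%S")
    return f'{ip} - - [{ts} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


SLUGS = ["revslider", "wp-file-manager", "elementor", "woocommerce", "really-simple-ssl", "contact-form-7"]

# Constructed sample log using RFC 5737 documentation addresses.
SAMPLE_LOG = (
    # 203.0.113.7 probes six plugin readmes in ten seconds; only contact-form-7 exists.
    [_line("203.0.113.7", i * 2, "GET", f"/wp-content/plugins/{s}/readme.txt",
           200 if s == "contact-form-7" else 404) for i, s in enumerate(SLUGS)]
    # 198.51.100.22 posts twelve logins in 55 seconds; eleven fail (200), the last succeeds (302).
    + [_line("198.51.100.22", i * 5, "POST", "/wp-login.php", 302 if i == 11 else 200) for i in range(12)]
    # 198.51.100.23 sends three xmlrpc.php POSTs, each a possible multicall bundle.
    + [_line("198.51.100.23", i * 20, "POST", "/xmlrpc.php", 200) for i in range(3)]
    # 192.0.2.10 is an ordinary visitor loading a page and its plugin stylesheet.
    + [_line("192.0.2.10", 0, "GET", "/", 200),
       _line("192.0.2.10", 1, "GET", "/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.9.8", 200)]
)

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip, hits)
```

Note what separates the scanner from the visitor: the visitor's one plugin request returned 200, while the scanner collected 404s across five slugs in a few seconds. If you hide plugin paths, legitimate traffic to real plugins keeps working and only the enumeration pattern changes, so the same rule still catches it.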
Persistent Infrastructure: The 2025 Shift
Patchstack’s 2025 data revealed a significant strategic shift. Attackers are no longer just exploiting vulnerabilities and moving on. Uploader scripts nearly doubled in volume in June 2025 and maintained elevated presence through year-end. Attackers are investing in persistent infrastructure, planting uploaders that enable multi-stage attacks and long-term access. Post-breach remediation becomes significantly more complex, and the likelihood of reinfection increases dramatically.
Supply chain attacks are rising. In June 2024, plugins including Social Warfare and Blaze Widget were injected with malicious code that created unauthorized admin accounts and inserted SEO spam, all while hosted on the official WordPress.org repository. These attacks are particularly dangerous because they exploit a practice you should follow: keeping plugins updated. WP Ghost cannot prevent supply chain attacks directly, but its Security Threats Log helps you detect unusual requests that may indicate a compromised plugin is being exploited.
AI-Powered Attacks
In 2025, hackers began actively using AI to enhance attacks. AI tools are used to rewrite XSS payloads until they slip past signature rules, to generate SQL injection variants, to probe for handlers that skip nonce or capability checks, and to mine breach dumps for password patterns. Brute force attacks on WordPress sites surged by 60% over the previous year, according to Wordfence's threat intelligence team.
This makes multi-layer defense essential. No single security measure is enough. WP Ghost combines path security (hides you from fingerprinting), the 8G Firewall (blocks common injection patterns), brute force protection (limits login attempts with reCAPTCHA), 2FA with passkeys (makes a stolen password insufficient on its own), and security headers (mitigate clickjacking, MIME sniffing and some browser-side XSS impact). Each layer catches some of what the others miss.
04. The Real Cost of Getting Hacked
The financial consequences of a WordPress hack extend far beyond the initial cleanup. Here is what the data shows:
Direct costs. Professional malware removal services charge $150 to $500+ per incident. For complex infections with persistent backdoors, costs can reach $1,000 to $3,000. Some hosts charge additional fees for restoring from backups or re-provisioning servers.
Downtime and lost revenue. The average hacked WordPress site is offline for 24 to 48 hours during cleanup. For e-commerce sites, that downtime translates directly to lost sales. For service businesses, it means missed leads and damaged client trust.
SEO damage. Google flags hacked sites with “This site may be hacked” warnings in search results, which can persist for weeks after cleanup. Injected spam content and malicious redirects can cause ranking penalties that take months to recover from. Sites that distribute malware to visitors can be removed from search results entirely.
Reputation damage. Only 27% of site owners have a breach recovery plan (Patchstack 2026). The remaining 73% are scrambling during an active incident, often making decisions that compound the damage. Customer trust, once lost, is expensive to rebuild.
Reinfection rate. With the rise of persistent infrastructure attacks documented by Patchstack in 2025, cleaned sites face a significant reinfection risk. Attackers plant hidden backdoors that survive basic cleanup procedures, allowing re-entry weeks or months later.
Prevention is orders of magnitude cheaper than recovery. A proactive hack prevention plugin like WP Ghost costs a fraction of a single malware cleanup, runs silently in the background, and shrinks the attack surface that leads to infections in the first place.
05. What These Statistics Mean for Your Site
The data tells a clear story. Attacks are automated, the exploitation window is shrinking, and most hosting defenses are insufficient. Here is what you should take away:
Hiding is not a substitute for updating, but it is practical security. With 250+ new plugin vulnerabilities disclosed every week, keeping everything patched in real time is nearly impossible. Hiding your WordPress paths means scanners cannot easily identify which plugins you use, so they cannot match your site against the vulnerabilities they are hunting for. You buy time between disclosure and patching.
Layered defense is the only viable strategy. No single tool stops all attacks. Path security stops reconnaissance. The firewall stops common injection payloads. Brute force protection stops credential attacks. 2FA blunts stolen passwords. Security headers mitigate browser-level attacks. You need all of them.
Prevention beats cleanup every time. An estimated 13,000 sites are hacked daily, and 73% of site owners have no recovery plan. The cost of prevention is a fraction of the cost of recovery. The question is not whether your site will be targeted (it already is, by automated bots), but whether those bots will find anything to exploit.
WP Ghost is a proactive hack prevention plugin that reduces your attack surface before exploitation happens. It combines path security, the 8G Firewall, brute force protection with reCAPTCHA, 2FA with passkeys, security headers, and country blocking into a multi-layer defense that hides your site from bot reconnaissance and defends against the attacks that get through. Install the free version and run a Security Check to see which weaknesses your site currently exposes.
Sources
Patchstack – State of WordPress Security in 2026 (February 2026). Primary source for 2025 vulnerability totals, exploitation timelines, developer patching behavior, and hosting defense statistics.
SolidWP Weekly Vulnerability Reports (January-March 2026). Weekly vulnerability disclosure counts and patch status.
Wordfence Threat Intelligence. Credential-stuffing attack volume, brute force attack trends, and firewall block statistics.