DEV Community

youichi uda

I checked the WordPress sites I built years ago. Here's what I found.

"Oh, that site still works"

If you've ever built WordPress sites for clients, you know the feeling. You think about a site you delivered three years ago and wonder: are they keeping it updated?

You check. WordPress 5.x. Plugins untouched since delivery. PHP 8.1 — which reached end of security support in December 2025. No security headers configured at all.

It works. But "working" is not the same as "safe."

This article is about the uncomfortable reality of what happens to WordPress sites after we hand them over.

WordPress Is a Monoculture

The numbers

WordPress dominates the CMS market globally, holding about 61.7% of market share among CMS-powered sites. But in some markets, the concentration is extreme.

In Japan, WordPress holds 82.9% of the CMS market. "Small business website" and "WordPress site" are essentially synonyms. And while Japan is an extreme case, the pattern holds across most markets — WordPress is the default choice for agencies and freelancers everywhere.

Why monocultures are dangerous

In agriculture, monoculture — growing a single crop across vast areas — creates systemic risk. One disease can wipe out an entire harvest.

The CMS market has the same problem. When WordPress is this dominant, a single exploit can target millions of sites simultaneously. Find a vulnerability in Plugin A, and every site running that plugin is exposed. It's an attacker's dream: maximum impact, minimum effort.

And those vulnerabilities? They're discovered every single day.

Vulnerabilities Don't Trickle — They Pour

The scale

  • June 2025: 337 new vulnerabilities reported (298 plugins, 39 themes)
  • One week in January 2026 (Jan 12–18): 180 vulnerabilities disclosed
  • 96% of vulnerabilities come from plugins

That's roughly 25 new vulnerabilities per day. No individual developer or small team can keep up with this manually.

The scary part: no authentication required

About half of the vulnerabilities reported in late 2025 were exploitable without authentication. No login needed. No special permissions. Just hit a URL:

```http
GET /wp-json/vulnerable-plugin/v1/sensitive-data HTTP/1.1
Host: target-site.example.com
```

That's all it takes to leak data in some real-world vulnerabilities.

The Maintenance Gap

What happens after delivery

Here's a lifecycle I've seen play out dozens of times:

```
Year 0: Agency builds WordPress site with 10 plugins.
        Client declines maintenance contract — "too expensive."

Year 1: Agency says "please keep it updated."
        Client says "sure" (they don't).

Year 2: Maintenance contract ends. Relationship fades.

Year 3: Nobody remembers the wp-login password.
        The site becomes untouchable — "don't break it."

Year 4: PHP 8.1 reaches EOL. Hosting provider sends warnings. Ignored.

Year 5: Three plugins are abandoned by their developers.
        Known vulnerabilities, zero patches.

Year 6: ← We are here. The site loads fine.
          It's a vulnerability goldmine.
```

According to Japan's IPA (Information-technology Promotion Agency) 2024 SME Cybersecurity Survey:

| Finding | Number |
|---|---|
| Most common cause of unauthorized access | Unpatched vulnerabilities (48%) |
| Average incident cost | ~$5,000 (¥730,000) |
| Average recovery time | 5.8 days |
| Incidents impacting business partners | ~70% |

These numbers are from Japanese SMEs, but the pattern is universal. Small businesses everywhere run outdated WordPress installations and lack the resources to maintain them.

Is this really someone else's problem?

Hard truth: the client chose not to pay for maintenance. But we designed the site. Did we build it to be as low-maintenance as possible? Did we adequately communicate what happens without updates?

Realistically, not every client will sign a maintenance contract. But if we could at least make the current state visible, it would open the conversation.

Checking a WordPress Site's Health From the Outside

What you can do from the terminal

As a developer, you can gather basic security intel with a few commands.

Detect WordPress version:

```bash
# From the generator meta tag (GNU grep: -P enables the \K PCRE escape)
curl -s https://example.com | grep -oP 'content="WordPress \K[0-9.]+'

# From the RSS feed's <generator> element
curl -s https://example.com/feed/ | grep -oP '\?v=\K[0-9.]+'

# Check if readme.html is exposed (a 200 means the stock file is still served)
curl -sI https://example.com/readme.html | head -n 1
```

Check security headers:

```bash
curl -sI https://example.com | grep -iE \
  '(strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy)'
```

Try this on a small business site. Chances are nothing comes back — meaning zero security headers are configured.

Check email authentication:

```bash
# SPF
dig +short TXT example.com | grep spf

# DMARC
dig +short TXT _dmarc.example.com
```

A DMARC policy of p=none means phishing emails spoofing the domain aren't being blocked.

But will you do this regularly?

Running these commands once is easy. But realistically:

  • You want to check 10+ client domains periodically
  • You need to cross-reference plugin versions against new CVEs
  • You want to be notified when something changes
  • You need client-facing reports

Terminal commands don't scale.
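To run the checks above across a client list instead of one domain at a time, here is an added shell script (my own example, not code from the post or from Nyambush) that wraps the curl and dig commands into reusable functions; the helper names, the domains file and the summary format are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): batch the curl/dig checks above
# over a list of client domains and print one summary line per domain.
# Helper names, the domains file and the output format are my own choices.
set -u

REQUIRED_HEADERS="strict-transport-security content-security-policy x-frame-options \
x-content-type-options referrer-policy permissions-policy"

# Read raw response headers on stdin; print each required header that is absent.
missing_security_headers() {
  local hdrs h
  hdrs=$(tr '[:upper:]' '[:lower:]')
  for h in $REQUIRED_HEADERS; do
    printf '%s\n' "$hdrs" | grep -q "^$h:" || printf '%s\n' "$h"
  done
}

# Read HTML on stdin; print the version from the generator meta tag, or "unknown".
wp_version() {
  grep -oE 'content="WordPress [0-9.]+' | head -n 1 | grep -oE '[0-9.]+' || echo unknown
}

# Classify the DMARC TXT record passed as $1: missing / none / quarantine / reject.
# Only the p= tag is read (sp= and pct= are deliberately not matched).
dmarc_policy() {
  case "$1" in
    *v=DMARC1*) printf '%s\n' "$1" | sed -n 's/.*[; "]p=\([a-z]*\).*/\1/p' | head -n 1 ;;
    *) echo missing ;;
  esac
}

# Live check of one domain (network): version, SPF presence, DMARC policy, headers.
scan_domain() {
  local d="$1" ver missing spf pol
  ver=$(curl -s --max-time 15 "https://$d" | wp_version)
  missing=$(curl -sI --max-time 15 "https://$d" | missing_security_headers | tr '\n' ' ')
  spf=$(dig +short TXT "$d" | grep -c 'v=spf1')
  pol=$(dmarc_policy "$(dig +short TXT "_dmarc.$d" | tr -d '\n')")
  printf '%s\twp=%s\tspf_records=%s\tdmarc=%s\tmissing_headers=%s\n' \
    "$d" "$ver" "$spf" "$pol" "${missing:-none}"
}

# Usage: ./wp-health.sh domains.txt   (one client domain per line)
if [ -n "${1:-}" ]; then
  while read -r d; do [ -n "$d" ] && scan_domain "$d"; done < "$1"
fi
```

The parsing helpers take their input on stdin or as an argument, so they can be exercised on captured responses before scan_domain is pointed at live domains.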

Nyambush — Passive ASM for the Rest of Us

This is why I built Nyambush.

Nyambush is an ASM (Attack Surface Management) SaaS. Enter a domain, get an instant security assessment of its external attack surface.

ASM tools are typically enterprise software costing $30,000+/year. Nyambush starts at free — no account required.

What it checks

| Check | What you learn |
|---|---|
| DNS | Subdomain enumeration, dangling CNAMEs (subdomain takeover risk), WHOIS |
| Email Auth | SPF/DKIM/DMARC configuration, spoofing risk assessment |
| HTTP Headers | Security header coverage, HTTPS configuration issues |
| WordPress | Core version, detected plugins/themes, known CVEs |
| AI Patrol | Headless browser crawling + Claude Vision AI for defacement & anomaly detection |

AI Patrol — Catching Defacements That Humans Miss

Many compromised sites look perfectly normal to a casual visitor. The defacement might be subtle — injected spam links, hidden redirects, or a modified footer that only search engines see.

AI Patrol solves this with a two-layer approach:

```
Layer 1: Technical checks (automated during crawl)
├── HTTP status codes (5xx/4xx detection)
├── JavaScript errors
├── Console errors
├── Broken images
├── Mixed content (HTTPS → HTTP)
└── Broken links (subresource 404/5xx)

Layer 2: AI visual analysis (Claude Vision API)
├── Defacement detection (injected text, hacker signatures)
├── Debug info leaks (stack traces, SQL queries, internal paths)
├── Phishing redirects
├── Layout breakage (overlapping elements, overflow)
├── Character encoding issues
├── Suspicious ads/popups
└── SEO spam (hidden text, keyword stuffing)
```

Visual diff detection:

Playwright captures full-page screenshots and compares them pixel-by-pixel against the previous crawl using pixelmatch. When the change rate exceeds 5%, Claude Vision AI analyzes what changed — distinguishing legitimate content updates from unauthorized modifications.

Passive scanning only

Nyambush performs passive scanning exclusively:

  • DNS queries
  • Standard HTTP/HTTPS requests (identical to normal browser visits)
  • Certificate Transparency log lookups
  • Public vulnerability database correlation

No port scanning. No exploit attempts. No PoC execution. This means you can safely scan any domain — your own sites, client sites, or prospective clients — without legal concerns.

How agencies and freelancers use it

1. Health check past clients

Enter a former client's domain. See its current security posture. If issues are found, you have concrete data to re-engage: "Your site is running WordPress 5.8 with X known vulnerabilities. Want to discuss a fix?"

Numbers change conversations.

2. Scope new projects

For redesign or migration projects, scan the existing site first. "Here's the current security risk profile" makes a compelling case for modernization.

3. Automated post-delivery monitoring with AI

Set up AI Patrol, and Nyambush continuously monitors delivered sites. When defacement, layout breakage, or JavaScript failures are detected, you get screenshots and specific findings. Present before/after screenshots with diff images to clients as evidence of your maintenance value.

4. Quality assurance at delivery

Scan your own work before handoff. Prove that security headers and email authentication are properly configured. "Security-conscious development" becomes a documented differentiator.

WordPress plugin for deeper insight

External scanning can't see everything. Install the Nyambush WordPress plugin to report:

  • Complete plugin inventory (including deactivated plugins)
  • Exact PHP version
  • wp-config.php security settings (debug mode, SSL enforcement)
  • Login security configuration

Those "deactivated but not deleted" plugins with known vulnerabilities? Now you can find them.

Pricing

| | Free | Pro | Business |
|---|---|---|---|
| Monthly | $0 | $13 | $65 |
| Domains | 1 | 5 | 30 |
| Scan frequency | Monthly | Weekly | Daily |
| AI Patrol | | 5 pages (Haiku 4.5) | 50 pages (Sonnet 4.5) |
| Patrol scope | | Tech checks + AI analysis + visual diff | Same (higher accuracy model) |
| Notifications | | Email | Slack + LINE |
| AI Report | | | |

Free works for personal checks. Pro fits agencies managing multiple client sites. Business adds daily AI patrol for automated defacement and incident detection.

Beyond "Build and Forget"

WordPress vulnerability disclosure has reached a scale that no individual can track manually. But "stop using WordPress" isn't realistic — it powers the majority of the web, and that's not changing anytime soon.

What we can do:

  • Make the invisible visible — know the current state of sites we've built
  • Communicate risk with data — show clients specific numbers, not vague warnings
  • Automate monitoring — catch changes before they become incidents
  • Let AI watch what humans can't — visual monitoring at a scale no team can match

Try it: nyambush.app. Enter a domain. One minute, zero signup, and you'll see what's really going on.

