WordPress security in 2026: plugins are still the #1 risk

The most popular CMS is also the most attacked

WordPress powers roughly 43% of the internet. That market dominance has a side effect: it makes WordPress the single most targeted CMS for automated attacks. Bots scan for known WordPress vulnerabilities around the clock, probing login pages, testing plugin exploits, and injecting malicious code into outdated installations. This is not a theoretical risk — it is the reality that every WordPress site operator lives with.

The WordPress core team deserves credit for their security track record. Core vulnerabilities are rare and patched quickly. But the vast majority of WordPress security incidents have nothing to do with WordPress core. They come from plugins — the third-party code that every WordPress site depends on to function. And the plugin ecosystem, for all its power, has a security problem that is structural, not incidental.

This is not about blaming plugin developers. Many of them are solo developers or small teams maintaining free software in their spare time. The problem is the model itself: allowing hundreds of independently maintained code packages to run with full server access on your website, each with different security standards, update schedules, and vulnerability response times.

The numbers tell the story

Patchstack's 2025 Annual Security Report and WPScan's vulnerability database provide the clearest picture of WordPress security. Here is what the data shows:

• 90% of hacked CMS sites are WordPress. This is not just a function of market share. WordPress's plugin architecture creates a uniquely broad attack surface that other CMS platforms do not have.
• 52% of all WordPress vulnerabilities originate in plugins. Not themes, not core, not hosting misconfigurations — plugins. They are the primary vector, year after year.
• Over 30,000 plugin vulnerabilities have been reported. WPScan's database tracks these across the WordPress plugin ecosystem. The volume is staggering, and it grows every year as more plugins are published.
• Average time to patch a plugin vulnerability: 49 days. That is nearly seven weeks between disclosure and fix during which every site running the affected plugin is exposed. Many site owners wait weeks or months more before applying updates.

These numbers do not mean your WordPress site will be hacked. They mean the risk is measurable, ongoing, and directly proportional to how many plugins you run and how diligently you update them.

Why plugins are the weak link

Understanding why plugins create security risk requires looking at how they actually work inside WordPress:

Full server access

WordPress plugins run as PHP code on your server with the same permissions as WordPress core. A plugin can read your database, access your filesystem, execute system commands, and communicate with external servers. There is no sandboxing, no permission model, no isolation between plugins. A vulnerability in a single plugin can compromise your entire server.

No code review requirement

The WordPress.org plugin repository performs a basic automated review before listing a plugin, but it does not conduct thorough security audits. Premium plugins sold through third-party marketplaces have even less oversight. Any developer can publish code that runs on your server, and the review bar is low.

Maintenance gaps

Many plugins are maintained by a single developer. When that developer moves on, the plugin continues to be used by thousands of sites but no longer receives security updates. Abandoned plugins are one of the most common entry points for WordPress attacks, and there is no automatic mechanism to warn users when a plugin is no longer maintained.

Update fatigue

The average WordPress site runs 20-37 plugins. Each one has its own update cycle. Keeping everything current means checking for and applying updates weekly, testing for conflicts after each update, and occasionally dealing with a broken site when a plugin update is incompatible with another plugin or the theme. Many site owners fall behind, and each delayed update widens the security window.

How to audit your WordPress security

If you are running a WordPress site today, these six steps will give you a clear picture of your current exposure:

1. Check plugin update status. Go to your WordPress admin panel and review every installed plugin. How many have pending updates? How many have not been updated by their developer in over a year? Any plugin that has not been updated in 12+ months is a significant risk.
1. Scan for known vulnerabilities. Use a tool like WPScan or Patchstack to cross-reference your installed plugins and their versions against known vulnerability databases. You may be running plugin versions with publicly documented exploits right now.
1. Review user permissions. Check how many administrator accounts exist. Each one is a potential entry point if compromised. Remove any admin accounts that are not actively used. Ensure all admin accounts use strong, unique passwords and two-factor authentication.
1. Check login page exposure. Is your wp-admin and wp-login.php accessible to the public internet without rate limiting or IP restrictions? Brute-force attacks against WordPress login pages are automated and relentless. At minimum, add login attempt limiting. Better yet, restrict access by IP or use a plugin like WPS Hide Login to change the login URL.
1. Test backup recovery. Having backups is not enough — you need to verify that you can actually restore from them. Download your latest backup, set up a local or staging environment, and confirm that the restored site works correctly. Many site owners discover their backups are incomplete or corrupted only when they need them.
1. Assess hosting security. Does your hosting provider offer a web application firewall (WAF)? Are PHP versions kept current? Is your server isolated from other tenants, or are you on shared hosting where another compromised site could affect yours? Managed WordPress hosts like Kinsta and WP Engine include server-level security. Budget shared hosting generally does not.

Why static sites are inherently more secure

The security conversation changes fundamentally when you move from WordPress to a static or statically-generated architecture like Next.js. The reason is straightforward: most WordPress attack vectors simply do not exist in a static deployment.

No server-side code execution

A static site serves pre-built HTML, CSS, and JavaScript files from a CDN. There is no PHP interpreter processing requests, no server-side code running on each page load, and no way for an attacker to execute arbitrary code on your server — because there is no server in the traditional sense. The files are read-only assets served from globally distributed edge nodes.

No database to exploit

WordPress stores everything — content, user credentials, plugin settings, session data — in a MySQL database that is accessible to every plugin and every PHP process. SQL injection is one of the most common WordPress attack vectors. A static site has no public-facing database. Content is compiled at build time and served as flat files. There is nothing to inject into.

No login page to attack

WordPress sites expose wp-login.php and wp-admin to the internet. These are targets for brute-force attacks, credential stuffing, and session hijacking. A static site has no login page on the public-facing site. If you use a headless CMS like Payload for content editing, the admin interface runs on a separate domain with its own security, completely isolated from the public website.

No plugin supply chain

This is the most significant difference. A static site does not depend on 20-37 third-party code packages running with full server access. Dependencies exist in the development environment (npm packages), but they are compiled at build time and do not run on the production server. A compromised npm package cannot affect your live site the way a compromised WordPress plugin can.

The realistic perspective

Migrating away from WordPress does not make you immune to all security threats. Client-side JavaScript vulnerabilities, XSS through user-generated content, and misconfigured hosting can still create risks. But the attack surface shrinks dramatically — from a complex server-side application running dozens of third-party plugins to a set of static files served from a CDN.

For most business websites, the question is not whether your WordPress security is "good enough." It is whether you want to spend ongoing time, money, and mental energy managing a security surface that does not need to exist. A modern, statically-generated site eliminates most WordPress security concerns by architecture, not by vigilance.