There’s a concept in security called “pre-boom vs. post-boom”: what you do before a breach, and what you do after.
As the threat landscape changes, there are major problems with both preventive and reactive WordPress security approaches.
Let’s start with the preventive side - WordPress vulnerabilities have always been hard to protect against using standard network and server layer security tools. But last year, we managed to put a number on it - in a large-scale pentest of popular web hosting companies, only 26% of all vulnerability attacks were blocked.
Regular plugin updates are the second line of defence, but as attackers weaponize new vulnerabilities within hours of disclosure, updates alone are not a viable defence.
Then there are reactive solutions - malware detection and cleanup. The WordPress ecosystem has been far too reliant on treating security as something to fix “post-boom” - but attackers are evolving, and so is their malware.
In this year’s whitepaper, we partnered up with Monarx to investigate what happens to infected websites. What they found was that attackers are getting more strategic and sophisticated in their methods - malware is getting harder to find, and even harder to remove.
Patchstack is the world's #1 WordPress vulnerability intelligence provider, covering the entire lifecycle from detection to mitigation. Powered by RapidMitigate - a technology that combines software composition analysis, threat intelligence, and contextual prioritization - Patchstack delivers site-specific protection rules automatically and only to sites where a vulnerability is actually present, with near-zero false positives and no code changes.
Trusted by hosting leaders including GoDaddy, Hostinger, DigitalOcean, and Cloudways, Patchstack helps hosting companies reduce support burden, protect their users, and turn security into a revenue stream. Patchstack also manages vulnerability reporting for over 1,000 WordPress plugin vendors, including Elementor, WP Rocket, and YITH. Our mission is to make the open web more secure.
Overall, 11,334 new vulnerabilities were found in the WordPress ecosystem in 2025 - a 42% increase compared to 2024.
Of all new vulnerabilities found, 4,124 (36%) represented an actual threat and were serious enough to require RapidMitigate protection rules.
1,966 (17%) vulnerabilities had a high severity score, meaning they were likely to be exploited in automated mass-scale attacks.
17% of new vulnerabilities had a high risk of mass-scale exploitation.
In fact, more high-severity vulnerabilities were discovered in the WordPress ecosystem in 2025 than in the previous two years combined. This increase largely came from premium components sold on marketplaces such as Envato, and it highlights the security visibility problem with such components and marketplaces: because their code is not readily available to security researchers, security issues in them are harder to find and take longer to surface.
Patchstack Priority levels used throughout this report:
Low - unlikely to be exploited. No RapidMitigate rule necessary, update recommended.
Medium - exploitable in more targeted attacks. RapidMitigate rules deployed.
High - actively exploited or expected to become mass-exploited. RapidMitigate rules deployed.
91% of new vulnerabilities were found in plugins, and 9% were found in themes. There were only 6 vulnerabilities reported in the WordPress core, but these were low priority issues.
For the third year in a row, Patchstack continues to be the leading vulnerability coordinator and publisher in the WordPress ecosystem, with over 1,000 plugin vendors trusting Patchstack as their security point of contact.
Typically, most vulnerabilities are found and reported in free plugins and themes. Premium WordPress components receive less scrutiny because it’s harder for researchers to access their code.
This is a problem because lower scrutiny does not equal better security, and lower awareness of security issues in premium products can leave these vulnerable to uncontrolled exploitation.
To understand the threat landscape of premium plugins and themes, last year we conducted focused research on premium marketplaces such as Envato.
Overall, we received 1,983 valid vulnerability reports for premium or freemium components, making up 29% of total reports.
59% of those were high Patchstack Priority vulnerabilities that can be used in automated mass attacks. A further 17% had medium Patchstack Priority, meaning they can be exploited in more targeted attacks.
That means 76% of vulnerabilities found in premium components were exploitable in real-life attacks.
Furthermore, our Zero Day program found 33 highly critical vulnerabilities in premium components, compared to only 12 in free components.
The Patchstack Zero Day program is part of our Bug Bounty program and is aimed at finding vulnerabilities that are either already actively exploited, or could easily be mass-exploited before public disclosure.
3x the amount of Known Exploited Vulnerabilities (KEV) in premium WordPress components compared to free components.
When looking at actual attacks, premium components had three times more Known Exploited Vulnerabilities (KEV) than free components.
These findings underscore the need for more scrutiny into premium marketplaces and components. This is something we’re aiming to solve by offering free mVDP programs to plugin and theme creators.
By joining the mVDP program, plugin creators can incentivize researchers to review the security of their code while outsourcing the process to the Patchstack team.
Looking at the vulnerability disclosure timelines from last year, lack of security updates from plugin vendors continues to be a problem - 46% of vulnerabilities did not receive a fix from the developer in time for public disclosure.
This again shows why website owners can’t rely on plugin updates as a security measure.
On the research side, we saw a significant increase of AI generated “slop” vulnerability reports in 2025. Incomplete or invalid reports have always been a problem in the WordPress security space, but AI is making it easier for people to send in poorly compiled reports in hopes of getting an easy reward.
These are also problems we are aiming to solve with our free mVDP program - we have a dedicated team working on triaging and validating vulnerability reports on behalf of vendors, and advising them on delivering patches.
Patchstack’s RapidMitigate deploys protection rules at the same moment a vulnerability is disclosed. Because of this, we can see exactly when and how new vulnerabilities get exploited.
This means we have one of the best overviews into Known Exploited Vulnerabilities (KEVs) on the market.
When analysing the speed at which attackers weaponize new vulnerabilities, we found that approximately half of high impact vulnerabilities get exploited within 24 hours.
When we account for how intense the exploitation was (by weighting based on observed activity), then the weighted median time to first exploit is 5 hours. This suggests that the most heavily targeted vulnerabilities are typically attacked within hours, not days.
5h is the median time to mass exploitation for heavily exploited vulnerabilities.
To understand how fast attackers move after vulnerabilities are made public (which is also when the RapidMitigate rule is created and deployed on vulnerable sites), we measured the time between when a RapidMitigate rule was rolled out and when we first saw an exploitation attempt for each vulnerability.
We focused on vulnerabilities that show the highest levels of exploitation in practice, reflecting what is most attractive to attackers, including flaws in widely used components and high-impact vulnerability classes. This prioritized subset accounts for ~95% of the observed exploitation activity for vulnerabilities published in 2025.
Share of vulnerabilities published in 2025 whose first exploitation was observed within the time window:
Overall, this means that the first 24 hours are critical when a new exploitable vulnerability is published in the ecosystem, requiring close monitoring, fast tuning and strong response readiness.
Broken Access Control is a broad category (it is also the top category in the OWASP Top 10, not something unique to WordPress), but in WordPress it has a characteristic shape: plugin code exposes an action through admin-ajax.php, the REST API or a shortcode without checking the caller’s capability or nonce, so the user access and authorization decision is simply never made.
These vulnerabilities are very difficult to defend against using traditional WAFs because the exploit requests look like normal application traffic, typically a POST to a legitimate endpoint with ordinary parameters and no injection pattern to match. Whether the request is legitimate depends on who sent it and what they are allowed to do, which is decided inside the application, not at the network edge.
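As an added example (this is not code from the report or from any named plugin), here is that pattern in plain WordPress PHP: a REST route and an admin-ajax handler that are vulnerable because authorization is never checked, followed by hardened versions of both. The plugin namespace, routes, hook names and option names are invented; the WordPress functions called are the real ones.

```php
<?php
// Added example, not from the report. Namespace, routes, hooks and option
// names are invented; the WordPress API calls are the real ones.

// ---- Broken Access Control: vulnerable REST route -------------------------

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        // Any visitor, authenticated or not, passes this "check".
        'permission_callback' => '__return_true',
    ] );
} );

function example_save_settings( WP_REST_Request $request ) {
    // Arbitrary option write: one unauthenticated POST can set
    // users_can_register=1 and default_role=administrator.
    update_option( sanitize_key( $request['name'] ), $request['value'] );
    return rest_ensure_response( [ 'saved' => true ] );
}

// ---- Broken Access Control: vulnerable admin-ajax handler -----------------

// wp_ajax_nopriv_ exposes the action to logged-out callers, and the handler
// checks neither a nonce (CSRF) nor a capability (authorization).
add_action( 'wp_ajax_nopriv_example_delete_post', 'example_delete_post' );
add_action( 'wp_ajax_example_delete_post', 'example_delete_post' );

function example_delete_post() {
    wp_delete_post( (int) $_POST['post_id'], true );
    wp_send_json_success();
}

// ---- Hardened REST route (v2 namespace so both can coexist in this file) --

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v2', '/settings', [
        'methods'             => 'POST',
        'callback'            => 'example_save_settings_safe',
        // Runs before the callback. Cookie-authenticated REST calls are only
        // treated as logged in when they carry a valid X-WP-Nonce header, so
        // this also covers CSRF for browser clients.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => [
            'name'  => [ 'required' => true, 'sanitize_callback' => 'sanitize_key' ],
            'value' => [ 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ],
        ],
    ] );
} );

function example_save_settings_safe( WP_REST_Request $request ) {
    // Allow-list the options this endpoint may write instead of trusting input.
    $allowed = [ 'example_plugin_color', 'example_plugin_footer_text' ];
    if ( ! in_array( $request['name'], $allowed, true ) ) {
        return new WP_Error( 'example_bad_option', 'Option not allowed.', [ 'status' => 400 ] );
    }
    update_option( $request['name'], $request['value'] );
    return rest_ensure_response( [ 'saved' => true ] );
}

// ---- Hardened admin-ajax handler ------------------------------------------

// Authenticated hook only; no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_delete_post_safe', 'example_delete_post_safe' );

function example_delete_post_safe() {
    // CSRF: the admin page must have sent wp_create_nonce( 'example_delete_post' )
    // in the 'nonce' field; a bad or missing nonce ends the request with -1.
    check_ajax_referer( 'example_delete_post', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // Authorization: the delete_post meta capability is resolved per post,
    // so a Contributor cannot delete another author's post.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success();
}
```

On the wire, the exploit POST against the vulnerable route and a legitimate administrator’s POST against the hardened one carry the same path, method and parameters; only the session cookie (and, for the hardened route, the nonce header) differs. That is why a generic WAF signature has nothing to match on, and why a useful rule for this class has to be keyed to the specific vulnerable endpoint and component version rather than to a payload pattern.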
When looking at top ten vulnerabilities that were being targeted most by attackers, we see that only four were published in 2025.
This is an important reminder that attackers will also attempt to exploit older vulnerabilities, hoping to infect sites that are not properly kept up to date.
Our findings support this theory. The top 10 data here is based on real exploit attempts blocked by Patchstack, meaning that the older vulnerable versions of these plugins were present on customers’ sites.
The growing number of WordPress vulnerabilities and faster exploitation times are putting a lot of pressure on the hosting industry’s defences - but research shows that most of the defences are not effective.
In 2025 we conducted two separate pentesting studies where we tested the effectiveness of common security solutions (internal WAFs, Cloudflare etc.) against vulnerability exploits.
The first one, focusing on known exploited vulnerabilities, revealed that traditional defences only blocked 12% of WordPress-specific vulnerability attacks. In the second experiment, we expanded the scope to test more vulnerabilities, including more generic ones - but still, only 26% of total attacks were blocked.
What is interesting is that similar combinations of defensive solutions performed very differently across hosting environments.
These differences were most likely due to how each company had configured its internal WAF. Overall, internal WAFs also performed somewhat better against generic, non-WordPress-specific vulnerabilities, while security vendor suites were less effective.
Monarx operates server-level malware detection across global hosting infrastructure. During 2025, their platform processed nearly 9 trillion file signals, providing visibility into how WordPress vulnerabilities are exploited in real-world attacks.
Behind every trillion signals processed by Monarx lies a sophisticated narrative of how modern attackers operate.
By analyzing over 2 billion malware infections and 3 billion blocked runtime operations, Monarx data reveals what happens after vulnerable sites are compromised, complementing Patchstack's vulnerability intelligence with post-exploitation insights.
The 2025 data demonstrates that signature-based "delete-only" security is no longer sufficient, as attackers increasingly favor compromising legitimate files during peak traffic periods.
Unlike standalone malicious files, which can simply be deleted automatically, injected files are legitimate WordPress core, plugin or theme files that contain a malicious snippet. Deleting the whole file breaks the site, so the snippet has to be cut out or the file restored from a known-good copy.
This is also why Monarx is focusing on automated surgical malware remediation, rather than just deleting obvious malicious files.
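The following is an added example of the distinction just described, not Monarx’s or Patchstack’s code: it verifies a WordPress tree against a per-file checksum manifest, restores tampered core files from pristine copies instead of deleting them, and quarantines files the manifest does not know about. To run offline it builds a tiny constructed “pristine” and “site” tree in a temporary directory and simulates an infection; in production the manifest comes from the wordpress.org core checksums API (MD5 per path, keyed by version and locale) and the pristine copies from the matching release archive.

```php
<?php
// Added example, not Monarx's or Patchstack's code. Demonstrates why injected
// files need restoring rather than deleting: verify a WordPress tree against a
// checksum manifest, put back pristine copies of modified core files, and
// quarantine files the manifest does not list. The demo at the bottom builds
// its own tiny "site" and "pristine" trees so it runs offline. In production
// the manifest comes from
//   https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=en_US
// (MD5 per relative path) and pristine files from the matching release zip.

function load_manifest_from_tree( string $pristine ): array {
    // Build {relative path => md5} from a pristine tree (stand-in for the API).
    $sums = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $pristine, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $it as $file ) {
        $rel = substr( $file->getPathname(), strlen( $pristine ) + 1 );
        $sums[ str_replace( DIRECTORY_SEPARATOR, '/', $rel ) ] = md5_file( $file->getPathname() );
    }
    return $sums;
}

function verify_tree( string $site, array $manifest ): array {
    $modified = $missing = $unknown = [];
    foreach ( $manifest as $rel => $sum ) {
        $path = "$site/$rel";
        if ( ! is_file( $path ) ) {
            $missing[] = $rel;
        } elseif ( md5_file( $path ) !== $sum ) {
            $modified[] = $rel;   // legitimate file carrying an injected snippet
        }
    }
    // Anything under the core-managed directories that the manifest does not
    // list (uploaders, droppers, renamed backdoors) is a quarantine candidate.
    foreach ( [ 'wp-admin', 'wp-includes' ] as $dir ) {
        if ( ! is_dir( "$site/$dir" ) ) { continue; }
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( "$site/$dir", FilesystemIterator::SKIP_DOTS ) );
        foreach ( $it as $file ) {
            $rel = str_replace( DIRECTORY_SEPARATOR, '/', substr( $file->getPathname(), strlen( $site ) + 1 ) );
            if ( ! isset( $manifest[ $rel ] ) ) { $unknown[] = $rel; }
        }
    }
    return compact( 'modified', 'missing', 'unknown' );
}

function remediate( string $site, string $pristine, array $report, string $quarantine ): void {
    // Surgical: overwrite the tampered file with the known-good copy so the
    // site keeps working, instead of deleting index.php or wp-load.php.
    foreach ( array_merge( $report['modified'], $report['missing'] ) as $rel ) {
        @mkdir( dirname( "$site/$rel" ), 0755, true );
        copy( "$pristine/$rel", "$site/$rel" );
    }
    // Unknown files are moved, not deleted, so they can be examined later.
    foreach ( $report['unknown'] as $rel ) {
        @mkdir( dirname( "$quarantine/$rel" ), 0700, true );
        rename( "$site/$rel", "$quarantine/$rel" );
    }
}

// ---- Offline demo with constructed files -----------------------------------
$base       = sys_get_temp_dir() . '/wpverify_' . bin2hex( random_bytes( 4 ) );
$pristine   = "$base/pristine";
$site       = "$base/site";
$quarantine = "$base/quarantine";
$files = [   // constructed stand-ins for core files, not real WordPress content
    'index.php'               => "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
    'wp-includes/version.php' => "<?php\n\$wp_version = '0.0';\n",
    'wp-admin/admin.php'      => "<?php\nrequire_once __DIR__ . '/../wp-load.php';\n",
];
foreach ( [ $pristine, $site ] as $root ) {
    foreach ( $files as $rel => $body ) {
        @mkdir( dirname( "$root/$rel" ), 0755, true );
        file_put_contents( "$root/$rel", $body );
    }
}
// Simulate an infection: a snippet prepended to a core file, plus a dropped file.
file_put_contents( "$site/index.php", "<?php /* injected snippet */ ?>" . $files['index.php'] );
file_put_contents( "$site/wp-includes/wp-cache.php", "<?php /* dropped uploader */\n" );

$manifest = load_manifest_from_tree( $pristine );
$report   = verify_tree( $site, $manifest );
print_r( $report );                           // modified: index.php; unknown: wp-includes/wp-cache.php
remediate( $site, $pristine, $report, $quarantine );
print_r( verify_tree( $site, $manifest ) );   // all three lists empty; index.php still works
```

WP-CLI ships the same check as `wp core verify-checksums` and `wp plugin verify-checksums` for components hosted on wordpress.org. Premium components from third-party marketplaces have no public manifest, so for them a host has to keep its own known-good hashes at install time, which is one more way the visibility problem of premium components shows up post-breach.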
Throughout 2025, Monarx observed a distinct seasonal pattern in attack activity - malicious file uploads showed a dramatic spike during Q4 holidays - nearly tripling in volume during November and December.
This "Holiday Spike" is driven by a dangerous convergence - high consumer traffic meets reduced IT staffing. Attackers capitalize on diminished administrative response times, while IT teams are at minimum capacity.

Monarx's 2025 data revealed a significant strategic shift in attacker behavior. While Adware remained the most prevalent malware category throughout the year, Uploader scripts nearly doubled in volume in June 2025 and maintained that elevated presence through year-end.
This sustained increase suggests attackers are moving beyond opportunistic, one-off compromises. Instead, they're investing in persistent infrastructure—planting uploaders that enable multi-stage attacks and long-term access to compromised sites.
Persistent infrastructure means attackers aren't just exploiting vulnerabilities once and moving on. They're establishing footholds that allow them to return, deploy additional payloads, and maintain access even after initial infections are cleaned.
This makes post-breach remediation significantly more complex and increases the likelihood of reinfection.

Analysis of the most prevalent malware campaigns in 2025 reveals why traditional security scanning often fails to detect compromised sites.
There are two major evasion techniques attackers use to avoid detection, and to reinfect websites after cleanup:
The dominant attack families (Japanese SEO, jgalls, Parrot TDS) all use "cloaking" techniques to serve different content based on who visits the website. Search engine bots see keyword-stuffed spam to boost rankings, while human visitors get redirected to phishing sites or fraudulent stores. Security scanners and site owners often see clean content, making infections invisible until customer complaints arrive or search rankings tank.
Modern variants have evolved further. Parrot TDS now detects AI crawlers (such as those operated for ChatGPT and Google Gemini) and serves them clean content while continuing to exploit human visitors, so a scanner that fetches the page with a crawler identity sees nothing wrong, making automated detection even more challenging.
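The practical check for the cloaking described in the two paragraphs above is a differential fetch: request the same URL under several client identities and compare what comes back. The script below is an added example, not Monarx’s or Patchstack’s detector; the client profile names, the thresholds in the verdict and the sample HTML used for the offline demo are all constructed. `fetch_variant()` does a live request with cURL; the demo at the bottom feeds constructed responses to the same comparison code so it runs without network access.

```php
<?php
// Added example, not Monarx's or Patchstack's detector. Fetches one URL under
// several client profiles and compares the responses; cloaked infections give
// crawlers spam and humans redirects, so the profiles disagree. Profile names,
// thresholds and the sample HTML below are constructed.

function profiles(): array {
    $chrome = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36';
    return [
        'googlebot'         => [ 'ua' => 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)', 'referer' => '' ],
        'gptbot'            => [ 'ua' => 'Mozilla/5.0; compatible; GPTBot/1.0; +https://openai.com/gptbot', 'referer' => '' ],
        'human_from_google' => [ 'ua' => $chrome, 'referer' => 'https://www.google.com/' ],
        'human_direct'      => [ 'ua' => $chrome, 'referer' => '' ],
    ];
}

function fetch_variant( string $url, array $profile ): array {
    // Live fetch; redirects are not followed so the redirect itself is observed.
    $ch = curl_init( $url );
    curl_setopt_array( $ch, [
        CURLOPT_RETURNTRANSFER => true, CURLOPT_FOLLOWLOCATION => false, CURLOPT_TIMEOUT => 15,
        CURLOPT_USERAGENT => $profile['ua'], CURLOPT_REFERER => $profile['referer'],
    ] );
    $body = (string) curl_exec( $ch );
    $info = curl_getinfo( $ch );
    curl_close( $ch );
    return [ 'status' => $info['http_code'], 'location' => $info['redirect_url'] ?? '', 'body' => $body ];
}

function summarize( array $resp, string $site_host ): array {
    $body = $resp['body'];
    preg_match( '/<title[^>]*>(.*?)<\/title>/is', $body, $m );
    // Redirect via HTTP Location, meta refresh or a JS location assignment.
    $redirect = $resp['location'];
    if ( ! $redirect && preg_match( '/http-equiv=["\']refresh["\'][^>]*url=([^"\'>\s]+)/i', $body, $r ) ) { $redirect = $r[1]; }
    if ( ! $redirect && preg_match( '/(?:window\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)/i', $body, $r ) ) { $redirect = $r[1]; }
    preg_match_all( '/href=["\']https?:\/\/([^\/"\']+)/i', $body, $h );
    $ext_hosts = array_values( array_unique( array_filter( $h[1], fn( $x ) => strcasecmp( $x, $site_host ) !== 0 ) ) );
    return [ 'status' => $resp['status'], 'title' => trim( $m[1] ?? '' ), 'redirect' => $redirect,
             'ext_hosts' => $ext_hosts, 'words' => str_word_count( strip_tags( $body ) ) ];
}

function cloaking_verdict( array $summaries, string $site_host ): array {
    $findings = [];
    $bot = $summaries['googlebot'];
    $human = $summaries['human_direct'];
    if ( $bot['title'] !== $human['title'] ) { $findings[] = 'title differs for crawler vs. browser'; }
    if ( count( $bot['ext_hosts'] ) >= 5 && count( $human['ext_hosts'] ) < 2 ) { $findings[] = 'crawler-only outbound link farm'; }
    if ( abs( $bot['words'] - $human['words'] ) > 300 ) { $findings[] = 'page size differs substantially by client'; }
    foreach ( $summaries as $name => $s ) {
        $to = $s['redirect'] ? parse_url( $s['redirect'], PHP_URL_HOST ) : null;
        if ( $to && strcasecmp( $to, $site_host ) !== 0 ) { $findings[] = "$name redirected off-site to $to"; }
    }
    return $findings;
}

// ---- Offline demo with constructed responses (no network) -----------------
$host  = 'shop.example';
$spam  = '<html><head><title>Cheap Replica Watches Outlet</title></head><body>';
for ( $i = 1; $i <= 8; $i++ ) { $spam .= str_repeat( "<a href=\"https://spam-$i.example/\">buy</a> cheap replica discount ", 15 ); }
$spam .= '</body></html>';
$clean = '<html><head><title>Example Shop</title></head><body><a href="https://shop.example/cart">Cart</a></body></html>';
$redir = '<html><head><title>Example Shop</title></head><body><script>window.location.href="https://lure.example/verify";</script></body></html>';
$sample = [
    'googlebot'         => [ 'status' => 200, 'location' => '', 'body' => $spam ],
    'gptbot'            => [ 'status' => 200, 'location' => '', 'body' => $clean ],  // AI crawler shown clean content
    'human_from_google' => [ 'status' => 200, 'location' => '', 'body' => $redir ],  // search visitor redirected
    'human_direct'      => [ 'status' => 200, 'location' => '', 'body' => $clean ],
];
// Live use: $sample[$name] = fetch_variant( "https://$host/", $p ) for each profile.
$summaries = array_map( fn( $r ) => summarize( $r, $host ), $sample );
print_r( cloaking_verdict( $summaries, $host ) );
```

Two caveats a practitioner should keep in mind. Better cloakers key on the source IP (reverse-DNS checks for real Googlebot ranges) and on cookies rather than on the User-Agent string, so a spoofed fetch from a hosting or office IP may still be shown the clean page; cross-check with Google Search Console’s live URL inspection, a fetch from a residential or mobile connection, and the search engine’s cached copy. And because the AI-crawler profile is now deliberately served clean content, a disagreement between `googlebot` and `gptbot` is itself a signal worth alerting on.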

The Lock360 malware family demonstrates why simple file cleanup fails. This campaign runs malicious code in server memory, automatically monitoring and reinfecting files like index.php and .htaccess the moment they're restored.
Support teams find themselves in a frustrating cycle - they clean an infection only for it to immediately rewrite itself because the malware is still running in the background.

These evasion techniques explain why hosting providers often don't discover compromises until significant damage has occurred - degraded SEO rankings, customer complaints about redirects, or blacklisting by security services. By the time the infection is visible, the attacker has already achieved their objective.
For the full technical analysis of the top 2025 malware trends, head over to our partners at Monarx.
Securing WordPress websites and plugins is getting harder and more important than ever before. In 2026, we find ourselves at the crossroads of a deep technological shift and growing pressure to adopt new security measures to comply with new EU regulations such as the Cyber Resilience Act.
WordPress is no longer the easiest and most extensible way to build websites. Vibe coding is here to stay, and it's rapidly merging with WordPress, where agencies generate new plugins on demand and let AI generate website front-ends with React, while WordPress provides the "plumbing" and a stable backend CMS.
To secure WordPress websites in 2026 and beyond, we can't look at just WordPress anymore. The application-level attack surface of a WordPress website is going to be much larger than the WordPress core, plugins, and themes. To truly secure WordPress websites, we need to look deeper than ever before. We need to cover custom-coded plugins, have deep visibility into the JavaScript and PHP packages being used, and more.
While the attack surface is expanding, attackers are being equipped with AI that is increasingly capable of autonomously finding and exploiting security vulnerabilities. The same tools are also available to the defending side; however, not everything needs defending. "AI slop" security reports are causing overhead and noise for security teams at unprecedented levels. In 2026, every commercial WordPress plugin will need to have a vulnerability disclosure program (VDP) set up by law in order to make their software available to European users. Will they all have the resources to deal with the insane amount of incoming security reports? Probably not.
In 2026, everybody needs deep visibility into what their websites are made of and put automated security measures in place to mitigate new security vulnerabilities in less than five hours. Vulnerability Disclosure Programs (VDPs) need to become a standard not just for plugins, but also for websites, to make sure every vulnerability report is captured and goes through a process.