WordPress itself isn't the problem. Plugins are.
Let me be fair upfront: WordPress core — the base software itself — is reasonably well-maintained. The team behind it takes security seriously, and vulnerabilities in the core are relatively rare. In 2024, only 7 vulnerabilities were found in WordPress core itself, and none were severe enough to pose a serious risk to most sites.
The problem is everything bolted onto it.
Security research firm Patchstack tracked 7,966 new vulnerabilities across the WordPress ecosystem in 2024, a 34% increase over 2023. Of those, 96% were in third-party plugins and 4% in themes; the seven in core are less than 0.1% of the total. [1]
That's not a rounding error. That's a structural problem with how WordPress works.
WordPress on its own does very little. To build a functional business website you typically need plugins for contact forms, SEO, caching, backups, e-commerce, analytics, security scanning, SMTP email, sliders, galleries, booking systems, and so on. A modest small business site might have 15–25 plugins installed. Each one is written and maintained by a different developer, to a different standard, on a different update schedule — and each one is a potential entry point for an attacker.
The numbers that should concern every WordPress site owner
Some statistics that are worth sitting with:
- 43% of WordPress vulnerabilities in 2024 required no authentication to exploit — meaning an attacker needed no login, no credentials, no prior access. They just needed to find your site and fire a request at it. [2]
- 57.6% of vulnerabilities could be exploited automatically by anyone, at scale, with no technical skill — because the attacks are scripted and run against millions of sites simultaneously. [3]
- 35% of vulnerabilities disclosed in 2024 still had no patch available in 2025, meaning the plugin developer either abandoned the project, moved slowly, or simply never fixed it. If you're running that plugin, there is no update you can apply. Your only safe option is to delete it, not merely deactivate it: a deactivated plugin's files stay on the server, and any of them that can be requested directly is still reachable by an attacker. [4]
- More than half of plugin developers failed to patch reported vulnerabilities before public disclosure in 2024 — meaning the vulnerability was published for attackers to read before a fix was available. [1]
- Wordfence blocked 55 billion password attack attempts in 2024 against WordPress sites. Automated bots scan the entire internet constantly, trying known credentials against every WordPress login page they can find. [4]
Sucuri, a web security firm, observed over 500,000 websites become infected in 2024 — and that's just the infections they could see. WordPress core, plugin, and theme vulnerabilities were responsible for close to half of those malware infections. [1]
Real attacks on real plugins you've probably heard of
This isn't abstract. These are plugins used by hundreds of thousands of real businesses:
- WPForms (6 million+ active installations) — a missing authorisation vulnerability allowed attackers to issue payment refunds and cancel subscriptions without admin access. Discovered October 2024.
- WP File Manager (700,000+ installations) — a critical remote code execution flaw (CVSS score 9.9 out of 10) allowed unauthenticated attackers to upload PHP files and gain complete server control. No login required.
- GiveWP (100,000+ installations, used by non-profits for donations) — a PHP object injection vulnerability could lead to full site takeover via insecure deserialization of donation form parameters. [5]
- Post SMTP (400,000+ installations) — a 2025 flaw let unauthenticated attackers read password-reset emails and take over any account on the site, including admin. Over 4,500 attacks were blocked in the first 24 hours after disclosure. [4]
The pattern is always the same: a popular, widely-trusted plugin has a flaw. Attackers discover or purchase the exploit. Automated scanners probe millions of WordPress sites simultaneously within hours or days of disclosure. Sites that haven't updated are compromised. The site owner often doesn't know for weeks.
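The GiveWP entry above names the flaw class that a custom PHP site can just as easily reintroduce: PHP object injection through unserialize() on user-controlled input. The following is an added example written for this page, not code from GiveWP or any other plugin named here. The class names, the hidden-field round trip and the attacker payload are all constructed for the demonstration; it shows the vulnerable pattern, the one-argument fix, and the safer JSON alternative.

```php
<?php
// Added example, not code from GiveWP or any plugin named in the article.
// Shows how PHP object injection works when user-controlled data reaches
// unserialize(), and two ways to close it. Every class and value here is
// constructed for the demonstration. Run with: php object-injection.php
declare(strict_types=1);

final class GadgetTrace
{
    /** @var string[] Records what a gadget *would* have done. */
    public static array $events = [];
}

// A class that legitimately exists somewhere in the application, say a logger.
// Its destructor runs whenever an instance is garbage-collected, including
// instances that unserialize() built from attacker-supplied bytes.
final class LogWriter
{
    public string $path = '/var/log/app.log';
    public string $line = '';

    public function __destruct()
    {
        // A real gadget would call file_put_contents($this->path, $this->line).
        GadgetTrace::$events[] = "would write to {$this->path}: {$this->line}";
    }
}

// Vulnerable: form state is round-tripped through a hidden field and rebuilt
// with unserialize(). Whoever submits the form chooses every byte.
function restore_form_state_vulnerable(string $hidden_field): mixed
{
    return unserialize((string) base64_decode($hidden_field));
}

// Hardened: same storage format, but objects are never instantiated.
// allowed_classes => false turns any object into __PHP_Incomplete_Class,
// whose magic methods (__wakeup, __destruct, __toString, ...) never run.
function restore_form_state_hardened(string $hidden_field): mixed
{
    $raw = base64_decode($hidden_field, true);
    return $raw === false ? null : unserialize($raw, ['allowed_classes' => false]);
}

// Better still: do not use PHP serialization for untrusted input at all.
// Decode JSON and keep only the scalar fields the form actually needs.
function restore_form_state_json(string $hidden_field): ?array
{
    $data = json_decode($hidden_field, true, 8);
    if (!is_array($data)) {
        return null;
    }
    $amount   = $data['amount'] ?? 0;
    $currency = (string) ($data['currency'] ?? '');
    return [
        'amount'   => is_numeric($amount) ? max(0.0, (float) $amount) : 0.0,
        'currency' => preg_match('/^[A-Z]{3}$/', $currency) ? $currency : 'USD',
    ];
}

// --- Demonstration -----------------------------------------------------------

// Constructed attacker payload: a serialized LogWriter whose path and line the
// attacker chose. No account is needed; this is just a request body.
$crafted = new LogWriter();
$crafted->path = '/var/www/html/wp-content/uploads/x.php';
$crafted->line = '<?php /* attacker-chosen PHP */';
$payload = base64_encode(serialize($crafted));
unset($crafted);              // its destructor fires here too; discard that event
GadgetTrace::$events = [];

restore_form_state_vulnerable($payload); // object built, then destroyed: gadget runs
echo 'vulnerable: ' . implode('; ', GadgetTrace::$events) . PHP_EOL;

GadgetTrace::$events = [];
$obj = restore_form_state_hardened($payload);
printf("hardened:   %s, gadget events: %d\n", get_class($obj), count(GadgetTrace::$events));

var_dump(restore_form_state_json($payload));                           // not JSON: null
var_dump(restore_form_state_json('{"amount":"25.00","currency":"GBP"}'));
```

The hardened variant is the minimal patch for code that must keep reading existing serialized data; the JSON variant is what a new custom site should do from the start, because it never gives the request a way to name a class at all.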
What happens when your WordPress site gets hacked
This is the part agencies and WordPress evangelists rarely talk about in detail.
When a WordPress site is compromised, the attacker's goal is usually not to deface it immediately — that would alert you too quickly. Instead, they typically install hidden malware that quietly does one or more of the following:
- Redirects visitors to phishing or malware sites (particularly from mobile devices or search traffic)
- Injects spam links into your pages to boost other sites' SEO — damaging your own rankings
- Harvests customer data — email addresses, form submissions, payment details
- Uses your server to send spam email, getting your domain blacklisted
- Installs a backdoor so they can return even after you "clean" the site
- Recruits your server into a botnet used to attack other sites
Wordfence's research found that in 2023, malware actively tampered with or disabled security plugins — including Wordfence itself — in 14% of compromised sites, to stay hidden longer. Your security plugin is not a guaranteed safety net. [1]
By the time you find out, the damage to your reputation, your search rankings, and your customer trust is often already done.
The performance problem nobody mentions until it's too late
Security aside, plugins have a second serious problem: they make sites slow.
Every plugin adds PHP code that runs on every page load, database queries that add milliseconds each, CSS and JavaScript files that the visitor's browser has to download, and often third-party requests to external servers for analytics, fonts, or tracking. A site with 20 plugins might be making 40 external requests before it finishes loading.
Page speed is a Google ranking factor. If your site takes 4–5 seconds to load on mobile — which is common for heavily-plugged WordPress sites — you are losing search rankings, losing visitors, and losing conversions. Studies consistently show that conversion rates drop significantly for every additional second of load time.
I regularly audit WordPress sites that score 30–45 out of 100 on Google PageSpeed. A well-built custom PHP site, with no plugin overhead, routinely scores 95+. That difference is visible to users and measurable in enquiry rates.
The update treadmill
Running WordPress responsibly means staying on top of updates — core, themes, and every single plugin — essentially forever. Miss an update for a month and you may have a known, publicly-disclosed vulnerability sitting open on your site.
But updates aren't risk-free either. Plugin updates can conflict with each other, break your theme, change functionality you depended on, or simply introduce new bugs. The only way to update safely is to take a fresh backup and test on a staging site first, which most small business owners don't have and most agencies don't set up for them.
So you're in a difficult position: don't update and you're exposed to known exploits; update carelessly and you might break your own site. This is a tax you pay every month, forever, for as long as you run WordPress.
When WordPress is and isn't the right choice
I don't have an ideological objection to WordPress. I've built WordPress sites and I'll build them again when they're the right tool. For certain use cases — particularly content-heavy publishing sites with multiple contributors, or when a client specifically needs the WordPress editor — it can make sense.
What it isn't is the automatic right answer for every small business website, which is how most agencies treat it. It's the automatic right answer for agencies because it's fast to deploy, easy to hand to a junior developer, and generates ongoing maintenance revenue when things go wrong.
For most small business websites (a services site, a portfolio, a booking page, a contact form, even a modest e-commerce setup) a custom-built PHP application is faster, more secure, cheaper to run long-term, and requires no plugin ecosystem to maintain. The update treadmill shrinks to PHP and the server stack, because there are no third-party plugins, each on its own release schedule. There's no attack surface from 20 different codebases of varying quality. There's no licence that expires or theme company that goes out of business.
You own the code outright. It does exactly what your business needs. Nothing more, nothing less.
What to ask if you're already on WordPress
If your business is currently running a WordPress site, here are the questions worth asking — either yourself or whoever manages it:
- How many plugins are installed, and when was each last updated? Anything more than 60 days without an update on an active plugin is a yellow flag.
- Are any plugins abandoned? Check each plugin's page in the WordPress plugin directory: it shows when the plugin was last updated and which WordPress version it was tested with, and it warns when a plugin hasn't been tested with recent major releases.
- What's your backup situation? Daily automated backups, stored off-server, that have actually been tested with a restore. If the answer is "I think the host does something," that's not enough.
- What's your PageSpeed score? Go to pagespeed.web.dev and type in your URL. If mobile is below 70, it's worth investigating.
- Is WordPress core up to date? And the theme, and the PHP version the host runs (end-of-life PHP releases get no security fixes)? All three are attack surfaces.
- Do you have two-factor authentication on every administrator account, and is the login page rate-limited? Given that Wordfence blocked 55 billion password attacks in 2024, this is not optional.
If any of those answers make you uncomfortable, it's worth getting a proper audit done before something goes wrong rather than after.
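The first two questions and the core-version question can be answered from the server without logging in to the dashboard. The script below is an added example for this page, not a tool the article or WordPress ships: it reads each plugin's header block for name and version, the plugin's readme.txt for "Tested up to", and wp-includes/version.php for the installed core version. The 60-day threshold is the yellow flag from the list above; the fixture it builds when run without an argument is constructed sample data.

```php
<?php
// Added example, not from the article: a stand-alone inventory of the plugins
// on a WordPress install. It reads each plugin's header block for name and
// version, readme.txt for "Tested up to", and compares that with the core
// version from wp-includes/version.php. Directory mtime stands in for "last
// updated" (WordPress replaces the directory on update, but a manual edit
// resets it too, so treat it as a hint, not proof).
// Run: php plugin-audit.php /var/www/html
// With no argument it builds a constructed fixture in a temp directory instead.
declare(strict_types=1);

/** Extract "Key: value" header fields the way WordPress reads plugin headers. */
function header_fields(string $source, array $keys): array
{
    $head = substr($source, 0, 8192);
    $out = [];
    foreach ($keys as $key) {
        if (preg_match('/^[ \t\/*#@]*' . preg_quote($key, '/') . ':(.*)$/mi', $head, $m)) {
            $out[$key] = trim($m[1]);
        }
    }
    return $out;
}

/** "6.7.1" -> "6.7": plugins declare compatibility per major.minor release. */
function major_minor(string $version): string
{
    $parts = explode('.', $version);
    return $parts[0] . '.' . ($parts[1] ?? '0');
}

function installed_core_version(string $root): ?string
{
    $src = @file_get_contents($root . '/wp-includes/version.php');
    return $src !== false && preg_match('/\$wp_version\s*=\s*\'([^\']+)\'/', $src, $m) ? $m[1] : null;
}

function audit_plugins(string $root, int $maxAgeDays = 60): array
{
    $core = installed_core_version($root);
    $rows = [];
    foreach (glob($root . '/wp-content/plugins/*', GLOB_ONLYDIR) ?: [] as $dir) {
        $header = [];
        foreach (glob($dir . '/*.php') ?: [] as $file) {
            $h = header_fields((string) file_get_contents($file), ['Plugin Name', 'Version', 'Requires at least']);
            if (isset($h['Plugin Name'])) { $header = $h; break; }
        }
        if ($header === []) {
            continue; // no plugin header: not a plugin directory
        }
        $readme  = is_file("$dir/readme.txt") ? header_fields((string) file_get_contents("$dir/readme.txt"), ['Tested up to']) : [];
        $tested  = $readme['Tested up to'] ?? null;
        $ageDays = (int) floor((time() - (int) filemtime($dir)) / 86400);

        $flags = [];
        if ($ageDays > $maxAgeDays) {
            $flags[] = "unchanged on disk for {$ageDays} days";
        }
        if ($tested === null) {
            $flags[] = 'no "Tested up to" in readme.txt';
        } elseif ($core !== null && version_compare(major_minor($tested), major_minor($core), '<')) {
            $flags[] = "tested up to {$tested}, core is {$core}";
        }
        $rows[] = ['name' => $header['Plugin Name'], 'version' => $header['Version'] ?? '?', 'flags' => $flags];
    }
    return $rows;
}

/** Constructed fixture: a WordPress-shaped tree with one current and one stale plugin. */
function make_fixture(): string
{
    $root = sys_get_temp_dir() . '/wp-audit-' . bin2hex(random_bytes(4));
    mkdir("$root/wp-includes", 0700, true);
    file_put_contents("$root/wp-includes/version.php", "<?php\n\$wp_version = '6.7.1';\n");

    mkdir("$root/wp-content/plugins/fresh-forms", 0700, true);
    file_put_contents("$root/wp-content/plugins/fresh-forms/fresh-forms.php",
        "<?php\n/**\n * Plugin Name: Fresh Forms\n * Version: 2.3.0\n * Requires at least: 6.0\n */\n");
    file_put_contents("$root/wp-content/plugins/fresh-forms/readme.txt", "=== Fresh Forms ===\nTested up to: 6.7\n");

    $stale = "$root/wp-content/plugins/old-slider";
    mkdir($stale, 0700, true);
    file_put_contents("$stale/old-slider.php", "<?php\n/*\nPlugin Name: Old Slider\nVersion: 1.0.4\n*/\n");
    file_put_contents("$stale/readme.txt", "=== Old Slider ===\nTested up to: 5.8\n");
    touch($stale, time() - 400 * 86400); // directory last changed over a year ago
    return $root;
}

$root = $argv[1] ?? make_fixture();
printf("Core: %s\n", installed_core_version($root) ?? 'unknown');
foreach (audit_plugins($root) as $row) {
    printf("%-24s %-8s %s\n", $row['name'], $row['version'],
        $row['flags'] ? 'FLAG: ' . implode('; ', $row['flags']) : 'ok');
}
```

Whatever this flags still has to be checked against the plugin's page in the WordPress directory, which is the only place the real last-updated date lives; the script just tells you which of your 15 to 25 plugins deserve that look first.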
References
- Patchstack (2025). State of WordPress Security in 2025. patchstack.com
- SecurityWeek (2025). 8,000 New WordPress Vulnerabilities Reported in 2024. securityweek.com
- Patchstack (2025). 2025 Mid-Year Vulnerability Report. patchstack.com
- Security Boulevard (2025). WordPress Vulnerability Scanner Reveals How Exposed Your Website Really Is. securityboulevard.com
- BleepingComputer (2025). The 4 WordPress Flaws Hackers Targeted the Most in Q1 2025. bleepingcomputer.com
Worried about your WordPress site — or ready to leave it behind?
I offer a free 15-minute consultation. No sales pitch — just an honest assessment of your situation and what your options actually are.
Book a Free Consultation
Or email rolf@lampdatabase.com — average reply time: under 30 minutes.