WordPress runs roughly 43% of all websites on the internet, and that kind of adoption makes it a permanent target. Attackers do not care about the size of your site or the industry you operate in. They care about the path of least resistance, and WordPress sites that run stale plugins, weak passwords, and default configurations give them exactly that. The numbers confirm it. Patchstack found 11,334 new vulnerabilities in the WordPress ecosystem in 2025, which was a 42% increase over the prior year (patchstack.com/whitepaper/state-of-wordpress-security-in-2026/). Plugins alone accounted for 91% of those vulnerabilities. So the question is not if your WordPress site will be probed, but how prepared you are when it happens.
This article covers what you need to do at the server level, inside your WordPress admin panel, and across your update and maintenance routines to keep your site locked down.

Your Server Does Half the Work Before You Log In
Most WordPress hardening guides start at the application layer, but a large portion of attacks target the infrastructure underneath it. A server running an outdated PHP version, lacking proper file permission controls, or missing a web application firewall gives attackers a way in before any plugin vulnerability comes into play. Choosing secure WordPress hosting, keeping PHP updated, and enabling server-side malware scanning all reduce the attack surface at a level your WordPress dashboard cannot reach.
Patchstack reported that 20% of heavily exploited vulnerabilities were attacked within six hours of disclosure (patchstack.com/whitepaper/state-of-wordpress-security-in-2026/). That window is too small for manual response, which makes automated server-level protections and patching policies a baseline requirement rather than an upgrade.
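The three server-level checks this section names (PHP version, file permissions, and the readability of wp-config.php) can be scripted so they run on a schedule rather than from memory. The script below is an added example, not code from the article; it assumes a standard install layout with wp-config.php in the document root, and the MIN_PHP floor is a placeholder you should replace with the current supported-versions line from php.net.

```shell
#!/bin/sh
# Added example, not code from the article: audit a WordPress document root for
# the server-level weaknesses this section names (stale PHP, loose file
# permissions, an exposed wp-config.php). Assumptions: MIN_PHP is a placeholder
# floor (check php.net/supported-versions for the current one), and the install
# has the standard layout with wp-config.php in the document root.

MIN_PHP=${MIN_PHP:-8.1}   # assumed minimum, not a figure from the article

# version_ge A B -> succeeds when A >= B, comparing major.minor only
version_ge() {
    a_major=${1%%.*}; b_major=${2%%.*}
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*} ;; *) a_minor=0 ;; esac
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*} ;; *) b_minor=0 ;; esac
    if [ "$a_major" -gt "$b_major" ]; then return 0; fi
    if [ "$a_major" -lt "$b_major" ]; then return 1; fi
    if [ "$a_minor" -ge "$b_minor" ]; then return 0; else return 1; fi
}

# find_world_writable DIR -> lists files and directories any local user can
# modify; -perm -0002 is the POSIX spelling of "other-write bit set".
# A world-writable plugin or theme directory lets any other compromised
# process on the host alter code the web server will execute.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# config_exposed FILE -> succeeds when FILE is readable by group or others.
# wp-config.php holds the database credentials and the auth salts, so only
# the web server's own user should be able to read it.
config_exposed() {
    find "$1" \( -perm -0040 -o -perm -0004 \) -print | grep -q .
}

# audit_docroot DIR [PHP_VERSION] -> prints findings; returns 1 when anything
# was found, 0 when clean. PHP_VERSION defaults to the local php binary's.
audit_docroot() {
    dir=$1
    findings=0
    php_ver=${2:-$(php -r 'echo PHP_VERSION;' 2>/dev/null || true)}

    if [ -n "$php_ver" ]; then
        if version_ge "$php_ver" "$MIN_PHP"; then
            echo "ok: PHP $php_ver meets the assumed floor $MIN_PHP"
        else
            echo "FINDING: PHP $php_ver is below the assumed floor $MIN_PHP"
            findings=$((findings + 1))
        fi
    fi

    if [ -f "$dir/wp-config.php" ] && config_exposed "$dir/wp-config.php"; then
        echo "FINDING: $dir/wp-config.php is readable by group or others"
        findings=$((findings + 1))
    fi

    ww=$(find_world_writable "$dir" | wc -l | tr -d ' ')
    if [ "$ww" -gt 0 ]; then
        echo "FINDING: $ww world-writable path(s) under $dir:"
        find_world_writable "$dir" | sed 's/^/  /'
        findings=$((findings + ww))
    fi

    if [ "$findings" -eq 0 ]; then
        echo "clean: no findings under $dir"
        return 0
    fi
    return 1
}

# Real use (the path is an assumption): WP_DOCROOT=/var/www/html sh wp-server-audit.sh
if [ -n "${WP_DOCROOT:-}" ]; then
    audit_docroot "$WP_DOCROOT"
fi
```

Run it from cron on the web server and alert on a non-zero exit; the version check intentionally takes the PHP version as an optional argument so the same script can be pointed at a host's installed version from a config management run.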
Plugins Are the Weak Point, So Treat Them Like One
Of the 11,334 vulnerabilities reported in 2025, cross-site scripting made up 41.52%, broken access control represented 13.42%, and cross-site request forgery followed closely at 13.40%. SQL injection, while a smaller slice at 5.91%, remains one of the more damaging attack types when it succeeds. Nearly all of these vulnerabilities were found in plugins and themes, with plugins holding the overwhelming share.
You need to audit your plugin list regularly. Remove anything you are not actively using. A deactivated plugin still has its files on the server, and those files can still be exploited. Before installing a new plugin, check when it was last updated, read the changelog, and look at the support forum activity. Abandoned plugins are liabilities.
Patchstack also noted a rise in AI-generated code appearing in plugins throughout 2024, with security issues cropping up where authors were either careless or placed too much trust in the output (patchstack.com/whitepaper/state-of-wordpress-security-in-2026/). If the plugin author did not write the code carefully, you inherit that risk the moment you install it.
Limit Who Can Do What
WordPress ships with multiple user roles, and too many site owners hand out administrator access without thinking twice. Every admin account is a potential entry point. Assign the lowest permission level that allows each person to complete their work. Contributors do not need admin access, and editors do not need to manage plugins.
Enforce strong, unique passwords across all accounts. Use a password manager if needed, and require 2-factor authentication for every user with publishing or administrative privileges. Brute-force attacks against the WordPress login page are constant, and weak credentials remain the easiest way in.
Keep Everything Updated, Including the Small Stuff
The weighted median time to first exploitation for heavily targeted vulnerabilities was 5 hours, according to Patchstack. That means once a flaw is publicly known, attackers begin using it the same day. Automatic updates for minor WordPress core releases should be enabled. For plugins and themes, set up a process that checks for and applies updates daily if automatic updates are not feasible.
Themes deserve the same attention as plugins. They accounted for 9% of all reported vulnerabilities in 2025. A theme you installed 3 years ago and forgot about still runs code on every page load.
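The plugin audit described earlier (remove what is inactive, because deactivated files are still on disk) and the daily update check described in this section are the same job run over the same inventory, so one script covers both. The example below is added here and is not the article's code: it reads the CSV that WP-CLI's `wp plugin list --fields=name,status,update,version --format=csv` prints, and the sample rows and the WP_PATH site path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the article's code: audit the plugin inventory that WP-CLI
# prints, flagging the two conditions the article calls out: plugins that are
# inactive (their files are still on disk and still reachable) and plugins with
# an update available. Input is the CSV that
#   wp plugin list --fields=name,status,update,version --format=csv
# produces; the SAMPLE_PLUGINS rows below are constructed for illustration and
# the site path in the real-use block is an assumption.

SAMPLE_PLUGINS='name,status,update,version
akismet,active,none,5.3
classic-editor,inactive,none,1.6.3
contact-form-7,active,available,5.9.3
hello,inactive,available,1.7.2
wordfence,active,none,7.11.6'

# filter_plugins COLUMN VALUE -> reads the CSV on stdin and prints the name of
# every row whose COLUMN equals VALUE. Column positions are taken from the header
# row, so the script does not break if WP-CLI reorders fields. (WP-CLI only
# quotes fields containing commas, which plugin names and versions never do.)
filter_plugins() {
    awk -F, -v col="$1" -v want="$2" '
        NR == 1 { for (i = 1; i <= NF; i++) idx[$i] = i; next }
        $(idx[col]) == want { print $(idx["name"]) }
    '
}

inactive_plugins() { filter_plugins status inactive; }
outdated_plugins() { filter_plugins update available; }

# audit_plugins -> reads the CSV on stdin, prints a report with the WP-CLI
# command that resolves each finding; returns 1 when action is needed, 0 if clean
audit_plugins() {
    csv=$(cat)
    inactive=$(printf '%s\n' "$csv" | inactive_plugins)
    outdated=$(printf '%s\n' "$csv" | outdated_plugins)
    rc=0
    if [ -n "$inactive" ]; then
        echo "inactive plugins (files still on disk; delete unless you have a reason to keep them):"
        printf '%s\n' "$inactive" | sed 's/^/  wp plugin delete /'
        rc=1
    fi
    if [ -n "$outdated" ]; then
        echo "updates available (apply today; exploitation of disclosed flaws starts within hours):"
        printf '%s\n' "$outdated" | sed 's/^/  wp plugin update /'
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "plugin inventory clean: nothing inactive, nothing outdated"
    fi
    return "$rc"
}

# Real use (WP_PATH is an assumption). The same script works for themes with
# `wp theme list`, which prints the same columns.
if [ -n "${WP_PATH:-}" ] && command -v wp >/dev/null 2>&1; then
    wp --path="$WP_PATH" plugin list --fields=name,status,update,version --format=csv | audit_plugins
fi
```

The script prints the remediation commands rather than running them, so a daily cron job can mail the report for review; where automatic updates are acceptable, `wp plugin update --all` and `wp core update --minor` (the minor-release-only core update the section recommends) are the commands to schedule instead.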
Backups Will Save You When Nothing Else Does
No security setup is perfect. A reliable backup system means that even if your site gets compromised, you can restore it to a known good state quickly. Store backups off-site, separate from your web server, and test the restoration process at least once every few months. A backup you have never tested is a backup you cannot trust.
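"Test the restoration process" is easy to say and rarely scripted. The following is an added example, not the article's code: it archives a site directory with a checksum manifest, then proves the archive restores by unpacking it into a scratch directory and comparing every file against the manifest. All paths are assumptions, and the database export in the real-use block relies on WP-CLI's `wp db export`, so it only runs when a live install path is given.

```shell
#!/bin/sh
# Added example, not code from the article: take a backup of a WordPress
# directory together with a checksum manifest, then prove the backup restores
# by unpacking it into a scratch directory and comparing every file's checksum
# against the manifest. Paths are assumptions; the database export in the
# real-use block uses WP-CLI's `wp db export` and only runs against a live
# install, which is why it is gated on WP_PATH.

# manifest_of DIR -> one "crc size ./path" line per regular file, sorted, so two
# directory trees can be compared with cmp. cksum is POSIX; swap in sha256sum
# where it is available.
manifest_of() {
    ( cd "$1" && find . -type f -exec cksum {} + | sort )
}

# make_backup SRC_DIR OUT_DIR -> writes OUT_DIR/site-<timestamp>.tar plus a
# .manifest file next to it and prints the archive path
make_backup() {
    src=$1; out=$2
    archive="$out/site-$(date +%Y%m%d-%H%M%S).tar"
    manifest_of "$src" > "$archive.manifest"
    tar -cf "$archive" -C "$src" .
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> restores the archive into a scratch directory and
# compares the result with the manifest; returns 0 only if every file matches.
# Run this against the off-site copy, not the one on the web server: the
# off-site copy is the one you will actually restore from after a compromise.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d)
    rc=1
    if tar -xf "$archive" -C "$scratch" && manifest_of "$scratch" > "$scratch.manifest" \
        && cmp -s "$archive.manifest" "$scratch.manifest"; then
        echo "restore verified: $archive"
        rc=0
    else
        echo "RESTORE FAILED: $archive does not match its manifest"
        [ -f "$scratch.manifest" ] && diff "$archive.manifest" "$scratch.manifest" || true
    fi
    rm -rf "$scratch" "$scratch.manifest"
    return "$rc"
}

# Real use (paths are assumptions): stage the database dump outside the web
# root, archive files and dump together, verify, then ship the archive off-site.
if [ -n "${WP_PATH:-}" ] && command -v wp >/dev/null 2>&1; then
    stage=$(mktemp -d)
    wp --path="$WP_PATH" db export "$stage/database.sql"
    cp -R "$WP_PATH" "$stage/files"
    archive=$(make_backup "$stage" "${BACKUP_DIR:-/var/backups/wordpress}")
    verify_backup "$archive"
    rm -rf "$stage"
fi
```

The manifest is the point: a backup job that only checks the archive exists will happily report success on a truncated or partially written file, whereas a checksum comparison after a real extraction catches that, and the same verify step can be run periodically against the off-site copy to satisfy the "test it every few months" rule.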

Incoming Regulatory Pressure
The European Union’s Cyber Resilience Act introduces requirements starting in 2026. By September of that year, open-source developers, including plugin and theme authors, will need formal processes to notify authorities and users about actively exploited or severe vulnerabilities (digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act). This means the plugin ecosystem itself is going to be held to a higher reporting standard, which should eventually improve response times across the board. But until that takes full effect, the responsibility sits with you as the site owner.
What You Should Do This Week
Review your plugin list and remove anything inactive. Update PHP to a supported version. Turn on 2-factor authentication for all admin accounts. Confirm your backups run on schedule and that you can actually restore from them. These are small steps that close the most common gaps, and they take an afternoon at most.

