WordPress remains one of the most popular content management systems in the world, powering millions of websites, from blogs to major business platforms. But with popularity comes risk. Recent research highlights that WordPress sites are increasingly vulnerable to hacking, particularly through plugins and third-party components that can be exploited before site owners have a chance to act.

Patchstack, a leading WordPress security company, has released its latest State of WordPress Security report, revealing that attackers are now exploiting vulnerabilities almost immediately after they are disclosed. Traditionally, website administrators were assumed to have a window of time to assess, patch, and deploy fixes. However, that assumption no longer holds true in today’s fast-paced threat environment.

The report finds that approximately half of high-impact vulnerabilities are exploited within 24 hours of discovery. When weighted according to the intensity of exploitation, the median time for the first attack can be as little as five hours. This means that the most heavily targeted vulnerabilities are being used in real-world attacks almost immediately after they are discovered.

This accelerated timeline presents a challenge for WordPress site owners. Even a delay of a few hours in applying patches can leave a website exposed to automated attacks. For businesses relying on WordPress for e-commerce or customer engagement, the consequences of being compromised can be significant, ranging from data loss to reputational damage.

The report also highlights the scale of exposure within the WordPress ecosystem. In 2025, 11,334 new vulnerabilities were identified, marking a 42% increase from the previous year. While many of these vulnerabilities were found in free plugins, a substantial portion was in premium components sold through marketplaces such as Envato. Premium plugins often receive less scrutiny because their source code is not readily available to security researchers, meaning flaws can go unnoticed until exploited.

Patchstack’s data shows that 76% of vulnerabilities discovered in premium components were exploitable in real-world attacks. These included both automated mass attacks and more targeted exploits. Furthermore, its Zero Day testing program identified 33 highly critical vulnerabilities in premium plugins, compared to just 12 in free plugins, underlining that paid components are not inherently safer than free ones.

Another pressing concern is the delay in patch availability. Many plugin and theme developers fail to release timely fixes after vulnerabilities are discovered. Patchstack found that 46% of vulnerabilities did not have a patch immediately available, leaving site owners exposed precisely when the risk is greatest. Even web hosting providers’ security measures, such as web application firewalls, were found to block only a minority of attacks—just 26% in large-scale tests.

Older vulnerabilities remain a target as well. Attackers often continue exploiting previously disclosed weaknesses, meaning that sites running outdated plugin versions remain at risk. Some of the most targeted plugins include LiteSpeed Cache, Elementor Addons, and WooCommerce Payments, where older versions have not been updated to safe releases.

Attackers are also increasingly taking a persistent approach. Instead of performing one-off attacks, they establish long-term access through multi-stage intrusions. These attacks may embed malware within legitimate files or use sophisticated runtime techniques to avoid detection, making removal and recovery far more complex than simply deleting malicious files.
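The persistence pattern described above, where malware is hidden inside files that legitimately belong on the site, is the reason file-integrity baselining matters: a plain "delete the obvious malicious file" cleanup misses a modified core or plugin file. The script below is an added example written for this article, not Patchstack's tooling or code from the report. It hashes a constructed, in-memory snapshot of a few WordPress-style files, compares a later snapshot against that baseline, and reports modified, added and removed paths. The extra check for PHP files appearing under the uploads directory is a common hardening heuristic and an assumption of this example, not a finding from the report; all file names and contents are constructed.

```python
import hashlib
from typing import Dict, List

# Constructed in-memory snapshot taken right after a clean install/update.
# Paths and contents are hypothetical; a real run would read them from disk.
BASELINE_FILES: Dict[str, bytes] = {
    "wp-includes/functions.php": b"<?php\n// core helper functions\nfunction wp_example() { return 1; }\n",
    "wp-content/plugins/example-plugin/example-plugin.php": b"<?php\n/* Plugin Name: Example */\n",
    "wp-content/themes/example-theme/footer.php": b"<?php wp_footer(); ?>\n",
}

# Constructed later snapshot: one legitimate core file has had bytes appended
# (the "malware inside a legitimate file" case), one PHP file has appeared
# where only media uploads should live, and the other files are unchanged.
CURRENT_FILES: Dict[str, bytes] = {
    "wp-includes/functions.php": BASELINE_FILES["wp-includes/functions.php"]
    + b"\n/* constructed: unexpected appended code block */\n",
    "wp-content/plugins/example-plugin/example-plugin.php":
        BASELINE_FILES["wp-content/plugins/example-plugin/example-plugin.php"],
    "wp-content/themes/example-theme/footer.php":
        BASELINE_FILES["wp-content/themes/example-theme/footer.php"],
    "wp-content/uploads/2025/01/image.php": b"<?php /* constructed: php where only media belongs */\n",
}


def sha256_hex(data: bytes) -> str:
    """Content hash used for the baseline; SHA-256 so collisions are not a concern."""
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the hash of its content at baseline time."""
    return {path: sha256_hex(content) for path, content in files.items()}


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Classify every path as modified, added or removed relative to the baseline."""
    modified = sorted(p for p in baseline if p in current and sha256_hex(current[p]) != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def flag_php_in_uploads(added: List[str], prefix: str = "wp-content/uploads/") -> List[str]:
    """Hardening heuristic (assumption of this example): executable PHP under
    the uploads tree is never expected, so any such new file is worth a look."""
    return [p for p in added if p.startswith(prefix) and p.endswith((".php", ".phtml"))]


def run_check() -> Dict[str, List[str]]:
    """Build the baseline, diff the current snapshot against it, and add the uploads flag."""
    baseline = build_baseline(BASELINE_FILES)
    report = compare_to_baseline(baseline, CURRENT_FILES)
    report["php_in_uploads"] = flag_php_in_uploads(report["added"])
    return report


if __name__ == "__main__":
    for category, paths in run_check().items():
        print(f"{category}: {paths}")
```

The baseline only has value if it is captured from a known-clean state and stored somewhere the web server cannot write to; otherwise an attacker who already has persistence can refresh it along with the files.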

The expanding WordPress ecosystem adds another layer of complexity. Sites today often include custom-coded plugins, third-party JavaScript or PHP libraries, and AI-generated code. Each new component adds potential vulnerabilities that may bypass the standard WordPress update channels. Security is no longer just about keeping installed plugins and themes up to date—it now requires visibility across all aspects of the site’s codebase.

Patchstack emphasises that defending WordPress sites is now a race against time. Rapid detection, immediate patching, and comprehensive monitoring are critical. The report advises site owners to integrate vulnerability management into their workflow, prioritise high-risk components, and audit both free and premium plugins regularly. Delays, even of a few hours, can leave websites exposed to automated attacks that exploit known weaknesses.
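To make the advice above concrete (integrate vulnerability management into the workflow, prioritise high-risk components, act within hours rather than days), here is an added example of a triage routine; it is written for this article and is not Patchstack's code or any tool the report describes. It matches a constructed plugin inventory against a constructed advisory feed, decides which installs are actually affected by comparing version numbers against the fixed release, computes how long each flaw has been public, and orders the work so that flaws already exploited in the wild come first. The plugin names, dates, versions and the ranking rule are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    slug: str                   # plugin identifier the advisory refers to
    disclosed_at: datetime      # when the flaw became public
    fixed_in: Optional[str]     # first safe release, or None if no patch exists yet
    exploited_in_wild: bool     # whether attacks have already been observed
    severity: str               # "critical" | "high" | "medium" | "low"


@dataclass(frozen=True)
class InstalledPlugin:
    slug: str
    version: str
    premium: bool               # premium components get the same treatment as free ones


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.1.0' or '1.9-beta' into a tuple of ints; non-digits are ignored."""
    parts = []
    for piece in v.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b, padding with zeros so '1.2' and '1.2.0' compare equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def is_vulnerable(installed: str, fixed_in: Optional[str]) -> bool:
    """With no patch available every installed version is affected."""
    return True if fixed_in is None else version_lt(installed, fixed_in)


def triage(now: datetime, installed: List[InstalledPlugin], advisories: List[Advisory]) -> List[Dict]:
    """Return only the advisories that hit an installed, unpatched version, most urgent first."""
    by_slug = {p.slug: p for p in installed}
    findings: List[Dict] = []
    for adv in advisories:
        plugin = by_slug.get(adv.slug)
        if plugin is None or not is_vulnerable(plugin.version, adv.fixed_in):
            continue
        hours_public = (now - adv.disclosed_at).total_seconds() / 3600
        if adv.fixed_in is not None:
            action = f"update {adv.slug} to {adv.fixed_in} now"
        else:
            action = f"no patch for {adv.slug}: deactivate it or apply a virtual patch until a fix ships"
        findings.append({
            "slug": adv.slug, "installed": plugin.version, "premium": plugin.premium,
            "fixed_in": adv.fixed_in, "exploited_in_wild": adv.exploited_in_wild,
            "severity": adv.severity, "hours_since_disclosure": hours_public, "action": action,
        })
    # Ranking rule (assumption): in-the-wild exploitation first, then severity,
    # then the flaws that have been public longest, since exposure keeps growing.
    findings.sort(key=lambda f: (0 if f["exploited_in_wild"] else 1,
                                 SEVERITY_RANK.get(f["severity"], 9),
                                 -f["hours_since_disclosure"]))
    return findings


# Constructed inventory and advisory feed; every value here is hypothetical.
NOW = datetime(2025, 6, 2, 12, 0, tzinfo=timezone.utc)
INSTALLED = [
    InstalledPlugin("example-cache", "2.0.9", premium=False),
    InstalledPlugin("example-forms-pro", "4.3.0", premium=True),
    InstalledPlugin("example-gallery", "5.0.1", premium=False),
    InstalledPlugin("example-seo", "1.8.2", premium=False),
]
ADVISORIES = [
    Advisory("example-cache", datetime(2025, 6, 2, 6, 0, tzinfo=timezone.utc), "2.1.0", True, "high"),
    Advisory("example-forms-pro", datetime(2025, 5, 30, 12, 0, tzinfo=timezone.utc), None, False, "high"),
    Advisory("example-gallery", datetime(2025, 5, 3, 12, 0, tzinfo=timezone.utc), "5.0.1", True, "critical"),
    Advisory("example-seo", datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc), "1.9", True, "medium"),
]


def example_findings() -> List[Dict]:
    return triage(NOW, INSTALLED, ADVISORIES)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f['hours_since_disclosure']:7.1f}h public  {f['action']}")
```

Running it drops the gallery plugin (already on the fixed release) and orders the rest so the six-hour-old, actively exploited cache flaw is handled before the older, medium-severity one, with the unpatched premium form plugin listed with a mitigation rather than an update. In a real deployment the inventory would come from the site (WP-CLI or the admin API) and the advisories from a vulnerability feed, run on a schedule measured in hours.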

The report’s findings show that premium plugins, while often assumed to be safer, can present high exploitability risks. Limited visibility into premium marketplaces means that security flaws are harder to detect and patch, reinforcing the importance of vigilance and proactive security measures.

Site administrators must also remain aware of older vulnerabilities and ensure all components, including third-party code, are kept up to date. Attackers are persistent and adaptable, often targeting weaknesses that remain unpatched for months or even years.

Looking ahead to 2026, Patchstack predicts that the WordPress attack surface will continue to grow. Websites are incorporating more custom-built functionality, third-party dependencies, and even AI-generated code, all of which need to be included in any security strategy. Defending against these threats requires a holistic approach, considering not just installed plugins and themes but the entire ecosystem of code running on a site.

In conclusion, WordPress security is becoming an increasingly complex challenge. Site owners can no longer rely solely on timely patches to defend against attacks. Continuous monitoring, prompt patching, auditing of all components, and understanding the potential risks of premium and custom code are essential to protecting websites from modern hacking threats.

The message is clear: in today’s environment, speed, awareness, and proactive action are the keys to keeping WordPress sites secure. Hackers are moving faster than ever, and site owners must match their pace to safeguard data, maintain functionality, and protect their users.

 

 
