WordPress is the internet's most popular target
WordPress powers 43% of all websites on the internet. It runs everything from the corner bakery's menu page to major news publications. It is easy to use, massively extensible, and completely ubiquitous.
It is also the most attacked platform on the web. Not because it is inherently insecure, but because attackers have built industrialised tools specifically designed to exploit the most common WordPress vulnerabilities at scale.
"The economics of WordPress attacks are simple: the same vulnerability can be exploited across millions of sites simultaneously using automated tools. A single unpatched plugin version can give attackers access to tens of thousands of websites in a single campaign."
— PwC UK, Cyber Threat Intelligence Report, 2025
The five WordPress vulnerabilities attackers love most
Outdated plugins with known CVEs
When a vulnerability is published in a popular plugin (WooCommerce, Yoast SEO, Contact Form 7, Elementor), attackers write automated tools to exploit it within hours. The most commonly exploited plugins in 2025 are installed on millions of sites and often not updated promptly.
Outdated WordPress core
In our audits, 34% of WordPress sites were running a version with at least one known security vulnerability. Running two or three versions behind is an open invitation.
The exposed /wp-admin login page
By default, every WordPress site serves its login form at yourdomain.com/wp-login.php, and yourdomain.com/wp-admin redirects there for anyone not yet logged in. Every attacker knows this. Automated brute-force tools post thousands of username/password combinations per hour to that endpoint, against every reachable WordPress site they can find, yours included.
Default or weak admin credentials
For years the WordPress installer pre-filled the first administrator's username as "admin", and it remains the first username every brute-force tool tries. Incredibly, a significant proportion of WordPress sites still use it. Combined with a weak password, this is not so much a vulnerability as an unlocked door with a sign that says "Please come in."
Outdated PHP version
PHP 7.4, which reached end-of-life in 2022, is still running on an alarming number of UK WordPress sites. End-of-life means no more security patches — ever.
Go to your WordPress admin and navigate to Dashboard → Updates. If you see any core, plugin, or theme updates waiting, those are potential vulnerabilities that need addressing today.
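Brute-force attempts against the login page described above leave a clear trace in the web-server access log: bursts of POST requests to /wp-login.php (the form that /wp-admin redirects to) from one client IP, each answered with a 200 because the form re-renders with an error, while a successful login is answered with a 302 to /wp-admin/. The detector below is an added example written for this article, not the page's own tooling; it parses combined-format log lines, keeps a sliding window of failed login POSTs per IP, and reports IPs that hit a threshold. The log lines, the IP addresses (documentation ranges) and the timestamps are constructed for the example.

```python
"""Spot login brute-forcing in a web-server access log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/wp-login.php"


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop ?action=... / ?redirect_to=...
        "status": int(m.group("status")),
    }


def find_bruteforce(lines, threshold=10, window_seconds=60, failed_only=True):
    """Return {ip: peak number of login POSTs seen inside any window} for IPs at or over threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        if failed_only and rec["status"] != 200:
            continue                # 302 means the credentials were accepted, not a failure
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()             # expire attempts older than the window
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def _line(ip, second, method, path, status):
    """Build a constructed combined-format log line for the sample below."""
    return (f'{ip} - - [12/Mar/2025:10:15:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4096 "-" "Mozilla/5.0"')


# Constructed sample: one genuine login from 198.51.100.4, then 12 failed
# attempts in 22 seconds from 203.0.113.7 (both are documentation-range IPs).
SAMPLE_LOG = (
    [_line("198.51.100.4", 1, "GET", "/wp-login.php", 200),
     _line("198.51.100.4", 9, "POST", "/wp-login.php", 302)]
    + [_line("203.0.113.7", s, "POST", "/wp-login.php?action=login", 200)
       for s in range(20, 44, 2)]
    + [_line("203.0.113.7", 45, "GET", "/wp-admin/", 302)]
)

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed login POSTs inside a 60 s window")
```

On the sample, the genuine user never trips the detector (one POST, and it succeeded) while 203.0.113.7 is reported with 12 failed attempts. The same counting is what a rate-limiting plugin or a fail2ban jail does in real time; run over historical logs it tells you whether the attacks the article describes are already hitting your site.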
What attackers actually do once they're in
People often ask: why would anyone want to hack my small business website? The answer is almost never "because they want your specific data." It is usually one of the following:
- Inject malware or phishing pages — your site becomes a tool for attacking others
- Add hidden links to boost SEO rankings for gambling or pharmaceutical spam sites
- Use your server to send spam email campaigns
- Mine cryptocurrency using your server's processing power
- Steal customer data for identity theft or sale
The WordPress security checklist
What we check in every WordPress audit:
- WordPress core is on the latest stable version with auto-updates enabled
- All plugins are updated to their latest versions
- No plugins have been abandoned by their developer (check last update date)
- PHP version is 8.2 or higher
- The default admin username has been changed from "admin"
- Two-factor authentication is enabled on all admin accounts
- Login attempts are rate-limited (Wordfence or equivalent)
- WP_DEBUG and WP_DEBUG_DISPLAY are set to false in the production environment, so PHP errors (which can reveal file paths and database details) are never rendered to visitors
- wp-config.php, which holds the database credentials and authentication salts, is not publicly readable
- Debug log files are not publicly accessible: with WP_DEBUG_LOG set to true, WordPress writes to wp-content/debug.log, inside the web root, unless it is given a path outside it
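Several of the checklist items above can be verified from the filesystem without logging in to the dashboard. The script below is an added example, not the audit tooling behind the checklist: it reads the core version from wp-includes/version.php, each plugin's version from the header of its main file, and the WP_DEBUG / WP_DEBUG_LOG defines from wp-config.php, then compares the PHP version with a minimum. Which versions count as "latest" is supplied by the caller (in practice from `wp core check-update` and `wp plugin list --update=available`, or the WordPress.org API); the values passed in the usage block are illustrative inputs, and the sample install tree is constructed in a temporary directory so the script runs offline.

```python
"""Check a WordPress install against the configuration items in the checklist (added example)."""
import os
import re
import tempfile


def _read(root, *parts):
    with open(os.path.join(root, *parts), encoding="utf-8") as fh:
        return fh.read()


def core_version(root):
    """Extract $wp_version = '6.5.2'; from wp-includes/version.php."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", _read(root, "wp-includes", "version.php"))
    return m.group(1) if m else None


def config_defines(root):
    """{NAME: value} for each define('NAME', value) in wp-config.php; true/false become bools."""
    out = {}
    for name, raw in re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*([^)]+)\)", _read(root, "wp-config.php")):
        raw = raw.strip()
        out[name] = {"true": True, "false": False}.get(raw.lower(), raw.strip("'\""))
    return out


def plugin_versions(root):
    """{slug: version} from the 'Version:' header line of each plugin's main PHP file."""
    found = {}
    pdir = os.path.join(root, "wp-content", "plugins")
    for slug in sorted(os.listdir(pdir)):
        for fn in sorted(os.listdir(os.path.join(pdir, slug))):
            if not fn.endswith(".php") or not os.path.isfile(os.path.join(pdir, slug, fn)):
                continue
            m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", _read(root, "wp-content", "plugins", slug, fn), re.M)
            if m:
                found[slug] = m.group(1)
                break
    return found


def vtuple(v):
    """'6.5.2' -> (6, 5, 2) so versions compare numerically rather than as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def audit(root, latest_core, latest_plugins, php_version, min_php="8.2"):
    """Return a list of findings; an empty list means every checked item passed."""
    findings = []
    core = core_version(root)
    if vtuple(core) < vtuple(latest_core):
        findings.append(f"core {core} behind latest {latest_core}")
    for slug, ver in plugin_versions(root).items():
        if slug in latest_plugins and vtuple(ver) < vtuple(latest_plugins[slug]):
            findings.append(f"plugin {slug} {ver} behind latest {latest_plugins[slug]}")
    cfg = config_defines(root)
    if cfg.get("WP_DEBUG") is True:
        findings.append("WP_DEBUG is true in production")
    if cfg.get("WP_DEBUG_LOG") is True:
        findings.append("WP_DEBUG_LOG is true: errors go to wp-content/debug.log under the web root")
    if vtuple(php_version) < vtuple(min_php):
        findings.append(f"PHP {php_version} is below the {min_php} minimum")
    return findings


def build_sample_site():
    """Write a constructed, deliberately out-of-date install to a temp dir; returns its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.5.2';\n",
        "wp-config.php": ("<?php\ndefine( 'DB_NAME', 'wp' );\n"
                          "define( 'WP_DEBUG', true );\ndefine( 'WP_DEBUG_LOG', true );\n"),
        "wp-content/plugins/contact-form-7/wp-contact-form-7.php":
            "<?php\n/*\nPlugin Name: Contact Form 7\nVersion: 5.9.3\n*/\n",
        "wp-content/plugins/hello-dolly/hello.php":
            "<?php\n/**\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    # The "latest" versions here are illustrative inputs, not a live lookup.
    for finding in audit(site, "6.6.1", {"contact-form-7": "5.9.8"}, "7.4.33"):
        print("FAIL:", finding)
```

Against the sample tree the audit reports five findings: core behind, Contact Form 7 behind, WP_DEBUG on, WP_DEBUG_LOG on, and PHP 7.4 below the minimum. Version comparison is done on integer tuples deliberately; comparing "6.10" and "6.9" as strings gets the answer wrong.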
Key takeaways
- 43% of all websites run WordPress — making it the most targeted platform on the web
- Outdated plugins are the most common entry point for attackers
- The login endpoint (/wp-login.php, which /wp-admin redirects to) is being brute-forced on every unprotected WordPress site right now
- Most WordPress infections are invisible to site owners for weeks or months
- Basic maintenance prevents the vast majority of WordPress attacks