WordPress Security Statistics 2026: 29+ Data Points on Vulnerabilities, Attacks, and Patching

11,334 new vulnerabilities were found in the WordPress ecosystem in 2025 (Patchstack, State of WordPress Security in 2026 2026). 91% of those new vulnerabilities were in plugins, and WordPress core saw only six reported vulnerabilities in the same period (Patchstack, State of WordPress Security in 2026 2026). Wordfence says it blocked more than 54 billion malicious requests and more than 55 billion password attacks against WordPress sites in 2024, which shows how much hostile traffic the ecosystem absorbs at internet scale (Wordfence, 2024 Annual WordPress Security Report 2025). We aggregated data from Patchstack, Wordfence, Sucuri, WPScan, W3Techs, BuiltWith, and dozens of other primary sources to compile this report. These statistics matter because WordPress still powers 41.9% of all websites, so even small weaknesses in popular plugins can ripple across millions of live sites (W3Techs, Usage Statistics and Market Share of WordPress 2026).

Key Takeaways

  • 11,334 new WordPress vulnerabilities were disclosed in 2025, up 42% from 2024 (Patchstack, State of WordPress Security in 2026 2026).
  • 91% of new WordPress vulnerabilities in 2025 were found in plugins, not core (Patchstack, State of WordPress Security in 2026 2026).
  • 46% of WordPress vulnerabilities in Patchstack’s 2025 disclosure analysis were not fixed before public disclosure (Patchstack, State of WordPress Security in 2026 2026).
  • Wordfence blocked more than 54 billion malicious requests targeting WordPress in 2024 (Wordfence, 2024 Annual WordPress Security Report 2025).
  • 57.6% of first-half 2025 WordPress vulnerabilities could be exploited by any site visitor, with no prior access required (Patchstack, 2025 Mid-Year WordPress Vulnerability Report 2025).
  • Sucuri detected 681,182 infected sites in the first half of 2024, and 69.46% of those infections involved injected malware or redirects (Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024).
  • WordPress still powers 41.9% of all websites and 59.5% of sites with a known CMS (W3Techs, Usage Statistics and Market Share of WordPress 2026).
  • 92.1% of WordPress sites now run version 6, which shows healthier core adoption than many people assume (W3Techs, Usage Statistics and Market Share of WordPress 2026).
  • The WordPress Plugins Team reviewed 12,713 plugins in 2025, up 40.6% from 2024 (Make WordPress Plugins, A Year in the Plugins Team – 2025 2026).
  • Plugin submissions were already running above 500 per week by March 2026, which helps explain why automation is now part of WordPress security operations (Make WordPress Plugins, Contribute to the Plugins Team! 2026).

Primary source worth bookmarking: Patchstack’s State of WordPress Security in 2026 whitepaper.

1. Vulnerability Volume, Severity, and Patch Gaps

The main WordPress security problem in 2026 is not a single headline exploit. It is the steady stream of extension flaws that site owners have to identify, prioritize, and patch fast. WordPress security is now an operations problem as much as a coding problem. The numbers below show why monthly maintenance habits are starting to look too slow for busy sites (Patchstack, State of WordPress Security in 2026 2026).

Volume and urgency

11,334 new WordPress vulnerabilities in one year means defenders are fighting backlog before they even reach remediation. The more important question is how many of those flaws demanded quick action. Patchstack’s 2026 report says a meaningful share were serious enough to require immediate mitigation, which is why simple “update when you remember” habits keep failing on modern WordPress stacks (Patchstack, State of WordPress Security in 2026 2026).

| Metric | Value | Source |
| --- | --- | --- |
| New vulnerabilities found in the WordPress ecosystem in 2025 | 11,334 | Patchstack, State of WordPress Security in 2026 2026 |
| Year over year increase versus 2024 | 42% | Patchstack, State of WordPress Security in 2026 2026 |
| Vulnerabilities serious enough to require RapidMitigate protection | 4,124, or 36% | Patchstack, State of WordPress Security in 2026 2026 |
| High-severity vulnerabilities likely to be mass-exploited | 1,966, or 17% | Patchstack, State of WordPress Security in 2026 2026 |

Contextual source: Patchstack’s State of WordPress Security in 2026 whitepaper.

Where the risk actually sits

Plugins are still the main weak point, but premium components are not a safe zone. Patchstack found that paid and freemium extensions still produce plenty of exploitable issues, and nearly half of disclosed vulnerabilities were not fixed before details went public. That is why “paid” should never be treated as a shortcut for “secure” in WordPress security decisions (Patchstack, State of WordPress Security in 2026 2026).

| Metric | Value | Source |
| --- | --- | --- |
| Share of new vulnerabilities found in plugins | 91% | Patchstack, State of WordPress Security in 2026 2026 |
| Share of new vulnerabilities found in themes | 9% | Patchstack, State of WordPress Security in 2026 2026 |
| Premium-component vulnerabilities exploitable in real-life attacks | 76% | Patchstack, State of WordPress Security in 2026 2026 |
| Vulnerabilities not fixed before public disclosure | 46% | Patchstack, State of WordPress Security in 2026 2026 |

Contextual source: Patchstack’s premium and patching analysis for WordPress in 2026.

2. Attack Traffic Now Rewards Exploit Preparedness

Attack pressure is still enormous, but the mix is shifting. Wordfence’s telemetry suggests WordPress attackers are leaning harder into direct exploitation of published bugs while password attacks lose some relative momentum. That raises the value of WAFs, virtual patching, and fast plugin inventories because the vulnerable window often opens before a normal maintenance cycle catches up (Wordfence, 2024 Annual WordPress Security Report 2025; Patchstack, 2025 Mid-Year WordPress Vulnerability Report 2025).

| Metric | Value | Source |
| --- | --- | --- |
| Malicious requests blocked and logged against WordPress in 2024 | 54 billion+ | Wordfence, 2024 Annual WordPress Security Report 2025 |
| Password attacks blocked in 2024 | 55 billion+ | Wordfence, 2024 Annual WordPress Security Report 2025 |
| Cross-site scripting exploit attempts blocked in 2024 | 9 billion | Wordfence, 2024 Annual WordPress Security Report 2025 |
| First-half 2025 vulnerabilities exploitable by any site visitor | 57.6% | Patchstack, 2025 Mid-Year WordPress Vulnerability Report 2025 |

Outlier: Wordfence says password attacks declined through 2024 even as general vulnerability exploitation increased, which is a bigger operational warning than the traffic volume alone (Wordfence, 2024 Annual WordPress Security Report 2025).

Contextual source: Wordfence’s 2024 Annual WordPress Security Report.

3. Post-Compromise Behavior Still Looks Quiet and Profitable

Most hacked WordPress sites are turned into distribution channels, not billboards. The common outcomes are injected scripts, redirects, and spam because those models monetize quietly. That matters for incident response. A homepage can look fine while the site still redirects visitors, serves SEO spam, or drops malicious code behind the scenes (Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024).

| Metric | Value | Source |
| --- | --- | --- |
| Infected sites detected by SiteCheck in the first half of 2024 | 681,182 | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| Website infections that involved injected malware or redirects | 69.46% | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| Website infections that involved SEO spam | 34.36% | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| Websites detected with Balada Injector in the first half of 2024 | 100,470 | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |

Sucuri notes that malware categories overlap, so these shares are not mutually exclusive (Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024).

Contextual source: Sucuri’s SiteCheck Remote Website Scanner Mid-Year 2024 Report.

4. Exposure: Scale, Versions, and Plugin Concentration

WordPress security risk scales with footprint. A flaw that looks limited on a small CMS can become a mass event on WordPress because the platform still sits at internet scale and major builders concentrate adoption inside that footprint (W3Techs, Usage Statistics and Market Share of WordPress 2026; BuiltWith, WordPress Usage Statistics 2026).

WordPress still carries huge web exposure

41.9% of all websites is still massive exposure. That figure alone explains why WordPress bugs keep drawing researchers, botnets, and supply chain attention. A flaw does not need to hit every WordPress site to matter at large volume when tens of millions of live installations are in play (W3Techs, Usage Statistics and Market Share of WordPress 2026; BuiltWith, WordPress Usage Statistics 2026).

| Metric | Value | Source |
| --- | --- | --- |
| WordPress share of all websites | 41.9% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| WordPress share of websites with a known CMS | 59.5% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| Live WordPress websites detected by BuiltWith | 37,365,862 | BuiltWith, WordPress Usage Statistics 2026 |

Contextual source: W3Techs current WordPress usage and market share data.

Core adoption looks healthier than plugin concentration

Core adoption is moving in the right direction, but concentrated plugin exposure keeps the risk high. Most WordPress sites now run version 6, yet large builders still sit on a huge share of the ecosystem. That means one popular-extension flaw can spread quickly even when core patch coverage looks solid (W3Techs, Usage Statistics and Market Share of WordPress 2026; WordPress.org, WordPress 6.9.2 Release 2026).

| Metric | Value | Source |
| --- | --- | --- |
| WordPress sites running version 6 | 92.1% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| Vulnerabilities fixed in WordPress 6.9.2 | 10 | WordPress.org, WordPress 6.9.2 Release 2026 |
| WordPress sites using Elementor | 31.3% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |

Contextual source: WordPress.org’s 6.9.2 security release notes.

5. Plugin Growth Is Now a Security Variable

The plugin pipeline is growing fast enough to become a security statistic by itself. More weekly submissions mean more code paths to review, more edge cases to test, and more long-tail maintenance risk after approval. The official Plugins Team says the directory is handling much heavier review volume than it did a year earlier. That makes automation part of WordPress security infrastructure, not just a reviewer convenience (Make WordPress Plugins, A Year in the Plugins Team – 2025 2026; Make WordPress Plugins, Contribute to the Plugins Team! 2026).

| Metric | Value | Source |
| --- | --- | --- |
| Plugins reviewed by the WordPress Plugins Team in 2025 | 12,713 | Make WordPress Plugins, A Year in the Plugins Team – 2025 2026 |
| Year over year increase in plugins reviewed | 40.6% | Make WordPress Plugins, A Year in the Plugins Team – 2025 2026 |
| Weekly plugin submissions in late 2025 | About 330 per week | Make WordPress Plugins, A Year in the Plugins Team – 2025 2026 |
| Weekly plugin submissions by March 2026 | 500+ per week | Make WordPress Plugins, Contribute to the Plugins Team! 2026 |

The official team also says automation and AI-assisted checks are now helping it keep pace with directory growth, which says a lot about where WordPress security operations are heading next (Make WordPress Plugins, A Year in the Plugins Team – 2025 2026; Make WordPress Plugins, The WordPress Ecosystem is Growing: New Plugin Submissions Have Doubled in 2025 2025).

Contextual source: Make WordPress Plugins review statistics for 2025.

WordPress Security Statistics: Summary Table

This is the short list readers save, cite, and screenshot first.

| Metric | Value | Source |
| --- | --- | --- |
| New WordPress vulnerabilities found in 2025 | 11,334 | Patchstack, State of WordPress Security in 2026 2026 |
| Year over year growth in WordPress vulnerabilities | 42% | Patchstack, State of WordPress Security in 2026 2026 |
| Vulnerabilities that required RapidMitigate protection | 36% | Patchstack, State of WordPress Security in 2026 2026 |
| New vulnerabilities found in plugins | 91% | Patchstack, State of WordPress Security in 2026 2026 |
| Premium-component vulnerabilities exploitable in real attacks | 76% | Patchstack, State of WordPress Security in 2026 2026 |
| Vulnerabilities not fixed before public disclosure | 46% | Patchstack, State of WordPress Security in 2026 2026 |
| Malicious requests blocked against WordPress in 2024 | 54 billion+ | Wordfence, 2024 Annual WordPress Security Report 2025 |
| Password attacks blocked in 2024 | 55 billion+ | Wordfence, 2024 Annual WordPress Security Report 2025 |
| First-half 2025 vulnerabilities exploitable by any site visitor | 57.6% | Patchstack, 2025 Mid-Year WordPress Vulnerability Report 2025 |
| Infected sites detected by SiteCheck in H1 2024 | 681,182 | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| Website infections involving injected malware or redirects | 69.46% | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| Website infections involving SEO spam | 34.36% | Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report 2024 |
| WordPress share of all websites | 41.9% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| Live WordPress websites detected by BuiltWith | 37,365,862 | BuiltWith, WordPress Usage Statistics 2026 |
| WordPress sites running version 6 | 92.1% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| WordPress sites using Elementor | 31.3% | W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| Plugins reviewed by the WordPress Plugins Team in 2025 | 12,713 | Make WordPress Plugins, A Year in the Plugins Team – 2025 2026 |
| Weekly plugin submissions by March 2026 | 500+ per week | Make WordPress Plugins, Contribute to the Plugins Team! 2026 |

FAQs

Is WordPress core the main security problem in 2026?

No. The bigger share of disclosed WordPress risk still sits in plugins, not core. Patchstack says 91% of new vulnerabilities in 2025 were found in plugins, and WordPress core security fixes continue to ship through official releases such as 6.9.2 (Patchstack, State of WordPress Security in 2026 2026; WordPress.org, WordPress 6.9.2 Release 2026).

What should site owners patch first?

Patch internet-facing plugin flaws first, especially anything with active exploitation or mass-exploitation potential. That priority fits Patchstack’s finding that 57.6% of first-half 2025 vulnerabilities could be exploited by any site visitor and Wordfence’s evidence of very high exploit traffic against WordPress sites (Patchstack, 2025 Mid-Year WordPress Vulnerability Report 2025; Wordfence, 2024 Annual WordPress Security Report 2025).

Do WAFs matter if I update quickly?

Yes. WAFs buy time when vendors are late. Patchstack says 46% of vulnerabilities in its 2025 disclosure analysis were not fixed before public disclosure, so blocking exploit traffic during that gap can be the difference between a notice and a compromise (Patchstack, State of WordPress Security in 2026 2026).
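The triage order from the two answers above, as an added example (not code from any of the cited reports): installed plugins are matched against advisories and ranked by active exploitation, visitor-level exploitability, and whether a fix exists. The inventory mirrors the fields of WP-CLI's `wp plugin list --format=json`; the plugin names, the advisory schema, and the scoring weights are constructed assumptions.

```python
import json

# Constructed sample in the shape of `wp plugin list --format=json` (WP-CLI).
INVENTORY_JSON = """[
  {"name": "example-forms",   "status": "active",   "update": "available", "version": "2.1.0"},
  {"name": "example-gallery", "status": "active",   "update": "none",      "version": "1.4.2"},
  {"name": "example-seo",     "status": "inactive", "update": "available", "version": "3.0.1"},
  {"name": "example-cache",   "status": "active",   "update": "none",      "version": "5.2.0"}
]"""

# Constructed advisories; this schema is hypothetical, not any vendor's feed format.
# affected_through: last vulnerable version; fixed_in: None means no patch released yet.
ADVISORIES = [
    {"plugin": "example-forms", "affected_through": "2.1.3", "fixed_in": "2.1.4",
     "auth_required": "none", "actively_exploited": True},
    {"plugin": "example-gallery", "affected_through": "1.4.2", "fixed_in": None,
     "auth_required": "none", "actively_exploited": False},
    {"plugin": "example-seo", "affected_through": "3.0.1", "fixed_in": "3.0.2",
     "auth_required": "administrator", "actively_exploited": False},
    {"plugin": "example-cache", "affected_through": "5.1.9", "fixed_in": "5.2.0",
     "auth_required": "none", "actively_exploited": True},
]


def parse_version(text):
    """Turn '2.1.0' into (2, 1, 0); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def score(plugin, advisory):
    """Higher score = handle sooner. Weights are illustrative assumptions."""
    points = 0
    if advisory["actively_exploited"]:
        points += 4
    if advisory["auth_required"] == "none":   # any site visitor can reach it
        points += 3
    if advisory["fixed_in"] is None:          # disclosed without a fix
        points += 2
    if plugin["status"] == "active":
        points += 1
    return points


def triage(inventory_json, advisories):
    """Return findings for installed, still-vulnerable plugins, most urgent first."""
    findings = []
    for plugin in json.loads(inventory_json):
        installed = parse_version(plugin["version"])
        for adv in advisories:
            if adv["plugin"] != plugin["name"]:
                continue
            if installed > parse_version(adv["affected_through"]):
                continue  # installed version is already past the vulnerable range
            if adv["fixed_in"]:
                action = "update to " + adv["fixed_in"]
            else:
                action = "no fix yet: apply WAF/virtual patch or deactivate and remove"
            findings.append({"plugin": plugin["name"], "score": score(plugin, adv),
                             "action": action})
    return sorted(findings, key=lambda f: (-f["score"], f["plugin"]))


if __name__ == "__main__":
    for f in triage(INVENTORY_JSON, ADVISORIES):
        print(f'{f["score"]:>2}  {f["plugin"]:<16} {f["action"]}')
```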

Is WordPress still a major target if its market share has slipped?

Yes. W3Techs still puts WordPress on 41.9% of all websites, and BuiltWith still detects 37.4 million live WordPress sites. That is more than enough scale to keep attackers interested in WordPress-specific flaws and supply chain opportunities (W3Techs, Usage Statistics and Market Share of WordPress 2026; BuiltWith, WordPress Usage Statistics 2026).

How often should a WordPress site review its plugins?

At minimum, review plugins weekly. High-change sites should do it more often. The plugin submission pipeline was already above 500 per week by March 2026, which means the extension surface changes too fast for occasional housekeeping to be enough (Make WordPress Plugins, Contribute to the Plugins Team! 2026).

What Changed: 2025 vs. 2026

The biggest shift in WordPress security this year is that patching discipline looks better even while the extension pipeline keeps speeding up. The share of disclosed WordPress vulnerabilities that were still unpatched at disclosure fell from 46% in 2025 to 32% in 2026 year to date. That is real progress. It does not mean the ecosystem is calmer. It means defenders are getting somewhat faster at one stage of the problem while the volume of code and plugin concentration keep pressure high.

| Metric | 2025 | 2026 | Δ | Source |
| --- | --- | --- | --- | --- |
| WordPress share of all websites | 43.5% | 41.9% | ↓ 1.6 pp (-3.7%) | W3Techs, Historical Trends in the Usage Statistics of Content Management Systems 2025; W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| WordPress sites on version 6 | 88.0% | 92.1% | ↑ 4.1 pp (+4.7%) | W3Techs, Historical Trends in the Usage Statistics of WordPress Versions 2025; W3Techs, Usage Statistics and Market Share of WordPress 2026 |
| Weekly plugin submissions | About 330 per week | 500+ per week by March | ↑ 51.5%+ | Make WordPress Plugins, A Year in the Plugins Team – 2025 2026; Make WordPress Plugins, Contribute to the Plugins Team! 2026 |
| Vulnerabilities unpatched at disclosure | 46% | 32% (year to date) | ↓ 14 pp (-30.4%) | Patchstack, State of WordPress Security in 2026 2026; Patchstack, WordPress Vulnerability Statistics 2026 |

WordPress share of all websites: decelerating. WordPress fell from 43.5% of all websites on May 1, 2025 to 41.9% on May 21, 2026 (W3Techs, Historical Trends in the Usage Statistics of Content Management Systems 2025; W3Techs, Usage Statistics and Market Share of WordPress 2026). The likely driver is faster growth from hosted builders and custom stacks, not a collapse in WordPress demand. The direction heading into 2027 still looks soft on market share.

WordPress sites on version 6: accelerating. Version 6 adoption rose from 88.0% of WordPress sites on May 1, 2025 to 92.1% on May 21, 2026 (W3Techs, Historical Trends in the Usage Statistics of WordPress Versions 2025; W3Techs, Usage Statistics and Market Share of WordPress 2026). The likely driver is faster migration onto supported branches and continued background update behavior. The direction into 2027 points toward better core patch coverage.

Weekly plugin submissions: accelerating. Weekly plugin submissions moved from about 330 at the end of 2025 to more than 500 by March 2026 (Make WordPress Plugins, A Year in the Plugins Team – 2025 2026; Make WordPress Plugins, Contribute to the Plugins Team! 2026). The likely driver is lower publishing friction, better review tooling, and AI-assisted development. The direction into 2027 points to more pressure on automated review and security linting.

Vulnerabilities unpatched at disclosure: reversing. The share of vulnerabilities that were still unpatched at disclosure moved from 46% in 2025 to 32% in 2026 year to date (Patchstack, State of WordPress Security in 2026 2026; Patchstack, WordPress Vulnerability Statistics 2026). The likely driver is broader use of structured disclosure workflows and more mature vendor response processes. The direction into 2027 suggests the next pressure point is patch quality, not just patch speed.

The shift to watch most closely heading into 2027 is the gap between faster plugin shipping and slower human review, because that is where WordPress security debt can compound fastest.

Methodology and Sources

We prioritized primary sources, then current live datasets with a visible methodology. That meant official vendor whitepapers and live vulnerability databases from Patchstack, Wordfence, WPScan, and Sucuri, plus official WordPress.org release notes and Plugins Team posts. For market exposure, we used W3Techs and BuiltWith because they publish current detectable usage data and historical trends. We favored 2026 and 2025 figures whenever they were available. Where 2026 full-year data does not yet exist, we labeled figures as current or year to date. We cross-checked overlapping claims where possible, especially around WordPress footprint, version adoption, and ecosystem growth. We excluded unsupported roundups, AI-generated lists, and SEO blogs that cite each other without a visible underlying source. We also noted source caveats where a dataset reflects vendor telemetry rather than the whole web.

  • Patchstack, State of WordPress Security in 2026.
  • Patchstack, WordPress Vulnerability Statistics 2026.
  • Patchstack, 2025 Mid-Year WordPress Vulnerability Report.
  • Wordfence, 2024 Annual WordPress Security Report.
  • Wordfence, Quarterly WordPress Threat Intelligence Report – Q4 2025.
  • Sucuri, SiteCheck Remote Website Scanner Mid-Year 2024 Report.
  • WPScan, 2024 Website Threat Report.
  • W3Techs, Usage Statistics and Market Share of WordPress.
  • W3Techs, Historical Trends in the Usage Statistics of Content Management Systems.
  • W3Techs, Historical Trends in the Usage Statistics of WordPress Versions.
  • BuiltWith, WordPress Usage Statistics.
  • WordPress.org, WordPress 6.9.2 Release.
  • Make WordPress Plugins, A Year in the Plugins Team – 2025.
  • Make WordPress Plugins, The WordPress Ecosystem is Growing: New Plugin Submissions Have Doubled in 2025.
  • Make WordPress Plugins, Contribute to the Plugins Team!

Last updated: May 2026

We update this page quarterly with the latest data.