WordPress powers nearly half the web, making it the most targeted platform on the internet. In 2025, the threat landscape shifted in ways that rendered most conventional security strategies insufficient. Vulnerability counts climbed sharply, exploitation timelines collapsed to hours, and attackers deployed increasingly sophisticated malware designed to survive cleanup attempts.
This overview draws on security data from 2025 to help WordPress and WooCommerce site owners understand the real risks their sites face and the practical steps they can take to close the gaps.
Security researchers identified 11,334 new vulnerabilities across the WordPress ecosystem in 2025, a 42% increase over the prior year. Of those, 4,124 were serious enough to require active mitigation, and 1,966 carried a high severity rating, indicating a strong likelihood of mass-scale automated exploitation.
To put that in perspective, more high-severity vulnerabilities were discovered in WordPress in 2025 than in the previous two years combined. This is not a gradual trend. It represents a meaningful acceleration in attacker attention toward the WordPress ecosystem.
Plugins accounted for 91% of all newly reported vulnerabilities. Themes made up the remaining 9%. WordPress core itself reported only six issues, all low priority.
That distribution reinforces a straightforward reality: the core software is not the problem. The risk lives in the third-party components layered on top of it, and most WordPress sites run dozens of them.
Premium plugins and themes are not safer than free ones. Premium components often present a more dangerous blind spot than their free counterparts.
Security researchers conducted a focused analysis of premium marketplace components, including those distributed through Envato. The findings were significant:
The reason is not that premium plugins are built more carelessly. It is because security researchers have limited access to paid software, so fewer eyes are reviewing the code. Lower scrutiny does not mean lower risk. It means lower awareness of existing risk.
Only 54% of reported vulnerabilities were patched before disclosure. In 2025, the remaining 46% were not fixed by the plugin developer before public disclosure. That means vulnerability details became public and, in many cases, were immediately available to attackers before patches were available to site owners.
Relying on plugin updates as a primary security measure is generally insufficient, as nearly half of disclosed vulnerabilities have no patch available at the time of disclosure.
Exploitation now begins faster than most update schedules allow. For the most heavily targeted vulnerabilities, the weighted median time from public disclosure to active exploitation was five hours.
Approximately half of all high-impact vulnerabilities were being exploited within 24 hours of disclosure. This window covers a period when most site administrators are either unaware of the issue or have not yet had the opportunity to apply an available patch.
The first 24 hours following a vulnerability disclosure typically represent the highest-risk window for a WordPress site. Without automated mitigation in place, most sites are exposed during exactly this period.
Broken Access Control topped the list of exploited vulnerability categories in 2025. This category is particularly difficult to defend against because the attacks mimic normal authenticated user behavior. There are no obvious injection strings or malformed requests for a traditional web application firewall to catch.
Other heavily exploited vulnerability classes included:
WooCommerce-related plugins appeared in the top ten most-targeted list, including a WooCommerce Payments privilege escalation vulnerability from 2023 that was still being actively targeted against unpatched installations.
Standard WAF configurations are not effective enough. Penetration testing conducted across multiple hosting providers in 2025 found that standard defensive configurations, including internal WAFs and Cloudflare, blocked only 26% of WordPress vulnerability exploit attempts. Against known exploited vulnerabilities specifically, the block rate dropped to 12%.
Performance varied significantly across hosting environments, largely due to the configuration of internal WAF rules. Generic WAF rules perform reasonably well against non-WordPress-specific attacks but are poorly matched to WordPress-specific vulnerability classes, which account for most real-world exploitation activity.
Post-compromise behavior in 2025 became more sophisticated and harder to remediate. Analysis of billions of malware infections across global hosting infrastructure revealed clear shifts in how attackers operate once they gain access to a site.
Attackers are increasingly favoring injected files over standalone malicious files. An injected file is a legitimate WordPress core file, plugin file, or theme file that has been modified to contain malicious code. Because the base file is legitimate, deletion-based scanning tools flag it inconsistently or miss it entirely.
Removing injected malware requires identifying and surgically cleaning the malicious snippet from an otherwise valid file. Deleting the file itself breaks the site. This distinction is forcing a meaningful shift in how remediation tools need to operate.
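The distinction between deleting a malicious file and cleaning an injected one is easier to see in code. The following is an added example, not code from the article or from any scanning product it refers to. It handles the two situations a cleanup actually meets: a core file for which a known-good copy exists (here a constructed stand-in for the release copy of `index.php`, diffed line by line so only the injected lines are dropped and any altered lines are restored), and a custom theme file with no upstream copy, where the only option is pattern-based excision of the suspicious statement. All file contents are constructed samples and the "payloads" are inert placeholders.

```python
"""Added example: detect an injected snippet in an otherwise legitimate
WordPress file and remove only that snippet, leaving the file in service."""
import difflib
import hashlib
import re

# Constructed stand-in for the file shipped in the official release package
# (hypothetical content, not the real index.php).
KNOWN_GOOD = {
    "index.php": "<?php\n"
                 "define( 'WP_USE_THEMES', true );\n"
                 "require __DIR__ . '/wp-blog-header.php';\n",
}

# Constructed: the same file on a compromised site, one line injected at the top.
INFECTED_INDEX = (
    "<?php\n"
    "@include_once '/tmp/.cache/loader.php'; /* INJECTED-PLACEHOLDER */\n"
    "define( 'WP_USE_THEMES', true );\n"
    "require __DIR__ . '/wp-blog-header.php';\n"
)

# Constructed: a custom theme file with no upstream copy to compare against.
# The base64 string decodes to the literal text 'PLACEHOLDER'.
INFECTED_CUSTOM = (
    "<?php\n"
    "add_action( 'wp_head', 'theme_meta' );\n"
    "eval(base64_decode('UExBQ0VIT0xERVI='));\n"
    "function theme_meta() { echo '<meta name=\"generator\" content=\"custom\">'; }\n"
)

# Markers typical of injected PHP: execution of a decoded blob, or an include
# from a world-writable path. Matches are candidates for review, not proof.
SUSPICIOUS = re.compile(
    r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    r"|@?(include|require)(_once)?\s*['\"]/tmp/"
)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def is_modified(name: str, content: str, baseline: dict = KNOWN_GOOD) -> bool:
    """A hash mismatch says the file changed; it does not say what changed."""
    return sha256(content) != sha256(baseline[name])


def diff_against_baseline(name: str, content: str, baseline: dict = KNOWN_GOOD):
    """Return (cleaned_text, injected_lines). Lines the baseline has are kept
    or restored; lines only the live file has are the injection. Deleting the
    whole file instead would take the site down, since index.php serves every
    request."""
    base, live = baseline[name].splitlines(), content.splitlines()
    kept, injected = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, base, live).get_opcodes():
        if tag == "equal":
            kept.extend(live[j1:j2])
        else:                             # insert / replace / delete
            kept.extend(base[i1:i2])      # restore the baseline's version
            injected.extend(live[j1:j2])  # whatever the live file put there
    return "".join(l + "\n" for l in kept), injected


def clean_by_pattern(content: str):
    """No baseline available: excise lines matching the markers above and
    return them alongside the cleaned text so a human can review the removal."""
    kept, removed = [], []
    for line in content.splitlines():
        (removed if SUSPICIOUS.search(line) else kept).append(line)
    return "".join(l + "\n" for l in kept), removed


if __name__ == "__main__":
    print("index.php modified:", is_modified("index.php", INFECTED_INDEX))
    cleaned, injected = diff_against_baseline("index.php", INFECTED_INDEX)
    print("injected lines:", injected)
    print("restored to baseline:", cleaned == KNOWN_GOOD["index.php"])
    custom_cleaned, removed = clean_by_pattern(INFECTED_CUSTOM)
    print("removed from custom file:", removed)
```

The baseline path is the reliable one: with a release copy of core, plugin, or theme code, the diff shows exactly what was inserted and nothing legitimate is touched. The pattern path is what remains for premium or custom code with no reference copy, and it should always write out the removed lines for review and be followed by a syntax check (`php -l`) before the cleaned file goes live.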
Attack activity does rise at the end of the year. Malicious file-upload activity nearly tripled in November and December 2025. This surge is not coincidental. Q4 combines peak consumer traffic with reduced IT staffing, creating an environment where attackers can operate with less chance of immediate detection or response. WooCommerce store owners running active holiday promotions are operating in the highest-risk window of the year, often with the fewest internal resources available to respond.
The most prevalent malware campaigns shared a common design goal: avoid detection for as long as possible. Three evasion patterns were particularly widespread.
Selective Content Delivery
Campaigns, including Japanese SEO spam, jgalls, and Parrot TDS, serve different content depending on who makes the request. Search engine crawlers receive keyword-stuffed spam to manipulate rankings. Human visitors get redirected to phishing pages or fraudulent storefronts. Site owners and scanners typically see clean content. The infection remains invisible until customers start complaining or organic search traffic collapses.
Parrot TDS extended this technique further in 2025 by detecting AI training crawlers, including those from OpenAI and Google. Clean content is served to those crawlers while human visitors are still redirected, making detection via automated auditing even less reliable.
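Because these campaigns show each client class a different page, a site owner's own browser or scanner is the one view that cannot be trusted on its own. The check below is an added example, not code from the article or from any of the campaigns it names: it requests one URL under several client profiles (the owner's direct visit, a visitor arriving from a search engine, a search crawler, an AI crawler) and reports every profile whose response differs from the owner's view. The fetcher is passed in as a parameter so the check runs offline here against constructed responses; `http_fetch` is the live version and uses only the standard library. The crawler User-Agent strings are assumed from the vendors' published bot documentation and should be verified before use; the campaign behaviour in `sample_fetch` is a constructed model of what the paragraphs above describe.

```python
"""Added example: probe a site for selective content delivery by fetching one
URL as several client classes and comparing what comes back."""
import difflib
import re
import urllib.error
import urllib.request
from typing import Callable, Optional

Response = tuple[int, Optional[str], str]      # (status, Location header, body)
Fetcher = Callable[[str, str, str], Response]  # (url, user_agent, referer)

# (User-Agent, Referer) per client class. Crawler strings assumed from vendor
# documentation; the browser string is a generic constructed one.
PROFILES = {
    "owner-direct": ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36", ""),
    "visitor-from-search": ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36",
                            "https://www.google.com/"),
    "googlebot": ("Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)", ""),
    "gptbot": ("Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; "
               "GPTBot/1.0; +https://openai.com/gptbot)", ""),
}


def http_fetch(url: str, user_agent: str, referer: str, timeout: float = 10.0) -> Response:
    """Live fetcher. Redirects are not followed, so a redirect served only to
    one client class shows up as its 3xx status and Location header."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(NoRedirect).open(req, timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read().decode("utf-8", "replace")


def normalize(body: str) -> str:
    """Collapse whitespace and blank out long hex tokens (nonces, cache ids)
    so routine per-request differences do not look like cloaking."""
    body = re.sub(r"\b[0-9a-f]{10,}\b", "TOKEN", body)
    return re.sub(r"\s+", " ", body).strip()


def compare_profiles(url: str, fetch: Fetcher, profiles=PROFILES,
                     reference: str = "owner-direct", threshold: float = 0.9):
    """Fetch the URL under every profile and return (profile, reason) pairs for
    each one whose response differs from the reference (the owner's own view)."""
    results = {name: fetch(url, ua, ref) for name, (ua, ref) in profiles.items()}
    ref_status, ref_loc, ref_body = results[reference]
    findings = []
    for name, (status, loc, body) in results.items():
        if name == reference:
            continue
        if (status, loc) != (ref_status, ref_loc):
            findings.append((name, f"status/redirect differs: {status} {loc or ''} "
                                   f"vs {ref_status} {ref_loc or ''}"))
            continue
        ratio = difflib.SequenceMatcher(None, normalize(ref_body), normalize(body)).ratio()
        if ratio < threshold:
            findings.append((name, f"body similarity {ratio:.2f} below {threshold}"))
    return findings


# Constructed responses modelling the campaign behaviour described above.
CLEAN = (200, None, "<html><head><title>Example Store</title></head>"
                    "<body><h1>Welcome to our store</h1><p>Shop our catalogue.</p></body></html>")
SPAM = (200, None, "<html><body>" + "discount brand outlet cheap " * 30 + "</body></html>")
REDIRECT = (302, "https://storefront.example.invalid/", "")


def sample_fetch(url: str, user_agent: str, referer: str) -> Response:
    """Offline stand-in for http_fetch, branching on the crawler name and the
    referrer, two signals such campaigns commonly key on."""
    if "Googlebot" in user_agent:
        return SPAM        # search crawler gets keyword-stuffed content
    if "GPTBot" in user_agent:
        return CLEAN       # AI crawler is deliberately kept clean
    if "google.com" in referer:
        return REDIRECT    # humans arriving from search are sent elsewhere
    return CLEAN           # the owner's direct visit looks fine


if __name__ == "__main__":
    for profile, reason in compare_profiles("https://store.example/", sample_fetch):
        print(profile, "->", reason)
```

An empty result is not proof of a clean site: campaigns also branch on cookies, source IP range, and time of day, and the reference view itself can be cloaked. Treat this as one signal to pair with file-integrity checks on the server, and run it from a network the site does not already recognise as yours.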
Memory-Resident Persistence
The Lock360 malware family executes malicious code directly in server memory rather than storing it in files. When an administrator cleans an infected file, such as index.php or .htaccess, the memory-resident process immediately rewrites the malicious code back into it. Support teams often find themselves in a continuous cycle of cleanup and reinfection until the underlying memory process is terminated, something most standard scanning tools are not equipped to handle.
Uploader Infrastructure Expansion
Uploader script activity nearly doubled in volume during June 2025 and remained elevated through the end of the year. Uploaders are tools that allow attackers to deploy additional payloads to a compromised site at will. Their sustained increase signals a strategic shift toward persistent access rather than one-time exploitation. A site cleaned of one infection may be reinfected through a dormant uploader that survived the cleanup.
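A cleanup that removes the visible infection but leaves the uploader behind is the reinfection path this paragraph warns about, so a post-cleanup sweep should look for the uploader itself. The scanner below is an added example, not code from the article or from any product: it walks a WordPress tree and flags PHP files sitting in `wp-content/uploads` (where no PHP should ever execute), files that both receive `$_FILES` input and write to disk, and files that execute a decoded blob. Legitimate core and plugin code handles uploads too, so files verified against a known-good manifest are passed in as `trusted` and exempted from the uploader pattern only. The sample tree is constructed in a temporary directory, and the flagged files contain nothing but inert marker text in comments.

```python
"""Added example: sweep a WordPress install for leftover uploader scripts and
similar dormant access points after a cleanup."""
import re
import tempfile
from pathlib import Path

PHP_EXT = {".php", ".phtml", ".php5", ".php7", ".phar"}
# An uploader has to receive a file and write it somewhere; the pair of calls
# together is the signal, either one alone is routine.
RECEIVES_UPLOAD = re.compile(r"\$_FILES\b")
WRITES_FILE = re.compile(r"\b(move_uploaded_file|file_put_contents|fwrite)\s*\(")
OBFUSCATED = re.compile(r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")


def scan_tree(root: Path, trusted=frozenset()):
    """Return sorted (relative path, reason) pairs. 'trusted' holds files that
    matched a known-good manifest: their upload handling is expected, so the
    uploader pattern is skipped for them, but obfuscation is still reported."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXT and rel.startswith("wp-content/uploads/"):
            findings.append((rel, "PHP file inside the uploads directory"))
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if rel not in trusted and RECEIVES_UPLOAD.search(text) and WRITES_FILE.search(text):
            findings.append((rel, "accepts $_FILES and writes to disk (uploader pattern)"))
        if OBFUSCATED.search(text):
            findings.append((rel, "executes a decoded blob (obfuscation marker)"))
    return sorted(findings)


# Constructed sample files. The marker strings sit in comments so nothing here
# is working code; the scanner keys on the tokens only.
SAMPLE_FILES = {
    "wp-content/uploads/2025/11/banner.jpg": "not an image, just filler text",
    "wp-content/uploads/2025/11/.cache.php":
        "<?php\n// inert marker: $_FILES  move_uploaded_file(\n",
    "wp-content/plugins/media-tools/admin.php":
        "<?php\n// legitimate media handling: $_FILES  move_uploaded_file(\n",
    "wp-content/themes/custom/functions.php":
        "<?php\nadd_action( 'init', 'custom_init' );\n"
        "// inert marker: eval(base64_decode(\n",
    "wp-includes/functions.php": "<?php\n// core file, clean\n",
}
# Files that a manifest check (hypothetical here) has already verified.
TRUSTED = frozenset({"wp-content/plugins/media-tools/admin.php",
                     "wp-includes/functions.php"})


def build_sample_tree() -> Path:
    """Write the constructed sample files into a fresh temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return root


def demo():
    return scan_tree(build_sample_tree(), TRUSTED)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Pair the sweep with a web-server rule that denies PHP execution under `wp-content/uploads`, so a file that does slip through has no execution path, and re-run it after every cleanup rather than once: the paragraph's point is that the uploader is the part designed to outlive the cleanup.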
Several trends are converging to make WordPress security more complex, not less.
AI-assisted development is accelerating the production of custom plugins. Agencies are generating plugin functionality on demand and deploying AI-generated front ends built with React while using WordPress as the backend CMS. This expands the attack surface well beyond the traditional scope of core, plugins, and themes. Custom-coded components, JavaScript packages, and PHP dependencies all introduce security exposure that standard WordPress scanning tools are not designed to evaluate.
At the same time, AI is lowering the barrier for attackers to autonomously discover and exploit vulnerabilities. The same tools used to build sites faster are also used to find and exploit weaknesses in them.
On the regulatory side, the EU Cyber Resilience Act is pushing commercial WordPress plugin vendors to establish formal vulnerability disclosure programs as a legal requirement for distributing software to European users. Most plugin developers do not currently have the internal resources to manage high volumes of incoming security reports. This gap will create friction between vulnerability identification and patch availability, a period that already carries significant risk based on 2025 exploitation data.
The 2025 data makes several things clear to anyone running a WooCommerce store.
The fundamentals of WordPress security have not changed: keep software up to date, limit plugin sprawl, and use strong credentials. What has changed is that these measures are no longer sufficient on their own.
Exploitation timelines have compressed to hours. Malware is designed to survive standard cleanup. Premium plugins carry hidden risk. And the attack surface of a typical WordPress site is expanding as AI-generated components enter the stack.
Effective WordPress security in 2026 requires automated vulnerability mitigation that activates within the first hours of disclosure, server-level malware detection capable of identifying injected code and memory-resident threats, and clear visibility into every component running on the site, whether installed through the admin panel or generated through custom development.
Sites that treat security as a proactive, continuous process will be significantly better positioned than those relying on periodic cleanups after something goes wrong.