This week, researchers disclosed a critical vulnerability in a WordPress backup plugin installed on more than 900,000 websites. The flaw—rated 9.8 out of 10 in severity—could allow an attacker to upload malicious files and take complete control of a website without any authentication. No password needed. No login required.
If this sounds alarming, it should. But the real story isn't about one plugin. It's about a pattern that has been accelerating for years—and that every business running a WordPress website should understand.
The Numbers That Should Get Your Attention
WordPress powers approximately 43% of all websites on the internet. That scale has made it both incredibly successful and an irresistible target.
According to Patchstack, a WordPress security research firm that tracks the ecosystem, 7,966 new security vulnerabilities were disclosed across WordPress core, plugins, and themes in 2024, a 34% increase over the previous year. In the first half of 2025 alone, another 4,462 were reported.
Here's the critical detail: 96% of those vulnerabilities were in plugins, the add-on tools that give WordPress its flexibility. Most of the remainder were in themes, and only a handful were in WordPress core itself.
The very thing that made WordPress great—an open ecosystem of over 60,000 plugins that let you customize your site to do almost anything—has become its Achilles' heel. Every plugin you install is code written by a third-party developer, maintained on their schedule, and secured to their standards. And your website is only as secure as its weakest plugin.
What a WordPress Hack Actually Looks Like
When most people think about a hacked website, they picture a defaced homepage with some dramatic message. In reality, that's the least common scenario—and the least profitable one for attackers. What typically happens is far more insidious and harder to detect.
Malicious Redirects
The most common outcome of a WordPress compromise. Visitors to your site are silently redirected to phishing pages, fake online pharmacies, or malware distribution sites. You may not even notice, because the injected code typically checks where a visitor came from (the browser's Referer header) and only redirects people arriving from a search engine; if you type your URL directly, everything looks normal. To see what search visitors see, click through to your site from a search result, or request a page with a search-engine referrer and watch for a redirect to a domain you don't own. Sucuri tracked over 175,000 malicious redirect incidents in 2024 alone.
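The check described above, as an added example that is not part of the original article: the script requests the same page as a direct visitor, as a visitor arriving from a search engine, and as a crawler, and reports any off-site redirect that appears for some profiles but not for the owner's direct visit. The `simulated_fetch` function, the `cheap-pills.example` destination, and the `www.example.com` site are constructed so the script runs offline; run it with a real URL you own and it performs live requests instead.

```python
"""Check whether a site redirects search-engine visitors somewhere else.

Added example, not code from the original article. It requests the same
page under several visitor profiles and reports off-site redirects that
only appear for some of them. simulated_fetch() is a constructed stand-in
for a compromised site so the script runs offline; call
check_conditional_redirect() with no fetch argument to query a real URL.
"""
import re
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/120.0"

# Same page, several kinds of visitor. Injected redirect code commonly keys
# on the Referer header and stays quiet for direct visits and for crawlers.
PROFILES = {
    "direct": {"User-Agent": BROWSER_UA},
    "google-referral": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "bing-referral": {"User-Agent": BROWSER_UA, "Referer": "https://www.bing.com/"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}

# Redirects that live in the page body rather than the HTTP status line.
META_REFRESH = re.compile(r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*url=([^"\'>\s]+)', re.I)
JS_LOCATION = re.compile(r'(?:window\.|document\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)


def redirect_target(status, headers, body):
    """Return where a response sends the visitor, or None if it stays put."""
    if 300 <= status < 400:
        for name, value in headers.items():
            if name.lower() == "location":
                return value
    for pattern in (META_REFRESH, JS_LOCATION):
        m = pattern.search(body)
        if m:
            return m.group(1)
    return None


def _bare(host):
    return host[4:] if host.startswith("www.") else host


def is_off_site(page_url, target):
    """True when the target resolves to a host outside the site's own domain."""
    site = _bare((urlparse(page_url).hostname or "").lower())
    dest = _bare((urlparse(urljoin(page_url, target)).hostname or "").lower())
    return dest != site and not dest.endswith("." + site)


def live_fetch(url, headers, timeout=15):
    """Fetch without following redirects so a 3xx away from the site is visible."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, dict(r.headers), r.read(200_000).decode("utf-8", "replace")
    except HTTPError as e:  # urllib raises for 3xx once redirects are disabled
        return e.code, dict(e.headers), e.read(200_000).decode("utf-8", "replace")


def check_conditional_redirect(url, fetch=None):
    """Fetch `url` under every profile and report off-site redirects per profile."""
    fetch = fetch or live_fetch
    off_site = {}
    for profile, hdrs in PROFILES.items():
        status, headers, body = fetch(url, hdrs)
        target = redirect_target(status, headers, body)
        if target and is_off_site(url, target):
            off_site[profile] = target
    # The tell-tale sign: the owner's direct visit looks clean while
    # search-origin visitors are sent elsewhere.
    return {
        "off_site_redirects": off_site,
        "conditional": bool(off_site) and "direct" not in off_site,
    }


def simulated_fetch(url, headers):
    """Constructed behaviour of an infected site for the offline demo:
    clean for direct visits and for Googlebot (so the site stays indexed),
    a 302 off-site for anyone who arrived from a search engine."""
    ref = headers.get("Referer", "").lower()
    if any(engine in ref for engine in ("google.", "bing.")):
        return 302, {"Location": "https://cheap-pills.example/landing"}, ""
    return 200, {"Content-Type": "text/html"}, "<html><body>Acme Co: welcome</body></html>"


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_conditional_redirect(sys.argv[1]))
    else:
        print(check_conditional_redirect("https://www.example.com/", simulated_fetch))
```

A clean result is not proof of a clean site: real injections are usually obfuscated, may only fire for certain countries or devices, and may rotate destinations, so treat this as one quick check alongside proper malware scanning rather than a replacement for it.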
SEO Spam Injection
Attackers inject hidden content into your site—typically pharmaceutical keywords, gambling links, or other spam—designed to exploit your domain's search authority. Sucuri documented over 422,000 SEO spam incidents in 2024, with Japanese keyword spam being the most prevalent. Your site essentially becomes an advertising vehicle for criminals, and you may only discover it when Google flags your site or your rankings collapse.
Malicious Ad Injection
Your visitors start seeing ads you didn't place—pop-ups, banner ads, or even fake browser update prompts that install malware. Google has documented campaigns where over 14,000 WordPress domains were abused to serve malicious ads in a single operation. For businesses, this erodes trust instantly. A customer visiting your site and encountering suspicious ads may never return.
Domain Blacklisting
This is where the damage compounds. Google blacklists approximately 10,000 websites per day. If your site is flagged, visitors see a stark "This site may harm your computer" warning before they can even reach your page. Your site is effectively removed from search results. One business owner reported a 50% traffic drop overnight after being blacklisted, with cleanup costs reaching several thousand dollars—and full SEO recovery taking 30 to 90 days.
Data Theft
If your WordPress site runs an online store through WooCommerce, the stakes are higher. Credit card skimming malware—designed to look like legitimate plugins—has been found injecting code into checkout pages to steal payment information in real time. A WooCommerce vulnerability disclosed in December 2025 could have exposed customer names, emails, phone numbers, addresses, and payment methods.
Botnet Recruitment
Your compromised site can be quietly enlisted into a network of hacked websites (a botnet) used to attack other sites, send spam, or run password-guessing attacks against other people's logins. The Balada Injector campaign alone has been estimated to have infected over one million WordPress sites since 2017.
Why Plugins Are the Weak Link
WordPress' plugin model has a fundamental supply chain problem. When you install a plugin, you're trusting that its developer follows security best practices, responds quickly to vulnerability reports, and keeps the software maintained. Many do. Many don't.
Consider some recent examples:
- WPvivid Backup (900,000+ installs): Critical RCE vulnerability (CVE-2026-1357, CVSS 9.8) allowing unauthenticated file uploads. Patched January 28, 2026.
- LiteSpeed Cache (6 million+ installs): Four separate critical vulnerabilities in 2024 alone, including unauthenticated privilege escalation. Wordfence blocked nearly 59,000 attacks in a single 24-hour period after one disclosure.
- WPForms (6 million+ installs): Authorization bypass allowing subscribers to process unauthorized Stripe refunds.
- LA-Studio Element Kit: A former employee inserted a backdoor in late December 2025 that allowed unauthorized admin account creation on any site running the plugin.
- OttoKit/SureTriggers: Exploited just four hours after vulnerability disclosure—with proof-of-concept code appearing on GitHub within three hours and active exploitation beginning shortly after.
Patchstack's research found that more than half of plugin developers did not patch vulnerabilities before they were publicly disclosed. Meanwhile, site administrators take an average of 14 days to apply critical patches—while attackers begin scanning within hours.
That gap—between when a vulnerability is known and when it's fixed on your site—is where breaches happen.
AI Is Making This Worse
The WordPress vulnerability problem was already serious. Artificial intelligence is accelerating it.
Automated scanners have been able to enumerate which plugins a site runs, and which versions, for years, because plugin files sit at predictable paths under wp-content/plugins. What AI changes is the speed and skill required for everything after that: tools can now scan millions of websites in hours, match what they find against known vulnerabilities, generate exploitation scripts from a fresh disclosure, and even produce polymorphic malware that changes its signature to evade detection.
The impact is already visible. Security researchers documented a 45% increase in brute force attacks against WordPress sites in Q4 2025, driven largely by AI-enhanced botnets. These automated attacks can rotate through residential proxies, bypass traditional CAPTCHAs, and generate context-aware phishing content that slips past spam filters.
For business owners, the implication is straightforward: the urgency of keeping WordPress and its plugins updated has never been higher. The window between "vulnerability discovered" and "your site is compromised" is shrinking from days to hours.
The Shift Toward Managed Platforms
Against this backdrop, a growing number of businesses—particularly small and medium-sized ones—are reconsidering whether WordPress is the right choice for their website.
Managed website platforms like Webflow, Squarespace, and Wix take a fundamentally different approach. Instead of an open plugin ecosystem where security is the site owner's responsibility, these platforms handle hosting, security updates, TLS (SSL) certificates, and infrastructure as part of the service. There's no plugin layer to worry about, no patches to apply, and no server to configure. What stays with you is account security: the login that controls the site (use a strong password and two-factor authentication), who else has access, and any third-party apps or embedded scripts you connect to it.
The tradeoff is clear: you get less customization, but someone else is responsible for keeping the lights on and the doors locked.
The market is reflecting this shift. WordPress' share of the CMS market (its share among sites that use a known content management system, a different measure from the 43% of all websites cited above) has declined from a peak of 65.2% in January 2022 to approximately 61% by early 2026, its first meaningful decline in over a decade. Meanwhile:
- Shopify has grown to 6.7% market share and now powers more e-commerce sites than WooCommerce in many categories
- Wix holds about 5% market share with over 280 million registered users
- Squarespace captures roughly 3.4% and is projecting over a billion dollars in revenue
- Webflow is growing at approximately 10% annually and holds a SOC 2 report, an independent audit of a vendor's security controls (it attests to how the platform is operated, not to the security of any individual site built on it)
WordPress isn't disappearing—it still powers more websites than the next nine platforms combined. But the trend line is no longer going up, and security is a significant factor driving businesses to look elsewhere.
WordPress' AI Pivot
WordPress isn't standing still. In February 2026, WordPress.com launched an official integration with Anthropic's Claude AI—the first hosted WordPress platform to offer a direct AI connector. The tool gives Claude read-only access to site data like traffic patterns, engagement metrics, and plugin configurations, allowing site owners to ask questions like "which posts performed worst last month?" or "show me pending comments across my network."
Write access, enabling Claude to create and edit content directly, is reportedly planned for a future release. WordPress has also acquired AI companies and launched tools for AI-assisted plugin development. Even a read-only connector is a credential that can see your site's data, so it belongs on the same access list as any other integration and should be revoked when it is no longer used.
It's a smart move to stay relevant. But it doesn't address the core issue. Adding AI features to the dashboard doesn't fix the 8,000 new plugin vulnerabilities discovered every year. It doesn't change the fact that every plugin is a potential entry point. And it doesn't help the business owner who gets compromised because a plugin developer took two weeks to release a patch for a flaw that attackers exploited in four hours.
What's Coming Next: AI-Built Websites
Looking further ahead, the conversation may move beyond "WordPress versus managed platforms" entirely. AI-powered website builders—tools like Bolt, Vercel's v0, and Lovable—are enabling people to create functional websites through natural language prompts, no coding or CMS required.
The AI website builder market is projected to reach over $32 billion by 2035, and some of these tools have grown explosively. However, they come with their own security considerations. Research from Veracode found that 45% of AI-generated code introduces security vulnerabilities, and a CodeRabbit analysis found that AI co-authored code had significantly more security vulnerabilities than human-written code—up to 2.7 times higher for certain flaw categories like cross-site scripting.
The tools are improving rapidly, but the lesson from WordPress applies here too: convenience and speed don't automatically equal security.
What Business Owners Should Consider
If your business runs a WordPress website, here are some practical questions worth asking:
How Many Plugins Are You Running?
Every plugin is additional attack surface. Audit your plugin list and remove anything that isn't actively needed. Deactivating is not enough: a deactivated plugin is no longer loaded by WordPress, but its files remain on the server. If a plugin hasn't been updated by its developer in over a year, or has been closed in the WordPress.org plugin directory, it's time to find an alternative or remove it entirely.
Who Is Keeping Everything Updated?
WordPress core, themes, and every plugin need regular updates. If no one on your team is responsible for this, or if updates happen "whenever someone remembers", your site is likely running vulnerable software right now. With nearly 8,000 new vulnerabilities discovered annually and attackers exploiting them within hours, updates can't be an afterthought. Turn on automatic updates for plugins whose developers ship reliable releases, and make one named person responsible for the rest.
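The two questions above, how many plugins you run and whether they are kept updated, can be answered from one inventory. The script below is an added example, not code from the original article or from WP-CLI itself. It assumes the inventory was exported on the site with `wp plugin list --format=json --fields=name,status,version,update,update_version,wporg_status,wporg_last_updated` (the `wporg_*` columns need a recent WP-CLI and access to wordpress.org; the date format is assumed to be YYYY-MM-DD). The inventory embedded in the script is constructed, and its plugin names are made up.

```python
"""Audit a WordPress plugin inventory exported by WP-CLI.

Added example, not code from the original article. Assumes the inventory was
produced on the site with:

  wp plugin list --format=json \
    --fields=name,status,version,update,update_version,wporg_status,wporg_last_updated

The wporg_* columns need a recent WP-CLI and access to wordpress.org; the
date format is assumed to be YYYY-MM-DD. SAMPLE_INVENTORY is constructed for
illustration and uses made-up plugin names.
"""
import json
import sys
from datetime import date, datetime

STALE_AFTER_DAYS = 365  # the "not updated in over a year" rule from the text

SAMPLE_INVENTORY = json.dumps([
    {"name": "acme-forms", "status": "active", "version": "1.4.0", "update": "available",
     "update_version": "1.4.2", "wporg_status": "active", "wporg_last_updated": "2026-01-20"},
    {"name": "old-gallery", "status": "inactive", "version": "2.0.1", "update": "none",
     "update_version": "", "wporg_status": "active", "wporg_last_updated": "2023-06-30"},
    {"name": "legacy-widget", "status": "active", "version": "0.9", "update": "none",
     "update_version": "", "wporg_status": "closed", "wporg_last_updated": "2022-11-02"},
    {"name": "site-cache", "status": "active", "version": "3.2.1", "update": "none",
     "update_version": "", "wporg_status": "active", "wporg_last_updated": "2026-01-05"},
])


def parse_date(text):
    """Parse the leading YYYY-MM-DD of a WP-CLI date string; None if absent."""
    try:
        return datetime.strptime((text or "")[:10], "%Y-%m-%d").date()
    except ValueError:
        return None


def audit_plugins(inventory_json, today=None):
    """Return (plugin, finding, detail) tuples worth acting on.

    `today` may be a date or a YYYY-MM-DD string; defaults to the real date."""
    if isinstance(today, str):
        today = parse_date(today)
    today = today or date.today()
    findings = []
    for p in json.loads(inventory_json):
        name = p.get("name", "?")
        if p.get("status") == "inactive":
            findings.append((name, "inactive",
                             "not loaded by WordPress but its files stay on the server; remove it"))
        if p.get("update") == "available":
            findings.append((name, "update-available",
                             f"{p.get('version')} -> {p.get('update_version')}"))
        if p.get("wporg_status") == "closed":
            findings.append((name, "closed-on-wporg",
                             "closed in the plugin directory; no updates will arrive through it"))
        last = parse_date(p.get("wporg_last_updated"))
        if last and (today - last).days > STALE_AFTER_DAYS:
            findings.append((name, "stale-upstream",
                             f"last upstream release {last.isoformat()}"))
    return findings


def plugins_needing_action(findings):
    """Distinct plugin names that have at least one finding, sorted."""
    return sorted({plugin for plugin, _, _ in findings})


if __name__ == "__main__":
    # Pipe the wp-cli JSON in, or run with no input to audit the sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INVENTORY
    for plugin, finding, detail in audit_plugins(raw):
        print(f"{plugin:20} {finding:18} {detail}")
```

Run it on a schedule and treat a non-empty result as work to do that week: apply the pending updates (`wp plugin update --all` after testing on a staging copy), delete inactive plugins rather than leaving them deactivated, and plan a replacement for anything closed or stale upstream, since no patch is coming for those.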
Do You Have Monitoring in Place?
Would you know if your site was compromised? Many WordPress infections go undetected for weeks or months, silently redirecting visitors, injecting spam, or stealing data. Security monitoring, malware scanning, and regular security audits are essential for catching problems early. The simplest useful control is a file-integrity baseline: a known-good list of file hashes, kept off the web server, that you compare against on a schedule so that the new and modified files an infection leaves behind stand out.
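A minimal version of that file-integrity check, as an added example that is not the article's or any security product's code. It hashes every file under the site root, diffs a later run against the saved baseline, and searches changed files for patterns typical of injected PHP. The `demo()` function builds a throwaway site in a temporary directory and simulates an infection so the script runs offline; the paths, plugin name, and injected snippets are all constructed for illustration.

```python
"""A minimal file-integrity baseline for a WordPress install.

Added example, not the article's or any product's code. It hashes every file
under the site root, diffs a later run against the saved baseline, and greps
changed files for patterns common in injected PHP. demo() builds a throwaway
site in a temp directory and simulates an infection so the script runs
offline; the paths and injected snippets are constructed for illustration.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# Constructs typical of injected PHP: eval over an obfuscated payload, or a
# request parameter called as a function. A hit is a lead, not proof.
SUSPICIOUS = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(",
    re.I,
)


def hash_tree(root):
    """Map each file's path (relative, with '/' separators) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Files that appeared, disappeared, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def scan_for_injection(root, rel_paths):
    """Return the subset of rel_paths whose content matches SUSPICIOUS."""
    root = Path(root)
    return [rel for rel in rel_paths if SUSPICIOUS.search((root / rel).read_bytes())]


def save_baseline(manifest, path):
    """Write the manifest as JSON; keep this file off the web server."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def demo():
    """Constructed scenario: baseline a clean site, then simulate an infection."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d) / "htdocs"
        (site / "wp-content/plugins/acme-forms").mkdir(parents=True)
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/plugins/acme-forms/acme-forms.php").write_text("<?php\n// plugin bootstrap\n")
        (site / "index.php").write_text("<?php\nrequire __DIR__ . '/wp-blog-header.php';\n")
        baseline = hash_tree(site)

        # What a compromise leaves behind: a web shell dropped into uploads
        # and a loader prepended to index.php (payload string is a placeholder).
        (site / "wp-content/uploads/image.php").write_text(
            '<?php $_REQUEST["f"]($_REQUEST["a"]);\n')
        original = (site / "index.php").read_text()
        (site / "index.php").write_text(
            '<?php eval(base64_decode("Ly8gY29uc3RydWN0ZWQ="));\n' + original)

        changes = diff_manifest(baseline, hash_tree(site))
        hits = scan_for_injection(site, changes["added"] + changes["modified"])
        return changes, hits


if __name__ == "__main__":
    changes, hits = demo()
    print(json.dumps(changes, indent=1))
    print("suspicious:", hits)
```

Two practical points: store the baseline somewhere the web server cannot write to, otherwise whoever modified your files can also rewrite the list you compare against; and for the parts of the site that come from WordPress.org, WP-CLI already ships reference hashes, so `wp core verify-checksums` and `wp plugin verify-checksums --all` cover core and directory plugins while a baseline like this one covers uploads, themes, and anything custom.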
Is WordPress Still the Right Fit?
This isn't a question with a universal answer. WordPress remains a powerful platform with capabilities that managed alternatives can't match. But if your business needs a straightforward website—a professional online presence with some content and maybe an online store—and you don't have the resources to maintain WordPress security properly, a managed platform may offer a better risk profile.
The right choice depends on what your business actually needs versus what you're realistically able to maintain.
Do You Have a Recovery Plan?
Only 27% of WordPress professionals surveyed by Melapress reported having a breach recovery plan. If your site went down tomorrow due to a compromised plugin, how quickly could you restore it? Are your backups current, tested, and stored separately from your website? A backup kept on the same server is lost with it, and a backup that has never been restored is untested, so restore one to a staging copy at least occasionally and note how long it takes. The difference between a minor disruption and a significant business impact often comes down to preparation.
The Bigger Picture
WordPress revolutionized the web by making it possible for anyone to build a website. That democratization was genuinely transformative. But the same open ecosystem that made it powerful has created a security burden that many businesses—especially smaller ones—aren't equipped to manage.
The plugin model was built for a different era, before AI could find and exploit vulnerabilities in hours, before a single plugin could expose millions of sites simultaneously, and before businesses depended on their websites as primary revenue channels.
None of this means WordPress is doomed or that every site needs to migrate tomorrow. It means that running a WordPress site in 2026 requires treating it like what it is: a piece of business infrastructure that needs active security management—not a set-it-and-forget-it tool that takes care of itself.
Because your website is often the first thing a potential customer sees. And if what they see is a malware warning or a redirect to a spam site, they won't come back to find out what you actually do.
This article is intended for informational purposes only and does not constitute professional security, legal, or compliance advice. Organizations should consult with qualified professionals to assess their specific circumstances and develop appropriate protective measures.