7,966 New Vulnerabilities: The WordPress Security Problem No One's Talking About
Erik Palmquist · 8th and Palm · March 19, 2026
In 2024, security researchers disclosed 7,966 new vulnerabilities in the WordPress ecosystem, a 34% increase over the previous year (Patchstack 2025 State of WordPress Security Report). That’s roughly 22 new security holes discovered every single day. For service business owners running WordPress, this isn’t a hypothetical risk. It’s a math problem, and the odds are getting worse.
But this isn’t a scare piece. This is a practical look at what’s actually happening, why the standard advice doesn’t work, and what your options are.
The Plugin Supply Chain Problem
Here’s the part most people miss: WordPress core — the software itself — isn’t the main problem. Only about 4% of the vulnerabilities discovered in 2024 were in WordPress core. The other 96% were in plugins and themes (Patchstack 2025).
That distinction matters because of how WordPress actually works in practice. A typical service business website runs 15-25 active plugins. Contact forms, SEO tools, security scanners, backup solutions, page builders, analytics, caching, image optimization, spam filters, review widgets, booking systems — each one is a separate piece of software written by a separate developer or team.
You’re not running one piece of software. You’re running 15-25 pieces of software from 15-25 different sources, each with its own update schedule, its own security practices, and its own track record. Some of those plugins are maintained by professional teams. Others are maintained by a single developer in their spare time. A few have been abandoned entirely but still have thousands of active installs.
Every plugin is a door into your website. With 7,966 new vulnerabilities discovered in a single year, the question isn’t whether one of your plugins has a security flaw. The question is how many of them do right now.
This is what security professionals call a “supply chain” problem. You’re trusting a chain of suppliers (plugin developers) with the security of your business, and you have no practical way to audit their work. Even security-focused business owners can’t evaluate the code quality of every plugin they use. You just have to hope everyone in the chain is doing their job.
What a Breach Actually Costs a Local Business
When a national retailer gets hacked, it makes the news. When a plumbing company or dental practice gets hacked, it doesn’t. But the impact on the business can be devastating in proportion to its size.
Here’s what happens when a WordPress site is compromised:
Immediate damage:
- Your site gets defaced, redirected to spam, or taken offline entirely
- Google may flag your site with a “This site may be hacked” warning in search results
- Your hosting company may take your site down preemptively to protect other sites on the same server
Recovery costs:
- Professional malware removal: $500-$2,500
- Rebuilding from backup (if you have one): $1,000-$5,000
- If no clean backup exists: potentially the entire cost of rebuilding your site from scratch
Business impact:
- Every day your site is down or flagged, you’re invisible to the 78% of local mobile searches that lead to a purchase within 24 hours (BrightLocal)
- Google blacklisting can take weeks to resolve, even after the malware is removed
- Customers who see a security warning will not come back. Trust, once broken, is nearly impossible to rebuild with someone who was about to hire you for the first time
Long-tail damage:
- If customer data was exposed (contact forms, booking information), you may have legal notification requirements depending on your state
- Your email domain may get flagged as a spam source if the attacker used it to send malicious emails
- Your organic search rankings may take months to recover from a Google Safe Browsing flag
Add it all up, and a single security incident can easily cost a small service business $5,000-$25,000 in direct costs and lost revenue. For some businesses, the reputational damage is the biggest cost of all, and it doesn’t show up on an invoice.
Why “Just Keep It Updated” Doesn’t Work
This is the advice everyone gives: keep your plugins updated and you’ll be fine. It sounds reasonable. It’s also insufficient, for three specific reasons.
Reason 1: Zero-day vulnerabilities have no patch to apply.
A zero-day vulnerability is a security flaw that’s discovered by attackers before a fix is available. In 2024, researchers found that many WordPress plugin vulnerabilities were actively exploited before patches were released. You can’t update your way out of a vulnerability that doesn’t have a fix yet.
Reason 2: Update conflicts break things.
If you’ve run a WordPress site for any length of time, you’ve experienced this: you update a plugin, and something else breaks. A contact form stops working. The layout shifts. A page throws an error. This happens because plugins interact with each other and with your theme in unpredictable ways.
The result? Many business owners delay updates because they’re afraid of breaking their site. That’s rational behavior, but it leaves known vulnerabilities unpatched for weeks or months. You’re stuck choosing between “might break my site” and “definitely leaving a security hole open.”
When you have 15-25 plugins, each updating on its own schedule, maintaining compatibility across all of them is a constant, low-grade maintenance headache. WordPress ranked as the 3rd “most dreaded” technology in the Stack Overflow Developer Survey 2024, and this kind of maintenance burden is a big reason why.
Reason 3: You’re trusting plugin developers with your security, and you shouldn’t have to.
Most WordPress plugin developers are honest, competent people. But the WordPress plugin ecosystem has essentially no quality control. Anyone can publish a plugin to the WordPress repository. Plugins get acquired by new owners who may inject malicious code. Developers abandon plugins that still have thousands of active installs.
With 7,966 new vulnerabilities discovered in one year across the ecosystem, the sheer volume tells you that the current model — trust everyone, update constantly, hope nothing slips through — is structurally broken.
The Architectural Alternative
Modern static-site frameworks don’t have this problem. Not because they’re magically more secure, but because they’re architecturally different.
A WordPress site is essentially a small application running on a server. The pieces that can be attacked include a live database, a PHP runtime, an admin login page, 15-25 plugins with varying security standards, a theme with its own codebase, a file upload system, and an admin panel reachable from any browser. Every one of those is a potential entry point, and most have had documented exploits in the last two years.
A modern static site, by contrast, is pre-built HTML files served from a CDN. There’s nothing running on a server that an attacker can poke at, no database to query, no admin to log into.
That’s it. No database to inject malicious queries into, no admin login to brute-force, no plugin quietly updating its own code, no PHP processing user input on every request. The “attack surface” — the number of things a hacker can practically target — drops from dozens of potential entry points to a handful, and the handful that remain are scoped narrowly enough to audit thoroughly.
The only server-side code runs in isolated, purpose-built API endpoints — like a contact form handler or a speed test tool. These are small, auditable, and don’t have access to a database full of content. If you want to see how this works in practice, our speed grader tool is a good example: it’s a single-purpose endpoint that calls Google’s API and returns results. No database, no admin panel, no plugin chain.
Migration as a Security Decision
Most business owners think of website migration as a design project, a way to make the site look better. But a growing number are treating it as a security decision.
Consider the numbers: if you’re spending $100-$300/month on WordPress security monitoring, managed hosting with firewalls, and backup services, that’s $1,200-$3,600 per year just to mitigate the risks of a platform choice. And that spending doesn’t eliminate the risk. It just reduces it. One unpatched plugin, one delayed update, one zero-day exploit, and you’re dealing with a breach anyway.
A migration to a modern framework costs $5,000-$20,000 upfront (see our Services page for specifics) and essentially eliminates the ongoing security overhead. No plugins to patch. No database to protect. No admin panel to lock down. Hosting costs drop significantly because there’s no database, no PHP, and no server-side processing to pay for.
The businesses we work with — HVAC companies, dental practices, law firms, accounting firms — handle sensitive customer information. A breach isn’t just embarrassing; it can trigger regulatory issues. For these businesses, the migration conversation often starts with speed and ends with security. Once you understand the architectural difference, it’s hard to justify staying on a platform that requires constant vigilance to remain safe.
For a full walkthrough of the migration process, including how we handle content, SEO, and the transition, read our complete guide to migrating off WordPress.
How to Assess Your Current Risk
Before you decide anything, you should know where you stand right now. Here’s a quick self-assessment:
- Count your active plugins. Go to your WordPress dashboard and look at the Plugins page. If you have more than 10 active plugins, your attack surface is significant. More than 20? It’s large.
- Check when each plugin was last updated. If any plugin hasn’t been updated in more than 6 months, it may have unpatched vulnerabilities. If it hasn’t been updated in over a year, it almost certainly does.
- Check your site’s SSL certificate. Visit your site and look for the padlock icon in the browser. If it’s not there, you have a basic security issue that’s also hurting your SEO.
- Run a speed and performance test. Security and performance often go hand in hand — a slow site loaded with plugins is usually a vulnerable site loaded with plugins. Our speed grader won’t test security directly, but it will tell you how overloaded your site is.
- Ask your developer or hosting company: When was the last security audit? What’s the incident response plan if the site is compromised?
If any of those answers make you uncomfortable, it’s worth having a conversation about your options. You can reach out to us directly — no pressure, just an honest look at your situation.
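The first two checks above (count active plugins, check when each was last released) can be made repeatable. The script below is an added example, not code from the article or from 8th and Palm: it reads the JSON that `wp plugin list --format=json` prints and the `last_updated` value the WordPress.org plugin directory API reports for each slug, then applies the article's own thresholds. All sample data is constructed, the plugin slugs are not real plugins, and "today" is pinned to the article date so the output is reproducible.

```python
import json
from datetime import datetime, timezone

SIGNIFICANT_COUNT, LARGE_COUNT = 10, 20   # article: >10 active is significant, >20 is large
AGING_DAYS, STALE_DAYS = 182, 365         # article: >6 months may be unpatched, >1 year almost certainly

# Constructed sample of what `wp plugin list --format=json` prints (slugs are not real plugins).
WP_PLUGIN_LIST = json.dumps([
    {"name": "contact-form-x", "status": "active", "update": "none", "version": "5.9"},
    {"name": "seo-helper", "status": "active", "update": "available", "version": "1.2"},
    {"name": "old-gallery", "status": "active", "update": "none", "version": "0.4"},
    {"name": "premium-booking", "status": "active", "update": "none", "version": "3.1"},
    {"name": "unused-widget", "status": "inactive", "update": "none", "version": "2.0"},
])
# Constructed `last_updated` strings in the format the WordPress.org plugin directory API returns.
# premium-booking is deliberately missing: commercial plugins are not listed in the directory.
LAST_UPDATED = {
    "contact-form-x": "2026-02-20 9:10am GMT",
    "seo-helper": "2025-07-01 4:00pm GMT",
    "old-gallery": "2024-01-15 11:30am GMT",
}
NOW = datetime(2026, 3, 19, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def parse_wporg_date(text: str) -> datetime:
    """Parse the directory's 'YYYY-MM-DD H:MMam GMT' timestamp into an aware datetime."""
    return datetime.strptime(text.upper(), "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)


def staleness(last_updated, now: datetime) -> str:
    """Map a plugin's last release date onto the article's 6-month / 1-year rules."""
    if last_updated is None:
        return "unknown: not in the directory, ask the vendor for its release history"
    age = (now - parse_wporg_date(last_updated)).days
    if age > STALE_DAYS:
        return "stale: almost certainly unpatched"
    return "aging: may be unpatched" if age > AGING_DAYS else "ok"


def assess(plugin_list_json: str, last_updated: dict, now: datetime) -> dict:
    """Count active plugins, size the attack surface, and flag stale or outdated ones."""
    plugins = json.loads(plugin_list_json)
    active = [p for p in plugins if p["status"] == "active"]
    surface = ("large" if len(active) > LARGE_COUNT
               else "significant" if len(active) > SIGNIFICANT_COUNT else "below thresholds")
    return {
        "active_count": len(active),
        "attack_surface": surface,
        # Inactive plugins are still code on disk; the FAQ below says to remove what you do not use.
        "remove_candidates": [p["name"] for p in plugins if p["status"] != "active"],
        "findings": {p["name"]: {"pending_update": p["update"] == "available",
                                 "age": staleness(last_updated.get(p["name"]), now)}
                     for p in active},
    }
```

Run `assess(WP_PLUGIN_LIST, LAST_UPDATED, NOW)` to get the triage; on a real site, replace the two constants with the WP-CLI output and the directory's `last_updated` values.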
Frequently Asked Questions
Q: Is WordPress itself insecure?
A: WordPress core is maintained by a dedicated team and is reasonably secure on its own. The problem is that almost no one runs WordPress core alone. The plugins and themes that make WordPress functional are where 96% of vulnerabilities originate (Patchstack 2025). So the practical answer is: WordPress as it’s actually used by businesses is significantly less secure than the alternatives.
Q: I have a security plugin installed. Isn’t that enough?
A: A security plugin can detect and block some known attacks, but it’s still a plugin — meaning it’s another piece of third-party code that could itself contain vulnerabilities, and it can’t protect against zero-day exploits in other plugins. It’s a lock on a house with 20 unlocked windows. Better than nothing, but not a structural solution.
Q: How often do small businesses actually get hacked?
A: More often than you’d think. Automated attacks don’t distinguish between a Fortune 500 company and a local dental practice. Bots scan for known WordPress vulnerabilities 24/7, and they don’t check your revenue before exploiting a flaw. Small businesses are actually preferred targets because they’re less likely to have monitoring in place and slower to detect a breach.
Q: What happens to my site’s security during the migration process?
A: Your existing WordPress site stays live and unchanged until the new site is ready. We build everything on a separate staging environment. On launch day, we switch your domain to the new site — which, being static files on a CDN, immediately has a near-zero attack surface. Your old WordPress installation is then taken offline entirely.
Q: Can I just remove plugins to reduce risk?
A: You can, and you should remove any plugins you’re not actively using. But the plugins you’re keeping are the ones that provide the functionality your site needs — forms, SEO, analytics, backups. You can’t remove those without losing features. That’s the fundamental tension with WordPress: the things that make it functional are the things that make it vulnerable.