Your WordPress plugin hasn’t been updated in 14 months. Good luck.

There is that plugin you installed on a Tuesday night at 11pm because the contact form stopped working and the client was waiting. You clicked install, it worked, and you moved on. That was 2023.

It is still running. It has not been updated in 14 months. And somewhere on the internet, an automated scanner has already found it.

Nobody is targeting you. That’s worse.

That is the first thing to understand: you are not the victim of a hoodie-wearing hacker who decided to go after your plumber’s website or recipe blog. You are the victim of a bot running 24/7, scanning millions of sites, looking for known vulnerable plugin versions.

This is documented. WPScan maintains a public database of WordPress vulnerabilities. At the time of writing, it lists thousands of documented flaws across plugins, themes and core versions. Most have a patch available. Most affected sites have not applied it.

The Sucuri annual report on compromised sites is even more direct: year after year, poorly maintained CMS platforms account for the vast majority of infections treated. WordPress leads the pack, not because it is inherently less secure, but because it is everywhere and its installations age badly.

The usual suspects

Certain plugins appear repeatedly in compromise reports. Not necessarily the most obscure ones. Often the most popular, precisely because their massive install base makes them profitable targets for attackers.

Form builders like Contact Form 7 or WPForms, page builders abandoned by their developers, sliders that were trendy in 2017, SEO plugins from a bygone era. And above all: premium plugins bought once, activated, and whose licence expired without anyone renewing the updates. When that licence lapses, the update feed simply goes quiet: the dashboard shows nothing pending, so the plugin looks current while it silently falls behind.

Patchstack publishes an annual whitepaper on the state of WordPress security. Their 2024 conclusion is unambiguous: 97% of documented vulnerabilities concern third-party plugins and themes, not the WordPress core itself. In other words, WordPress is not the problem. What you put inside it is.

What it actually costs

A compromised site is not necessarily a homepage replaced by a message in Cyrillic. It is often invisible. A silent redirect to a phishing site for mobile visitors. SEO spam injected into your pages for fraudulent link building. A cryptocurrency mining script slowing your site down without you understanding why.

Google eventually detects it. Your site gets blacklisted. Google Safe Browsing displays a red warning before visitors even reach your page. Your SEO takes a hit that will take months to recover from.

What to do concretely

First, the inventory. Log into your back-office and honestly look at your plugin list. How many are active? How many are deactivated but still installed? A deactivated plugin remains an attack vector if its code is still on the server: its PHP files still sit under wp-content/plugins and, unless the plugin guards against it, can be requested directly without WordPress ever loading the plugin. If you do not use it, delete it; do not just deactivate it.

Then, automatic updates. WordPress has allowed per-plugin automatic updates since version 5.5. It is not perfect, it can break compatibility, but it is infinitely better than 14 months without a patch. Note that it only helps plugins that still publish updates: a premium plugin with a lapsed licence will sit at "no update available" forever. For critical sites, WP-CLI lets you automate updates from the command line and integrate them into a clean deployment process, ideally with a staging copy to catch breakage before it reaches production.

To audit your installation, WPScan's command-line scanner (with a free API token for its vulnerability data) already gives you a clear picture of known vulnerabilities in the plugin and theme versions you run. Wordfence on the plugin side remains an accessible reference, with an integrated scanner and real-time alerts.

Finally, backups. Not on the same server. Not once a month. A daily offsite backup is what makes the difference between restoring in 20 minutes and rebuilding the site from scratch. And test a restore now and then: a backup you have never restored is a hope, not a backup.
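The four steps above (inventory, updates, audit, backups) as one WP-CLI maintenance script, added here as an example; it is not code from the article. It assumes WP-CLI (`wp`) is installed and the script runs from the WordPress root. The plugin slugs, versions and the backup path are constructed for illustration. Without arguments it only parses the embedded sample inventory, so it runs offline; with `--live` it runs the real WP-CLI commands against the current install.

```shell
#!/bin/sh
# Added example (not from the article): a weekly plugin-hygiene pass driven by
# WP-CLI. Assumes `wp` is on PATH and that we run from the WordPress root.
# No arguments: work on the constructed sample below (runs offline).
# --live:       run the real WP-CLI commands against this install.

# Constructed sample of what
#   wp plugin list --format=csv --fields=name,status,update,version,update_version
# prints. Slugs and versions are made up for illustration.
SAMPLE_CSV='name,status,update,version,update_version
client-contact-form,active,available,5.7.2,5.9.8
hero-slider-2017,inactive,available,3.1.0,3.4.1
legacy-seo-tools,inactive,none,1.0.0,
premium-page-builder,active,unknown,2.2.0,
akismet,active,none,5.3,'

# Plugins with a newer release available, whatever their status.
plugins_with_updates() {
    tail -n +2 | awk -F, '$3 == "available" { print $1 }'
}

# Installed but deactivated: the files are still on the server and still
# reachable, so they are attack surface with no benefit.
inactive_plugins() {
    tail -n +2 | awk -F, '$2 == "inactive" { print $1 }'
}

# "unknown" means WordPress has no update feed for the plugin, typically a
# premium plugin whose licence lapsed. It will never show a pending update.
plugins_without_update_feed() {
    tail -n +2 | awk -F, '$3 == "unknown" { print $1 }'
}

# Human-readable report from a CSV inventory passed as $1.
report() {
    csv="$1"
    printf 'Updates available (patch now):\n'
    printf '%s\n' "$csv" | plugins_with_updates | sed 's/^/  /'
    printf 'Inactive (review, then wp plugin delete):\n'
    printf '%s\n' "$csv" | inactive_plugins | sed 's/^/  /'
    printf 'No update feed (check vendor and licence by hand):\n'
    printf '%s\n' "$csv" | plugins_without_update_feed | sed 's/^/  /'
}

# The real cycle. Order matters: back up before you change anything.
live_cycle() {
    set -e
    backup_dir="${BACKUP_DIR:-/var/backups/wp}"      # assumed path; adjust
    stamp=$(date +%F)
    mkdir -p "$backup_dir"
    wp db export "$backup_dir/db-$stamp.sql"         # ship both files off-host
    tar -czf "$backup_dir/wp-content-$stamp.tgz" wp-content

    csv=$(wp plugin list --format=csv --fields=name,status,update,version,update_version)
    report "$csv"

    wp plugin update --all                           # patch everything that has a release
    wp plugin auto-updates enable --all              # keep it that way (WordPress 5.5+, WP-CLI 2.5+)

    # Compare on-disk files with wordpress.org's checksums to catch tampered or
    # injected files. Premium plugins are not in that catalogue and are reported
    # as unverifiable; check those against the vendor's package yourself.
    wp core verify-checksums
    wp plugin verify-checksums --all
}

if [ "${1:-}" = "--live" ]; then
    live_cycle
else
    report "$SAMPLE_CSV"
fi
```

Run it from cron once a week with `--live` and read the report: the "inactive" and "no update feed" lists are the ones that never show up in the dashboard's update counter and are exactly the plugins that rot for 14 months unnoticed.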

Security is a habit, not a project

The problem with security is that it looks like insurance. Invisible when it works, catastrophic when it does not. Nobody updates their plugins on a Tuesday night when everything is fine. Everyone regrets it on Wednesday morning when the site shows a blank page.

Fifteen minutes a week. A look at the WordPress dashboard, pending updates, security alerts. That is all it takes to stay out of next year’s Sucuri statistics.

Your 2023 plugin is watching you. It is just waiting for you to look away.