Why WordPress Is a Popular Target for Cyberattacks

WordPress is a popular target for cyberattacks primarily because of its widespread use, the large ecosystem of plugins and themes with vulnerabilities, and the automation tools hackers use to exploit weak points.

Key reasons include:

• Popularity and Market Share: WordPress powers over 40% of all websites on the internet, making it the largest content management system (CMS). This sheer scale attracts hackers because a single vulnerability can affect millions of sites, maximizing the impact of an attack.

• Vulnerabilities in Plugins and Themes: While the WordPress core is relatively secure (only about 1.1% of vulnerabilities come from it), the vast number of plugins (over 55,000) and themes often have security flaws. Many are not regularly updated or maintained, leaving sites exposed. In 2025 alone, 1,250 vulnerabilities were recorded in plugins and themes.

• Common Attack Methods: Malware is the top threat, affecting about 72.7% of infected WordPress sites, followed by backdoors (69.6%), SEO spam, hacktools, phishing, and defacements. Brute-force login attempts are also very common, with about 65 million attempts daily.

• Automation and AI in Attacks: Hackers increasingly use automated bots and machine learning to scan thousands of WordPress sites rapidly, identifying outdated software and vulnerabilities to exploit in bulk.

• Unpatched Vulnerabilities: In 2024, only about 74.3% of identified WordPress vulnerabilities were patched, leaving a significant number of security holes open for exploitation.

• User Practices: Many WordPress sites remain vulnerable due to outdated plugins, themes, and core software, as well as weak login security. For example, only 34% of WordPress admin accounts globally have two-factor authentication enabled.

In summary, WordPress’s popularity, combined with the complexity and variability of its plugins and themes, and the automation of attacks, make it a frequent and attractive target for cybercriminals.