Report Shows WordPress Sites Are Getting Hacked At Faster Rate

According to Roger Montti’s article on Search Engine Journal, “Report Shows WordPress Sites Are Getting Hacked At Faster Rate,” new research from the security company Patchstack indicates that WordPress vulnerabilities are being exploited far more quickly than in the past, often within hours of public disclosure.

Exploits Are Happening Faster Than Ever

Montti reports that the Patchstack State of WordPress Security report found that attackers frequently begin exploiting newly discovered vulnerabilities almost immediately. According to the analysis, roughly half of high-impact vulnerabilities are exploited within 24 hours, and the weighted median time to the first exploit is just five hours.

This dramatically shortens the window for site owners to patch vulnerabilities, turning security updates into a race against time.

Plugin Ecosystem Driving Most Vulnerabilities

The report shows that the majority of WordPress vulnerabilities continue to come from plugins rather than WordPress core. In 2025 alone, researchers discovered 11,334 vulnerabilities in the WordPress ecosystem, a 42% increase from 2024.

Specifically:

  • 36% were considered serious threats requiring rapid mitigation
  • 17% had high severity scores likely to be exploited at scale

Many of these vulnerabilities were linked to premium plugins and themes, particularly those distributed through marketplaces like Envato, where limited access to source code can make security analysis more difficult.

Premium Plugins Show High Exploit Rates

Although premium plugins often appear to have fewer publicly reported vulnerabilities, Patchstack found that 76% of vulnerabilities discovered in premium components were exploitable in real-world attacks.

The report also identified 33 critical vulnerabilities in premium components, compared to only 12 found in free plugins.

Patch Delays And Weak Infrastructure Defenses

Montti highlights another concern raised in the report: delays in patch availability. Developers failed to provide timely fixes for 46% of vulnerabilities, leaving sites exposed during the period when attackers are most active.

Even hosting-level protections offer limited coverage. Patchstack’s testing found that only 26% of vulnerability-based attacks were blocked by hosting security defenses such as web application firewalls.

Older Vulnerabilities Still Heavily Targeted

The report also reveals that attackers frequently target older, unpatched vulnerabilities. Among the ten most exploited vulnerabilities observed by Patchstack, six were discovered before 2025, underscoring the ongoing risk posed by outdated plugins.

Growing Attack Surface

Looking ahead, Montti notes that the WordPress attack surface is expanding beyond traditional plugins and themes. Security challenges now include custom-coded plugins, third-party JavaScript and PHP libraries, and AI-generated code, all of which may bypass traditional update and security monitoring workflows.

Key Takeaway

The report suggests that WordPress security is increasingly defined by speed and visibility. With attackers exploiting vulnerabilities within hours and new components expanding the ecosystem, site owners must move faster on updates and monitor not only installed plugins but also custom code and external dependencies.
