Your WordPress Site Is a Target. Not an Opinion — a Statistic.
Web Development
· 9 min read
11,334 vulnerabilities were discovered in the WordPress ecosystem in 2025 — 91% in plugins. Median time to first exploit after public disclosure: 5 hours. What this means for your company website and what you can do.
A few years ago, it was enough for a website to show up in Google.
Today, things are more complex. Customers search for information using ChatGPT, Gemini, Claude or Perplexity. AI systems understand, analyse and recommend content in a fundamentally different way from classic search engines — and they have their own criteria for which sites they choose to cite and recommend.
But there is a subject we rarely discuss in conversations about a website’s "future readiness": the security and technical performance of the platform it runs on.
And if your website runs on WordPress — especially if it was built 3-5 years ago and hasn’t been fundamentally revisited since — the 2026 data should get your attention.
What the 2026 numbers say about WordPress
These are not opinions. They come from Patchstack’s annual State of WordPress Security in 2026 report, published in February 2026, and from Wordfence and SolidWP reports for the first quarter of the year.
- 11,334 new vulnerabilities discovered in the WordPress ecosystem in 2025 — the highest number ever recorded, a 42% increase from 2024.
- 91% of vulnerabilities are not in WordPress itself but in plugins. The WordPress core is relatively well secured; plugins are the primary attack surface.
- 43% of vulnerabilities can be exploited without authentication — an attacker needs no password or account, they can attack directly, automatically, from anywhere.
- Median time to first attack after a vulnerability is published: 5 hours. Not days, not weeks.
- 52% of plugin developers did not patch vulnerabilities before they became public.
- 46% of discovered vulnerabilities had no patch available at the time of disclosure.
- The average WordPress site runs 20-25 plugins — every plugin is a dependency, every dependency is a potential vulnerability.
A real example from May 2026
There is no need to resort to hypothetical scenarios. On 8 May 2026, Wordfence discovered a critical vulnerability in the Burst Statistics plugin — an analytics tool used by over 200,000 WordPress websites.
The vulnerability, catalogued as CVE-2026-8181 with a severity score of 9.8 out of 10, allowed anyone — without any account, without any password — to take full control of a site, including creating fake administrator accounts.
The patch arrived on 12 May. Between 8 and 12 May, Wordfence blocked over 7,400 attacks targeting this vulnerability in a single day.
Burst Statistics is an analytics plugin, not a security one. It is not "suspicious" or obscure. It is a normal, popular tool used by tens of thousands of sites for good reasons. And it was an open door for four days.
Speed: the other problem you keep postponing
Security is an acute problem. Speed is a chronic one — less dramatic, but with equally concrete effects.
Core Web Vitals are the metrics Google uses to measure the real performance of a website from the user’s perspective. The most important one, LCP (Largest Contentful Paint), measures how long it takes for the main content to appear on screen. The "good" threshold in 2026: under 2 seconds.
The problem with WordPress is not that the platform is fundamentally slow. The problem is that every plugin adds scripts, styles and database requests. A site with 20 plugins — the average number — has 20 dependencies loading on every visit, often sequentially, often blocking page rendering.
And the consequence is no longer just an impatient user who leaves. Recent research shows that poor performance removes you from AI results too. Systems like ChatGPT, Perplexity or Google AI Overviews that cite and recommend content have their own selection criteria — and your site’s speed and technical structure are part of them. A slow or poorly structured site is less likely to be cited by an AI system, regardless of how good the content is.
Speed is not an advantage you gain. It is the floor you have to stand on to be in the game at all.
Why it is not WordPress’s fault — and why it still matters
It is worth saying directly: WordPress is not a bad platform. It powers 43.5% of all websites on the internet. The plugin ecosystem has allowed millions of people to build functional websites without advanced technical knowledge.
The problem is not WordPress itself. The problem is how your specific site was built and the context in which it runs today.
A WordPress site built 4-5 years ago, with plugins chosen then, with a theme that no longer receives active updates, with a data structure that hasn’t been revisited — that site runs today in a completely different ecosystem from the one it was designed for. It has not evolved. The threats have.
What the alternative looks like in practice
Over the past 2 years, we have helped companies make the transition from WordPress to applications and sites built on modern technologies — React, Next.js, headless systems with dedicated CMSs, structured APIs.
The concrete difference is not visual, even though the design changes too. It is architectural:
- No third-party plugin dependencies — the code running on the site is written and controlled specifically for you, not sourced from external dependencies with their own attack surface.
- Measurable loading speed — the sites we deliver achieve LCP scores under 1.2 seconds under real conditions, compared to 3-6 seconds on typical WordPress installations with plugins.
- Semantic structure for AI — content is marked up and structured so that AI systems can correctly understand, cite and recommend it.
- Simplified administration — no plugin updates, no version conflicts, no "the site broke after an update".
What we do concretely if you get in touch
We do not propose a migration to everyone. The first step is an analysis of your current site — free, with no obligation.
We check: the real performance score, the vulnerabilities of active plugins, technical structure against AI Search requirements and whether there are or aren’t real benefits to modernisation.
If there are no clear benefits, we will tell you directly. There is no point for you or for us in a migration that does not bring measurable value. If there are, we present a concrete proposal: what gets built, in how much time, at what cost and with what expected results.
Before you close this page
If your site runs WordPress and is more than 3 years old, ask yourself three quick questions: do you know how many active plugins it has? Do you know when the last security audit was? Do you know how long it takes to load on a phone with an average 4G connection?
If you don’t have answers to all three, it is worth a look. It takes 30 minutes and costs nothing.