Issue 6

97% of WordPress hacks come from one place

Almost all WordPress vulnerabilities come from plugins and themes, not core. A 20-minute audit to find the abandoned and risky plugins on your site — and why a maintained site is a safe one.

One honest look at your plugin list and you'll know where almost all of your security risk actually lives.

securitywordpressmaintenance

Here's a number that should change how you think about WordPress security: 97% of vulnerabilities come from plugins and themes — not WordPress core itself. The platform is solid. The stuff you bolt onto it is the problem.

And the volume is climbing. Over 11,000 new vulnerabilities were logged across the WordPress ecosystem last year — a 42% jump — with cross-site scripting (XSS) the single biggest category. Most of it rides in on plugins that are outdated, abandoned, or just unnecessary.

The 20-minute plugin audit

  1. Open Plugins and sort by the "Last updated" info on each one.
  2. Flag anything not updated in 12+ months. An abandoned plugin is a door no one's locking.
  3. Flag anything you can't name a current reason for. "Might need it" isn't one.
  4. For flagged plugins: find a maintained alternative, or remove them (back up first, deactivate, test, delete).
  5. Turn on auto-updates for the ones you keep — most breaches exploit a hole that was patched months ago.

Time: 20 minutes. Risk: low if you back up first and remove one plugin at a time.

Evidence

This tracks with the wider data: 78% of WordPress sites hacked in 2025 had at least one plugin running an outdated version, and researchers estimate over half of WordPress vulnerabilities trace back to plugins site owners never patched (Colorlib, 2026 WordPress hacking statistics). An abandoned plugin doesn't just carry today's risk — it carries every vulnerability found in it from now on, since no one's shipping a fix.

Want it checked properly?

If you'd rather not judge which plugins are safe to remove yourself, the Maintenance Risk Check flags the abandoned, outdated and risky items on your site without you having to interpret "last updated" dates yourself.

How we can work together

Reply with how many active plugins you're running — I'll tell you if that's a red flag for your type of site.

How we can work together

If you want a second pair of eyes on your WordPress stack, use the archive as a starting point, then take the next step that fits your stage.

Reply with how many active plugins you're running — I'll tell you if that's a red flag for your type of site.