IM DOMINATOR · AI Hack Defense
Get the Free Checklist

AI Security Guide → WordPress

WordPress Plugin Vulnerabilities: Why "Just Update" Quietly Fails

By Benjamin Hübner · Updated June 2026

Quick answer: 11,334 new vulnerabilities hit the WordPress ecosystem in 2025, and 96–97% were in plugins, not core (Patchstack). The standard advice — "keep everything updated" — fails because 46% of disclosed vulnerabilities never got a fix before public disclosure. The real strategy: fewer plugins, reputable developers, virtual patching, and deleting (not deactivating) what you don't use.

Your WordPress core is fine. Seriously — the WordPress team does good work, and core accounts for a rounding error of real-world vulnerabilities.

Your 23 plugins are the problem.

The 2025 Numbers

11,334 new vulnerabilities in the WordPress ecosystem in 2025 — a 42% jump over 2024. 96–97% were in plugins, not core.Source: Patchstack, State of WordPress Security 2026
46% of disclosed vulnerabilities never received a fix from the plugin developer before public disclosure.Source: Patchstack, State of WordPress Security 2026

Read that second one again. Nearly half the time, the update you're told to install doesn't exist. The developer abandoned the plugin, or didn't respond, and the vulnerability went public anyway — with your site still running it. Meanwhile, attackers' automation gets faster every year; exploitation of newly disclosed flaws now begins within hours, not weeks.

The Strategy That Actually Works

  1. Cut your plugin count. Every plugin is attack surface. For each one ask: does this earn its risk? Target: under 15.
  2. Delete, don't deactivate. A deactivated plugin's code still sits on your server and can still be exploited. If you're not using it, remove it.
  3. Check the pulse before you install. Last update date, support thread responses, active installs. An abandoned plugin is a future unpatched vulnerability.
  4. Add virtual patching. Services like Patchstack (or a WAF with virtual patching) block exploit attempts against known vulnerabilities even when no official fix exists — your only defense against the 46%.
  5. Basics: 2FA on every admin account, limited login attempts, daily off-site backups you've actually test-restored.

The New Risk: AI-Generated Plugin Code

One more surface most WordPress owners don't think about: custom snippets and mini-plugins generated with AI. That code lives outside the update channel entirely — no developer, no disclosure, no patch, ever. Patchstack flags AI-generated custom code as an expanding attack surface, and the data on AI code quality backs it up: roughly 45% ships with at least one OWASP Top-10 flaw. If you've pasted AI code into your theme's functions.php, read our breakdown of how AI-generated code introduces vulnerabilities before it bites.

📌 ACTION STEP
→ List your plugins today; delete everything unused (not deactivate — delete)
→ Check the "last updated" date on what remains; replace anything stale
→ Add virtual patching this week

WordPress is one section of the full checklist

The WordPress hardening section of the free checklist walks every step above — plus the seven other AI-era gaps.

Get the Free Checklist →

Prefer everything done-with-you, step by step? That's the AI Hack Defense Playbook →

This article is part of our guide to defending against AI cyber attacks on small businesses.

BH

Benjamin Hübner — founder of IM Dominator and AiMarketingReviews.com. Informational only, not professional cybersecurity advice.