AI Security Guide → WordPress
WordPress Plugin Vulnerabilities: Why "Just Update" Quietly Fails
Your WordPress core is fine. Seriously — the WordPress team does good work, and core accounts for a rounding error of real-world vulnerabilities.
Your 23 plugins are the problem.
The 2025 Numbers
Read that second one again. Nearly half the time, the update you're told to install doesn't exist. The developer abandoned the plugin, or didn't respond, and the vulnerability went public anyway — with your site still running it. Meanwhile, attackers' automation gets faster every year; exploitation of newly disclosed flaws now begins within hours, not weeks.
The Strategy That Actually Works
- Cut your plugin count. Every plugin is attack surface. For each one ask: does this earn its risk? Target: under 15.
- Delete, don't deactivate. A deactivated plugin's code still sits on your server and can still be exploited. If you're not using it, remove it.
- Check the pulse before you install. Last update date, support thread responses, active installs. An abandoned plugin is a future unpatched vulnerability.
- Add virtual patching. Services like Patchstack (or a WAF with virtual patching) block exploit attempts against known vulnerabilities even when no official fix exists — your only defense against the 46%.
- Basics: 2FA on every admin account, limited login attempts, daily off-site backups you've actually test-restored.
The New Risk: AI-Generated Plugin Code
One more surface most WordPress owners don't think about: custom snippets and mini-plugins generated with AI. That code lives outside the update channel entirely — no developer, no disclosure, no patch, ever. Patchstack flags AI-generated custom code as an expanding attack surface, and the data on AI code quality backs it up: roughly 45% ships with at least one OWASP Top-10 flaw. If you've pasted AI code into your theme's functions.php, read our breakdown of how AI-generated code introduces vulnerabilities before it bites.
→ List your plugins today; delete everything unused (not deactivate — delete)
→ Check the "last updated" date on what remains; replace anything stale
→ Add virtual patching this week
WordPress is one section of the full checklist
The WordPress hardening section of the free checklist walks every step above — plus the seven other AI-era gaps.
Get the Free Checklist →Prefer everything done-with-you, step by step? That's the AI Hack Defense Playbook →
This article is part of our guide to defending against AI cyber attacks on small businesses.