This post draws on published research from Patchstack, WPScan, Wordfence, Sucuri, and WordPress.org's own public statistics — not internal client data. Every finding cited here is verifiable through a primary source linked in the footnotes.
Before we migrate a WordPress site, we do a full audit: every plugin, every theme file, every PHP version, every integration. What we find consistently matches what independent security researchers have been documenting for years.
The Plugin Graveyard
WordPress.org lists over 60,000 plugins available for download.[1] The average WordPress site runs a significant number of them — often more than site owners realise, including plugins installed for past projects and never removed. Inactive plugins still contain code. They still represent attack surface. They can still be exploited.
According to Patchstack's 2024 State of WordPress Security report, plugin and theme developers failed to provide a timely fix for 46% of disclosed vulnerabilities.[2] Even diligent site owners who update immediately are left exposed on nearly half of known vulnerabilities — because no patch exists yet.
"Overall 11,334 new vulnerabilities were found in the WordPress ecosystem in 2024 — a 42% increase compared to 2023. Of all new vulnerabilities found, 96.77% originated in plugins."
— Patchstack, State of WordPress Security 2024
PHP Versions Nobody Updated
WordPress's minimum PHP version requirement moves slowly. The platform will often run fine on PHP versions that are years past their security end-of-life date. Updating PHP can break plugin compatibility — so site owners face a choice between a known security exposure and potential site breakage.
WordPress.org publishes live statistics on the PHP versions running across active WordPress installations. As of early 2026, a meaningful percentage of active sites continue to run PHP versions that receive no active security patches.[3]
| PHP Version | End-of-Life Date | Security Status |
|---|---|---|
| PHP 5.6 | December 2018 | No patches for over 7 years |
| PHP 7.2 | November 2020 | No patches for over 5 years |
| PHP 7.4 | December 2022 | No patches since 2022 |
| PHP 8.0 | November 2023 | No patches since 2023 |
| PHP 8.1 | December 2025 | Recently end-of-life |
End-of-life dates sourced from the official PHP supported versions page.[4]
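The two audit checks described so far (plugins left on disk, and the PHP branch measured against the table above) can be scripted. This is an added example, not the audit tooling the post refers to; it assumes plugin data in the shape of `wp plugin list --format=json`, and the plugin names and versions are constructed.

```python
import json
from datetime import date

# End-of-life (year, month) per PHP branch, copied from the table above.
PHP_EOL = {"5.6": (2018, 12), "7.2": (2020, 11), "7.4": (2022, 12),
           "8.0": (2023, 11), "8.1": (2025, 12)}

# Constructed sample in the shape of `wp plugin list --format=json`;
# the plugin names and versions are made up.
SAMPLE_PLUGINS = """[
 {"name": "example-forms",  "status": "active",   "update": "none",      "version": "2.1.0"},
 {"name": "example-slider", "status": "inactive", "update": "available", "version": "1.4.2"},
 {"name": "example-seo",    "status": "active",   "update": "available", "version": "3.0.1"}
]"""

def php_months_past_eol(version, today):
    """Months since the branch's EOL month; negative if still supported,
    None if the branch is not in the table."""
    branch = ".".join(version.split(".")[:2])   # "7.4.33" -> "7.4"
    if branch not in PHP_EOL:
        return None
    year, month = PHP_EOL[branch]
    return (today.year - year) * 12 + (today.month - month)

def audit(plugins_json, php_version, today):
    """Return (kind, subject, detail) findings, sorted."""
    findings = []
    for p in json.loads(plugins_json):
        if p["status"] == "inactive":
            # Inactive plugins are still files on the server.
            findings.append(("inactive-plugin", p["name"], "code still on disk; delete if unused"))
        if p.get("update") == "available":
            findings.append(("update-pending", p["name"], "installed " + p["version"]))
    months = php_months_past_eol(php_version, today)
    if months is None:
        findings.append(("php-unknown", php_version, "branch not in table; check php.net/supported-versions"))
    elif months >= 0:
        findings.append(("php-eol", php_version, f"{months} months past end-of-life"))
    return sorted(findings)

if __name__ == "__main__":
    for kind, subject, detail in audit(SAMPLE_PLUGINS, "7.4.33", date(2026, 3, 1)):
        print(f"{kind:16} {subject:16} {detail}")
```

A plugin with no update pending is not necessarily safe: as noted above, many disclosed vulnerabilities have no timely fix, so this check only catches the patchable cases.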
The Vulnerability Window Problem
The timeline between when a vulnerability is disclosed and when exploitation begins has compressed significantly. Patchstack's research shows automated attacks often begin probing for a disclosed vulnerability within hours — before most site owners have had time to evaluate, test, and apply a patch.[2]
Wordfence corroborates this from the other side: its Web Application Firewall processes approximately 90,000 attacks per minute targeting WordPress sites.[5] Most are automated scans checking for known vulnerable versions.
What Gets Left Behind on Purpose
Not everything migrates. We're upfront about this before taking a deposit.
We do not migrate e-commerce. WooCommerce stores, payment integrations, product databases — these are outside our service scope.
We do not migrate membership systems. User accounts, access levels, subscription billing — too much is platform-dependent.
Custom plugin functionality built by a past developer needs to be scoped carefully. Sometimes we rebuild it in vanilla JavaScript. Sometimes clients realise they no longer use it.
Everything else — content, SEO settings, redirects, imagery, contact forms — migrates cleanly.
What Clients Are Most Relieved to Leave Behind
Without exception, the same thing: the update treadmill.
The constant stream of plugin update notices. The anxiety of running them — will something break? — versus not running them — am I exposed? The research shows both risks are real.
When the site is clean HTML hosted on Cloudflare Pages, there is no treadmill. There is nothing to update. The site just exists, exactly as built, for as long as you want it. That is what ownership actually feels like.
1. WordPress.org Plugin Directory. Plugin count current as of March 2026. wordpress.org/plugins
2. Patchstack. State of WordPress Security 2024. Published 2025. Figures: 11,334 new vulnerabilities; 42% YoY increase; 96.77% of vulnerabilities from plugins; 46% with no timely patch. patchstack.com/whitepaper
3. WordPress.org. WordPress Usage Statistics — PHP Versions. Live data on PHP versions across active WordPress installations. wordpress.org/about/stats
4. PHP Group. Supported Versions. Official end-of-life dates for all PHP versions. php.net/supported-versions
5. Wordfence Threat Intelligence. Attack volume statistics cited across multiple Wordfence annual reports. wordfence.com/blog