WordPress powers roughly 43% of all websites on the internet.1 It also accounted for 95.6% of the infected CMS sites in Sucuri's 2021 remediation dataset.2 Market share explains part of that gap: attackers go where the installs are. The rest is not a coincidence.
Understanding why WordPress is so frequently targeted requires understanding something about how it is built — and why the thing that makes it popular is the same thing that makes it vulnerable.
The Scale of the Problem
Wordfence, which operates one of the largest WordPress security platforms, has documented an average of 90,000 attacks per minute targeting WordPress sites.3 Patchstack's 2024 State of WordPress Security report found that 11,334 new vulnerabilities were disclosed in the WordPress ecosystem in 2024 alone — a 42% increase compared to the previous year.4
These are not minor advisories. Patchstack rated 17% of the 2024 vulnerabilities high severity.4 Severity alone does not make a flaw a mass-exploitation candidate; what automated campaigns favour is a bug that is reachable without logging in, in a plugin with a large install base. A high-severity, unauthenticated bug in a popular plugin is typically being exploited at scale within hours of disclosure.
The Plugin Problem
WordPress without plugins is a basic blogging platform. WordPress with plugins is everything from an e-commerce store to a booking system. That flexibility is the product. Plugins are also the attack surface.
In 2024, plugins were the source of 96.77% of all newly disclosed WordPress vulnerabilities, according to Patchstack's annual security report.4 WordPress core itself is comparatively secure: it is maintained by a dedicated security team and ships security fixes through automatic background updates. The problem is everything built on top of it.
Each plugin is a separate codebase, maintained by a separate developer, with its own update cycle and security practices. When a researcher finds a flaw in a popular plugin, exploitation often begins within hours of disclosure, before most site owners have applied the patch. Because plugin updates ship through a public repository, the fix itself shows attackers where the flaw is, so the patch is the start of the race, not the end of it.
The Attack Is Automated
This is the part most business owners misunderstand. Almost nobody is targeting your specific site. The attacks are automated: bots scan millions of sites continuously, reading plugin readme files to fingerprint installed versions, trying common credentials against the login form and the XML-RPC endpoint, and requesting backup copies of configuration files that were left in the web root.
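What that scanning looks like in a web server access log, as an added example that is not part of the original article: a small Python detector run over constructed combined-format log lines. The IP addresses, paths, user agents and the five-POST brute-force threshold are assumptions for illustration.

```python
"""Flag automated WordPress scanning in access logs (added example).

The regular expression assumes the common Apache/nginx "combined" log format.
All log lines in SAMPLE_LOG are constructed; the addresses are documentation ranges.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Version fingerprinting: bots read each plugin's readme.txt to learn the installed version.
README_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/readme\.txt$", re.I)

# Probes for backup/editor copies of wp-config.php and other secret-bearing files.
SECRET_PROBES = {
    "/wp-config.php.bak", "/wp-config.php~", "/wp-config.php.save",
    "/wp-config.php.old", "/wp-config.txt", "/.env", "/.git/config",
}

# Login endpoints: a burst of POSTs from one address is credential stuffing or brute force.
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
LOGIN_BURST = 5  # assumed threshold; tune to the site's real traffic


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, login_burst=LOGIN_BURST):
    """Aggregate per source IP and return only the addresses that look like scanners."""
    per_ip = defaultdict(lambda: {"plugins": set(), "probes": set(), "login_posts": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query strings
        stats = per_ip[rec["ip"]]
        m = README_RE.match(path)
        if m:
            stats["plugins"].add(m.group("slug"))
        if path in SECRET_PROBES:
            stats["probes"].add(path)
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            stats["login_posts"] += 1

    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["plugins"]:
            reasons.append("plugin fingerprinting")
        if s["probes"]:
            reasons.append("config/backup probing")
        if s["login_posts"] >= login_burst:
            reasons.append("login brute force")
        if reasons:
            findings[ip] = {
                "reasons": reasons,
                "fingerprinted_plugins": sorted(s["plugins"]),
                "secret_probes": sorted(s["probes"]),
                "login_posts": s["login_posts"],
            }
    return findings


# Constructed sample: one fingerprinting/probing scanner, one brute forcer, one real visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:08:00:01 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:00:02 +0000] "GET /wp-content/plugins/woocommerce/readme.txt HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:00:02 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:08:00:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2025:08:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:08:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:08:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:08:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2025:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "python-requests/2.31"
192.0.2.10 - - [10/Mar/2025:08:02:00 +0000] "GET /about/ HTTP/1.1" 200 4011 "https://example.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The readme.txt requests are the tell: a real visitor never fetches a plugin's readme, but every scanner does, because the "Stable tag" line inside it states the installed version. Blocking those requests at the web server removes the cheapest fingerprinting path; it does not remove the vulnerabilities themselves.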
Patchstack found that plugin and theme developers failed to provide a timely fix for 46% of disclosed vulnerabilities in 2024.4 In those cases site owners were left exposed with no patch to apply, however diligent they were about updating. When no fix exists, the realistic options are to remove the plugin or to block the vulnerable request at the web server or WAF until one ships.
What Happens After a Hack
The most common WordPress compromises are not dramatic. The attacker is not interested in destroying your site; they want to use it. According to Sucuri's research, the most common outcomes are SEO spam injection, malicious redirects that send mobile visitors to scam sites, and use of your server as a spam relay, which gets your domain blacklisted by mail providers.5
Google's Safe Browsing service blacklists approximately 70,000 websites per week for malware or phishing.6
The Structural Fix
Patching plugins faster helps. A security scanner helps. Two-factor authentication helps. None of it removes the underlying problem, which is architectural: a WordPress site is a running application that executes PHP and queries a database on every request, and every one of those moving parts is attack surface.
A static HTML site is not a running application. It is a set of files that the web server hands out unchanged. Nothing on the server interprets PHP, so there is no PHP to inject into; there is no database to inject SQL into; there is no login form to brute-force because there is no admin panel. This is not a configuration choice but a structural property of how the site works. The attack surface does not vanish, it shrinks: what remains is the web server itself, the hosting and deployment credentials, and any third-party JavaScript the pages load.
| Attack Vector | WordPress | Static HTML |
|---|---|---|
| Plugin vulnerabilities | Yes — 96.77% of 2024 disclosures | Not applicable |
| Database injection | Yes | Not applicable |
| Admin brute force | Yes | Not applicable — no admin panel |
| PHP code execution | Yes | Not applicable — no PHP |
| File tampering | Possible via plugin, compromised admin account or FTP | Requires compromise of hosting or deployment credentials |
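The one row that still applies to a static site, file tampering, is also the one a static site makes easy to detect, because its entire server-side state is a file tree. The following Python integrity check is an added example, not code from the original article: it records a SHA-256 manifest of the built site and later diffs the deployed tree against it, flagging added, removed and modified files as well as file types a static root should never contain. The allowed-extension list and the toy site built in demo() are assumptions for illustration.

```python
"""Tamper detection for a static site's document root (added example)."""
import hashlib
import os
import tempfile

# Content a static site legitimately serves. Anything else in the root (a dropped
# .php file, an editor backup, a .git directory) is a deployment mistake or tampering.
ALLOWED_EXTENSIONS = {
    ".html", ".htm", ".css", ".js", ".json", ".xml", ".txt", ".png", ".jpg",
    ".jpeg", ".gif", ".svg", ".webp", ".ico", ".woff", ".woff2", ".pdf",
}


def sha256_file(path):
    """Stream a file through SHA-256 so large assets need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX-style path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify(root, manifest):
    """Diff the live tree against the build-time manifest.

    Returns sorted lists of files added since the build, files removed, files whose
    content changed, and files of a type (or dotfiles) a static site should never hold.
    """
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "unexpected_types": sorted(
            p for p in current
            if os.path.splitext(p)[1].lower() not in ALLOWED_EXTENSIONS
            or p.startswith(".") or "/." in p
        ),
    }


def demo():
    """Build a toy site, record its manifest, then simulate a compromise and verify."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<!doctype html><h1>Hello</h1>")
        with open(os.path.join(root, "assets", "site.css"), "w") as fh:
            fh.write("body{margin:0}")
        manifest = build_manifest(root)  # what the deploy pipeline would record

        # Simulated tampering: a script tag appended to a page and a dropped PHP file.
        with open(os.path.join(root, "index.html"), "a") as fh:
            fh.write('<script src="https://attacker.invalid/x.js"></script>')
        with open(os.path.join(root, "assets", "cache.php"), "w") as fh:
            fh.write("<?php /* simulated backdoor */ ?>")
        return verify(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run build_manifest() in the deploy pipeline and store the result somewhere the web host cannot write to; run verify() from a cron job or a monitoring host. The same approach on WordPress only covers core and plugin files; it cannot cover the uploads directory or the database, which is where injected spam and redirects usually live.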
See What WordPress Is Costing You
Use our free calculator — enter your real numbers and see the 3-year comparison.
1. W3Techs. Usage Statistics and Market Share of WordPress. Updated continuously. w3techs.com
2. Sucuri. Hacked Website Trend Report, 2021. WordPress accounted for 95.6% of CMS infections in Sucuri's remediation dataset. sucuri.net/reports
3. Wordfence Threat Intelligence. Attack volume cited across multiple Wordfence annual reports and threat intelligence posts. wordfence.com/blog
4. Patchstack. State of WordPress Security 2024. Published 2025. Figures: 11,334 new vulnerabilities; 42% YoY increase; 96.77% from plugins; 46% without timely patch; 17% high severity. patchstack.com/whitepaper
5. Sucuri. Website Threat Research Report. Annual series documenting the most common malware types and infection outcomes. sucuri.net/reports
6. Google Safe Browsing figures as referenced in the Google Transparency Report. transparencyreport.google.com