
WordPress hacking: is the CMS really less secure than the others?

By Aurélien Debord

In short

Yes, WordPress accounts for the overwhelming majority of hacked websites. No, that doesn't mean it's less secure. It's simply the most-used CMS in the world, open source and with a well-known structure: it's the most profitable target for automated attacks, not the most fragile one.

In practice, WordPress core is almost never the culprit: out of the thousands of vulnerabilities reported each year, only a handful touch the core, and none are rated as serious. The risk comes from outdated plugins and themes, weak passwords and a lack of maintenance. A WordPress site kept up to date and properly maintained is a perfectly secure solution.

"WordPress gets hacked all the time, pick something else." If you've ever discussed your website with a developer or read a couple of forums, you've come across this idea. It's persistent, and it didn't come out of nowhere: WordPress does get hacked, a lot.

But "lots of WordPress sites get hacked" and "WordPress is less secure" are two different claims. The first is true. The second, much less so. Let's look at what recent security reports actually say, and untangle correlation from cause.

Where the "WordPress = hacked" idea comes from

The number you see everywhere comes from Sucuri, a company that specializes in cleaning up compromised sites (now owned by GoDaddy). In its annual hacked website report, 95.5% of the sites its teams cleaned in 2023 were running WordPress. Joomla trails far behind at 1.7%, Magento at 0.6%.

Out of context, that figure is devastating for WordPress's reputation. Except that Sucuri takes the trouble to comment on it, in black and white, right next to the chart:

ℹ️

"It is important to clarify that these figures do not mean that these platforms are more or less secure than other platforms. Instead, they highlight the widespread adoption and usage of these CMS platforms." — Sucuri, 2023 Hacked Website Report

In other words: the company producing the most damning number for WordPress refuses to draw the conclusion people attribute to it. Coming from them, the caveat is worth pausing on. And to understand why they make it, you have to look at who uses WordPress.

WordPress is the first target because it's the first CMS

WordPress powers more than 40% of all websites on the planet, and nearly 60% of those that use a CMS (source: W3Techs, 2026). No competitor comes close: Shopify, Wix, Squarespace, Joomla and Drupal split the leftovers, each below 8% of the CMS market.

When a technology powers four sites out of ten, it mechanically becomes the most interesting target for anyone who wants to hack at scale. And that's exactly what this is about: most attacks aren't targeted operations run by a human against your site. They're bots scanning the web continuously, looking for a known flaw to exploit across as many sites as possible.

For these bots, WordPress ticks every box:

  • It's open source. Anyone can read the code, study how it works, spot the weak points of a given plugin. That's a strength for transparency and bug fixing, but it also hands the attacker a detailed map.
  • Its structure is universal and predictable. A /wp-login.php URL, a /wp-content/plugins/ folder, a wp_users table: you can recognize a WordPress site in a single request. A bot knows exactly where to strike, without even having to explore.
  • It's everywhere. Writing a script that exploits a flaw in a popular plugin pays off across hundreds of thousands of sites. The same work on a niche CMS would reach only a handful of targets.

It's an attacker's logic, purely economic. WordPress is attacked first for the same reason the best-selling car models get stolen more: not because they lock worse, but because they're everywhere and the lock is known by heart.

WordPress core is almost never the culprit

This is the point the rumour systematically forgets. When people say "WordPress is full of holes," they should specify what they mean, because "WordPress" refers to two very different things: the software itself (the core), and everything you bolt onto it (plugins and themes).

The two main data providers for the ecosystem are blunt about it.

Patchstack, which catalogues WordPress vulnerabilities, counted around 8,000 new vulnerabilities in 2024. Of that total, 96% were in plugins, 4% in themes, and only 7 in WordPress core, none of them deemed dangerous enough to pose a real risk. The following year, out of more than 11,000 vulnerabilities recorded, only 6 touched the core, all low priority.

Wordfence, for its part, confirms it independently: out of the 8,223 vulnerabilities disclosed in 2024, only 5 affected WordPress core. Their conclusion is explicit: "WordPress Core continues to remain secure."

Two independent sources reach the same finding: WordPress core accounts for less than 0.1% of the ecosystem's vulnerabilities each year, and none of them are truly critical. The WordPress software itself is solid.

So the risk doesn't come from WordPress. It comes from what you install on top of it. And there, the problem is no longer technical, it's human.

What actually gets a site hacked

If the core is healthy, how do hundreds of thousands of sites get compromised every year? Through three entry points, always the same ones, and none of them is inevitable.

Outdated plugins and themes. This is by far the number one cause. A popular plugin left without updates for six months, when a fix already exists, is a wide-open door. The worst part is that many attacks exploit flaws that have already been patched: the fix exists, the plugin developer released it, but the site never installed it. The hole isn't in the software, it's in the upkeep.
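The "fix exists but was never installed" gap described above can be checked mechanically. The following is an added example, not code from the article: it reads the version out of a plugin's header comment and compares it against an advisory list; the plugin header, inventory and advisory entries are constructed sample data with placeholder slugs.

```python
"""Flag installed plugins still below the release that fixed a published flaw.
Added example, not from the article: the plugin header, inventory and advisory
list are constructed sample data with placeholder slugs."""
import re
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]\S*)", re.MULTILINE)

def header_version(php_source):
    """Read the 'Version:' field from a plugin main file's header comment."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def version_key(v):
    """Leading numeric components of a version: '3.4.1-rc2' -> (3, 4, 1)."""
    key = []
    for part in re.split(r"[.\-]", v):
        if not part.isdigit():
            break              # stop at suffixes such as 'rc2' or 'beta'
        key.append(int(part))
    return tuple(key)

def version_lt(a, b):
    """True if a < b; shorter keys are zero-padded so that 3.4 == 3.4.0."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    return ka + (0,) * (n - len(ka)) < kb + (0,) * (n - len(kb))

def unpatched_plugins(installed, advisories):
    """Return (slug, installed_version, fixed_in) for each advisory not yet applied."""
    findings = []
    for adv in advisories:
        current = installed.get(adv["slug"])
        if current is not None and version_lt(current, adv["fixed_in"]):
            findings.append((adv["slug"], current, adv["fixed_in"]))
    return findings

# Constructed header of a hypothetical plugin's main PHP file.
SAMPLE_PLUGIN_PHP = """<?php
/**
 * Plugin Name: Example Forms
 * Version: 3.4
 */
"""

# Constructed inventory and advisory feed (placeholder slugs, not real plugins).
INSTALLED = {"example-forms": header_version(SAMPLE_PLUGIN_PHP), "example-seo": "5.1.0"}
ADVISORIES = [
    {"slug": "example-forms", "fixed_in": "3.4.1"},   # installed 3.4 is older: flagged
    {"slug": "example-seo", "fixed_in": "5.0.9"},     # installed 5.1.0 is newer: fine
    {"slug": "not-installed", "fixed_in": "1.0"},     # absent from the site: skipped
]
```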

Weak passwords. In 2024 alone, Wordfence blocked more than 55 billion password attacks (brute force and credential stuffing). An admin account protected by admin / password123, with no two-factor authentication, always falls eventually. No line of WordPress code can prevent that.
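Because /wp-login.php is at the same place on every site, password-guessing bursts against it are also easy to spot in the web server's access log. The following detector is an added example, not code from the article; the log lines are constructed with RFC 5737 documentation addresses, and the 200-versus-302 distinction relies on WordPress re-rendering the form on a failed login and redirecting on a successful one.

```python
"""Detect password-guessing bursts against /wp-login.php in a combined-format
access log.  Added example, not from the article; the log lines below are
constructed (RFC 5737 documentation addresses)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag IPs that POST to wp-login.php `threshold` times or more within `window`.
    A failed WordPress login re-renders the form (HTTP 200); a success redirects
    (302), so a 302 after a flagged burst is reported as a possible compromise."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    flagged, compromised = {}, set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or not path.endswith("/wp-login.php"):
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
        if status == 302 and ip in flagged:
            compromised.add(ip)
    return {"flagged": flagged, "possible_compromise": sorted(compromised)}

SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:09:00:00 +0000] "GET /blog/ HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2025:09:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.7 - - [10/Mar/2025:09:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.7 - - [10/Mar/2025:09:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.7 - - [10/Mar/2025:09:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.7 - - [10/Mar/2025:09:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3200
198.51.100.7 - - [10/Mar/2025:09:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.5 - - [10/Mar/2025:09:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
```

Running `detect_login_bursts(SAMPLE_LOG.splitlines())` flags 198.51.100.7 (six attempts inside one minute, then a redirect) while the single legitimate login from 203.0.113.5 stays unflagged; a real deployment would feed it the live log and act on the result with a temporary block and an alert.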

Lack of monitoring. Sucuri notes a detail that directly contradicts the received wisdom: in 2023, only 39% of infected sites had an outdated CMS core at the time of the attack. In other words, six hacked sites out of ten were running an up-to-date core: they were compromised through a plugin, a password or an access point, not the software. And nearly one compromised site in two contained at least one backdoor, which means that without a thorough cleanup, the attacker comes back.

It always comes back to the same thing: a WordPress site doesn't get hacked because it runs WordPress, but because it isn't kept up to date. That's exactly what we see on every job involving a hacked WordPress site: behind the compromise, there's almost always a forgotten plugin or a poorly protected access point.

SEO spam and cloaking have nothing to do with WordPress

Take the most common type of hack, the one we see most often: SEO spam. Your site starts displaying, without your knowledge, pages for online pharmacies, counterfeits or casinos. Often in Japanese (the infamous Japanese keyword hack), often visible only to Google and not to you, thanks to a concealment technique called cloaking (the server shows one page to the visitor and a different one to the search engine).

At Sucuri, SEO spam accounted for more than 20% of the sites cleaned in 2023, making it one of the most widespread infection families. And that's precisely where the "it's WordPress's fault" argument collapses.

Because this kind of attack exploits no WordPress-specific feature. Sucuri says so explicitly about Japanese SEO spam:

ℹ️

"The spam can affect any website including those using popular Content Management Systems (CMS) like WordPress, Drupal, Joomla or Magento." — Sucuri

What the attacker is after is your domain's SEO authority: your age, your backlinks, your position in Google. Not a WordPress flaw. They graft their content onto your reputation to push their own pages up the search results. Whether your site runs on WordPress, Drupal, Magento or is entirely hand-coded changes nothing about their goal.

Google isn't fooled either. In its spam policies, the search engine defines "hacked content" and "cloaking" without ever mentioning a single platform: these are categories of abuse that concern every site on the web, full stop. In 2022, Google's anti-spam systems detected ten times more hacked sites than the previous year, across all CMS platforms. Hacked content hits the whole web. It's nothing specific to WordPress.

Other CMS platforms aren't more secure, they're just less targeted

"Fine, but then I'll pick Joomla, or a custom-built site, and I'll be safe." It's tempting, but it's an optical illusion.

Joomla, Drupal and Magento get hacked too; they appear in the same Sucuri reports. If they make up a smaller share of compromised sites, it's simply because there are far fewer of them online. Once you adjust for how many of each are actually deployed, it is far from obvious that the risk per site is any lower. As for the "custom" site built by a contractor, it doesn't get the benefit of an ecosystem that publishes security fixes continuously: a flaw in its bespoke code can stay open for years without anyone noticing.

Choosing an obscure CMS to "fly under the radar" is what's known as security through obscurity. It works until the day it doesn't, and on that day, you're on your own, with no community and no automatic updates to back you up. Choosing a CMS is a real decision, but it should be made for the right reasons (your needs, your team, your budget), not to flee a phantom danger.

A maintained WordPress is a secure solution

This is where we get to the real subject. A WordPress site's security isn't decided the moment you choose WordPress. It's decided every month, over time.

WordPress itself has done its part. Since version 3.7, released in 2013, core security updates install automatically, in the background, with no action on your part. That's one of the reasons core flaws are closed so quickly and so rarely exploited. WordPress handles its riskiest layer on its own.

The rest is on you, and it comes down to a few habits:

| The habit | What it blocks |
| --- | --- |
| Update plugins, theme and PHP | Exploits of already-patched flaws (the #1 cause) |
| Strong passwords + two-factor authentication (2FA) | The 55 billion password attacks per year |
| Remove unused plugins | Forgotten entry points |
| Serious hosting | Account isolation and abnormal-activity detection |
| Automatic backups | A fast rollback when something goes wrong |

None of these points is exotic. It's exactly what good WordPress site maintenance covers: applying updates at the right pace, monitoring, backing up. A maintained site rarely gets hacked, and when an incident does happen, you get it back up fast because you have a clean copy on hand.

Hosting matters more than people think, too. One thing that's often overlooked: nearly a quarter of WordPress installations still run on a PHP version below 8.0, a good chunk of them on PHP 7.4, which has received no security fixes since late 2022. Running your site on an obsolete language is a flaw that has nothing to do with WordPress. Hence the value of choosing your hosting well: a recent PHP version, built-in backups, monitoring.

⚠️

A site that suddenly shows a critical error without you having touched anything, unknown pages appearing in Google, a sudden slowdown: these are possible signs of a compromise. If you see them, follow our guide to clean and secure a hacked WordPress site.

And for those who want to shrink the attack surface even further, architectures exist: a headless WordPress separates the back office from the public front end, and a JAMstack approach serves static pages with no database exposed in real time. Fewer accessible components, fewer risks. But these are architectural choices, not an admission that WordPress is dangerous.

So should you run away from WordPress?

No. The real question was never "WordPress or not WordPress." It's: "is this site maintained, yes or no?"

WordPress isn't less secure than the others. It's more targeted because it's more used, and more visible because it's open source. Its software side is actually remarkably solid. Everything else (plugins, passwords, updates, hosting) depends on how rigorously the site is maintained. An abandoned WordPress will get hacked. A maintained one won't.

The debate about CMS security is really a debate about maintenance. And that's good news: it's entirely in your hands.

Need a hand?

Wondering whether your WordPress site is properly protected, or whether it has just been hacked? Get in touch for a diagnosis, or discover our WordPress maintenance offer so you never have to ask the question again.

Sources

  • W3Techs — Usage statistics of content management systems (2026): w3techs.com
  • Sucuri (GoDaddy) — 2023 Hacked Website & Malware Threat Report: sucuri.net
  • Patchstack — State of WordPress Security: patchstack.com
  • Wordfence — 2024 Annual WordPress Security Report: wordfence.com
  • Google Search Central — Spam policies for Google web search: developers.google.com
