Security

Is WordPress secure in 2026? The honest answer

By Ali Yasin Jatoi 8 min readUpdated July 2, 2026
Reviewed by Ali Yasin Jatoi, Founder & Lead Engineer· Updated July 2, 2026

Quick answer

WordPress core is secure. WordPress core plus a random collection of outdated plugins on cheap shared hosting is not. In 2026 the WordPress core codebase itself is one of the most audited in open-source software; over 90% of successful attacks come through vulnerable plugins, weak admin passwords, or unpatched PHP versions — not through WordPress itself. Seven controls (updates, 2FA, strong passwords, limited login attempts, WAF, offsite backups, and a maintained plugin stack) eliminate 95% of real-world incidents.

Narrated evidence · engineer walkthrough

Where WordPress vulnerabilities actually come from

From Wordfence's 2025 threat report: 96% of plugin vulnerabilities disclosed in the last year were in plugins with fewer than 100,000 active installs — long-tail, poorly maintained plugins.

The remaining 4% were in mainstream plugins but were patched within 24 hours of disclosure; sites that ran the update were fine.

Core WordPress vulnerabilities are rare and typically require an authenticated user to exploit — meaning your admin account has to already be compromised.

The single biggest attack vector in 2026 is credential stuffing on wp-login.php using leaked password databases from other breaches.

The 7 controls that eliminate 95% of incidents

  • 1. Tested plugin, theme, and core updates on a schedule (weekly at minimum). Not auto-updates — tested updates.
  • 2. 2FA on every admin account. WP 2FA or the built-in Application Passwords + a hardware key.
  • 3. Strong passwords enforced via a password policy plugin. 16+ characters, no reuse.
  • 4. Limit login attempts (Limit Login Attempts Reloaded, or your host's built-in rate limiting). Blocks credential stuffing.
  • 5. A real WAF in front of the site. Cloudflare's WAF or Wordfence Premium. Blocks the vast majority of known-CVE probes.
  • 6. Verified offsite backups. Not on the same host. Restored on staging monthly to prove they actually work.
  • 7. A maintained plugin stack — audit twice a year and remove anything unmaintained for over 12 months or with under 10,000 installs.

What still gets through

Zero-days in mainstream plugins. Rare, but happen. A WAF catches most of the exploitation attempts before the patch ships.

Insider threats — an admin account that gets phished. 2FA + hardware key stops most of this. Password-only 2FA (SMS or TOTP) is vulnerable to real-time phishing kits.

Supply-chain attacks — a plugin developer pushes a malicious update. Extremely rare but nearly impossible for a small site to prevent alone. This is where having a monitored care plan matters — a human notices the anomaly before it spreads.

Common questions

Is WordPress the most secure CMS?+

It's neither the most nor the least. WordPress core is well-audited and patched fast. The insecurity comes from the plugin ecosystem being open and unmoderated, which is also what makes WordPress flexible. Managed platforms like Webflow and Shopify have smaller attack surfaces because they don't allow third-party server-side code, but they trade flexibility for that.

Do I need a security plugin on WordPress?+

You need the controls a security plugin provides, but not necessarily a dedicated 'security plugin'. Wordfence and Solid Security bundle 2FA, WAF, login limiting, and file integrity monitoring. Alternatively you can get 2FA from a dedicated plugin, WAF from Cloudflare, and login limiting from your host. Either approach works.

How often is WordPress hacked?+

Sucuri's 2024 hacked site report analysed 8,000+ infected sites and found 96% ran WordPress — but that's largely because WordPress runs 43% of the web. Normalised for market share, the incident rate is comparable to other CMSs. The failure pattern is nearly always outdated plugins, not WordPress itself.

Want help with this?

The pages below go deeper, by service and by city.

Want this handled for you?

Book a call and we will review your site before recommending anything.

Call Book a call