WordPress powers over 40% of the web. That number is cited so often it has lost all meaning. Here is the number that matters: over 13,000 WordPress sites are compromised every single day. Not because WordPress is inherently insecure. Because the ecosystem around it — the plugins, the themes, the hosting environments, and the people managing them — creates an attack surface so large that automated bots do not even need to try hard.
The most common vector is not a sophisticated zero-day exploit. It is an outdated plugin with a known vulnerability, sitting on a site whose owner does not know it is there, managed by an agency that stopped checking six months ago.
The Plugin Supply Chain Problem
The WordPress plugin repository contains over 60,000 plugins. The editorial review for new submissions checks for obvious malware and guideline violations. It does not audit code quality, security practices, or long-term maintenance commitments. Once a plugin is approved, updates are published with no further review.
This creates a supply chain problem that most site owners are entirely unaware of. A plugin that was safe when you installed it can become dangerous through several mechanisms. The developer sells the plugin to a new owner who injects malicious code into an update — this has happened repeatedly with popular plugins that had hundreds of thousands of active installations. The developer abandons the plugin, a vulnerability is discovered, and no patch is ever issued. Or the plugin has a dependency on a third-party library that itself becomes compromised.
In each of these scenarios, the site owner sees nothing unusual. The plugin continues to function. WordPress shows no warning. The admin dashboard looks exactly the same. Meanwhile, the site is serving malware to visitors, redirecting search traffic to spam domains, or quietly harvesting form submissions.
What a Compromised Site Actually Looks Like
Most site owners imagine a compromise as a dramatic defacement — their homepage replaced with a political message or a skull and crossbones. That happens, but it is the least common outcome. Attackers who deface sites are amateurs making a point. Professional attackers want your site to keep running normally, because a functioning site is more useful to them.
A professionally compromised WordPress site will typically exhibit one or more of the following behaviours, none of which are visible from the admin dashboard. SEO spam injection: thousands of hidden pages are created on your domain, targeting pharmaceutical, gambling, or adult keywords. Your domain authority — built over years — is leveraged to rank these pages. By the time Google flags it, your domain reputation is damaged, sometimes irreparably.
Redirect chains: visitors arriving from Google are silently redirected through a series of affiliate or malware domains before landing on your site — or never reaching it at all. You would not see this yourself because the redirect typically excludes direct visits and logged-in users. Only your prospective clients, arriving from search, experience it.
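The cloaking described above can be checked from the outside by requesting the same page several ways and refusing to follow redirects, so the first hop is visible. The following script is an added example, not code from the original article or from Opyx; the header values, the request variants and the fake responder used for the offline demonstration are assumptions constructed for illustration.

```python
"""Probe a URL for referrer- and user-agent-cloaked redirects.

Added example, not the article's or Opyx's code. Requests the page as a
direct visitor, as a visitor arriving from Google, as Googlebot, and as a
mobile visitor from Google, without following 3xx, then compares the hops.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Mobile Safari/537.36"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# The same page is requested four ways. A cloaked redirect usually fires only
# for the human search arrivals (second and fourth), never for the crawler.
VARIANTS = {
    "direct": {"User-Agent": DESKTOP_UA},
    "from_google": {"User-Agent": DESKTOP_UA, "Referer": "https://www.google.com/"},
    "googlebot": {"User-Agent": GOOGLEBOT_UA},
    "mobile_from_google": {"User-Agent": MOBILE_UA, "Referer": "https://www.google.com/"},
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the first hop's Location header is visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_no_redirect(url, headers, timeout=10):
    """Return (status, Location-or-None) for one request without following 3xx."""
    opener = urllib.request.build_opener(_NoRedirect())
    req = urllib.request.Request(url, headers=headers)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:  # 3xx lands here too, because we refused it
        return err.code, err.headers.get("Location")


def _bare_host(url):
    """Hostname with a leading 'www.' stripped, so www/apex hops are not flagged."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def detect_cloaking(url, fetch=fetch_no_redirect):
    """Flag variants sent to another host while the direct visit stays on-site."""
    site = _bare_host(url)
    responses, off_site = {}, []
    for name, headers in VARIANTS.items():
        status, location = fetch(url, headers)
        responses[name] = {"status": status, "location": location}
        dest = _bare_host(location) if location else ""
        # A relative Location has no host and is treated as same-site.
        if 300 <= status < 400 and dest and dest != site:
            off_site.append(name)
    return {
        "cloaked": bool(off_site) and "direct" not in off_site,
        "suspect_variants": off_site,
        "responses": responses,
    }


def fake_cloaked_site(url, headers):
    """Constructed stand-in for a compromised site: only search arrivals are bounced."""
    if headers.get("Referer", "").startswith("https://www.google.com"):
        return 302, "https://pharma-spam.invalid/landing"  # .invalid: reserved, hypothetical
    return 200, None


if __name__ == "__main__":
    import json
    import sys

    if len(sys.argv) > 1:
        result = detect_cloaking(sys.argv[1])          # live probe of a real URL
    else:
        result = detect_cloaking("https://example.com/", fake_cloaked_site)
    print(json.dumps(result, indent=2))
```

This only catches server-side redirects. Injected JavaScript that inspects `document.referrer` in the browser needs a headless browser to observe, and many campaigns also key on the visitor's IP or set a cookie so the redirect fires once per visitor, so a single clean run is not proof of a clean site.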
Form data interception: contact forms, booking forms, and enquiry forms are duplicated silently to an external server. Every lead that comes through your site is simultaneously delivered to someone else. For professional services firms — solicitors, financial advisers, healthcare providers — this is a data breach with regulatory consequences under UK GDPR.
Why “Just Keep It Updated” Is Not a Strategy
The standard advice for WordPress security is to keep everything updated. This is necessary but wildly insufficient. Updates can only fix vulnerabilities that are already known. Under coordinated disclosure the patch and the advisory usually appear together, attackers diff the patch and are scanning for unpatched sites within hours; for an abandoned plugin the patch never arrives at all. Either way, the window between a vulnerability being weaponised and the average site owner applying the update is almost always longer than the window the attacker needs.
Automatic updates help, but they introduce their own risks. A plugin update that conflicts with your theme, another plugin, or your PHP version can break your site silently. Auto-updates without monitoring mean you might not discover the breakage until a client tells you — or until Google deindexes your pages because they are returning errors.
A functional security posture for WordPress requires layers. A Web Application Firewall that filters malicious requests before they reach your server. Malware scanning that checks file integrity against known-good baselines, with the baseline stored where a compromised site cannot rewrite it. Login hardening, where two-factor authentication and rate limiting do the real work; renaming the login endpoint only hides wp-login.php from the laziest scanners and does nothing about xmlrpc.php, which still accepts password logins, or the REST API's user listing, which hands an attacker the usernames to try. Server-level isolation so that a compromised site on shared hosting cannot pivot to yours. And someone — a human being, not a plugin — reviewing security logs, applying updates in a staging environment first, and verifying that nothing has changed that should not have.
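The file-integrity layer above comes down to one idea: hash every file once while the site is known-good, then diff. The script below is an added example, not the article's scanner or any vendor's; the watch list of core files and the constructed site tree in `demo()` are assumptions for illustration.

```python
"""File-integrity baseline for a WordPress install.

Added example, not the article's or Opyx's code. Hashes every file under the
web root, stores the map as JSON, and on the next run reports what was added,
removed or modified. Two hot spots are raised as alerts: PHP appearing under
wp-content/uploads (it never belongs there) and changes to the core files an
attacker almost always touches. CORE_WATCH is an assumption, not a WordPress list.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CORE_WATCH = {"index.php", "wp-config.php", ".htaccess", "wp-settings.php", "wp-load.php"}
UPLOADS = "wp-content/uploads/"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file (relative POSIX path) to its SHA-256; symlinks are skipped."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def save_baseline(baseline, out_path):
    # Keep this file outside the web root; otherwise an attacker rewrites it too.
    Path(out_path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_path):
    return json.loads(Path(in_path).read_text())


def compare(baseline, current):
    """Diff two baselines; 'alerts' is the subset a human should read first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    alerts = {p for p in added + modified if p.startswith(UPLOADS) and p.endswith(".php")}
    alerts |= {p for p in modified if p in CORE_WATCH}
    return {"added": added, "removed": removed, "modified": modified, "alerts": sorted(alerts)}


def demo():
    """Constructed site tree (not a real install): baseline it, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in {
            "index.php": "<?php require __DIR__ . '/wp-blog-header.php';\n",
            "wp-config.php": "<?php define('DB_NAME', 'wp');\n",
            "wp-content/plugins/acme-forms/acme-forms.php": "<?php /* plugin 1.0 */\n",
            "wp-content/uploads/2024/05/photo.jpg": "stand-in image bytes\n",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_baseline(root)
        # What a typical compromise leaves behind: a PHP dropper in uploads,
        # an include planted in index.php, and a plugin file that vanished.
        (root / UPLOADS / "2024/05/wp-cache.php").write_text("<?php /* constructed dropper stand-in */\n")
        (root / "index.php").write_text("<?php @include 'wp-content/uploads/2024/05/wp-cache.php';\n")
        (root / "wp-content/plugins/acme-forms/acme-forms.php").unlink()
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run `build_baseline` from a cron job under an account that cannot write to the web root, and store the JSON off-box. For core and directory plugins, `wp core verify-checksums` and `wp plugin verify-checksums --all` compare files against the hashes wordpress.org publishes, so a local baseline mainly needs to cover what those cannot: themes, uploads, custom code and the configuration files.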
The Plugin Audit You Should Run Today
Open your WordPress dashboard right now and count your active plugins. If you have more than fifteen, you almost certainly have plugins installed that are redundant, abandoned, or both. Every plugin is an attack surface. Every plugin is code written by someone you have never met, running inside the same PHP process as WordPress itself, with the same database credentials and the same write access to your files.
For each plugin, ask three questions. When was it last updated? If the answer is more than six months ago, it is a risk. How many active installations does it have? Plugins with fewer than a thousand installations have minimal community oversight, so a vulnerability can sit unreported for years. Does it still serve a purpose that could not be achieved natively or with a plugin you already have? If the answer is no, remove it, and remove it completely. Deactivating a plugin only stops WordPress loading it: its files stay on disk, where any PHP file that can be requested directly is still reachable, and its database tables stay behind. Delete it, then check that its tables went with it; a plugin's own uninstall routine is the only thing that drops them, and many plugins never wrote one.
What Opyx Does Differently
Every site we build and manage sits behind Cloudflare’s Web Application Firewall, which filters known attack patterns before they reach your server. We run daily malware scans against file integrity baselines. Plugin updates are applied in a staging environment, tested, and then deployed to production — never directly. Login endpoints are hardened, rate-limited, and protected by two-factor authentication. And every site runs on isolated hosting infrastructure with a dedicated IP address, so your security posture is never dependent on your hosting neighbours.
This is not premium. This is baseline. The fact that most WordPress sites operate without any of it is the reason 13,000 of them are compromised every day.