How to Check WordPress Plugins for Known Security Vulnerabilities

by dotCanada Team
WordPress powers roughly 40% of all websites on the internet, which makes it a consistent target. The core WordPress software is maintained by a large team and patched quickly when vulnerabilities are found. Plugins are a different story.

Most successful WordPress attacks do not exploit the core platform at all - they go through plugins. Specifically, they exploit plugins that site owners have not updated, or plugins that were abandoned by their developers and never received a patch in the first place.

Why Plugins Are the Weak Point

The WordPress plugin ecosystem has over 59,000 plugins in the official directory, developed by independent authors with widely varying security practices. When a security researcher discovers a vulnerability in a plugin, they report it to the developer. If the developer is active, a patch gets released. If the developer is not active - or if an attacker finds the vulnerability before anyone reports it - the window of exposure can be significant.

The attack mechanics vary. Common plugin vulnerabilities include SQL injection (where malicious input manipulates your database), cross-site scripting (where attackers inject script into your pages that then runs in your visitors' browsers), and broken authentication flaws (where the plugin creates an unintended path to administrative access). All of these are exploitable at scale through automated scanning tools that bad actors run continuously across the web.

The WPScan Vulnerability Database

WPScan maintains one of the most comprehensive databases of known WordPress vulnerabilities, covering core, plugins, and themes. Each entry includes the affected versions, the CVE identifier (a standardised vulnerability ID used across the security industry), and a severity rating.

The database is freely searchable at wpscan.com. You can look up any plugin by name to see its vulnerability history. This is a useful step when evaluating a new plugin before installing it - check whether it has a pattern of unpatched vulnerabilities or a long-standing open issue.

WPScan also provides a free API for personal use, which the WPScan WordPress plugin uses to automate checking against your installed plugin list. The free tier covers a meaningful number of daily API calls for small sites.

Checking Your Installed Plugins

There are two main approaches to scanning the plugins installed on a WordPress site.

Wordfence Security is the more widely used option. The free version includes a vulnerability scanner that checks your installed plugins, themes, and core files against a threat intelligence feed. After installing Wordfence, run a scan from Wordfence > Scan. Any plugins with known vulnerabilities will be flagged in the results with details and recommended action.

The WPScan plugin connects directly to the WPScan database and provides a dedicated vulnerability report. It is a lighter tool focused specifically on vulnerability detection rather than the broader firewall and monitoring features Wordfence includes.

Either approach is significantly better than no scanning at all.

What to Do When You Find a Vulnerability

If an update is available: Update immediately. Do not delay. A patched version exists because someone already confirmed the vulnerability is real and exploitable.

If no update exists yet: This is harder. Deactivate and delete the plugin while you wait. Once deactivated, WordPress no longer loads the plugin's code, so it cannot be exploited through its code paths; deleting it removes the files as well. Check the plugin's support forum to see whether the developer has acknowledged the issue and is working on a fix. If there has been no response in a week or two, start looking for an alternative plugin.

If the plugin is abandoned: An abandoned plugin - generally defined as one that has not been updated in over two years - is a security liability regardless of whether a known CVE exists today. Security researchers have not necessarily looked at it, which means vulnerabilities may exist but simply have not been discovered and catalogued yet. Remove it and find a maintained replacement.
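The two checks this article describes, comparing each installed plugin's version against the database's "fixed in" version and then applying the update / deactivate-and-delete / replace rules above (plus the two-year abandonment test), can be written down as a short script. The following is an added example, not dotCanada's code and not the WPScan plugin or its API client. It assumes a constructed inventory of plugin files (only the "Plugin Name:" and "Version:" header fields are real WordPress conventions), a constructed vulnerability feed whose record shape is only loosely modelled on a database entry (the identifiers are placeholders, not real CVEs), and constructed "last updated" dates. The one thing worth noticing is the version comparison: treating versions as strings would rank 1.10 below 1.9.3 and flag a patched plugin as vulnerable, so the comparison is done numerically, component by component.

```python
"""Added example: inventory installed plugins, compare each version against a
vulnerability feed, and apply the triage rules from this article.
Constructed data throughout; not dotCanada's code and not WPScan's API client."""
from __future__ import annotations

import re
from datetime import date

# 1. Inventory. "Plugin Name:" / "Version:" are the real WordPress plugin
#    header fields; the plugin files below are constructed samples.
SAMPLE_PLUGIN_FILES = {
    "example-forms/example-forms.php":
        "<?php\n/**\n * Plugin Name: Example Forms\n * Version: 2.4.1\n */\n",
    "example-gallery/example-gallery.php":
        "<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.10\n*/\n",
    "example-widget/example-widget.php":
        "<?php\n/*\nPlugin Name: Example Widget\nVersion: 0.9\n*/\n",
    "stale-slider/stale-slider.php":
        "<?php\n/*\nPlugin Name: Stale Slider\nVersion: 3.0\n*/\n",
}
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_plugin_header(path: str, source: str) -> dict:
    """Extract slug (directory name), display name and version from a plugin's main file."""
    fields = dict(HEADER_RE.findall(source))
    return {"slug": path.split("/")[0],
            "name": fields.get("Plugin Name", path),
            "version": fields.get("Version", "0")}


def version_tuple(v: str) -> tuple[int, ...]:
    """'1.10' -> (1, 10), '2.4.1' -> (2, 4, 1). Numeric compare, so 1.10 > 1.9;
    trailing zeros are dropped so 1.2 == 1.2.0. Pre-release suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


# 2. Constructed vulnerability feed, loosely shaped like a database record
#    (slug, title, version the fix shipped in, identifier). All values are
#    made up and the identifiers are placeholders, not real CVEs.
VULN_FEED = [
    {"slug": "example-forms", "title": "SQL injection", "fixed_in": "2.4.2",
     "id": "CVE-PLACEHOLDER-1"},
    {"slug": "example-gallery", "title": "Stored XSS", "fixed_in": "1.9.3",
     "id": "CVE-PLACEHOLDER-2"},
    {"slug": "example-widget", "title": "Broken authentication", "fixed_in": None,
     "id": "CVE-PLACEHOLDER-3"},  # no patch released yet
]
# Constructed "Last updated" dates, as shown in the plugin directory sidebar.
LAST_UPDATED = {"example-forms": date(2025, 11, 3), "example-gallery": date(2025, 9, 14),
                "example-widget": date(2025, 12, 1), "stale-slider": date(2022, 1, 20)}
ABANDONED_AFTER_DAYS = 2 * 365   # the article's "not updated in over two years"
SCAN_DATE = date(2026, 3, 1)     # fixed so the sample run is reproducible


def is_affected(installed: str, fixed_in: str | None) -> bool:
    """Affected when no fix exists at all, or the installed version predates the fix."""
    return fixed_in is None or version_tuple(installed) < version_tuple(fixed_in)


def assess(plugin: dict, feed: list[dict], last_updated: dict, today: date) -> dict:
    """Apply the article's triage: update if a patch exists, deactivate/delete if
    none does, remove outright if the plugin looks abandoned."""
    slug, ver = plugin["slug"], plugin["version"]
    hits = [v for v in feed if v["slug"] == slug and is_affected(ver, v["fixed_in"])]
    age_days = (today - last_updated[slug]).days if slug in last_updated else None
    abandoned = age_days is not None and age_days > ABANDONED_AFTER_DAYS
    if abandoned:
        action = "remove and find a maintained replacement"
    elif any(v["fixed_in"] is None for v in hits):
        action = "deactivate and delete; watch the support forum for a fix"
    elif hits:
        newest_fix = max((v["fixed_in"] for v in hits), key=version_tuple)
        action = f"update now (fixed in {newest_fix})"
    else:
        action = "no known issue; keep scanning"
    return {"slug": slug, "version": ver, "vulnerabilities": [v["id"] for v in hits],
            "abandoned": abandoned, "action": action}


def scan(files: dict, feed: list[dict], last_updated: dict, today: date) -> list[dict]:
    """Parse every plugin file, then assess each plugin against the feed."""
    return [assess(parse_plugin_header(p, s), feed, last_updated, today)
            for p, s in files.items()]


def run_sample() -> dict:
    """Scan the constructed inventory; returns results keyed by plugin slug."""
    return {r["slug"]: r for r in scan(SAMPLE_PLUGIN_FILES, VULN_FEED, LAST_UPDATED, SCAN_DATE)}


if __name__ == "__main__":
    for r in run_sample().values():
        print(f"{r['slug']:16} {r['version']:6} {r['action']}")
```

On the sample data the script reports one plugin to update (2.4.1 is older than the 2.4.2 fix), one with no patch to deactivate and delete, one abandoned plugin to replace even though no vulnerability is recorded for it, and leaves the gallery plugin alone because 1.10 is newer than the 1.9.3 fix. Against a real site you would replace the constructed inventory with the contents of wp-content/plugins and the constructed feed with lookups against the WPScan database.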

Avoiding Risky Plugins Before Installation

Before adding any plugin to your site, check three things:

  1. Last updated date - in the plugin directory, this appears in the right sidebar. If it has not been updated in two years, be cautious.
  2. Active installs and ratings - widely used plugins attract more scrutiny, both from security researchers and from developers who have incentive to maintain them.
  3. WPScan history - search the plugin name in the WPScan database to see whether it has a pattern of vulnerabilities or unresolved issues.

A leaner plugin list is also a more secure one. Every plugin you install is more attack surface to monitor. Audit your installed plugins periodically and remove anything you are not actively using.

Your hosting provider is a layer of defence, but not a substitute for keeping your plugins current. Combine regular updates, periodic scanning, and careful plugin selection, and you eliminate the vast majority of WordPress attack vectors before they become a problem.
