Your Website Probably Has Outdated Plugins With Security Holes – Here's How to Check

Onur (Honor)
2025-12-01 • 7 min read

So here's a number that keeps me up at night: 7,966 new security vulnerabilities were found in the WordPress ecosystem last year alone. That's about 22 new holes discovered every single day. And 96% of them were in plugins—not WordPress itself.

If you're running a WordPress site (and odds are you are, since it powers nearly half the web), there's a decent chance at least one of your plugins has a known security vulnerability right now. Not because you did anything wrong—because that's just how the numbers work.

The good news: checking is quick, and fixing it is usually even quicker.

Why Plugins Are the Weak Point

WordPress core—the actual software that runs the site—is pretty secure. A huge team maintains it, millions of eyes review it, and critical updates roll out fast.

Plugins are different. There are over 60,000 free plugins in the WordPress directory. Some are maintained by full teams. Some are passion projects by one developer who may or may not still care. Some haven't been touched in years.

When a security researcher finds a hole in a plugin, they report it. The plugin developer is supposed to fix it before the details go public. But here's the problem: 33% of vulnerabilities aren't fixed before public disclosure. That means a third of the time, hackers learn about the hole before you get a patch to close it.

[Image: simple sketch of an open door with a hooded figure, representing how outdated plugins give hackers easy access]

What Actually Happens When a Plugin Gets Exploited

Let me paint you a picture. There's a plugin called GutenKit—pretty popular page builder stuff. Late last year, researchers found a critical vulnerability in it. A fix was released in October 2024.

Fast forward to October 2025: Wordfence blocked 8.7 million attack attempts against sites still running the old version—in just two days. Eight point seven million.

The fix had been available for a full year. The sites getting attacked just hadn't updated.

What do attackers actually do once they're in? It varies:

  • SEO spam injection—your site suddenly has hidden links to sketchy pharmaceutical sites, killing your Google rankings
  • Redirect hijacking—visitors get bounced to scam sites
  • Backdoor installation—they plant code that lets them back in even after you think you've cleaned up
  • Credential theft—they harvest login details from your forms
  • Cryptomining—your server quietly mines cryptocurrency for someone else

None of these announce themselves. Your site might be compromised for months before you notice.

The 10-Minute Security Check

Let's find out if you have a problem. This takes about 10 minutes if you've got your WordPress login handy.

Step 1: Log Into Your WordPress Dashboard

Go to yourdomain.com/wp-admin and log in. If you can't log in or don't know the password, that's its own issue—but one for another day.

Step 2: Check for Updates

Look at the left sidebar. There should be an "Updates" section. If you see a red bubble with a number, you have updates waiting.

Click into it. You'll see a list of everything that needs updating: WordPress core, plugins, and themes.

Anything with a security update is urgent. WordPress usually flags these specifically. Update those first.

[Image: simplified sketch of a WordPress dashboard showing the updates notification area]

Step 3: Review Your Plugin List

Go to Plugins → Installed Plugins. Look for:

  • Plugins you don't recognize—these might have been installed by a previous developer, or (worst case) by an attacker
  • Plugins that are deactivated—if you're not using them, delete them. Even inactive plugins can have vulnerabilities, because their files stay on the server and some flaws can be triggered by requesting those files directly
  • Plugins you haven't touched in years—old plugins are usually outdated plugins

Write down the names of anything that looks questionable. We'll check those next.

Step 4: Check Against the Vulnerability Database

WPScan maintains a free database of nearly 70,000 known WordPress vulnerabilities. It's run by security researchers and updated constantly.

Go to wpscan.com and put your site URL in their free scanner. It'll check the plugins and themes it can detect from your public pages against their database and flag anything with known issues.

The scanner only sees plugins that leave traces in your site's HTML, so for anything it misses, search their database directly by plugin name. If a plugin has unpatched vulnerabilities, you'll see them listed.

Step 5: Look for Abandoned Plugins

This one's sneaky. A plugin might not have any known vulnerabilities yet—but if nobody's maintaining it, problems will eventually appear.

For each plugin you're running, click through to its page in the WordPress plugin directory (there's usually a "View details" link). Check:

  • Last updated—anything over 2 years is a yellow flag, over 3 years is a red flag
  • Tested up to—if it says it's tested with WordPress 5.x and we're on 6.x, that's concerning
  • Active installations—very low numbers might mean it's been abandoned

1,614 plugins were removed from WordPress.org last year for unpatched security issues. Many of them are still installed on sites that haven't checked.
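If you manage more than a handful of sites, Steps 3 to 5 are worth scripting. The following is an added example, not code from this post, from WordPress or from WPScan. It runs offline on constructed sample data: an inventory shaped like the output of `wp plugin list --format=json`, a few of the fields the WordPress.org plugin info API returns per plugin (version, last_updated, tested, active_installs), and a hypothetical advisory list standing in for a WPScan lookup. Every plugin name, version, date and advisory below is invented; the thresholds (update available, inactive, over 2 years yellow, over 3 years red, tested-up-to behind the current major, tiny install count, unpatched vulnerability) are the ones from the audit above.

```python
from datetime import date

# All data below is constructed for the example; none of these plugins,
# versions or advisories are real.
TODAY = date(2025, 12, 1)   # audit date used for the staleness thresholds
CURRENT_WP_MAJOR = 6        # the WordPress major version the site runs

# Shape of `wp plugin list --format=json` (name, status, version).
INSTALLED = [
    {"name": "example-forms", "status": "active",   "version": "2.3.0"},
    {"name": "old-gallery",   "status": "inactive", "version": "1.0.4"},
    {"name": "example-seo",   "status": "active",   "version": "4.1.2"},
    {"name": "mystery-tool",  "status": "active",   "version": "0.9"},
]

# A subset of the fields the WordPress.org plugin info API returns per slug.
DIRECTORY = {
    "example-forms": {"version": "2.4.1", "last_updated": "2025-11-20",
                      "tested": "6.7", "active_installs": 200000},
    "old-gallery":   {"version": "1.0.4", "last_updated": "2021-03-02",
                      "tested": "5.6", "active_installs": 300},
    "example-seo":   {"version": "4.1.2", "last_updated": "2025-10-01",
                      "tested": "6.7", "active_installs": 1000000},
    # "mystery-tool" is deliberately absent: removed from, or never in, the directory
}

# Hypothetical advisories; fixed_in=None models a vulnerability with no patch.
VULNS = {
    "example-forms": [{"title": "hypothetical auth bypass", "fixed_in": "2.4.0"}],
    "old-gallery":   [{"title": "hypothetical stored XSS",  "fixed_in": None}],
}


def parse_version(v):
    """Turn '2.4.0' or '6.x' into a tuple of ints; non-numeric parts become 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than b; pads so '2.3' and '2.3.0' compare equal."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def is_vulnerable(installed_version, advisory):
    """Unpatched advisories affect every version; patched ones affect versions below fixed_in."""
    if advisory["fixed_in"] is None:
        return True
    return version_lt(installed_version, advisory["fixed_in"])


def staleness(last_updated_iso, today=TODAY):
    """Apply the post's thresholds: over 3 years red, over 2 years yellow, else ok."""
    years = (today - date.fromisoformat(last_updated_iso)).days / 365.25
    if years > 3:
        return "red"
    if years > 2:
        return "yellow"
    return "ok"


def audit(installed, directory, vulns, today=TODAY, wp_major=CURRENT_WP_MAJOR):
    """Return {slug: [findings]} for every installed plugin that needs attention."""
    findings = {}
    for plugin in installed:
        slug, ver = plugin["name"], plugin["version"]
        notes = []
        if plugin["status"] != "active":
            notes.append("inactive: delete if unused")
        info = directory.get(slug)
        if info is None:
            notes.append("not in wordpress.org directory: verify its origin")
        else:
            if version_lt(ver, info["version"]):
                notes.append(f"update available: {ver} -> {info['version']}")
            flag = staleness(info["last_updated"], today)
            if flag != "ok":
                notes.append(f"{flag} flag: last updated {info['last_updated']}")
            if parse_version(info["tested"])[0] < wp_major:
                notes.append(f"tested only up to WordPress {info['tested']}")
            if info["active_installs"] < 1000:
                notes.append("very low install count: possibly abandoned")
        for adv in vulns.get(slug, []):
            if is_vulnerable(ver, adv):
                fix = adv["fixed_in"] or "no fix available"
                notes.append(f"VULNERABLE: {adv['title']} (fixed in: {fix})")
        if notes:
            findings[slug] = notes
    return findings


if __name__ == "__main__":
    for slug, notes in audit(INSTALLED, DIRECTORY, VULNS).items():
        print(slug)
        for note in notes:
            print("  -", note)
```

Swap the three constructed tables for real input (the WP-CLI output, the directory API response for each slug, and whatever vulnerability feed you use) and the rules stay the same. Two details matter in practice: a plugin missing from the directory is a finding in its own right, since that is what a removed or never-published plugin looks like, and an advisory with no fix version has to count as affecting every installed version, otherwise the script quietly hides exactly the case the post warns about.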

What to Do If You Find Problems

If the plugin has an update available, update it. That's the easy case.

If the plugin has a known vulnerability but no fix:

  • Check if there's an alternative—there usually is. Search for "[plugin name] alternative" or ask in WordPress communities
  • Deactivate and delete it—a missing feature is better than a security hole
  • Contact the developer—sometimes they've fixed it but just haven't pushed the update to WordPress.org yet

If you're running an abandoned plugin that you absolutely need:

  • Find a maintained fork—popular abandoned plugins often get picked up by other developers
  • Consider a paid alternative—commercial plugins usually have dedicated support and faster patches
  • Get it audited—if it's business-critical, pay a security pro to review the code

Setting Up Auto-Updates (The Smart Way)

WordPress can automatically update plugins. This sounds great in theory—and usually is—but there's a catch: sometimes updates break things.

Here's what I recommend:

For most plugins: Enable auto-updates. In your plugin list, there's an "Enable auto-updates" link for each one. Click it. The small risk of something breaking is worth the bigger risk of staying vulnerable.

For plugins you depend on heavily: Keep auto-updates off, but check for updates weekly. You want to test these updates before they go live.

For WordPress core: Enable automatic minor updates (security patches). These are low-risk and high-reward. Major version updates can wait until you're ready to test.

If you're nervous about updates breaking your site, the answer isn't "never update"—it's "have backups." A good backup system means you can always roll back if something goes wrong.

[Image: hand-drawn sketch of a toggle switch labeled auto-updates]

The Bigger Picture: Why This Matters for Small Businesses

You might be thinking: "I'm a small business. Hackers go after the big fish, right?"

Actually, the opposite. 81% of small businesses experienced a security breach in the past year, according to the Identity Theft Resource Center. Small businesses are targeted precisely because they're less likely to have serious security.

And when it hits, it hits hard. 62.5% of breached small businesses reported costs over $250,000—between lost revenue, cleanup costs, and regulatory fines.

Keeping your plugins updated isn't paranoia. It's the digital equivalent of locking your front door.

Quick Checklist to Print Out

Here's your 10-minute monthly audit:

  • ☐ Log into WordPress dashboard
  • ☐ Click Updates—apply any waiting, especially security updates
  • ☐ Go to Plugins—delete anything deactivated you don't need
  • ☐ Check for plugins not updated in 2+ years
  • ☐ Run WPScan's free scanner if you want extra peace of mind
  • ☐ Verify backups are running (separate topic, equally important)

Set a calendar reminder. First Monday of every month. Takes 10 minutes, prevents months of headaches.

What YouGrow Does Differently

Every YouGrow site gets automatic security updates handled for you. I test updates before they go live, keep backups running, and monitor for vulnerabilities you don't have to think about. It's part of the $79/month—not an extra charge.

But honestly? Even if you're not a YouGrow client, please do this audit. I'd rather you have a secure site with someone else than an insecure one anywhere. Security holes hurt everyone when compromised sites get used to attack others.

Got questions about what you found during your audit? Reach out. Happy to take a look and point you in the right direction—whether or not we end up working together.


Written by Onur

I'm Onur. I build software for Central Coast small businesses. When your website breaks, when you need a custom tool, when tech gets confusing—I'm the guy you call. I answer the phone, I explain things without the jargon, and I build things that actually work. No AI hype, no endless meetings, just practical solutions using technology that's been around long enough to be reliable.