WordPress is the most popular content management system (CMS) in the world, powering over 43% of all websites globally. With that kind of reach comes a huge ecosystem of plugins that add features and functionality to WordPress sites.
But here’s the problem: Plugins are also the #1 source of vulnerabilities.
In fact, according to security experts at Patchstack, plugins have consistently been the source of over 90% of all reported WordPress vulnerabilities.
If that stat alarms you, it should. But don’t worry, this article will explain why this happens, how to spot risky plugins, and what you can do to protect your website without sacrificing the flexibility WordPress is known for.
Why Plugins Cause So Many Problems
Let’s start with a simple question: What is a plugin?
A plugin is a piece of software you install on top of WordPress to extend its functionality. Think of it like an app for your phone; it adds features your core system doesn’t have.
There are plugins for:
- Contact forms
- SEO optimization
- Caching and performance
- Security
- Page builders
- eCommerce (like WooCommerce)
- Booking systems
- Custom integrations
But every plugin you install also:
- Adds new code to your website
- Introduces new potential entry points for hackers
- Relies on third-party developers to keep it updated and secure
That last point is the biggest problem: Anyone can build and publish a WordPress plugin.
While there are many brilliant developers in the WordPress community, not all plugins are created equal. Some are poorly written. Others are abandoned after a few updates. Some aren’t tested for compatibility with newer WordPress versions, and others have serious flaws that attackers can exploit.
Real-World Examples of Plugin-Based Attacks
Let’s take a look at some examples that show just how dangerous a vulnerable plugin can be:
- Recent Critical Bug in LayerSlider (2024): A high-severity vulnerability discovered in the popular LayerSlider plugin allowed unauthenticated attackers to extract sensitive information, including database credentials and security keys, from websites. With over a million active installations, this bug put a massive number of sites at immediate risk.
- The Infamous Slider Revolution (RevSlider) Attack: This widely used plugin was behind one of the most notorious mass-hack events in WordPress history. The vulnerability allowed remote code execution, leading to thousands of infected websites worldwide and serving as a foundational lesson in plugin security for the entire community.
- WP File Manager Zero-Day: A critical vulnerability in this plugin allowed attackers to upload malicious scripts directly into a WordPress site without needing any login credentials. It was exploited by hackers within hours of its discovery, leading to widespread infections.
The Big Reasons Plugins Get Exploited
Let’s break down why plugin vulnerabilities are so common:
- Too Many Plugins, Not Enough Oversight: There are over 60,000 free plugins in the official WordPress repository, plus thousands of premium ones. While the WordPress team reviews submissions, ongoing quality control for every plugin update is a monumental task.
- Outdated Plugins Are a Goldmine: Once a plugin is abandoned or no longer maintained, it becomes an open door. Hackers actively scan the web looking for sites running outdated plugins with known vulnerabilities.
- Poorly Written Code: Many plugins are developed by solo developers or small teams with limited resources. Sometimes the code is rushed or lacks proper security validation, creating accidental backdoors.
- Excessive Permissions: Some plugins ask for far more access than they actually need. A simple contact form plugin shouldn’t need full admin-level control, but sometimes they request it, creating a huge security risk if exploited.
Who’s Responsible for Plugin Security?
Security is a shared responsibility. Here’s how it breaks down:
- Plugin Developers should follow best practices, sanitize inputs, and fix bugs quickly.
- WordPress.org does its best to remove dangerous plugins from the repository but often only after the damage is reported.
- Site Owners are ultimately responsible for what’s installed on their site, which includes actively monitoring for outdated or vulnerable plugins.
- Hosting Providers offer some protection at the server level but can’t always stop application-level exploits from plugins.
How to Use Plugins Safely (Without Breaking Your Site)
WordPress plugins aren’t the enemy; you just need to use them wisely.
Follow This Checklist:
- Only Install What You Really Need: The fewer plugins you use, the smaller your attack surface. Avoid “plugin stacking” just to add minor features.
- Choose Reputable Plugins: Look for a high install count, frequent updates, good reviews, and active support forums. If a plugin hasn’t been updated in over 6-12 months, consider it a red flag.
- Avoid Nulled or Pirated Plugins: These often contain hidden malware. Always download from official sources or trusted marketplaces (like CodeCanyon or directly from developer sites).
- Keep Everything Updated: Set a weekly schedule to update your WordPress core, themes, and plugins. For busy site owners, this is where automated tools like DreamCore Monitor become invaluable, as they track available updates for you.
- Run Compatibility Checks Before Updating: Use a staging site or a recent backup before applying major plugin updates, especially for critical plugins related to eCommerce, payments, or security.
- Use a Monitoring & Alert Tool: This is where many site owners fall short. If a plugin you use becomes a known vulnerability, you need to know fast. Real-time alerts can give you the crucial head start you need to secure your site.
- Remove Unused Plugins (Don’t Just Deactivate): A deactivated plugin’s files stay on the server, so in some cases they can still be reached and exploited. If you’re not using it, delete it.
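One way to turn this checklist into a repeatable audit, as an added example that is not part of the original article or of DreamCore Monitor’s product: a Python script that reads a plugin inventory in the shape of WP-CLI’s `wp plugin list --format=json` output and applies the update, staleness, inactive-plugin and vulnerability-flag rules from the list above. The `last_updated` field, the flagged-slug set and the inventory itself are constructed assumptions for the example.

```python
"""Audit a WordPress plugin inventory against the safety checklist."""
import json
from datetime import date

# Constructed sample inventory (not from a real site). Field names follow
# WP-CLI's `wp plugin list --format=json`; `last_updated` is an assumed extra
# field holding the plugin's last release date as shown on WordPress.org.
SAMPLE_INVENTORY = json.dumps([
    {"name": "contact-form", "status": "active", "update": "available",
     "version": "5.7.0", "last_updated": "2024-02-10"},
    {"name": "old-gallery", "status": "inactive", "update": "none",
     "version": "1.2.3", "last_updated": "2022-06-01"},
    {"name": "cache-booster", "status": "active", "update": "none",
     "version": "3.0.1", "last_updated": "2024-05-20"},
    {"name": "legacy-slider", "status": "active", "update": "none",
     "version": "4.1.0", "last_updated": "2023-01-15"},
])

# Constructed stand-in for slugs flagged by a vulnerability feed.
FLAGGED_SLUGS = {"legacy-slider"}

# Lower number = act on it first.
SEVERITY = {"flagged-vulnerable": 0, "update-available": 1,
            "stale-maintainer": 2, "inactive-delete": 3}


def audit_plugins(inventory_json, flagged, today, stale_days=365):
    """Return {plugin name: [issue, ...]} for every plugin needing action."""
    findings = {}
    for plugin in json.loads(inventory_json):
        issues = []
        if plugin["name"] in flagged:            # known-vulnerable: patch or remove now
            issues.append("flagged-vulnerable")
        if plugin["update"] == "available":      # keep everything updated
            issues.append("update-available")
        last = date.fromisoformat(plugin["last_updated"])
        if (today - last).days > stale_days:     # no release in a year: red flag
            issues.append("stale-maintainer")
        if plugin["status"] == "inactive":       # deactivated is not removed
            issues.append("inactive-delete")
        if issues:
            findings[plugin["name"]] = issues
    return findings


def prioritize(findings):
    """Order findings so the most urgent plugin comes first."""
    return sorted(findings.items(),
                  key=lambda item: min(SEVERITY[i] for i in item[1]))


if __name__ == "__main__":
    for name, issues in prioritize(audit_plugins(SAMPLE_INVENTORY, FLAGGED_SLUGS, date.today())):
        print(f"{name}: {', '.join(issues)}")
```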
How DreamCore Monitor Helps Catch Plugin Issues Early
At DreamCore Monitor, we’ve seen firsthand how plugin vulnerabilities can quietly sink a business. That’s why we’ve built a monitoring tool made for WordPress and WooCommerce.
- Plugin Health Checks: Get notified if a plugin you’re using is flagged as vulnerable in major security databases.
- Smart Update Monitoring: Know what’s changed and when. We alert you when updates are available, so you can test and apply them safely using a staging site.
- Performance Impact Alerts: Some plugins slow down your site without warning. We help you spot those, too.
- Change Tracking: See when plugins were added, removed, or changed—perfect for teams or client reporting.
- Monthly Security & Maintenance Reports: Get a non-technical overview of your site’s health, great for agencies and business owners alike.
Final Thoughts
WordPress is powerful because of its flexibility, and plugins are a big part of that. But with great power comes great responsibility.
The fact that over 90% of WordPress vulnerabilities come from plugins doesn’t mean you should fear them. It means you need to manage them smartly. A little awareness, a solid update routine, and a reliable monitoring tool go a long way in keeping your site safe and successful.
If you’re not sure whether your plugins are secure, or if you haven’t updated them in a while, now is the time to take action.
Want to Stay Ahead of Security Issues?
Try DreamCore Monitor free for 45 days. We’ll keep an eye on your site, so you can focus on what matters.
- Know what’s happening behind the scenes.
- Get alerted early.
- Stay safe without getting technical.