WordPress is the most-targeted CMS on the internet — not because it is insecure, but because it powers 43.5% of all websites. Market dominance makes it the most valuable target for attackers. Wordfence reported blocking over 100 billion malicious requests across its network in 2024 alone. But here is the critical nuance most WordPress security articles miss: WordPress core is not the problem. Patchstack reports 96–97% of WordPress vulnerabilities come from plugins and themes, not core. This guide covers the 2026 threat landscape, the five vulnerability types to understand, the supply-chain attacks that bypass plugin-level security, the server-level protection that actually works, and a practical UK site-level security checklist including GDPR breach obligations.
The WordPress security landscape in 2026 · Top 5 WordPress vulnerability types · The plugin supply-chain risk · Server-level protection: why Imunify360 beats plugin security · Site-level security checklist · Plesk WP Toolkit security features · WordPress incident response · UK GDPR breach obligations · Cyber Essentials and compliance · Frequently asked questions
WordPress is the most-attacked CMS worldwide. The volume is staggering: 100+ billion malicious requests blocked across the Wordfence network in 2024 alone. But WordPress core is maintained by a dedicated security team, receives regular patches and has had very few critical vulnerabilities in recent years. The real threat lives in the ecosystem.
The 2.5x increase in disclosed vulnerabilities reflects both improved discovery and a genuinely expanding attack surface as the plugin ecosystem grows.
For UK businesses running WordPress sites that handle customer data, process payments or represent their brand online, understanding and addressing these threats is a business priority — not just a technical one.
Understanding the types of vulnerabilities helps prioritise defences.
| Rank | Type | % of WP vulns | What it does | Typical target |
|---|---|---|---|---|
| 1 | Cross-Site Scripting (XSS) | ~50% | Injects malicious scripts that execute in visitors' browsers | Plugin output, form fields, comment fields, custom fields |
| 2 | SQL Injection (SQLi) | ~10–15% | Manipulates database queries to extract, modify or delete data | Search forms, URL parameters, custom queries in plugins |
| 3 | Cross-Site Request Forgery (CSRF) | ~10% | Tricks authenticated users into performing unintended actions | Admin forms, settings pages, plugin configuration |
| 4 | Broken Access Control | ~8–10% | Allows unauthorised access to restricted functions or data | REST API endpoints, admin-only features, user role bypasses |
| 5 | PHP Object Injection | ~5–7% | Exploits unserialisation of user-controlled data to execute arbitrary code | Serialised data in options, cookies, custom plugin storage |
Cross-Site Scripting is the number one WordPress vulnerability type because it is the easiest to introduce accidentally. Any plugin that outputs user-provided data without proper sanitisation creates an XSS vector. With 60,000+ plugins — many written by solo developers with limited security training — XSS vulnerabilities appear constantly. A single unsanitised output in a popular plugin can expose millions of sites.
From a hosting perspective, XSS is best mitigated by a Web Application Firewall (WAF) that inspects HTTP requests and blocks malicious payloads before they reach WordPress. This is a server-level defence that no WordPress plugin can replicate as effectively, because the WAF operates below the application layer.
SQL injection has declined in frequency as WordPress core functions like $wpdb->prepare() provide parameterised queries. However, plugins that construct their own database queries — particularly search plugins, custom post type plugins and data management tools — continue to introduce SQLi vulnerabilities. A successful SQL injection can extract your entire database, including customer data, order histories and admin credentials.
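The two failure modes described above, unescaped output (XSS) and a hand-built database query (SQLi), shown side by side with their fixed versions in a small search shortcode. This is an added example written for this guide, not code from the article or from any plugin it mentions. It assumes it runs inside WordPress, so $wpdb, add_shortcode(), sanitize_text_field(), wp_unslash(), esc_html() and $wpdb->esc_like() are available; the shortcode name demo_search, the function names and the ?q= parameter are made up for illustration.

```php
<?php
/*
 * Added example, not code from the original article or any plugin it names.
 * Assumes WordPress is loaded ($wpdb, add_shortcode(), esc_html(), etc.).
 * Function names, the shortcode name and the ?q= parameter are constructed.
 */

// VULNERABLE: the user-supplied term is concatenated into SQL and echoed raw.
function demo_vulnerable_search( $atts ) {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';

    // SQL injection: $term is interpolated directly into the query string.
    $rows = $wpdb->get_results(
        "SELECT post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'"
    );

    // XSS: the search term and the titles are printed without escaping.
    $out = '<p>Results for ' . $term . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . $row->post_title . '</li>';
    }
    return $out . '</ul>';
}

// HARDENED: same feature, with the input sanitised, the query parameterised
// through $wpdb->prepare() and every value escaped at output time.
function demo_hardened_search( $atts ) {
    global $wpdb;
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term ) {
        return '<p>No search term given.</p>';
    }

    // esc_like() makes % and _ literal inside LIKE; prepare() binds the value
    // as a string (%s) and the limit as an integer (%d) and handles quoting.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s
             LIMIT %d",
            $like,
            20
        )
    );

    // esc_html() encodes <, >, &, " and ', so a stored title such as
    // "<script>alert(1)</script>" is rendered as text instead of executed.
    $out = '<p>Results for ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    return $out . '</ul>';
}

// Only the hardened handler is registered; the vulnerable one is kept for comparison.
add_shortcode( 'demo_search', 'demo_hardened_search' );
```

The design point is that escaping happens at the boundary where the data is used: sanitize_text_field() on the way in, prepare() at the database, esc_html() at the HTML output. A WAF in front of the site can block obvious payloads, but it cannot know which of your plugin's outputs are escaped, so the plugin code still has to get this right.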
The most alarming trend in WordPress security in 2025–2026 is plugin supply-chain attacks. These are not about poorly coded plugins; they are about well-coded, trusted plugins being deliberately compromised.
Several documented 2024 incidents followed exactly this pattern: a plugin with 30,000+ installations was acquired, had malware injected into its next update, and compromised thousands of sites before the WordPress.org security team could intervene.
Supply-chain attacks bypass every site-level security measure. The malware arrives through WordPress's own update mechanism — the same channel you trust for security patches. Your security plugin sees a "legitimate" update from a "trusted" source and allows it through.
The only defence that catches this reliably is server-level malware scanning that inspects the actual code in plugin files after installation — regardless of where the code came from. Imunify360 on smartxhosting.uk WordPress hosting scans all PHP files in real time, detecting malicious code patterns even when they arrive via a "trusted" update.
A second, more preventable supply-chain risk comes from nulled (pirated) premium themes and plugins. These are paid products distributed for free on unofficial sites, with the licensing checks removed and malware added.
Using nulled plugins is the digital equivalent of installing software from a USB stick found in a car park. The malware typically includes backdoors, SEO spam injection and credential harvesting. If you find a premium plugin available for free on an unofficial site, it is compromised until proven otherwise.
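Because a supply-chain update or a nulled package arrives as ordinary plugin files, one thing a site operator can do alongside server-level scanning is keep a hash manifest of each plugin directory taken after a version they reviewed, and diff it whenever files change. The stand-alone PHP CLI script below does exactly that; it is an added example for this guide, not code from the article or from Imunify360, and the plugin directory and file contents it creates under the system temp directory are constructed for the demo.

```php
<?php
/*
 * Added example, not code from the original article or from Imunify360.
 * Records a SHA-256 manifest of a plugin directory and reports files that
 * were added, removed or modified since the manifest was taken.
 * The demo directory and its contents are constructed here; on a real site
 * you would point build_manifest() at wp-content/plugins/<plugin>.
 */

function build_manifest( string $dir ): array {
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        $rel = substr( $file->getPathname(), strlen( $dir ) + 1 ); // path relative to $dir
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

function diff_manifests( array $before, array $after ): array {
    $report = [ 'added' => [], 'removed' => [], 'modified' => [] ];
    foreach ( $after as $path => $hash ) {
        if ( ! isset( $before[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $before[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $before ) as $path ) {
        if ( ! isset( $after[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

// --- demo run on a constructed plugin directory ---
$dir = sys_get_temp_dir() . '/demo-plugin-' . bin2hex( random_bytes( 4 ) );
mkdir( "$dir/includes", 0700, true );
file_put_contents( "$dir/demo-plugin.php", "<?php\n// Plugin Name: Demo\n" );
file_put_contents( "$dir/includes/helpers.php", "<?php\nfunction demo_helper() { return 1; }\n" );

// Baseline taken right after the reviewed version was installed.
$baseline = build_manifest( $dir );

// Simulated "update": one existing file changes and one new file appears.
file_put_contents( "$dir/includes/helpers.php", "<?php\nfunction demo_helper() { return 2; }\n" );
file_put_contents( "$dir/includes/extra.php", "<?php\n// not present in the reviewed version\n" );

// Report what differs from the baseline so the operator can review the changes.
print_r( diff_manifests( $baseline, build_manifest( $dir ) ) );

// Clean up the constructed demo directory.
$walker = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS ),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ( $walker as $f ) {
    $f->isDir() ? rmdir( $f->getPathname() ) : unlink( $f->getPathname() );
}
rmdir( $dir );
```

A legitimate update also changes files, so the value of the diff is that it tells you exactly which files to read before trusting the new version, rather than declaring anything malicious by itself. For plugins hosted on WordPress.org, WP-CLI's wp plugin verify-checksums command performs a comparable comparison against the official package checksums; the script above is useful for premium or self-hosted plugins that have no published checksums.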
WordPress security plugins (Wordfence, Sucuri, Solid Security) operate inside WordPress, as PHP code running within the same environment they are trying to protect. This creates a fundamental limitation: if an attacker compromises WordPress or PHP, the security plugin is compromised too. It is like hiring a security guard who sits inside the room being robbed.
Imunify360 operates at the server level — beneath WordPress. It inspects traffic, scans files and blocks threats before they reach your WordPress installation. This architectural difference is why server-level security is fundamentally stronger.
| Layer | What it does | Why server-level is better |
|---|---|---|
| ML-powered WAF | Inspects every HTTP request, blocks XSS, SQLi, CSRF, file inclusion, OWASP Top 10 | Operates below PHP — catches attacks before WordPress loads. ML adapts to new attack patterns automatically |
| Real-time malware scanning | Scans all PHP files for malicious signatures, backdoors, injected content. Auto-cleanup | Scans at file-system level — catches malware in plugin updates before WordPress executes it. Detects supply-chain attacks |
| PHP Hardening | Patches known PHP vulnerabilities in the runtime itself — without waiting for the plugin developer to release a fix | Unique to server-level. When a PHP vulnerability is discovered, Imunify360 can patch the PHP execution environment immediately. No WordPress plugin can modify PHP itself |
| DDoS and brute-force protection | Network-level DDoS mitigation and intelligent rate limiting on login endpoints | Absorbs attacks before they consume WordPress resources; prevents your server from falling over under attack |
Every smartxhosting.uk WordPress plan includes Imunify360 at no additional cost: no premium tier and no separate add-on. The ML-powered WAF, real-time malware scanning, PHP Hardening and DDoS protection are active from day one of your hosting subscription.
Server-level protection catches the most dangerous threats. Site-level practices reduce the attack surface that the server has to defend. Both layers matter.
Disable the built-in theme and plugin file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.

Plesk WP Toolkit adds a WordPress-specific security layer that bridges the gap between Imunify360 (server-level) and site-level practices.
Checks all installed plugins and themes against known vulnerability databases. Flagged plugins are highlighted in the dashboard with severity ratings so you can prioritise updates or replacements. This catches vulnerabilities that have been disclosed but not yet exploited, the window in which patching prevents compromise.
Automatically updates WordPress core, plugins and themes. Before each update, it takes a snapshot. If the update causes a problem (site error, broken layout, plugin conflict), it automatically rolls back. This solves the tension between "update immediately for security" and "updates might break my site".
One-click application of 12+ best-practice configurations:
On shared hosting, WP Toolkit ensures each WordPress installation runs in its own isolated environment. A compromise of one site on the server cannot propagate to others. Particularly important for agencies or developers managing multiple WordPress sites on the same smartxhosting.uk plan.
If your site is compromised, work through the following sequence.
If personal data on your WordPress site was accessed during the compromise, UK GDPR Article 33 requires notification to the ICO within 72 hours of becoming aware of the breach.
Personal data includes: user accounts with email addresses, WooCommerce customer records, contact form submissions, comment author details, analytics data with IP addresses or cookies.
Article 34 may require notifying affected individuals directly if the breach is likely to result in high risk. Obtain legal advice for specific situations; the ICO prefers over-notification to under-notification.
For UK businesses tendering for public-sector contracts or handling sensitive data, Cyber Essentials certification demonstrates baseline security practices. WordPress-relevant requirements:
Compliance is achievable with the practices in this guide plus documented procedures. Certification helps win public-sector contracts and signals competence to enterprise clients.
For PCI-DSS (if you accept card payments), compliance is substantially more involved — but a compliant hosting environment (Imunify360 + SSL + WAF + backups) is the foundation.
Is WordPress core actually secure?
Yes. WordPress core is maintained by a dedicated security team and has had very few critical vulnerabilities in recent years. The security problem is not WordPress itself — it is the ecosystem around it. Patchstack reports 96–97% of WordPress vulnerabilities come from plugins and themes, not core. Keeping core updated is important, but plugin and theme management is where the real risk lives.
Is Wordfence or Imunify360 better for WordPress security?
They operate at different levels and are complementary rather than competing. Wordfence is a WordPress plugin running inside your installation that adds a WAF, malware scanner and login protection at the application level. Imunify360 is a server-level suite running beneath WordPress that provides an ML WAF, PHP Hardening, real-time malware scanning and DDoS protection across the entire server. The key advantage of Imunify360 is that it catches threats before they reach WordPress, and its PHP Hardening patches vulnerabilities in the PHP runtime itself, something no WordPress plugin can do. On smartxhosting.uk, Imunify360 is included on every plan.
How many WordPress plugins is it safe to have?
No hard limit, but fewer is better. Each plugin adds code that can contain vulnerabilities and increases your attack surface. A well-built site typically runs 10–15 quality plugins. Sites with 30–50 have a significantly higher risk profile. Quality over quantity: actively maintained plugins from reputable developers, remove anything unused, keep everything updated.
My WordPress site has been hacked — what should I do?
Act immediately: (1) Take the site offline. (2) Restore from the most recent clean backup. (3) If no clean backup, scan and remove malware using Imunify360 auto-cleanup. (4) Change all passwords. (5) Update all plugins, themes, core. (6) Identify the entry point. (7) If the site handles personal data, assess whether a UK GDPR breach notification is required (72 hours to ICO).
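Step 6 of that sequence, identifying the entry point, usually starts with the web server access log. The stand-alone PHP CLI script below is an added example for this guide, not code from the article or from Imunify360: it parses combined-format access log lines and flags two common indicators, a burst of POST requests to wp-login.php or xmlrpc.php from one address, and any request for a PHP file under wp-content/uploads, a directory from which WordPress never legitimately serves PHP. The log lines, IP addresses, timestamps and paths are constructed for the demo, and the threshold of five POSTs is an arbitrary value you would tune to your traffic.

```php
<?php
/*
 * Added example, not code from the original article or from Imunify360.
 * Triage of access-log lines to help locate a likely entry point after a
 * compromise. Sample lines, addresses and paths below are constructed.
 */

const LOGIN_POST_THRESHOLD = 5; // POSTs to wp-login.php/xmlrpc.php per IP before flagging (arbitrary)

function parse_line( string $line ): ?array {
    // Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes "referer" "agent"
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null; // not a combined-format line; skip it
    }
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => strtok( $m[4], '?' ), // drop the query string
        'status' => (int) $m[5],
    ];
}

function triage( array $lines ): array {
    $login_posts = [];  // ip => number of POSTs to login endpoints
    $upload_php  = [];  // requests for PHP files under wp-content/uploads
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r === null ) {
            continue;
        }
        if ( $r['method'] === 'POST' && preg_match( '#/(wp-login|xmlrpc)\.php$#', $r['path'] ) ) {
            $login_posts[ $r['ip'] ] = ( $login_posts[ $r['ip'] ] ?? 0 ) + 1;
        }
        // A 200 for a .php file in uploads means a script was placed there and is reachable.
        if ( preg_match( '#/wp-content/uploads/.*\.php$#', $r['path'] ) ) {
            $upload_php[] = $r;
        }
    }
    $bursts = array_filter( $login_posts, fn( $n ) => $n >= LOGIN_POST_THRESHOLD );
    return [ 'login_bursts' => $bursts, 'upload_php_requests' => $upload_php ];
}

// Constructed sample: a login burst from one address, ordinary traffic, and
// a request for a PHP file inside wp-content/uploads that returned 200.
$sample = [
    '203.0.113.7 - - [10/Mar/2026:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [10/Mar/2026:02:15:10 +0000] "GET /about/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Mar/2026:02:20:33 +0000] "GET /wp-content/uploads/2026/03/cache.php?x=1 HTTP/1.1" 200 122 "-" "curl/8.4"',
];
print_r( triage( $sample ) );
```

The timestamps matter as much as the flags: the first request to the dropped file, and the first successful (302) login after a run of 200 responses, give you the window to compare against plugin update times and your backup history when choosing which backup is clean.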
Do I still need a security plugin if my hosting includes Imunify360?
Imunify360 covers server-level protection comprehensively: WAF, malware scanning, PHP Hardening and DDoS. You do not need a separate WAF or malware-scanner plugin. However, you may still benefit from a lightweight 2FA plugin (WP 2FA) and a security headers configuration if Imunify360 does not configure those at server level. The principle: the server handles the heavy security work, and plugins cover the WordPress-specific hardening that Imunify360 does not.
What is PHP Hardening and why does it matter?
PHP Hardening is Imunify360's feature that patches known PHP runtime vulnerabilities at the server level — before a plugin developer has released a fix. When a PHP vulnerability is disclosed, Imunify360 can patch the PHP execution environment immediately, protecting all WordPress sites on the server against that specific attack vector. No WordPress-level plugin can do this.
How often should I scan for malware?
Imunify360 does real-time file system scanning continuously. For additional assurance, run manual scans via Plesk WP Toolkit or Wordfence weekly. After a known incident or suspected compromise, scan immediately and then 24 hours later to catch any delayed-trigger malware.
Are backups enough to protect against ransomware?
A recent clean backup is the most effective ransomware recovery tool. Combined with immutable or off-site backups (UpdraftPlus to Google Drive, or smartxhosting.uk server backups), you have a path to recovery even if the attack encrypts your current site. Test restores periodically to validate.
What is the Google "This site may be hacked" warning and how do I remove it?
Google flags sites serving malware or demonstrating spam behaviour. To remove: clean the site completely (Imunify360 + manual inspection), then request a review in Google Search Console > Security Issues. Review typically takes 3–14 days.
Should I buy cyber insurance for my UK WordPress site?
Worth considering if you handle significant customer data or process payments. UK cyber insurance policies increasingly require baseline security controls (Cyber Essentials certification, MFA, patch management, backups) — the same controls covered by this guide. Policy premiums reward demonstrably secure setups.
Launch your WordPress site on smartxhosting.uk
UK hosting with the Plesk WordPress Toolkit, LiteSpeed Cache, Redis object caching, Imunify360 server-level security, free Let’s Encrypt SSL, free CDN and daily backups — from £2/month.