WordPress Plugin Vulnerabilities Hit a Record High in 2025. Most Business Sites Running Them Have No Monitoring.

The WordPress plugin ecosystem produced more disclosed security vulnerabilities in 2025 than in any year on record. Not incrementally more. Roughly 42% more than 2024, which was itself a record year. I ran through Patchstack's annual State of WordPress Security report this week and the number stopped me: 11,334 vulnerabilities across plugins, themes, and core software in twelve months.
WordPress powers roughly 43% of all websites globally, according to W3Techs. It is the CMS underneath most business sites across Ireland and the rest of the world. The plugin ecosystem is exactly what makes WordPress flexible and useful. It is also the attack surface that security researchers documented more than 11,000 times last year.
If you run a business website on WordPress, this is not your hosting company's problem to absorb silently in the background. It requires an active response from the infrastructure supporting your site. Most business owners I speak to are completely unaware the problem exists at this scale.
WordPress Core Is Not the Issue. Plugins Are.
Let me be precise here, because there is a version of this story that is deeply unfair to WordPress itself.
The actual WordPress software, the core platform, had six security vulnerabilities disclosed in the whole of 2025, all rated low risk. Six. WordPress core is not the problem.
Roughly 91% of all disclosed vulnerabilities are in plugins. The remainder are in themes. The core platform has a dedicated security team and a rigorous review process. The plugin ecosystem has 60,000-plus plugins, many maintained by individual developers working on them in their spare time. WordPress.org does not security-audit plugins before they go live. The review process screens for obvious malicious code. That is not the same as a security audit.
This matters for how you think about the risk. The platform is not the liability. The optional add-ons sitting on top of it are. A business running WordPress with a minimal, well-maintained plugin set is in a genuinely different risk position from one running 30 plugins, five of which have not been updated since 2022.
For a practical grounding in what a secure, maintained WordPress setup actually requires, the WordPress Security and Backup Guide for Irish Websites covers the operational baseline in concrete terms. The difference between a maintained and an unmaintained installation is not a minor gap.
The Five-Hour Window
This is the part of the 2025 data that changed my view on what unmanaged hosting actually exposes a business to.
The median time from public vulnerability disclosure to active mass exploitation is five hours, according to Patchstack's analysis of 2025 data. Roughly 20% of weaponised vulnerabilities are actively exploited within six hours of disclosure. Around 45% within twenty-four hours.
Here is what that timeline means in practice. A security researcher discovers a flaw in a popular plugin. They follow responsible disclosure, alert the developer, and wait for a fix. The moment that disclosure goes public, automated scanning tools begin sweeping the internet for every site running that plugin version. Within five hours, the first wave of exploitation attempts is underway. Within a day, automated attack scripts have tested millions of sites.
Your site is in that pool. It got indexed by those tools years ago. The only question is whether the plugin has been patched before the window opens.
The detail that compounds this is the patching gap. Patchstack found that roughly 46% of the vulnerabilities disclosed in 2025 had no developer patch available at the time of disclosure. The vulnerability is public. Attackers know about it. No patch exists. The only defences in that situation are removing the affected plugin entirely or having your hosting provider's web application firewall block the known exploit pattern at the network edge, before the plugin developer has even shipped a fix.
Wordfence's 2024 Annual Security Report found that around 35% of vulnerabilities disclosed that year were still unpatched as of April 2025. These are not edge cases in obscure plugins. These are live vulnerabilities, on live sites, with no remediation applied.
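The patching gap described above is an inventory problem before it is anything else: you need to know which installed plugins sit inside a disclosed-but-unpatched range and how long the exploitation window has been open. The script below is an added example, not code from the page, Patchstack or Wordfence; the plugin slugs, versions and advisory records are constructed sample data, and the five-hour figure is the median time-to-exploitation quoted in the text.

```python
"""Classify an installed-plugin inventory against a vulnerability feed.

Added example. INSTALLED and ADVISORIES are constructed sample data, not
real plugins or real advisories; in practice they would come from the site
(e.g. a plugin list export) and from a vulnerability feed.
"""
from datetime import datetime, timezone

# Median disclosure-to-mass-exploitation time quoted in the article (hours).
MEDIAN_EXPLOIT_HOURS = 5

# Constructed inventory: plugin slug -> installed version.
INSTALLED = {
    "contact-form-sample": "3.4.1",
    "gallery-sample": "1.9.0",
    "seo-sample": "2.2.5",
}

# Constructed advisories. "affected_below" is the first non-affected version;
# "fixed_in" is None when the developer has not shipped a patch.
ADVISORIES = [
    {"slug": "contact-form-sample", "affected_below": "3.4.2", "fixed_in": "3.4.2",
     "disclosed": "2025-06-01T09:00:00+00:00"},
    {"slug": "gallery-sample", "affected_below": "2.0.0", "fixed_in": None,
     "disclosed": "2025-06-01T12:00:00+00:00"},
    {"slug": "not-installed-sample", "affected_below": "1.1.0", "fixed_in": "1.1.0",
     "disclosed": "2025-05-30T08:00:00+00:00"},
]


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in version.split("."))


def assess(installed, advisories, now):
    """Return {slug: finding} for every installed plugin with an open advisory.

    Each finding carries the defender's action (update, or remove/virtual-patch
    when no fix exists), the hours since disclosure, and whether the median
    exploitation window has already passed.
    """
    findings = {}
    for adv in advisories:
        current = installed.get(adv["slug"])
        if current is None:
            continue  # plugin not installed on this site
        if parse_version(current) >= parse_version(adv["affected_below"]):
            continue  # already on a non-affected version
        disclosed = datetime.fromisoformat(adv["disclosed"])
        hours = (now - disclosed).total_seconds() / 3600
        if adv["fixed_in"] is None:
            action = "no patch available: remove plugin or rely on WAF virtual patch"
        else:
            action = f"update to {adv['fixed_in']}"
        findings[adv["slug"]] = {
            "installed": current,
            "action": action,
            "hours_since_disclosure": round(hours, 1),
            "past_median_window": hours >= MEDIAN_EXPLOIT_HOURS,
        }
    return findings


if __name__ == "__main__":
    # Constructed "current time" for the sample run.
    now = datetime(2025, 6, 1, 16, 0, tzinfo=timezone.utc)
    for slug, finding in assess(INSTALLED, ADVISORIES, now).items():
        print(slug, finding)
```

Run against a real inventory, the useful output is the set of plugins whose finding reads "no patch available": those are the ones where waiting for an update is not a plan, and the only choices are removal or an edge rule that blocks the exploit pattern.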

What Unmanaged Looks Like When It Matters
Consider a scenario that follows a pattern we see repeatedly. A contact form plugin releases a security update. The developer sends a notification email. It arrives in an inbox between an invoice and a supplier query, flagged as low priority. Nobody acts on it that day. The hosting plan has no automatic update mechanism and no web application firewall.
That is not negligence. That is a busy business owner running a business.
Meanwhile, the exploitation window opened within hours of the vulnerability going public. The Sucuri 2023 Hacked Website Report, based on analysis of tens of thousands of compromised sites, found that over 39% of affected CMS installations were running outdated software at the time of infection. Not ancient software. Outdated. The kind of outdated that accumulates when nobody has a system that patches without waiting for someone to notice.
The disaster patterns documented with plugin auto-updates show the same dynamic from both ends: not updating at all is obviously dangerous, but updating without a safety net causes its own class of breakage. The answer is not manual vigilance by a business owner who has more pressing things to manage. The answer is infrastructure that handles this cycle reliably, without requiring their attention.
What Changes When Someone Is Watching
A managed WordPress hosting environment does two things that matter here.
First, it applies plugin updates automatically or routes them through a staging environment for verification. Either way, the window between a vulnerability being patched and your site running that patch is measured in hours, not days or weeks. A nightly backup fires before the update runs. If something breaks, the rollback is there without a rebuild.
Second, the better-managed platforms run a web application firewall with virtual patching capability. When a vulnerability is disclosed, the WAF provider writes a rule blocking the known exploit pattern, even before the plugin developer has shipped a fix. The roughly 46% of disclosed vulnerabilities that have no available patch become significantly less dangerous when your hosting provider is blocking the exploit at the network edge.
Web60's managed WordPress infrastructure runs on this model: automatic plugin updates with pre-update backups and one-click staging, server-level security hardening, and fail2ban intrusion prevention. The intent is that the business owner never needs to make a security decision inside a five-hour exploitation window.
One honest limitation worth stating plainly: no managed hosting environment stops a zero-day in the window before the WAF vendor has written a detection rule for it. That gap is real. The backups and rapid incident response exist precisely because perfect prevention does not. Know the tradeoff.
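To make the virtual-patching idea concrete, and to show the limitation just stated, here is a minimal rule matcher of the kind a WAF applies at the edge. This is an added example, not code from the page or from any WAF vendor: the rule id, the plugin path and the parameter value it blocks are hypothetical placeholders. A request that matches a rule is blocked whether or not the plugin behind it has been patched; a request for which no rule exists yet passes straight through, which is exactly the zero-day gap described above.

```python
"""Minimal virtual-patch rule matcher, in the style of an edge WAF rule set.

Added example. The rule below is a constructed placeholder for a hypothetical
plugin; it is not a real signature. A real deployment would receive rules from
the WAF provider as vulnerabilities are disclosed.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed rule: block requests to a hypothetical plugin endpoint whose
# 'action' parameter names a handler that the (hypothetical) advisory says is
# reachable without authentication.
VIRTUAL_PATCHES = [
    {
        "id": "VP-EXAMPLE-001",  # placeholder id
        "path_prefix": "/wp-content/plugins/example-plugin/",  # hypothetical plugin
        "param": "action",
        "pattern": re.compile(r"^example_export_users$"),
        "reason": "unauthenticated export handler (hypothetical advisory)",
    },
]


def evaluate(url, rules=VIRTUAL_PATCHES):
    """Return ('block', rule_id) if any rule matches the request, else ('allow', None)."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    for rule in rules:
        if not parsed.path.startswith(rule["path_prefix"]):
            continue
        for value in params.get(rule["param"], []):
            if rule["pattern"].search(value):
                return "block", rule["id"]
    return "allow", None


def log_line(client_ip, url, rules=VIRTUAL_PATCHES):
    """Produce a single audit-log line for the decision, so blocks are visible
    to whoever is monitoring the site rather than silently dropped."""
    decision, rule_id = evaluate(url, rules)
    tag = f" rule={rule_id}" if rule_id else ""
    return f"{client_ip} {decision.upper()}{tag} {url}"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        "/wp-content/plugins/example-plugin/ajax.php?action=example_export_users",
        "/wp-content/plugins/example-plugin/ajax.php?action=example_render_form",
        "/wp-content/plugins/other-plugin/ajax.php?action=example_export_users",
    ]
    for url in samples:
        print(log_line("203.0.113.7", url))
```

The third sample request is the honest-limitation case: it targets a different plugin for which no rule has been written, so it is allowed. Nothing in the matcher can help there; that is what the backups and incident response are for.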
The Scenario Where Managed Hosting Is Not the Answer
If you are running a large enterprise WordPress deployment with a dedicated DevOps team, automated CI/CD pipelines, and the capacity to evaluate every plugin update against a full test suite before it touches production, that model is the right one. Enterprise managed platforms at the top of the market handle compliance governance at that scale correctly.
A small accountancy firm in Sligo running a website for client enquiries does not have a DevOps team. They have a website. The question for them is not whether they can build an enterprise security posture from scratch. It is whether their hosting provider has one built into the platform they are already paying for.
Conclusion
The 2025 numbers are not an indictment of WordPress as a platform. WordPress core is among the most scrutinised codebases in open source software. The vulnerability count is an argument against running WordPress on infrastructure with no active security posture, in an ecosystem where the exploitation window has collapsed to hours.
The business owner who checks email twice a day is not going to patch their plugins within five hours of a disclosure. The platform that patches automatically, monitors continuously, and backs up nightly does not need them to. That is the gap the 2025 numbers are measuring.
Sources
Patchstack State of WordPress Security in 2026
Patchstack State of WordPress Security in 2025
Wordfence 2024 Annual WordPress Security Report
Graeme Conkie founded SmartHost in 2020 and has spent years building hosting infrastructure for Irish businesses. He created Web60 after seeing the same problem repeatedly — Irish SMEs paying too much for hosting that underdelivers. He writes about WordPress infrastructure, server security, developer workflows, managed hosting strategy, and the real cost of hosting decisions for Irish business owners.