#WhatFraudstersLike #CyberRisk #TechnologyRisk #FraudPrevention #LetsTalkFraud

Fraudsters Like WordPress!

Powering 43% of the internet sounds impressive. It also makes WordPress the world's largest target-rich environment for cybercriminals and fraud infrastructure.

If you're a fraudster, WordPress isn't "just a CMS." It's a massive attack surface with predictable mistakes baked in - and millions of site owners who think security is someone else's job.

So what do attackers actually like about it?

🔑 Weak admin hygiene - Default usernames, reused passwords, and no MFA. Credential stuffing works frighteningly well against wp-admin because site owners rarely monitor login attempts. One compromised admin account means full control - content changes, injected skimmers, fake payment pages, and silent redirects to scam sites.
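Added example (not from the original post): a small Python script that turns the "nobody monitors login attempts" problem into a concrete detection. It parses a few constructed access-log lines in the common Apache/nginx combined format and flags source IPs with a burst of failed wp-login.php POSTs, or repeated xmlrpc.php POSTs, reporting whether a successful login followed the failures. The sample lines, IP addresses and thresholds are assumptions for the demonstration, not data from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic;
# the 203.0.113.x and 198.51.100.x ranges are reserved for documentation).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2024:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:13:55:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2024:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (X11)"
198.51.100.20 - - [10/Oct/2024:13:56:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11)"
203.0.113.9 - - [10/Oct/2024:14:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 860 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:14:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 860 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2024:14:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 860 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect_login_abuse(log_text, window=timedelta(minutes=10),
                       fail_threshold=5, xmlrpc_threshold=3):
    """Return {ip: finding} for source IPs that look like credential stuffing.

    A failed wp-login.php form POST is answered with HTTP 200 (WordPress
    re-renders the form); a successful one is answered with a 302 to wp-admin.
    xmlrpc.php POSTs are counted separately because XML-RPC accepts
    credentials too and is a common brute-force channel when left enabled.
    """
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in ("/wp-login.php", "/xmlrpc.php"):
            posts[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        failed = [r["ts"] for r in recs if r["path"] == "/wp-login.php" and r["status"] == 200]
        xmlrpc = sum(1 for r in recs if r["path"] == "/xmlrpc.php")
        # Largest number of failures that fall inside any single sliding window.
        burst = 0
        for i, start in enumerate(failed):
            j = i
            while j < len(failed) and failed[j] - start <= window:
                j += 1
            burst = max(burst, j - i)
        # A 302 from the same IP after failures is the case worth paging on:
        # the guessing may have succeeded.
        succeeded = any(r["path"] == "/wp-login.php" and r["status"] == 302 for r in recs)
        if burst >= fail_threshold or xmlrpc >= xmlrpc_threshold:
            findings[ip] = {
                "failed_logins_in_window": burst,
                "xmlrpc_posts": xmlrpc,
                "success_after_failures": bool(failed) and succeeded,
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_login_abuse(SAMPLE_LOG).items():
        print(ip, finding)
```

Run it against a real access log by passing the file contents to detect_login_abuse. The 200-versus-302 distinction holds for the stock login form; a plugin that customises the login flow may answer differently, so confirm on your own site before relying on it. A steady stream of xmlrpc.php POSTs is also the quickest evidence that XML-RPC should be switched off if nothing legitimately uses it.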

🧩 Plugin overload and abandonware - The average WordPress site runs 20-30 plugins. Many are maintained by small teams or completely abandoned. One vulnerable plugin enables file-upload abuse, credential-harvesting forms, or silent redirects. With over 70,000 known vulnerabilities across core, plugins, and themes, attackers don't hunt - the vulnerabilities are already indexed.

πŸ•³οΈ Outdated cores and themes - Unlike enterprise platforms, patching often gets delayed because "the site still works." Fraudsters scan at scale for known CVEs and exploit them within days. Sucuri’s 2024 remediation data shows WordPress accounts for over 95% of all infected CMS sites they clean up.

πŸ”„ Silent redirects and SEO poisoning - Compromised WordPress sites are often used as infrastructure, not the final scam. Injected JavaScript redirects mobile users to fake prizes, crypto scams, or malicious app downloads - often used for credential theft and payment fraud. Desktop users see nothing. Owners stay unaware for months.

🎭 Brand impersonation at scale - WordPress makes it trivial to clone a legitimate-looking page. Attackers spin up phishing sites mimicking banks, delivery firms, or government portals in minutes. Cheap hosting, fast turnaround, low failure cost.

⛓️ Supply chain and script injection - Attackers don't always target your site directly. Compromising a shared plugin or analytics snippet used by thousands of sites at once is far more efficient - as the 2024 Polyfill.io incident demonstrated, affecting 100,000+ websites through a single poisoned CDN script.
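Added example covering the two injection patterns above (the mobile-only redirect and the third-party script injection); it is not code from the post or from any vendor mentioned in it. Using only the Python standard library, it pulls every script out of a page's HTML, flags inline scripts that pair a user-agent check with a redirect sink or that lean on obfuscation primitives such as eval/atob, and flags external scripts whose host is not on an allowlist the site owner maintains. The sample page, the .example hostnames, the pattern lists and the allowlist are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a normal WordPress head plus three things a compromised site
# typically carries. Hostnames under .example are placeholders, not real domains.
SAMPLE_HTML = """<!doctype html>
<html><head><title>Shop</title>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://cdn.lookalike-polyfill.example/v3/polyfill.min.js"></script>
<script>
  // injected: only mobile visitors are bounced to a scam landing page
  if (/Android|iPhone|Mobile/i.test(navigator.userAgent)) {
    window.location.href = "https://prize-claim.example/";
  }
</script>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("Ly8gcGF5bG9hZCBlbGlkZWQ="));</script>
</head><body><h1>Welcome</h1></body></html>
"""

# Heuristic patterns (assumptions for this example, tune for your own pages).
UA_CHECK = re.compile(r"navigator\.userAgent|Android|iPhone|Mobile", re.I)
REDIRECT_SINK = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href|\.replace|\.assign)?\s*[=(]")
OBFUSCATION = re.compile(r"\beval\s*\(|\batob\s*\(|String\.fromCharCode|\bunescape\s*\(")


class _ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script src values."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, allowed_script_hosts):
    """Return findings: inline scripts with a user-agent-conditional redirect or
    obfuscation primitives, and external scripts whose host is not on the
    allowlist (relative src paths count as first-party and are skipped)."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for i, code in enumerate(parser.inline):
        reasons = []
        if UA_CHECK.search(code) and REDIRECT_SINK.search(code):
            reasons.append("user-agent-conditional redirect")
        if OBFUSCATION.search(code):
            reasons.append("obfuscation primitives")
        if reasons:
            findings.append({"kind": "inline", "index": i, "reasons": reasons,
                             "snippet": " ".join(code.split())[:80]})
    allowed = {h.lower() for h in allowed_script_hosts}
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:  # relative path, served by this site
            continue
        if host.lower() not in allowed:
            findings.append({"kind": "external", "src": src,
                             "reasons": ["script host not on allowlist"]})
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML, {"www.googletagmanager.com"}):
        print(finding)
```

Fetch your own pages, once with a desktop and once with a mobile User-Agent since injected code is sometimes only served to one, and feed the HTML to scan_html with the hosts you actually expect to load scripts from. The inline patterns are heuristics: a legitimate responsive-menu script can trip the user-agent check, so treat a hit as something to read rather than a verdict. The allowlist check is the supply-chain angle the post raises: it surfaces scripts added from hosts you never approved, while a host you still allow but no longer trust has to be removed from the list by hand.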

In 2024, Sucuri's SiteCheck scanner analyzed over 70 million websites and identified more than 1.1 million compromised sites - with Balada Injector (149,000+ detections) and Sign1 (96,000+ detections) leading large-scale campaigns through vulnerable plugins. Malware and malicious redirects accounted for nearly 75% of infections.

🚨 What to do about it?

- Individuals - don't assume a website is safe just because it looks professional. Check URLs carefully, especially on mobile.

- Site owners - enforce MFA, patch fast, keep plugins minimal, and disable XML-RPC if unused. Monitor outbound traffic, not just uptime.

- Organizations - treat third-party scripts and plugins as supply chain risk. A WAF at the DNS layer (even a free Cloudflare tier) blocks a significant volume of automated scanning before it reaches your server.

Because fraudsters don't need zero-days. They just need you to click "remind me later".