Is WordPress core the main reason WordPress sites get hacked?
No, I have not seen evidence that WordPress core is the main reason WordPress sites get hacked.
In the compromised WordPress sites we have investigated, the root cause has always been outside core. We usually find a vulnerable plugin, an outdated theme, a stolen password, weak credentials, or a site that has not been maintained.
The pattern across our investigations is simple:
- 0% traced to actual WordPress core
- About 75% traced to plugins or themes
- About 25% traced to stolen or weak passwords
That does not mean WordPress core can never have a security bug. Any large software project can. But in the real compromised sites we work on, WordPress core has not been the entry point.
So when someone asks, “Is WordPress insecure?” I think the better question is, “Is this WordPress site being managed securely?”
What is the difference between WordPress core risk and WordPress ecosystem risk?
WordPress core risk comes from the main WordPress software, while WordPress ecosystem risk comes from plugins, themes, passwords, hosting, and maintenance habits.
This distinction matters because people often blame WordPress for problems caused by add-ons or poor site management.
WordPress core is the central platform. It gets regular updates and a lot of attention from developers, security researchers, and site owners.
The WordPress ecosystem is much bigger and much less consistent. A normal site might include:
- A commercial or custom theme
- Contact form plugins
- SEO plugins
- Page builders
- Security plugins
- Caching plugins
- Ecommerce plugins
- Analytics tools
- Third-party integrations
Every plugin and theme adds more code. More code means more places where something can be outdated, poorly written, abandoned, or misconfigured.
What evidence points away from WordPress core as the main problem?
The strongest evidence is that we have traced 0% of our investigated compromises to actual WordPress core.
When we clean and investigate a hacked WordPress site, we do not just guess. We look for the likely entry point.
That usually means checking:
- Outdated plugins
- Outdated themes
- Known plugin or theme vulnerabilities
- Modified files
- Unexpected admin users
- Login activity
- Weak or reused passwords
- Old software that has not been patched
The pattern has been consistent. We do not find attackers getting in through WordPress core. We find plugins, themes, and passwords.
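As an added example (not part of the original article), the Python helper below runs three of the checks above over constructed data shaped like `wp plugin list --format=json` output, `wp user list --role=administrator --format=json` output and a web server access log; the plugin names, user names, addresses and the 20-request threshold are all made up for the illustration.

```python
import json
from collections import Counter

# Constructed sample shaped like `wp plugin list --format=json` (not real site data)
PLUGINS_JSON = json.dumps([
    {"name": "contact-form-x", "status": "active", "update": "available",
     "version": "1.2.0", "update_version": "1.4.1"},
    {"name": "seo-helper", "status": "active", "update": "none",
     "version": "3.0.0", "update_version": ""},
    {"name": "old-slider", "status": "inactive", "update": "available",
     "version": "0.9", "update_version": "2.1"},
])
# Constructed sample shaped like `wp user list --role=administrator --format=json`
ADMINS_JSON = json.dumps([
    {"ID": 1, "user_login": "owner", "user_registered": "2019-03-01 10:00:00"},
    {"ID": 57, "user_login": "wp_support", "user_registered": "2024-11-30 03:12:44"},
])
EXPECTED_ADMINS = {"owner"}  # constructed: the admin accounts the site owner recognises
# Constructed access-log lines: one address hammering wp-login.php, one ordinary visitor
ACCESS_LOG = "\n".join(
    [f'203.0.113.9 - - [30/Nov/2024:03:{i // 60:02d}:{i % 60:02d} +0000] '
     '"POST /wp-login.php HTTP/1.1" 200 3021' for i in range(40)]
    + ['198.51.100.4 - - [30/Nov/2024:03:15:00 +0000] "GET /about/ HTTP/1.1" 200 9120'])


def triage(plugins_json, admins_json, expected_admins, access_log, login_threshold=20):
    """Return (category, detail) findings for the entry-point checks listed above."""
    findings = []
    for p in json.loads(plugins_json):
        if p["update"] == "available":              # outdated plugin: a known patch is pending
            findings.append(("plugin-outdated", f'{p["name"]} {p["version"]} -> {p["update_version"]}'))
        if p["status"] == "inactive":               # unused plugin: code that should be removed
            findings.append(("plugin-unused", p["name"]))
    for u in json.loads(admins_json):
        if u["user_login"] not in expected_admins:  # admin user nobody can account for
            findings.append(("admin-unexpected", f'{u["user_login"]} registered {u["user_registered"]}'))
    posts = Counter(line.split()[0] for line in access_log.splitlines()
                    if '"POST /wp-login.php' in line)
    for ip, n in posts.items():
        if n >= login_threshold:                    # burst of login attempts from one address
            findings.append(("login-burst", f"{ip}: {n} POSTs to wp-login.php"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(PLUGINS_JSON, ADMINS_JSON, EXPECTED_ADMINS, ACCESS_LOG):
        print(f"{category:16} {detail}")
```

The findings are prompts for a human investigator, not proof of an entry point; an unexpected admin still has to be matched against the login activity and file changes around its registration time.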
If you remember one thing from this article, remember this: I have never seen evidence of a WordPress core security risk being the cause in the compromises we investigate. It has always been a plugin, a theme, or a password issue.
Are plugins usually the bigger WordPress security risk?
Yes, plugins are usually the bigger WordPress security risk because they add third-party code from many different developers.
That does not mean every plugin is bad. Many plugins are reliable, well maintained, and built by good developers.
But the plugin ecosystem is open. Plugins in the WordPress repository can be uploaded by many different developers as long as they meet basic standards. That is not the same thing as a full security audit.
This is why I do not blindly trust a plugin just because it has a lot of downloads.
Before we install or keep a plugin, we want to know:
- Is the plugin actively maintained?
- When was it last updated?
- Does the developer respond to issues?
- Does the plugin have a history of serious vulnerabilities?
- Do we actually need it?
- Can we replace it with a safer or simpler option?
The more plugins a site has, the more careful we need to be. Each one becomes part of the site’s security picture.
Are themes usually the main WordPress security problem?
Themes can be a security problem, but we have seen fewer theme-related issues than plugin-related issues.
One reason may be that many site owners use paid themes. Paid themes often have better code quality, support, and update processes than random free or abandoned themes.
Still, themes can absolutely be the entry point for a hack.
Theme risk goes up when a theme is:
- Very old
- No longer maintained
- Downloaded from an untrusted source
- Heavily customized
- Bundled with outdated scripts
- Bundled with outdated plugins
We recently worked on a site that had not been updated in eight years. The attacker got in through the theme, not WordPress core.
Because the site was so old, we could not just click update and call it done. We had to clean the site first, then manually patch it because normal updates were not practical.
That was not a WordPress core problem. It was an old-theme problem combined with a long-term maintenance problem.
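Cleaning an old site like that starts with finding files that differ from a known-good release. The Python example below is added here and is not the article's own tooling: it checks a directory against a manifest in the shape of the `checksums` object returned by WordPress's core checksums API (WP-CLI's `wp core verify-checksums` performs this comparison for core files); the release contents, paths and manifest are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed "release" (path -> shipped content). The manifest below is computed
# from it, mirroring the path -> MD5 mapping of the real checksums API.
RELEASE_FILES = {
    "wp-includes/version.php": "<?php\n$wp_version = '6.4.3';\n",
    "wp-content/themes/legacy-theme/functions.php": "<?php\nadd_action('init', 'legacy_init');\n",
}
MANIFEST = {path: hashlib.md5(body.encode()).hexdigest() for path, body in RELEASE_FILES.items()}


def verify_tree(root, manifest):
    """Compare files under root with manifest; return (modified, missing, unexpected)."""
    modified, missing, unexpected, seen = [], [], [], set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            if rel not in manifest:
                unexpected.append(rel)        # file the release never shipped
            elif digest != manifest[rel]:
                modified.append(rel)          # shipped file whose content changed
    missing.extend(sorted(set(manifest) - seen))  # shipped file that is gone
    return sorted(modified), missing, sorted(unexpected)


def build_sample_site():
    """Create a constructed site copy: one shipped file altered, one extra file added."""
    root = tempfile.mkdtemp()
    for rel, body in RELEASE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "wp-content/themes/legacy-theme/functions.php"), "a") as fh:
        fh.write("/* change not present in the released theme */\n")
    extra = os.path.join(root, "wp-content/uploads/cache.php")
    os.makedirs(os.path.dirname(extra), exist_ok=True)
    with open(extra, "w") as fh:
        fh.write("<?php /* PHP file where only uploads should live */\n")
    return root


if __name__ == "__main__":
    print(verify_tree(build_sample_site(), MANIFEST))
```

On a real site the manifest only covers what the release shipped, so every file under wp-content/uploads shows up as unexpected; the useful signal there is executable files (such as .php) in directories that should hold only media.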
How much do weak passwords contribute to WordPress compromises?
Weak or stolen passwords account for about 25% of the WordPress compromises we investigate.
This is important because no software vulnerability is needed when an attacker has valid login credentials.
If someone gets an admin username and password, they can log in like a normal user. At that point, WordPress core is not the issue.
Passwords create risk when they are:
- Weak
- Reused across websites
- Shared between users
- Leaked in another breach
- Stored somewhere unsafe
Security plugins and firewalls can help, but they do not fully solve weak passwords by themselves.
In our experience, Wordfence stops many plugin-based attacks. But it cannot stop weak passwords unless stronger login protections, especially two-factor authentication, are turned on.
Does Wordfence or a firewall fix WordPress security?
No. Wordfence or a firewall can reduce risk, but it does not fix every WordPress security problem.
A firewall can block many known exploit attempts, especially when attackers are targeting vulnerable plugins.
That is useful. We like tools that reduce exposure to known attacks.
But a firewall is not a replacement for basic security work. It will not fully protect a site if:
- Admin passwords are weak
- Two-factor authentication is disabled
- Plugins are abandoned
- The theme is outdated
- The site has not been maintained in years
- Old admin users still have access
I think of Wordfence as one good layer. It is not the whole security plan.
What do people get wrong when they say “WordPress is insecure”?
People get it wrong when they confuse WordPress popularity, plugin risk, and poor maintenance with WordPress core insecurity.
WordPress is popular, so attackers scan for WordPress sites. That does not prove WordPress core is the main security problem.
It proves attackers know there are a lot of WordPress sites with possible weak spots, such as:
- Outdated plugins
- Old themes
- Weak passwords
- Reused passwords
- Old admin accounts
- Unmanaged hosting
- No two-factor authentication
Another mistake is counting every WordPress-related vulnerability as if it belongs to WordPress core.
A plugin vulnerability is not a core vulnerability. A patched vulnerability is not the same as an unpatched website. A hard-to-exploit issue is not the same as an actively exploited one.
That context changes the conclusion.
What security mistakes make WordPress sites look insecure?
The biggest security mistakes are skipped updates, careless plugin choices, weak passwords, no two-factor authentication, poor backups, and unmanaged hosting.
These mistakes are common because many WordPress sites are launched and then left alone.
Someone builds the site. Plugins get installed. A theme gets customized. Admin users are created. Then nobody takes ownership of maintenance.
Over time, the risk builds:
- Plugins stop getting updated
- Themes fall behind
- Old users keep admin access
- Passwords get reused
- Backups stop being tested
- Hosting settings go unchecked
When the site gets hacked, WordPress gets blamed. But in most cases we see, the issue is neglect, not WordPress core.
Should site owners blindly trust popular plugins?
No, site owners should not blindly trust popular plugins just because they have many downloads.
Downloads can be a useful signal, but they are not proof that a plugin is secure.
A plugin can be popular and still have a vulnerability. It can also change ownership, slow down maintenance, or stop receiving meaningful updates.
Before using a plugin, we try to answer a few practical questions:
- Do we really need this plugin?
- Is it still maintained?
- Does it come from a developer we trust?
- Does it have recent unresolved security issues?
- Can we get the same result with less code?
This is one of the easiest ways to reduce real WordPress risk. Use fewer plugins, choose better plugins, and keep them updated.
What should WordPress site owners do to reduce the real risks?
WordPress site owners should focus on updates, plugin quality, strong authentication, backups, and hosting hygiene.
These steps address the problems we actually see during compromised site investigations:
- Keep WordPress core updated.
- Keep plugins updated.
- Keep themes updated.
- Remove plugins and themes you do not use.
- Avoid nulled plugins and nulled themes.
- Do not blindly trust plugins because of download count.
- Use strong, unique passwords for every admin account.
- Turn on two-factor authentication for administrators.
- Use least-privilege access instead of making everyone an admin.
- Remove old users who no longer need access.
- Use a web application firewall to block known attacks against plugins.
- Choose hosting that is maintained properly.
- Keep backups that are tested and recoverable.
- Replace abandoned plugins before they become a problem.
None of this requires treating WordPress core as the enemy. It requires managing the parts of the site that most often fail.
