Research · 17 min read

600 WordPress Security Scans: What the Data Reveals

By WP Vanguard Team

600 WordPress Security Scans: What the Data Reveals

When we launched WP Vanguard, we had a simple goal: make professional-grade WordPress security scanning accessible to every site owner, not just enterprises with big budgets.

A few months in, we have crossed 600 security scans. Forty to fifty new sites are being scanned every single day. And the data we have collected tells a story that every WordPress site owner should hear.

This post breaks down exactly what we found, the real numbers behind WordPress site health, and why proactive security scanning is no longer optional.


The Numbers Behind 600+ Scans

Let us start with the headline data.

604 completed scans. 99.8% found at least one issue.

That is not a typo. Out of every completed scan we ran, only one came back completely clean. Every other site had something worth looking at, whether it was a misconfigured HTTP header, an outdated plugin with a known CVE, or a critical vulnerability actively being exploited in the wild.

Here is the full breakdown:

Metric Number
Total scans completed 604
Sites with at least one issue 603 (99.8%)
Sites with critical vulnerabilities 43 (7.1%)
Average issues per scan 15.4
Average site health score 63 / 100

The average health score of 63 out of 100 is telling. It means the average WordPress site we scanned is doing okay, but not great. There is room for improvement on almost every site.


How WordPress Sites Are Graded

Every scan produces a health score and a letter grade. Here is how the sites we scanned stack up:

Grade Sites Percentage
A (80-100) 213 36%
B (60-79) 250 42%
C (40-59) 89 15%
D (20-39) 20 3.4%
F (0-19) 18 3%

The good news: 78% of scanned sites got an A or B grade. Most sites are not in critical danger.

The concerning news: 21% of sites scored C or below. That is roughly 1 in 5 sites with meaningful security gaps. For the 3% that scored F, these are sites with serious, immediate problems that need urgent attention.

If you are running a business on WordPress and your site scores a C or below, you are carrying risk that a basic scan can help you understand and address.


What Issues Are We Actually Finding?

The most common issues WP Vanguard flags fall into a few clear categories.

Missing or Weak HTTP Security Headers

This is the most widespread issue across scanned sites. Headers like Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security are simple to add, often one or two lines in your server config, but most sites simply do not have them.

Missing security headers do not mean your site is hacked. But they do mean it is easier to exploit if an attacker finds another entry point. Think of headers as your site's seatbelt. Most trips are fine without one, until they are not.

Outdated Plugins with Known CVEs

This is where things get serious. The WordPress plugin ecosystem is massive, and keeping every plugin updated is genuinely hard. But many of the issues we flag point to plugins that have published CVEs, meaning the vulnerability is publicly known, documented, and in many cases, actively being targeted.

An outdated plugin is not just a cosmetic issue. It is an open door.

SSL Configuration Problems

SSL errors showed up frequently in our scan data. This includes expired certificates, weak cipher suites, mixed content warnings, and in some cases, no HTTPS at all. Google has been penalising non-HTTPS sites for years, but beyond SEO, an invalid SSL certificate means your users' data is not being protected in transit.

Exposed WordPress Configuration and Sensitive Files

A surprisingly common finding: sites with publicly accessible files that should never be reachable from a browser. Things like wp-config.php backups, debug.log files, .env files left in the wrong place, and directory listings that expose your full file structure. These give attackers a roadmap.

Critical Vulnerabilities (7% of Sites)

43 out of 604 scanned sites had at least one critical-severity finding. These are the cases that keep security researchers up at night. A critical vulnerability typically means an unauthenticated attacker can do something catastrophic: take over an admin account, inject code, read your database, or in the worst cases, execute code on the server.

If you are in this 7%, patching should be your priority today.


The Hidden Cost of an Insecure WordPress Site

Before we go further, it is worth talking about what is actually at stake. Many site owners treat security as a technical checkbox rather than a business risk. The data suggests that is the wrong framing.

When a WordPress site gets compromised, the damage goes well beyond the immediate incident. Consider what typically happens:

Google blocklisting. Google crawls billions of pages every day and actively checks for malware, phishing content, and malicious redirects. When a site is flagged, it gets added to Google's Safe Browsing database. Chrome, Firefox, and Safari all pull from this list. Your visitors start seeing a full-screen warning before your site loads. Traffic collapses, sometimes overnight.

Hosting suspension. Most shared hosting providers monitor for malicious activity on their servers. When your site starts sending spam, hosting phishing pages, or participating in DDoS attacks, your account gets suspended. Often without much warning. Your site goes offline and you are scrambling to clean up and restore.

SEO damage. Search rankings are built over months and years. A security incident can wipe that out in days. Malware often injects spammy links, hidden redirects, or Japanese keyword spam into your pages. Google picks this up, and rankings drop. Recovery after a penalty can take months even after the malware is removed.

Data exposure. If your site handles any user data, contact forms, e-commerce transactions, membership accounts, a breach may have compliance and legal implications. Under GDPR and similar regulations, a data breach that is not handled correctly can result in significant fines.

Cleanup costs. Professional malware removal services charge anywhere from a few hundred to several thousand dollars, depending on the severity of the infection and how long it has been there. The longer an infection goes undetected, the more it costs to clean up.

All of this is avoidable. That is the part that is most frustrating about looking at the data. Most of the vulnerabilities we find in our scans have patches available. The sites that get hacked are usually not hacked because of some sophisticated zero-day exploit. They are hacked because of an unpatched plugin that has been sitting vulnerable for weeks or months.


Why 40-50 New Sites Are Being Scanned Every Day

The growth in daily scans reflects something bigger than WP Vanguard's user base growing. It reflects a shift in how WordPress site owners are thinking about security.

For a long time, security was reactive. You got hacked, then you dealt with it. The damage was done: Google blocklist, customer data exposed, revenue lost, reputation hit. The recovery process is expensive, stressful, and never fully complete.

What we are seeing now is a wave of site owners moving to a proactive posture. They want to know what is wrong before an attacker finds it. That is a fundamentally healthier approach to running a website.

The accessibility of tools like WP Vanguard plays a role here too. A surface scan costs nothing and takes under 60 seconds. There is no SSH access required, no technical setup, no plugins to install. You enter a URL and you get results. That removes the main barrier that kept non-technical site owners from ever checking their security posture.


Surface Scans vs Deep Scans: What the Data Shows

Of our 607 total scans, 593 were surface scans and just 10 were deep scans.

That ratio makes sense. Surface scans are fast, free, and do not require server access. They check SSL, HTTP headers, exposed files, plugin versions, and cross-reference against our database of 38,000+ CVEs. For the majority of site owners, a surface scan gives them exactly the intelligence they need.

Deep scans go further. They connect via SSH, run WP-CLI checks across core files, plugins, and uploads, and look for signs of compromise that are invisible from the outside. They are for site owners who want a thorough audit or suspect something is already wrong.

If you have not done a surface scan yet, that is the place to start. If your surface scan comes back with a C grade or lower, a deep scan will tell you the full story.


What a Scan Actually Checks

For those who have not used WP Vanguard before, here is a plain-English breakdown of what our scanner actually looks at.

SSL and HTTPS configuration. We verify that your SSL certificate is valid, not expired, issued by a trusted authority, and correctly configured. We also check that your site properly redirects HTTP to HTTPS and does not serve mixed content.

HTTP security headers. We check for the presence and correct configuration of headers like Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. Each of these headers protects against a specific class of attack.

WordPress version detection. We identify your WordPress version and flag if you are running a version with known security vulnerabilities. WordPress regularly releases security updates and running an outdated version is one of the most common risk factors.

Plugin and theme vulnerability lookup. We detect installed plugins and themes from publicly available signals in your site's HTML and asset URLs, then cross-reference these against our database of 38,000+ CVEs. If you are running a plugin with a known vulnerability, we will tell you exactly which one and what the risk is.

Exposed sensitive files. We check for publicly accessible files that should be protected: wp-config.php, .env, debug.log, backup files, and directory listings. These files can hand attackers the keys to your site.

Blacklist status. We check your domain against major threat intelligence feeds and blacklists to see if your site has already been flagged for malware distribution, phishing, or spam.

Deep scan (SSH-based). For paid deep scans, we go inside your server using SSH. We verify WordPress core file checksums, check plugin file integrity, scan the uploads directory for PHP files that should not be there, and look for signs of backdoors and injected code.

All of this happens in under 60 seconds for a surface scan. The result is a scored report with specific, actionable findings, not a vague warning that "something might be wrong."


WordPress Security News: What Happened This Week

Beyond our own scan data, the broader WordPress security landscape had a significant week. Here is what you need to know.

WordPress Core: Three Emergency Patches in 24 Hours

WordPress pushed three security releases in quick succession, patching CVE-2026-3907, CVE-2026-3906, and CVE-2026-3908. The vulnerabilities included a PclZip path traversal flaw, an authorization bypass in the Notes feature, and an XML external entity injection in the getID3 library. While all three required authentication to exploit, the rapid-fire release was a clear signal that these were being treated seriously. If you are not on the latest WordPress core, update now.

Ally Plugin: Critical SQL Injection Affecting 400,000+ Sites (CVE-2026-2413)

A critical SQL injection vulnerability was found in the Ally plugin, used by over 400,000 WordPress sites. An unauthenticated attacker can exploit unsanitized URL parameters to extract sensitive database information. As of the disclosure date, roughly 250,000 installations were still running the vulnerable version. The fix is available in version 4.1.0. If you use this plugin, check your version immediately.

Calculated Fields Form: Stored XSS (CVE-2026-3986)

A stored cross-site scripting vulnerability was disclosed in Calculated Fields Form versions up to 5.4.5.0. A contributor-level user can inject persistent JavaScript into form settings, which then executes in admin sessions. This type of attack can be used to steal credentials or install backdoors. Update to the latest version.

WPvivid Backup: Remote Code Execution in 900,000-Install Plugin (CVE-2026-1357)

This is a serious one. A critical RCE vulnerability was found in WPvivid Backup and Migration, a plugin with over 900,000 installations. An attacker targeting sites with the "receive backup from another site" feature enabled can achieve arbitrary PHP upload and remote code execution. The fix was released in version 0.9.124. If you run WPvivid, update immediately and disable the feature if you do not use it.

InstaWP Connect: Admin Authentication Bypass (CVE-2025-2636)

A critical authentication bypass vulnerability (CVSS 9.8) in InstaWP Connect allows unauthenticated attackers to log in as any user, including administrators. The plugin is used by 400,000+ sites. Patched in version 0.1.0.86. If this plugin is installed on your site and you are not on the patched version, treat this as an emergency.

Meta Box Plugin: Arbitrary File Deletion (CVE-2025-14675)

Authenticated users with contributor-level access can delete arbitrary files on the server in Meta Box versions up to 5.11.1. While this requires existing access, it can be chained with other vulnerabilities for a more damaging attack. Update to the latest version.

W3 Total Cache: Unauthenticated Code Execution

W3 Total Cache, one of the most widely used caching plugins in the WordPress ecosystem, has an unauthenticated arbitrary code execution vulnerability in versions up to 2.9.1. This is a critical finding for any site running an older version of this plugin. Check your version and update if you are behind.

The broader context: over 200 new WordPress vulnerabilities were disclosed in the past week alone, affecting 98 plugins and 111 themes. This is not an unusual week. This is the normal pace of WordPress security disclosures in 2026.


A Deeper Look at Our Scan Results

The grade and health score data tells one part of the story. Digging into the raw issue data tells another.

Across all 604 completed scans, we found 9,300 individual security issues in total. Here is how they break down by severity:

Severity Total Found Avg per Site
Critical 54 0.09
High 101 0.17
Medium 2,938 4.9
All issues 9,300 15.4

The medium severity category dominates because it captures the most common class of issues: missing security headers, minor configuration gaps, informational exposures. These are not emergencies, but they add up. A site with 15 medium issues has a noticeably weaker security posture than one with none.

The critical and high severity numbers are smaller but carry far more weight. 54 critical issues across 604 sites works out to about 1 in 11 scans finding something critical. At that rate, if you manage a portfolio of WordPress sites and are not scanning them, you almost certainly have at least one critical issue sitting undetected somewhere.

What the grade breakdown reveals about issue patterns:

Grade Avg Issues Avg Critical
A 12 0
B 14.7 0.04
C 19.7 0.21
D 25.5 0.20
F 37.7 0.83

A-grade sites still average 12 issues each, which might seem high until you understand that most of these are medium-severity findings like headers that could be tightened or minor information exposures. No critical issues appear at the A grade level at all.

As the grade drops, issue counts climb steeply. F-grade sites average nearly 38 issues per scan and almost 1 critical issue per site on average. These are not slightly-below-average sites. These are sites with serious, systemic security problems.

Only 1 out of 604 scanned sites had zero issues. That one site had perfectly configured headers, valid SSL, no exposed files, and no detectable vulnerable plugins. It is the exception, not the rule.

496 sites (82%) had issues that were medium severity only with no critical or high findings. For these sites, the findings are real and worth addressing, but they are not in immediate danger. Tightening security headers and keeping plugins updated is the main action.

The remaining 18% had at least one high or critical finding. These are the sites that needed the most urgent attention, and in many cases, the scan was the first time the site owner had any idea something was wrong.


What This Means for Your Site

The data from our scans and the recent vulnerability disclosures point to the same conclusion: most WordPress sites have security gaps, and the threat landscape is moving fast.

A few practical takeaways:

Update everything, regularly. The majority of successful WordPress attacks exploit known, already-patched vulnerabilities. An outdated plugin is not just a minor inconvenience. It is often the specific thing an attacker is looking for.

Do not assume you are too small to be targeted. Automated scanners do not care about your site's traffic or revenue. They scan millions of sites looking for specific vulnerability signatures. If your site has a vulnerable plugin, it will be found.

A surface scan takes 60 seconds and tells you a lot. If you have not scanned your site recently, there is no good reason not to. It is free, it takes less than a minute, and the findings can be genuinely eye-opening. 99.8% of the sites we scanned had at least one issue. Yours probably does too.

Pay attention to your grade. An A or B grade means your site is in reasonable shape. A C, D, or F means you should be taking action. The specific findings in your scan report tell you exactly where to focus.

Critical findings need same-day attention. If your scan returns a critical vulnerability, that is not a deal-with-it-this-weekend situation. Critical means there is a realistic path for an attacker to do serious damage. Treat it accordingly.


For WordPress Agencies and Developers: What This Means for Your Clients

If you manage WordPress sites for clients, the picture our data paints is important context for conversations you are probably already having.

Most clients do not think about security until something goes wrong. They do not know their plugin update history. They do not know what their security headers look like. They certainly do not know if any of their plugins have CVEs against them. They trust you to keep things running, and security is one of those things that is invisible when it is working and catastrophic when it is not.

The 7% critical finding rate is something worth sharing with clients. That means roughly 1 in 14 sites has a critical vulnerability right now. If you are managing ten client sites, statistically speaking, at least one of them probably has a critical issue you do not know about.

WP Vanguard's surface scan can be run on a client site without any access or installation required. You just need the URL. It is a practical tool for a quick security check across your client portfolio, and the report format is clear enough that you can share it directly with a client who is not technical.

For clients with more complex setups, deep scans give you the full picture: file integrity, backdoor checks, everything you need to give an authoritative assessment.


Scanning 600 Sites Was Just the Start

We built WP Vanguard because we believed WordPress site owners deserved better security tools than they had. The data from our first 600+ scans confirms that the problem we set out to solve is real, and it is widespread.

Almost every site we scanned had something to fix. Many had multiple issues across several categories. A handful had critical vulnerabilities that needed immediate attention.

The good news is that most of these issues are fixable. Updated plugins, properly configured headers, valid SSL certificates, cleaned-up exposed files. None of this requires a security background. It requires awareness, and the right tool to surface the problems.

We are scanning 40 to 50 new sites every day. Every scan is a site owner getting information they did not have before. That is what we are here for.


Scan Your WordPress Site Free

If you have read this far and have not scanned your site yet, here is your prompt.

Head to our homepage scanner and enter your URL. You will get a full surface scan in under 60 seconds, no account required, no plugin to install. Your scan will check SSL, security headers, exposed files, known vulnerabilities in your plugins, and give you a health score and letter grade.

If you need to go deeper, deep scans are available for a full SSH-based audit of your core files, plugins, and uploads.

The WordPress threat landscape is not slowing down. 200+ new vulnerabilities a week is the new normal. The question is whether you know what is on your site or not.

Scan your site free now.

wordpress security vulnerability report malware site health wordpress statistics

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog