Most WordPress hacks aren’t sophisticated. They walk in through a plugin the site owner forgot they installed in 2022.
Patchstack tracked 4,200+ WordPress vulnerabilities in 2024 alone. Roughly 97% of them lived in plugins, not in WP core. Sites running 30+ plugins are about 8x more likely to be compromised than sites running under 15. The math is brutal and the pattern repeats every week.
The plugin patterns that keep getting hacked
We see the same five categories on almost every compromised site we clean up. Not specific plugins — patterns.
- Abandoned slider plugins. Anything where the “Last updated” line on the WordPress.org page is 2023 or earlier. Sliders touch the DOM, accept admin input, and almost always ship file-upload handlers. Stale code with that much surface area is one of the most common entry points we see.
- Contact form plugins from defunct vendors. The vendor’s site is gone, the support forum is dead, and the plugin still has 40,000 active installs. Forms handle untrusted input by definition. No maintainer means no patches.
- “All-in-one” page builder add-on bundles. The 50-widgets-for-Elementor packs. Each widget is its own attack surface and the bundle ships them all whether you use them or not. Every widget runs as PHP with the same privileges as the rest of WordPress, so one unmaintained widget is enough to compromise the whole site.
- Social-feed and Instagram-embed plugins that haven’t shipped in 8+ months. They call external APIs, cache remote content, and frequently run on every page. When the auth flow breaks they get abandoned fast.
- “Security” plugins from unknown vendors. The cruelest category. We’ve pulled actual backdoors out of plugins marketed as malware scanners. If the vendor has no public security disclosure process and no track record, it’s not a security plugin — it’s a liability with a lock icon.
What to use instead
Replacements should be maintained, audited, and run by vendors who fix CVEs in days, not quarters.
- Security: Wordfence or Sucuri. Both have full-time security teams, a public disclosure process, and a track record of shipping fixes quickly when a CVE lands.
- WAF + edge protection: Cloudflare in front of the site. It filters the bulk of automated scanning and bot traffic at the edge, before a request ever reaches PHP.
- Forms: Fluent Forms. It’s actively maintained and doesn’t bundle a dozen integrations you’ll never use. WordPress core does not ship a contact-form block, so for a simple one-address contact page a plain mailto: link is the lowest-surface option: no plugin, no upload handler, nothing to patch.
- Sliders: MetaSlider, or just a native Gutenberg gallery block. Most sites that “need” a slider don’t.
- Social feeds: A static embed, or a server-side scheduled job (WP-Cron or the system cron) that pulls the feed, caches it, and renders from the cache. Not a third-party plugin that calls the API from your homepage on every load.
The 15-minute plugin audit
Block off 15 minutes. Open WP Admin → Plugins. Then:
- List every active plugin. Any plugin you can’t immediately explain the purpose of — flag it.
- For each, open its WordPress.org page. Check “Last updated.” Anything older than 6 months is a yellow flag. Older than 12 months is a red flag. Glance at “Tested up to” as well: a plugin nobody has tested against the current major WordPress release is usually a plugin nobody is watching.
- Search WPScan and Patchstack for the plugin name and compare the fixed version against the version you’re running. If there’s an unpatched CVE from the last 90 days, assume it’s already being exploited and treat the plugin as a red flag regardless of its update date.
- Deactivate anything flagged. Wait 48 hours. If nothing breaks, delete it, don’t just deactivate. A deactivated plugin’s PHP files are still on disk under wp-content/plugins, and any file that can execute standalone is still reachable by URL, so the vulnerable code stays exploitable until it’s gone.
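The same four steps can be scripted so the audit runs monthly instead of when someone remembers. The script below is an added example, not AJD’s tooling: it reads the plugin list from WP-CLI (`wp plugin list --format=json`, whose `name`, `status`, `version` and `update` fields are assumed), looks up each plugin’s `last_updated` date from the WordPress.org plugin-info API (date format assumed), applies the 6- and 12-month thresholds, and recommends keep / update / review / replace / delete. The WPScan/Patchstack step stays manual: the set of slugs with an unpatched CVE is passed in by the person running it. The plugin slugs in the sample data are hypothetical.

```python
"""Scripted plugin audit: WP-CLI plugin list + WordPress.org last_updated dates
-> keep / update / review / replace / delete. Added example; assumptions are
marked in comments."""
import json
import subprocess
import urllib.request
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

YELLOW_DAYS = 183   # roughly 6 months: yellow flag
RED_DAYS = 365      # 12 months: red flag


@dataclass
class Finding:
    slug: str
    status: str                        # "active" / "inactive" as WP-CLI reports it
    version: str
    days_since_update: Optional[int]   # None when the plugin is not on WordPress.org
    flag: str                          # "ok", "yellow", "red", "unknown"
    action: str                        # keep / update / review / replace / delete / verify vendor


def parse_last_updated(value: Optional[str]) -> Optional[date]:
    """The plugin-info API reports last_updated like '2023-05-12 3:02pm GMT'
    (format assumed); only the leading YYYY-MM-DD is used."""
    if not value:
        return None
    try:
        return datetime.strptime(value[:10], "%Y-%m-%d").date()
    except ValueError:
        return None


def classify(plugin: dict, info: Optional[dict], today: date,
             unpatched_cve: bool = False) -> Finding:
    """plugin: one entry from `wp plugin list --format=json`.
    info: WordPress.org plugin-info JSON, or None if the lookup failed
    (premium / off-directory plugins). unpatched_cve: result of the manual
    WPScan/Patchstack search; this script does not query either service."""
    slug, status, version = plugin["name"], plugin["status"], plugin["version"]
    # Deactivated code is still on disk and still loadable: the audit says delete it.
    if status == "inactive":
        return Finding(slug, status, version, None, "red", "delete")
    updated = parse_last_updated(info.get("last_updated")) if info else None
    if updated is None:
        return Finding(slug, status, version, None, "unknown", "verify vendor")
    days = (today - updated).days
    if unpatched_cve or days >= RED_DAYS:
        return Finding(slug, status, version, days, "red", "replace")
    if days >= YELLOW_DAYS:
        return Finding(slug, status, version, days, "yellow", "review")
    # WP-CLI sets "update" to "available" when a newer version exists (field assumed).
    action = "update" if plugin.get("update") == "available" else "keep"
    return Finding(slug, status, version, days, "ok", action)


def audit(plugins: list, info_by_slug: dict, today: date,
          cve_slugs: frozenset = frozenset()) -> list:
    """Classify every installed plugin; cve_slugs are the ones the manual
    WPScan/Patchstack search turned up with an unpatched CVE."""
    return [classify(p, info_by_slug.get(p["name"]), today, p["name"] in cve_slugs)
            for p in plugins]


# Live data sources, used only when run as a script on the WordPress host.
def installed_plugins() -> list:
    out = subprocess.run(
        ["wp", "plugin", "list", "--format=json",
         "--fields=name,status,version,update,update_version"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def plugin_info(slug: str) -> Optional[dict]:
    url = f"https://api.wordpress.org/plugins/info/1.0/{slug}.json"
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            data = json.load(resp)
    except Exception:   # 404 for off-directory plugins, network errors, bad JSON
        return None
    return data if isinstance(data, dict) and "last_updated" in data else None


# Constructed sample input (hypothetical slugs) standing in for the two live calls.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_PLUGINS = [
    {"name": "example-forms",        "status": "active",   "version": "5.2.0", "update": "none"},
    {"name": "example-seo",          "status": "active",   "version": "3.0.1", "update": "available"},
    {"name": "example-feed",         "status": "active",   "version": "1.9",   "update": "none"},
    {"name": "example-slider",       "status": "active",   "version": "2.1",   "update": "none"},
    {"name": "example-legacy-forms", "status": "inactive", "version": "1.4",   "update": "none"},
    {"name": "example-premium-kit",  "status": "active",   "version": "4.0",   "update": "none"},
]
SAMPLE_INFO = {
    "example-forms":  {"last_updated": "2025-05-20 9:14am GMT"},
    "example-seo":    {"last_updated": "2025-05-01 1:02pm GMT"},
    "example-feed":   {"last_updated": "2024-10-15 4:45pm GMT"},
    "example-slider": {"last_updated": "2023-03-01 11:30am GMT"},
    # example-premium-kit is not on WordPress.org: no entry, lookup yields None
}

if __name__ == "__main__":
    plugins = installed_plugins()
    infos = {p["name"]: plugin_info(p["name"]) for p in plugins}
    for f in audit(plugins, infos, date.today()):
        print(f"{f.flag:8}{f.action:15}{f.slug} {f.version}  {f.days_since_update}")
```

Run it on the host where WP-CLI is configured; anything that comes back “verify vendor” is a premium or off-directory plugin and needs the vendor check from the list above done by hand. Passing the CVE slugs in explicitly, rather than scraping a vulnerability feed, keeps the 90-day judgement call with the person doing the audit.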
What happens after compromise
Cleanup math is unkind. Professional malware removal runs $1,500-$8,000 per incident depending on how deep the infection went. Add Google blacklist recovery, email-deliverability damage (your domain ends up on spam blocklists), and SEO loss from indexed spam pages. Sites we’ve seen lost 30-60% of organic traffic for 3-6 months after a serious compromise.
A Bergen County client of ours ran into this last spring. They’d inherited a site with an abandoned slider plugin and a “security” plugin from a vendor whose website didn’t resolve. Week 3 of a paid campaign, the homepage started serving Japanese SEO spam. Cleanup took six days. The campaign spend during those six days — gone.
How AJD handles this
Plugin hygiene is part of our Technical Maintenance pillar. Every site we manage gets a monthly plugin audit, a Patchstack/WPScan cross-check, and a Cloudflare-fronted WAF. Plugins past the 6-month threshold get reviewed, replaced, or removed before they become the headline.
Whether you work with us or not, run the 15-minute audit this week. Most sites we look at have at least one plugin that should’ve been removed two years ago.
Want a second set of eyes on your plugin stack? We’ll run the audit, flag the risks, and tell you exactly what to swap — no commitment required.