The Importance Of Regular WP Maintenance And My New Project
Hey hey!
It's been a while since I last posted here.
I spent a lovely two weeks on vacation, but was also pretty busy with various cleanups and my own new project.
Today, I'd like to discuss the importance of WP maintenance, and also introduce what I've been working on part-time over the last couple of months.
A little quiz on WP security
Do you know how many vulnerabilities have been discovered in WordPress, themes, and plugins over the last 20 years?
The answer is almost 30k, or roughly 4 new vulnerabilities per day!
What's more, the pace of discoveries keeps accelerating, tracking the growth of WordPress itself and of the themes and plugins built for it.
If you take a look at the last page of Wordfence's vulnerability database, you can see around 30 vulnerabilities disclosed in the 2003-2006 period, or roughly 1 vulnerability per month.
However, if you start from page 1, you can see that most working days bring at least a few new vulnerabilities, and it's not uncommon to see 10-20 new vulnerabilities disclosed in a single day.
WP vulnerabilities and your website
The vulnerability count is growing by the day, and so is the number of malicious actors and attacks.
Computing power keeps getting cheaper and more abundant, and with the rise of AI and automation on top of that, the risk of your website getting hacked increases by the day.
In the past, getting hacked was almost a privilege reserved for high-profile websites, typically ones with payment processing or other assets worth a serious investment of time, resources, and technical skill.
Today, countless bots and automated scripts crawl the web nonstop, finding vulnerabilities and breaking into websites, and defer the decision about what to do with each foothold until later.
With so many victims to choose from, the malicious actors eventually invest more time in the ones worth exploiting, leaving the other websites infected, often broken, and/or saddled with severe SEO, marketing, and sometimes even legal penalties.
Keeping your WP website updated closes the door on the less skilled attackers, who rely on known vulnerabilities that already have a patch available, and that alone reduces your risk considerably.
Why do people avoid updating their websites regularly?
The sooner you apply an update after it's released, the better the chance that it goes through without a hitch.
However, in my experience, a ton of WP owners, especially those running a small business, fail to update in a prompt manner.
For the most part, the reason is simply neglect.
After all, why would you update something that seemingly works fine?
And as we discussed above, that's the mindset that makes you an easy target in today's cyberspace.
As time goes by, more and more updates pile up, increasing the chances of compatibility issues and broken websites after updating, and, of course, the security risk in the meantime.
That's why I always recommend regular updates and maintenance: they prevent security issues and keep the updates themselves small and low-risk, even when performed by non-technical staff.
A simple demonstration of today's capabilities and the importance of regular maintenance
Remember from above about my new project?
From April to July, I tried to cover the most severe and widespread new vulnerabilities on this website, and additionally reached out to as many website owners as I could find, notifying them of the immediate risks via email.
The result? Less than a 1% reply rate, and a few "thanks" and "I appreciate you" here and there.
If you ask me, this deeply disturbing statistic shows how bad security awareness is among WP owners.
The solution? I've decided to invest some time in a demonstration of how bad this situation is. So here's what I did:
I rented an RDP server with moderate specs and a good internet connection, and wrote a simple script that does the following:
- Scan a predefined list of domains
- Find and save any domains linked from each of those domains (to slowly but surely grow the domain database)
- Check whether the domain runs WP, and if it does, which theme and plugins are active there
- Rinse and repeat
In just a bit over a month, the script and the $25/month server managed to find more than 100 million domains, out of which more than 15 million turned out to be built with WordPress.
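To make the fingerprinting step concrete, here is an added example written for this post; it is not the TLDWP script itself, and nothing about it describes how TLDWP works internally. It runs offline over a constructed HTML page instead of fetching anything, the plugin slugs, versions and advisory entries in it are invented (named `acme-*` and `EXAMPLE-*`), and the matching rule (compare the `?ver=` query string of an enqueued asset against an advisory's "fixed in" version) is one reasonable approach among several. What it shows is how little is needed to go from a page's HTML to a theme, a plugin inventory, a list of new domains to crawl, and a first guess at exposure:

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not a real site). This is the shape of a WordPress
# front page once the theme and plugins have enqueued their assets.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 6.6.2" />
<link rel="stylesheet" href="https://shop.example.test/wp-content/themes/acme-theme/style.css" />
<link rel="stylesheet" href="https://shop.example.test/wp-content/plugins/acme-sso-client/css/login.css?ver=2.9.1" />
<script src="https://shop.example.test/wp-content/plugins/acme-affiliate/assets/js/tracking.js?ver=2.28.0"></script>
<script src="https://shop.example.test/wp-content/plugins/acme-newsletter/js/form.js"></script>
<script src="https://shop.example.test/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body>
<a href="https://partner.example.test/deals">Partner</a>
<a href="http://blog.example.test/">Blog</a>
<a href="/about">About</a>
<a href="mailto:info@shop.example.test">Mail</a>
</body></html>
"""

# Theme and plugin assets live under /wp-content/{themes,plugins}/<slug>/...;
# the slug is the directory name, and most plugins append their own version as ?ver=.
WP_ASSET = re.compile(r"/wp-content/(themes|plugins)/([a-z0-9][a-z0-9._-]*)/[^\s\"'>]*", re.I)
VER_PARAM = re.compile(r"[?&]ver=([0-9][0-9A-Za-z.+-]*)")
GENERATOR = re.compile(r'<meta[^>]+name=["\']generator["\'][^>]+content=["\']WordPress(?: ([0-9.]+))?', re.I)
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.I)


def fingerprint(html):
    """Detect WordPress and inventory theme/plugin slugs with the version seen in ?ver= (None if absent)."""
    result = {"wordpress": False, "core_version": None, "themes": {}, "plugins": {}}
    gen = GENERATOR.search(html)
    if gen:
        result["wordpress"] = True
        result["core_version"] = gen.group(1)
    for m in WP_ASSET.finditer(html):
        bucket = result[m.group(1).lower()]
        slug = m.group(2).lower()
        bucket.setdefault(slug, None)
        ver = VER_PARAM.search(m.group(0))
        if ver and bucket[slug] is None:  # keep the first version string seen for a slug
            bucket[slug] = ver.group(1)
    # Asset paths alone are enough to call it WordPress even when the generator tag is removed.
    if result["themes"] or result["plugins"] or "/wp-includes/" in html:
        result["wordpress"] = True
    return result


def linked_domains(html, origin_host):
    """Hosts linked from the page other than the page's own host: the seeds for the next crawl round."""
    hosts = set()
    for href in HREF.findall(html):
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue  # relative links, mailto:, javascript: etc. yield no new domain
        if parsed.hostname.lower() != origin_host.lower():
            hosts.add(parsed.hostname.lower())
    return sorted(hosts)


def version_tuple(v):
    """'2.9.1' -> (2, 9, 1); non-numeric parts (rc, beta) count as 0 so comparisons stay total."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.+-]", v))


# Constructed, hypothetical advisory entries in the shape a vulnerability feed provides.
# The slugs, versions and ids are invented and describe no real plugin or theme.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "type": "plugins", "slug": "acme-sso-client", "fixed_in": "3.1.0"},
    {"id": "EXAMPLE-0002", "type": "plugins", "slug": "acme-affiliate", "fixed_in": "2.28.0"},
    {"id": "EXAMPLE-0003", "type": "themes", "slug": "acme-theme", "fixed_in": "1.4.2"},
]


def match_advisories(fp, advisories=ADVISORIES):
    """Cross the inventory with the advisory list. A component without a readable version is
    reported as 'unknown' rather than dropped: from outside you cannot tell whether it is patched."""
    hits = []
    for adv in advisories:
        bucket = fp[adv["type"]]
        if adv["slug"] not in bucket:
            continue
        ver = bucket[adv["slug"]]
        if ver is None:
            status = "unknown"
        elif version_tuple(ver) < version_tuple(adv["fixed_in"]):
            status = "vulnerable"
        else:
            status = "patched"
        hits.append({"id": adv["id"], "slug": adv["slug"], "version": ver, "status": status})
    return hits


if __name__ == "__main__":
    fp = fingerprint(SAMPLE_HTML)
    print("WordPress:", fp["wordpress"], fp["core_version"])
    print("Themes:", fp["themes"])
    print("Plugins:", fp["plugins"])
    print("New domains to crawl:", linked_domains(SAMPLE_HTML, "shop.example.test"))
    for hit in match_advisories(fp):
        print(f"{hit['id']}: {hit['slug']} {hit['version']} -> {hit['status']}")
```

Two caveats matter when reading numbers produced this way. Only plugins that enqueue an asset on the fetched page show up, so a count like "more than 1000 sites running this plugin" is a lower bound, not a census. And the `?ver=` parameter is a hint, not proof: many plugins put their own version there, but some use the WordPress core version or a cache-busting hash, which is why the example keeps an "unknown" status instead of guessing. Fetching public pages at a polite rate is passive reconnaissance; anything beyond that against a site you do not own needs authorization.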
TLDWP - your source for WP stats
The project is still in its early stages, but the plan is to eventually add the most popular plugins and themes per category, as well as to tie the vulnerability databases with the site, showing the risks and the number of affected websites in nearly real time.
For now, I will give you just a couple of tiny examples:
On October 3rd, 2025, a critical vulnerability was disclosed in the "OAuth Single Sign On – SSO (OAuth Client)" plugin. It carries a score of 9.8 / 10 and is tracked as CVE-2025-9485.
According to my project, TLDWP, anyone with basic programming knowledge (or an AI assistant) and $25 per month to spare on an average RDP server can instantly find more than 1000 WP websites running this plugin.
Once a vulnerability is public and you know which websites are likely to be running it unpatched, exploitation becomes an easy gig for anyone with the not-so-ethical motivation.
Here's another example, with a much larger potential impact (do note that examples like this pop up pretty much weekly, if not more often):
On September 29, 2025, CVE-2025-8877 was publicly disclosed.
The vulnerability was rated high severity, with a score of 7.5 / 10.
This vulnerability affected websites running the premium plugin called AffiliateWP, and according to my little project, at least 16k domains were affected.
These are just a few quick examples from this month. If we go back just one month, to September 2025, we can see even more severe examples, such as CVE-2025-9816, which potentially affected at least 95k domains.
Final Words
Hopefully I was able to make you rethink your WP maintenance strategy or at least seek professional help.
Nowadays, it's easier than ever for attackers to gather intel quickly and come up with both highly targeted and spray-and-pray strategies.
Failing to invest some time in regular WP maintenance may make you a victim far more easily than you have considered so far.