Hidden Security Risks of WordPress and What You Should Do About It
BY Uri Hoter-Ishay May 10, 2023
0 minute read

Over the last few weeks, there have been multiple instances of security vulnerabilities discovered in WordPress and its plugins, which have affected over a million sites worldwide. These include an exploitable vulnerability in the popular Elementor Pro plugin, an ongoing malware injection campaign known as Balada Injector that's been active since 2017, and a vulnerability found in the All-In-One Security (AIOS) plugin. 

As a WordPress site owner or agency that manages multiple sites, it's essential to understand the potential risks associated with such vulnerabilities and take proactive steps to minimize them, for you and your clients. In this blog post, we'll discuss the hidden security risks of using WordPress and suggest some effective measures that you can take to manage these risks effectively.


The Astonishing Dominance of WordPress - and the Alarming Security Risks It Poses




WordPress is by far the most popular CMS platform on the internet, with over 810 million websites using it - that's a staggering 43% of all websites. But with great popularity comes great risk, and the dominance of WordPress in the market makes it a prime target for hackers and cybercriminals. In fact, WordPress is the most hacked CMS platform on the internet, with hackers actively searching for vulnerabilities in WordPress sites every day.


Digital agencies, which serve dozens or more business customers, need to be especially mindful of the security risks associated with WordPress. While the platform offers many benefits, including its open-source software tools and user-friendly interface, it also presents significant challenges, such as hosting costs, maintenance, and security.

To mitigate the security risks of using WordPress, digital agencies should take a proactive approach to securing their clients' sites. This could involve implementing security plugins, keeping plugins and themes updated, using strong passwords, and regularly backing up site data. By taking these steps, agencies can help to ensure that their clients' WordPress sites are as secure as possible, and avoid the potentially devastating consequences of a hack or data breach.


Spotlight on three recent WordPress security issues

To get a sense of the security risks facing WordPress users, let's take a closer look at three recent incidents that highlight some of the vulnerabilities in the platform.

1. The first incident involves a bug in the Elementor Pro WordPress plugin, which was discovered during March, and reported by Bleeping Computer on March 31, 2023. Security researchers found that the bug could be used by hackers to take over a site completely, particularly when the plugin was installed alongside WooCommerce. Fortunately, the developers of Elementor Pro quickly released a patch for the bug, and users were advised to upgrade to version 3.11.7 or later. The latest version available at the time of writing is 3.12.2.

2. Another recent incident involving WordPress security concerns the Balada Injector malware campaign, which was reported by various sources, including this post in The Hacker News from April 10, 2023. This campaign has been active since 2017 and has infected over 1 million WordPress sites, allowing hackers to gain admin access to servers that host these sites. Once a single site is compromised, hackers can potentially gain access to all other sites hosted on the same server. Researchers consider it an Advanced Persistent Threat (APT) to digital assets, which is one of the worst nightmares of any security manager.

3. The third security issue I want to discuss was reported on April 11, 2023 in the Search Engine Journal, and was related to the All-In-One Security (AIOS) plugin for WordPress. This vulnerability is believed to impact more than 1 million websites. Similar to Balada Injector malware, the exploit allows hackers to gain access to sensitive files and folders on the hosting server, putting website owners' data and privacy at risk. This vulnerability is a significant concern for businesses that host their websites on WordPress. For digital agencies, which may host multiple websites on the same server, this issue poses a broader risk to their entire portfolio.


What makes security in the WordPress model a challenge?


It's crucial to acknowledge that security vulnerabilities most likely do exist in any software system. That's why companies invest in a vast range of security controls, including tools and processes, and hire security experts to mitigate the security risks. As a user of any software tools, it's essential to keep them up to date. Effective patch management is perhaps the most crucial control that you should implement. This applies to operating systems and it holds true for WordPress servers. However, the core model of WordPress poses significant challenges for anyone who builds and maintains WordPress sites, particularly for their security personnel.

WordPress's flexibility is both a strength and a weakness when it comes to security. The ability to add custom themes and plugins provides an enormous amount of flexibility for developers and users. However, this also means that developers of themes or plugins have the ability to alter the server-side code directly, which can increase the risk of introducing security vulnerabilities. One change to a file can compromise the database, the server, and potentially impact other websites on the same server. Additionally, accessing the root folder of a machine running multiple WordPress sites poses a serious security risk.

Patch management in WordPress by itself is a challenge. While the platform can be configured to automatically update itself and plugins, this feature can also be disabled, leaving sites vulnerable to known security threats. Additionally, updating WordPress and its components can sometimes lead to compatibility issues with plugins, themes, and other customizations, which can further complicate the patching process.

If you manage multiple WordPress sites, each of them needs to be updated individually. For large agencies maintaining dozens or hundreds of websites, this could quickly become a significant operational burden.

Lastly, unlike managed services, where a team of experts handles security operations, on-premises WordPress deployments require constant attention to potential threats and vulnerabilities. The agency maintaining the sites must regularly monitor them, assess risks, and apply security updates. If a security breach occurs, the consequences are entirely on the agency to manage.


Cloud-based CMS: A better way to manage security










Managing security risks in a cloud environment, particularly with a software-as-a-service (SaaS) model, can be more cost-effective and efficient. By subscribing to a cloud-based CMS, you are essentially transferring the risk management responsibility to the provider. This is where Duda comes into play. Unlike many other providers, Duda was specifically designed from the ground up to cater to the needs of digital agencies - Its platform was built for scale and efficiency, making it a great candidate for agencies in all sizes. Below we will discuss the security advantages of using Duda over WordPress.


  • The isolated cloud environment provided by Duda is a key advantage when it comes to security, no one (including Duda personnel without specific permissions) can execute code on Duda's servers. This is a fundamental security control that helps mitigate the risk of Remote Code Execution (RCE) attacks.



  • Duda's system undergoes routine updates, multiple times a day (utilizing fully automated CI/CD processes). With our established processes and expertise, we can address critical vulnerabilities as soon as they become public knowledge. For example, when the Log4Shell zero-day vulnerability was made public in December 2021, we were able to quickly apply the necessary patches to mitigate any potential risks.



  • One of the advantages of Duda is that it owns its entire code-base, allowing for complete control over its security measures. Duda routinely updates its dashboard and editor-shell, templates and widgets, as well as the runtime environment in which hosted sites are rendered. Additionally, any third-party components used are vet based on formal privacy and security assessments, and once integrated are thoroughly tested and updated on an ongoing basis to meet Duda's security requirements, ensuring that the platform remains secure.



  • In addition to the above, Duda invests in other areas of security, such as protection against DDoS attacks, computing scalability, multiple-zone availability, backup and recovery mechanisms, and many others. These measures ensure that Duda's platform remains secure and available, even in the face of potential attacks or other unforeseen events.


What about Duda’s App Store and app providers? How do we assure security there? Duda's approach to app integration is fundamentally different from WordPress's plugins. Apps do not directly install source code onto Duda's servers. Instead, they have access to structured, scoped, and secured APIs that limit the potential for malicious activity.

While apps can install JS code onto websites, this is a known zone where no sensitive information should be stored. In the event of any malicious activity, Duda can quickly remove the code across all sites. Additionally, we treat app providers like any other third-party software provider and use a similar process to assess their privacy and security maturity.



Duda app store

Summary: Should you move to a cloud-based CMS?


At the end of the day, cybersecurity is all about managing cyber risks to your digital assets and reducing them to an acceptable level. As a digital agency owner or employee, the websites you host and maintain for your clients are likely among your most sensitive assets.

While WordPress is an excellent environment for building websites and offers a vast array of ready-made components, such as themes and plugins, its security risks may not be worth it for your business. If that's the case, you should consider transitioning to a cloud-based CMS like Duda, which offers superior security measures, including isolated cloud environments, routine updates, and 3rd-party component testing, to protect your assets from potential cyber threats.

Did you find this article interesting?


Thanks for the feedback!
A picture of an eye with the words duda x audioeye on it

5 tips for creating a more accessible eCommerce experience

By Scotty Strehlow May 13, 2025
Learn 5 key tips to improve web accessibility, including alt text, color contrast, keyboard navigation, descriptive links, and usable forms, ensuring an inclusive shopping experience for all.
A graph showing the Core Web Vitals technology report

We just broke our industry-leading Core Web Vitals record - 82%! Our latest technical improvements explained.

By Ronny Shapiro May 13, 2025
Duda just broke its Core Web Vitals record—82% of sites now pass all metrics. Discover the latest performance optimizations, including smarter caching and bfcache support.
An image of an office space website being generated by Duda's AI website builder

AI website builders reimagined for professionals

By Renana Dar May 12, 2025
Most AI website builders prioritize speed and simplicity but fall short on flexibility and control. This blog explores how a professional-grade approach to AI site building meets the needs of agencies and teams building at scale.
Show More

Latest posts