Hidden Security Risks of WordPress and What You Should Do About It

May 10, 2023
0 minute read

Over the last few weeks, there have been multiple instances of security vulnerabilities discovered in WordPress and its plugins, which have affected over a million sites worldwide. These include an exploitable vulnerability in the popular Elementor Pro plugin, an ongoing malware injection campaign known as Balada Injector that's been active since 2017, and a vulnerability found in the All-In-One Security (AIOS) plugin. 

As a WordPress site owner or agency that manages multiple sites, it's essential to understand the potential risks associated with such vulnerabilities and take proactive steps to minimize them, for you and your clients. In this blog post, we'll discuss the hidden security risks of using WordPress and suggest some effective measures that you can take to manage these risks effectively.


The Astonishing Dominance of WordPress - and the Alarming Security Risks It Poses




WordPress is by far the most popular CMS platform on the internet, with over 810 million websites using it - that's a staggering 43% of all websites. But with great popularity comes great risk, and the dominance of WordPress in the market makes it a prime target for hackers and cybercriminals. In fact, WordPress is the most hacked CMS platform on the internet, with hackers actively searching for vulnerabilities in WordPress sites every day.


Digital agencies, which serve dozens or more business customers, need to be especially mindful of the security risks associated with WordPress. While the platform offers many benefits, including its open-source software tools and user-friendly interface, it also presents significant challenges, such as hosting costs, maintenance, and security.

To mitigate the security risks of using WordPress, digital agencies should take a proactive approach to securing their clients' sites. This could involve implementing security plugins, keeping plugins and themes updated, using strong passwords, and regularly backing up site data. By taking these steps, agencies can help to ensure that their clients' WordPress sites are as secure as possible, and avoid the potentially devastating consequences of a hack or data breach.


Spotlight on three recent WordPress security issues

To get a sense of the security risks facing WordPress users, let's take a closer look at three recent incidents that highlight some of the vulnerabilities in the platform.

1. The first incident involves a bug in the Elementor Pro WordPress plugin, which was discovered during March, and reported by Bleeping Computer on March 31, 2023. Security researchers found that the bug could be used by hackers to take over a site completely, particularly when the plugin was installed alongside WooCommerce. Fortunately, the developers of Elementor Pro quickly released a patch for the bug, and users were advised to upgrade to version 3.11.7 or later. The latest version available at the time of writing is 3.12.2.

2. Another recent incident involving WordPress security concerns the Balada Injector malware campaign, which was reported by various sources, including this post in The Hacker News from April 10, 2023. This campaign has been active since 2017 and has infected over 1 million WordPress sites, allowing hackers to gain admin access to servers that host these sites. Once a single site is compromised, hackers can potentially gain access to all other sites hosted on the same server. Researchers consider it an Advanced Persistent Threat (APT) to digital assets, which is one of the worst nightmares of any security manager.

3. The third security issue I want to discuss was reported on April 11, 2023 in the Search Engine Journal, and was related to the All-In-One Security (AIOS) plugin for WordPress. This vulnerability is believed to impact more than 1 million websites. Similar to Balada Injector malware, the exploit allows hackers to gain access to sensitive files and folders on the hosting server, putting website owners' data and privacy at risk. This vulnerability is a significant concern for businesses that host their websites on WordPress. For digital agencies, which may host multiple websites on the same server, this issue poses a broader risk to their entire portfolio.


What makes security in the WordPress model a challenge?


It's crucial to acknowledge that security vulnerabilities most likely do exist in any software system. That's why companies invest in a vast range of security controls, including tools and processes, and hire security experts to mitigate the security risks. As a user of any software tools, it's essential to keep them up to date. Effective patch management is perhaps the most crucial control that you should implement. This applies to operating systems and it holds true for WordPress servers. However, the core model of WordPress poses significant challenges for anyone who builds and maintains WordPress sites, particularly for their security personnel.

WordPress's flexibility is both a strength and a weakness when it comes to security. The ability to add custom themes and plugins provides an enormous amount of flexibility for developers and users. However, this also means that developers of themes or plugins have the ability to alter the server-side code directly, which can increase the risk of introducing security vulnerabilities. One change to a file can compromise the database, the server, and potentially impact other websites on the same server. Additionally, accessing the root folder of a machine running multiple WordPress sites poses a serious security risk.

Patch management in WordPress by itself is a challenge. While the platform can be configured to automatically update itself and plugins, this feature can also be disabled, leaving sites vulnerable to known security threats. Additionally, updating WordPress and its components can sometimes lead to compatibility issues with plugins, themes, and other customizations, which can further complicate the patching process.

If you manage multiple WordPress sites, each of them needs to be updated individually. For large agencies maintaining dozens or hundreds of websites, this could quickly become a significant operational burden.

Lastly, unlike managed services, where a team of experts handles security operations, on-premises WordPress deployments require constant attention to potential threats and vulnerabilities. The agency maintaining the sites must regularly monitor them, assess risks, and apply security updates. If a security breach occurs, the consequences are entirely on the agency to manage.


Cloud-based CMS: A better way to manage security










Managing security risks in a cloud environment, particularly with a software-as-a-service (SaaS) model, can be more cost-effective and efficient. By subscribing to a cloud-based CMS, you are essentially transferring the risk management responsibility to the provider. This is where Duda comes into play. Unlike many other providers, Duda was specifically designed from the ground up to cater to the needs of digital agencies - Its platform was built for scale and efficiency, making it a great candidate for agencies in all sizes. Below we will discuss the security advantages of using Duda over WordPress.


  • The isolated cloud environment provided by Duda is a key advantage when it comes to security, no one (including Duda personnel without specific permissions) can execute code on Duda's servers. This is a fundamental security control that helps mitigate the risk of Remote Code Execution (RCE) attacks.



  • Duda's system undergoes routine updates, multiple times a day (utilizing fully automated CI/CD processes). With our established processes and expertise, we can address critical vulnerabilities as soon as they become public knowledge. For example, when the Log4Shell zero-day vulnerability was made public in December 2021, we were able to quickly apply the necessary patches to mitigate any potential risks.



  • One of the advantages of Duda is that it owns its entire code-base, allowing for complete control over its security measures. Duda routinely updates its dashboard and editor-shell, templates and widgets, as well as the runtime environment in which hosted sites are rendered. Additionally, any third-party components used are vet based on formal privacy and security assessments, and once integrated are thoroughly tested and updated on an ongoing basis to meet Duda's security requirements, ensuring that the platform remains secure.



  • In addition to the above, Duda invests in other areas of security, such as protection against DDoS attacks, computing scalability, multiple-zone availability, backup and recovery mechanisms, and many others. These measures ensure that Duda's platform remains secure and available, even in the face of potential attacks or other unforeseen events.


What about Duda’s App Store and app providers? How do we assure security there? Duda's approach to app integration is fundamentally different from WordPress's plugins. Apps do not directly install source code onto Duda's servers. Instead, they have access to structured, scoped, and secured APIs that limit the potential for malicious activity.

While apps can install JS code onto websites, this is a known zone where no sensitive information should be stored. In the event of any malicious activity, Duda can quickly remove the code across all sites. Additionally, we treat app providers like any other third-party software provider and use a similar process to assess their privacy and security maturity.



Duda app store

Summary: Should you move to a cloud-based CMS?


At the end of the day, cybersecurity is all about managing cyber risks to your digital assets and reducing them to an acceptable level. As a digital agency owner or employee, the websites you host and maintain for your clients are likely among your most sensitive assets.

While WordPress is an excellent environment for building websites and offers a vast array of ready-made components, such as themes and plugins, its security risks may not be worth it for your business. If that's the case, you should consider transitioning to a cloud-based CMS like Duda, which offers superior security measures, including isolated cloud environments, routine updates, and 3rd-party component testing, to protect your assets from potential cyber threats.


Did you find this article interesting?


Thanks for the feedback!
A screenshot of a plumber's website with a
By Renana Dar May 5, 2025
Many SMBs still hesitate to embrace eCommerce. As the agency partner, you have the opportunity to tear down the perceived walls of eCommerce and show clients how eCommerce can make their business more efficient, accessible, and profitable. Read all about it!
A computer screen with a graph on it and a purple background.
By Santi Clarke April 24, 2025
Learn how platform ecosystems drive revenue and why they are essential for the growth of SaaS businesses.
By Santi Clarke April 24, 2025
One of the greatest challenges for SaaS platforms is keeping users engaged long-term. The term “stickiness” refers to a product's ability to retain users and make them want to return. In the context of SaaS platforms, creating a sticky product means that users consistently find value, experience seamless interactions, and continue using the product over time. The following are 7 practical strategies you can take to improve the stickiness of your SaaS solution. 1. Offer websites that help customers build their digital presence One of the most effective ways to make your SaaS platform sticky is by offering websites to your users. Many businesses today need an online presence, and by providing a platform where your customers can easily build and manage their websites, you increase their reliance on your product. When you offer users a website-building solution, you’re helping them create something foundational to their business. Websites, in this case, aren’t just a tool—they become a part of their identity and brand. This deepens their engagement with your platform, as they need your product to maintain and update their site, ultimately making them less likely to churn. Plus, websites naturally encourage frequent updates, content creation, and customer interactions, which means your users will return to your platform regularly. When you can give your users the tools to create something so essential to their business, you make them more dependent on your platform. This creates a higher barrier to exit, as migrating a fully built website to another service is no small task. In fact, websites are some of the stickiest products you can sell, so adding them to your product portfolio can be one of the best decisions you can to keep your customers using your technology for the long haul. 2. Deliver continuous value through product innovation The key to keeping users coming back to your SaaS platform is ensuring that they consistently see value in it. This means not only meeting their immediate needs but also evolving to address their growing demands. Constant product innovation is essential for keeping your users satisfied and invested in your platform. One way to achieve this is through regular updates that add new features or improvements based on user feedback. A SaaS platform that evolves with its users will keep them engaged longer, making it harder for competitors to steal their attention. Encourage user feedback and prioritize updates that create tangible improvements. This creates an ongoing relationship with your users, which boosts stickiness. 3. Offer a multi-product solution Another powerful way to increase your platform’s stickiness is by offering a suite of products or features that integrate well together. When your users adopt multiple products, they are more likely to stay because they become embedded in your ecosystem. The benefits of this strategy are clear. Research shows that once users adopt more than one product, especially when they integrate >4 tools into their workflow, their likelihood of churn decreases significantly. This happens because the more a user integrates into your suite of products, the harder it is for them to switch to a competitor. These users have invested time in learning your ecosystem and rely on it for their day-to-day operations, making it much harder for them to make the switch. 4. Create a personal connection with your users Human connection is one of the most powerful drivers of user retention. People don’t want to feel like they’re using a cold, faceless platform. By offering exceptional customer support, personalized communication, and community engagement, you build a relationship with your users that goes beyond the product itself. Make sure your support team is responsive, knowledgeable, and empathetic. You can also consider offering tailored onboarding experiences to ensure users understand how to make the most of your platform. When users feel like their success matters to you, they are more likely to remain loyal. 5. Leverage data to personalize the user experience Using data to drive personalization is another strategy that can significantly increase the stickiness of your platform. By tracking user behavior and usage patterns, you can tailor the experience to each individual user’s needs. This could mean recommending features they haven’t yet explored or sending them reminders about tools they may not be fully utilizing. Personalization gives users the feeling that the platform was designed specifically for them, making it harder to walk away from. By demonstrating that you understand their unique needs, you can build a stronger connection and ultimately increase retention rates. 6. Focus on seamless integrations and API capabilities To further increase stickiness, consider expanding your product’s ability to integrate with other tools your users already rely on. Whether it’s email marketing software, CRM systems, or social media management tools, seamless integrations add tremendous value by making it easier for users to incorporate your platform into their existing workflows. The more your product can work in tandem with other popular tools, the more indispensable it becomes. In fact, users who depend on integrations are less likely to churn since their entire ecosystem is tied to your platform’s functionality. 7. Encourage user advocacy and community building User advocacy is another powerful tool in building a sticky product. When users feel a sense of community or even ownership over the platform, they become your most passionate promoters. Encourage your users to share their success stories, join community forums, or contribute to product development through beta testing or feedback loops. A thriving user community not only increases user engagement but also creates a sense of loyalty. When users are part of something larger than themselves, they are more likely to remain committed to your platform, reducing churn and increasing lifetime value. Create deep, lasting customer relationships Making your SaaS platform sticky is all about creating a deep, lasting connection with your users. This requires building a platform that continuously delivers value, creating a seamless and personalized experience, and integrating features that keep users coming back. By focusing on product innovation, offering a multi-product ecosystem, and fostering strong user relationships, you’ll be well on your way to reducing churn and boosting user retention. Stickiness isn’t just a nice-to-have; it’s essential for long-term success. Focus on creating a platform that users can’t imagine living without, and you’ll see them stick around for the long haul.
Show More

Latest posts