Hidden Security Risks of WordPress and What You Should Do About It

May 10, 2023

Over the last few weeks, there have been multiple instances of security vulnerabilities discovered in WordPress and its plugins, which have affected over a million sites worldwide. These include an exploitable vulnerability in the popular Elementor Pro plugin, an ongoing malware injection campaign known as Balada Injector that's been active since 2017, and a vulnerability found in the All-In-One Security (AIOS) plugin. 

As a WordPress site owner or agency that manages multiple sites, it's essential to understand the potential risks associated with such vulnerabilities and take proactive steps to minimize them, for you and your clients. In this blog post, we'll discuss the hidden security risks of using WordPress and suggest some effective measures that you can take to manage these risks effectively.


The Astonishing Dominance of WordPress - and the Alarming Security Risks It Poses




WordPress is by far the most popular CMS on the internet: over 810 million websites run it, roughly 43% of all websites. That dominance is exactly what makes it a prime target. A single exploitable bug in a widely installed plugin reaches hundreds of thousands of sites at once, and attackers scan the public internet continuously for precisely those bugs. As a result, WordPress is the most frequently compromised CMS, and most of those compromises come through third-party plugins and themes rather than through WordPress core.


Digital agencies, which serve dozens or more business customers, need to be especially mindful of the security risks associated with WordPress. While the platform offers many benefits, including its open-source ecosystem and user-friendly interface, it also brings significant challenges, such as hosting costs, maintenance, and security.

To mitigate these risks, digital agencies should take a proactive approach to securing their clients' sites: implementing security plugins, keeping WordPress core, plugins and themes updated, using strong, unique passwords, and regularly backing up site data. By taking these steps, agencies can keep their clients' WordPress sites as secure as possible and avoid the potentially devastating consequences of a hack or data breach.


Spotlight on three recent WordPress security issues

To get a sense of the security risks facing WordPress users, let's take a closer look at three recent incidents that highlight some of the vulnerabilities in the platform.

1. The first incident involves a vulnerability in the Elementor Pro WordPress plugin, discovered in March 2023 and reported by Bleeping Computer on March 31, 2023. Security researchers found that it could be used to take over a site completely, particularly when the plugin was installed alongside WooCommerce. Fortunately, the Elementor Pro developers released a patch quickly, and users were advised to upgrade to version 3.11.7 or later. The latest version available at the time of writing is 3.12.2.

2. Another recent incident concerns the Balada Injector malware campaign, reported by various sources including this post in The Hacker News from April 10, 2023. The campaign has been active since 2017 and has infected over 1 million WordPress sites. It exploits known vulnerabilities in plugins and themes to plant backdoors and gain administrative control, and once a single site is compromised the attackers use that foothold to reach other sites hosted on the same server (cross-site contamination). Researchers have described it as an Advanced Persistent Threat (APT) to digital assets, and a long-lived campaign of this kind is one of the worst nightmares of any security manager.

3. The third issue, reported on April 11, 2023 in the Search Engine Journal, relates to the All-In-One Security (AIOS) plugin for WordPress and is believed to affect more than 1 million websites. As with Balada Injector, the vulnerability lets attackers reach sensitive files and folders on the hosting server, putting site owners' data and privacy at risk. This is a significant concern for any business that hosts its website on WordPress, and for digital agencies that host multiple websites on the same server the exposure extends to the whole portfolio.


What makes security in the WordPress model a challenge?


It's crucial to acknowledge that security vulnerabilities exist in any software system. That is why companies invest in a wide range of security controls, tools and processes, and hire security experts to mitigate the resulting risk. As a user of any software, keeping it up to date is essential; effective patch management is perhaps the single most important control you can implement, for operating systems and for WordPress servers alike. However, the core model of WordPress makes this hard for anyone who builds and maintains WordPress sites, and especially for the people responsible for their security.

WordPress's flexibility is both a strength and a weakness when it comes to security. Custom themes and plugins give developers and users enormous freedom, but a theme or plugin is server-side PHP that runs with the full privileges of the site: its code can read the database credentials in wp-config.php, write to the document root, and execute arbitrary commands on the host. One bad file, whether an honest bug or a planted backdoor, can compromise the database, the server, and on a shared host every other site that runs under the same operating-system user. Giving anything (a plugin, a contractor, an admin session) write access to the root folder of a machine that serves multiple WordPress sites is therefore a serious risk.

Patch management in WordPress is itself a challenge. The platform can be configured to update itself and its plugins automatically, but that feature can also be disabled, which leaves sites exposed to known vulnerabilities. Updates can also break compatibility with plugins, themes, and other customizations, which further complicates patching.

If you manage multiple WordPress sites, each one needs to be updated and verified individually. For a large agency maintaining dozens or hundreds of websites, that quickly becomes a significant operational burden.
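The fleet audit described above can be scripted. The following is an added example, not code from the original post or from Duda; it assumes WP-CLI is installed as `wp` on the host, that `SITES` lists the document roots the agency manages (the paths are assumed), and it embeds constructed sample JSON in the shape of `wp plugin list --format=json` and `wp config list --format=json` so the checking logic runs offline. It flags pending plugin updates, plugins left installed but inactive (their PHP files are still on disk), plugins excluded from auto-update, and a wp-config.php that has not disabled the dashboard file editor.

```python
"""Fleet patch audit for self-hosted WordPress sites.

Added example (not from the original post). It assumes WP-CLI is installed
as `wp` and that SITES lists the document roots you manage; those paths and
the sample JSON below are constructed for illustration.
"""
import json
import subprocess
from dataclasses import dataclass

SITES = ["/var/www/client-a", "/var/www/client-b"]  # assumed site roots

# Constants a hardened wp-config.php should set to true. DISALLOW_FILE_EDIT
# removes the dashboard theme/plugin editor, which otherwise lets any admin
# session (or an attacker holding one) write PHP straight into the site root.
REQUIRED_TRUE = ("DISALLOW_FILE_EDIT",)


@dataclass
class Finding:
    site: str
    severity: str   # "high" | "medium" | "low"
    message: str
    fix: str        # the WP-CLI command that remediates it


def wp_json(site: str, *args: str) -> list:
    """Run one WP-CLI command against a site root and parse its JSON output."""
    cmd = ["wp", f"--path={site}", *args, "--format=json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit_plugins(site: str, plugins: list) -> list:
    """Flag pending updates, dormant code, and plugins excluded from auto-update.

    `plugins` has the shape of `wp plugin list --format=json`.
    """
    findings = []
    for p in plugins:
        name = p["name"]
        if p.get("update") == "available":
            findings.append(Finding(
                site, "high",
                f"{name} {p['version']} has update {p.get('update_version')} pending",
                f"wp --path={site} plugin update {name}"))
        if p.get("status") == "inactive":
            # Inactive plugins are still on disk; their PHP files remain reachable.
            findings.append(Finding(
                site, "medium", f"{name} is installed but inactive",
                f"wp --path={site} plugin delete {name}"))
        elif p.get("auto_update") == "off":
            findings.append(Finding(
                site, "low", f"{name} has auto-update disabled",
                f"wp --path={site} plugin auto-updates enable {name}"))
    return findings


def audit_config(site: str, config: list) -> list:
    """Check wp-config.php constants; `config` has the shape of `wp config list`."""
    consts = {c["name"]: str(c["value"]) for c in config if c.get("type") == "constant"}
    findings = []
    for name in REQUIRED_TRUE:
        if consts.get(name) not in ("1", "true"):
            findings.append(Finding(
                site, "high", f"{name} is not set to true",
                f"wp --path={site} config set {name} true --raw"))
    # Core auto-updates default to minor releases; flag only an explicit opt-out.
    if "WP_AUTO_UPDATE_CORE" in consts and consts["WP_AUTO_UPDATE_CORE"] in ("", "0", "false"):
        findings.append(Finding(
            site, "medium", "WP_AUTO_UPDATE_CORE is explicitly false",
            f"wp --path={site} config set WP_AUTO_UPDATE_CORE minor"))
    return findings


def audit_site(site: str, plugins=None, config=None) -> list:
    """Audit one site; fetch live data via WP-CLI when samples are not supplied."""
    plugins = plugins if plugins is not None else wp_json(site, "plugin", "list")
    config = config if config is not None else wp_json(site, "config", "list")
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(audit_plugins(site, plugins) + audit_config(site, config),
                  key=lambda f: order[f.severity])


# Constructed sample output mirroring WP-CLI's JSON (not captured from a real site).
SAMPLE_PLUGINS = json.loads("""[
  {"name": "elementor-pro", "status": "active", "update": "available",
   "version": "3.11.6", "update_version": "3.11.7", "auto_update": "off"},
  {"name": "woocommerce", "status": "active", "update": "none",
   "version": "7.5.1", "update_version": null, "auto_update": "on"},
  {"name": "hello", "status": "inactive", "update": "none",
   "version": "1.7.2", "update_version": null, "auto_update": "off"}
]""")
SAMPLE_CONFIG = json.loads("""[
  {"name": "DB_NAME", "value": "wp_client_a", "type": "constant"},
  {"name": "WP_AUTO_UPDATE_CORE", "value": "", "type": "constant"},
  {"name": "table_prefix", "value": "wp_", "type": "variable"}
]""")

if __name__ == "__main__":
    # Pass None instead of the samples to audit the live sites listed in SITES.
    for f in audit_site(SITES[0], SAMPLE_PLUGINS, SAMPLE_CONFIG):
        print(f"[{f.severity}] {f.site}: {f.message}\n    fix: {f.fix}")
```

Run it from cron across every path in `SITES` and feed the `fix` commands to a change-controlled job rather than executing them blindly: as the text notes, an update can break a theme or customization, so stage it on a copy first. The script deliberately does not set DISALLOW_FILE_MODS, which also blocks dashboard updates and only makes sense where updates are pushed from a deployment pipeline.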

Lastly, unlike a managed service, where a team of experts runs security operations, a self-hosted WordPress deployment needs constant attention to threats and vulnerabilities. The agency maintaining the sites must monitor them, assess risk, and apply security updates on its own, and if a breach occurs the consequences are entirely the agency's to manage.


Cloud-based CMS: A better way to manage security

Managing security risk in a cloud environment, particularly under a software-as-a-service (SaaS) model, can be more cost-effective and efficient: by subscribing to a cloud-based CMS you transfer much of the risk-management responsibility to the provider. This is where Duda comes in. Unlike many other providers, Duda was designed from the ground up for digital agencies; its platform was built for scale and efficiency, which makes it a strong candidate for agencies of all sizes. Below we discuss the security advantages of Duda over WordPress.


  • Duda's isolated cloud environment is a key advantage: customer and app code never executes on Duda's servers, and Duda personnel cannot execute code there without specific permissions. This is a fundamental control against Remote Code Execution (RCE), the class of attack that a vulnerable or malicious plugin enables on a self-hosted WordPress server.



  • Duda's system undergoes routine updates, multiple times a day (utilizing fully automated CI/CD processes). With our established processes and expertise, we can address critical vulnerabilities as soon as they become public knowledge. For example, when the Log4Shell zero-day vulnerability was made public in December 2021, we were able to quickly apply the necessary patches to mitigate any potential risks.



  • One of the advantages of Duda is that it owns its entire code base, which gives it complete control over its security measures. Duda routinely updates its dashboard and editor shell, templates and widgets, and the runtime environment in which hosted sites are rendered. Any third-party components used are vetted through formal privacy and security assessments and, once integrated, are thoroughly tested and updated on an ongoing basis to meet Duda's security requirements.



  • In addition to the above, Duda invests in other areas of security, such as protection against DDoS attacks, computing scalability, multiple-zone availability, backup and recovery mechanisms, and many others. These measures ensure that Duda's platform remains secure and available, even in the face of potential attacks or other unforeseen events.


What about Duda's App Store and app providers? How is security assured there? Duda's approach to app integration is fundamentally different from WordPress plugins: apps do not install source code onto Duda's servers. Instead, they work through structured, scoped, and secured APIs that limit what a malicious app could do.

Apps can add JavaScript to websites, but that code runs in the visitor's browser, a zone in which no sensitive information should ever be stored, since any script on a page can read what that page contains. If malicious activity is detected, Duda can remove the code from all affected sites at once. App providers are also treated like any other third-party software provider and go through the same privacy and security maturity assessment.




Summary: Should you move to a cloud-based CMS?


At the end of the day, cybersecurity is all about managing cyber risks to your digital assets and reducing them to an acceptable level. As a digital agency owner or employee, the websites you host and maintain for your clients are likely among your most sensitive assets.

While WordPress is an excellent environment for building websites and offers a vast array of ready-made components, such as themes and plugins, its security risks may not be worth it for your business. If that's the case, you should consider transitioning to a cloud-based CMS like Duda, which offers stronger security measures, including isolated cloud environments, routine updates, and third-party component vetting, to protect your assets from potential cyber threats.

