WordPress Security: A UK Guide for Small Businesses
WordPress security risks rarely start in core code. A practical, UK-focused guide to plugins, patching, layered defences and compliance for small businesses.
WordPress isn't inherently insecure — plugins and credentials are. A calm, UK-flavoured guide to the baseline that actually works.
This guide sits within our broader series on WordPress maintenance: what it is and what it should cover in 2026 — covering updates, backups, performance and everything else that keeps a WordPress site healthy. Here we focus specifically on security: what the data actually says, where the real risks lie for UK small businesses, and what a sensible baseline looks like.
If you run a WordPress site for your business, you’ve probably seen the headlines. “WordPress hacked again.” The framing suggests the platform itself is the problem. The data tells a different story. Of the 7,966 vulnerabilities disclosed across the WordPress ecosystem in 2024, 96% sat in plugins — not in WordPress core (Patchstack, 2025). The core software had just seven.
If your site gets compromised, it almost certainly won’t be WordPress that let you down. It’ll be a plugin you forgot to update or a password that wasn’t strong enough. This is a practical guide to WordPress security for UK small businesses. No scare tactics. Just what the numbers show, what actually works, and where UK law fits in. And if you’d rather hand this to someone who does it every day, our WordPress Hosting and Maintenance service covers the lot.
What the numbers actually show
The WordPress vulnerability landscape is growing fast. Patchstack, the largest vulnerability database for the WordPress ecosystem, logged 7,966 new vulnerabilities in 2024 — a 34% increase year on year. By 2025 that figure had climbed to 11,334, a further 42% rise (Patchstack, 2025).
The split is stark. In 2024, 96% of those vulnerabilities were in plugins, 4% in themes, and just 7 in WordPress core. A third had no patch available at the time of disclosure (Patchstack, 2025).
On the attack side, Wordfence — one of the largest WordPress security networks — blocked over 54 billion malicious requests in 2024, including 1.1 billion SQL injection attempts (Wordfence, 2025). Sucuri’s scanners detected 681,182 infected sites from 53.2 million scans in the first half of 2024 alone (Sucuri, 2024).
The takeaway: WordPress core is not the weak link. The ecosystem around it — plugins, themes, credentials — is.
Where the real risk sits
Plugins
Plugins are the primary attack surface, and exploitation is measured in hours, not days. When a critical authentication bypass was disclosed in the OttoKit / SureTriggers plugin (CVE-2025-3102), attackers were exploiting it in the wild within four hours. The plugin had over 100,000 active installations (BleepingComputer, 2025).
LiteSpeed Cache — installed on roughly six million sites — saw 58,952 exploit attempts within 24 hours of CVE-2024-28000 being disclosed (Wordfence, 2024). WPML, with over a million active installs, had a CVSS 9.9 remote code execution vulnerability (CVE-2024-6386) patched in 2024 (Wordfence, 2024).
These aren’t obscure edge cases. They’re mainstream plugins on mainstream sites.
Credentials
Sucuri’s 2023 analysis of infected WordPress databases found a malicious administrator account in 55.2% of cases and a backdoor in 49.21% (Sucuri, 2024). Weak or reused passwords remain one of the simplest routes in.
Automated, indiscriminate attacks
If you’re thinking “my site’s too small to be a target” — attacks aren’t targeted; they’re automated. Wordfence data shows the average WordPress site receives roughly 43 probe requests per day. Their network blocks approximately 215 million hits daily across monitored sites (Wordfence, 2025). Every site with a login page is a target.
A layered WordPress security baseline that actually works
No single tool or setting makes a WordPress site secure. What works is a layered approach — multiple controls so that when one fails (and eventually, one will), others hold.
- Patch promptly. Apply plugin and theme updates weekly. Security releases should go live immediately. Core major updates: test and deploy within 24–72 hours (Kinsta, 2024; SiteGround, 2025).
- Use a web application firewall (WAF). A WAF with virtual patching — such as Patchstack or Wordfence — blocks known exploit patterns while you apply the actual code fix. Treat virtual patching as time bought, not a permanent solution (Patchstack, 2024).
- Enforce MFA on every admin account. With malicious admin users appearing in over half of infected databases, multi-factor authentication is non-negotiable.
- Run offsite, restore-tested backups. Host backups are more limited than most clients realise. Some hosts explicitly disclaim backup liability in their terms of service, requiring customers to maintain independent offline copies (WP Engine TOS, 2025). Keep your own offsite backups and test restores quarterly.
- Scan for vulnerabilities daily. Cross-reference installed plugin and theme versions against a live CVE feed. Patchstack publishes disclosures and virtual-patch rules before public CVE feeds, with stated lead times of up to 48 hours (Patchstack, 2024).
- Harden the basics. Disable XML-RPC where unused, limit login attempts, review user roles quarterly, and remove inactive accounts.
- Stage and test before deploying. The debate between auto-updating everything and staging with regression testing is real. Matt Mullenweg advocates automatic updates as the default (Mullenweg, 2025). Enterprise agencies like 10up argue every update needs version control, peer review and QA (10up, 2025). The pragmatic middle ground for most small business sites: automated updates with visual regression testing and auto-rollback.
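As an added example (not code from the article), here is the daily cross-reference check the "Scan for vulnerabilities" bullet describes, in Python: installed plugin versions are compared against a vulnerability feed with a proper version comparison, and each hit is labelled with the action the baseline calls for, including the "no patch yet" case where virtual patching buys time. The plugin slugs, vulnerability IDs, version ranges and feed schema are all constructed; a real feed such as Patchstack's has its own format, and the inventory would come from the site itself (for example `wp plugin list`).

```python
# Added example: compare an installed-plugin inventory against a vulnerability
# feed. Slugs, IDs and version ranges below are constructed, not real data.

# Constructed inventory, in the shape `wp plugin list --format=json` would give.
INSTALLED = {"example-cache": "6.3.0", "example-forms": "2.1.4", "example-seo": "4.0.1"}

# Constructed feed entries (hypothetical schema; adapt to your real feed).
FEED = [
    {"slug": "example-cache", "id": "VULN-0001", "severity": "critical",
     "affected_below": "6.4.0", "fixed_in": "6.4.0"},
    {"slug": "example-forms", "id": "VULN-0002", "severity": "high",
     "affected_below": "2.2.0", "fixed_in": None},    # disclosed, no patch yet
    {"slug": "example-seo", "id": "VULN-0003", "severity": "medium",
     "affected_below": "4.0.0", "fixed_in": "4.0.0"},  # site already patched
    {"slug": "example-gallery", "id": "VULN-0004", "severity": "critical",
     "affected_below": "1.9.0", "fixed_in": "1.9.0"},  # not installed here
]

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(v: str) -> tuple:
    """Turn '6.4' or '6.4.0' into a comparable tuple; a plain string compare
    would wrongly rank '6.10.0' below '6.9.0'."""
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def check_inventory(installed: dict, feed: list) -> list:
    """Return one dict per installed plugin whose version falls inside an
    affected range, most severe first, with the action the baseline calls for."""
    findings = []
    for entry in feed:
        current = installed.get(entry["slug"])
        if current is None:
            continue  # plugin not present on this site
        if parse_version(current) >= parse_version(entry["affected_below"]):
            continue  # installed version is already outside the affected range
        if entry["fixed_in"]:
            action = f"update to {entry['fixed_in']}"
        else:  # a third of 2024 disclosures had no patch: buy time, don't wait
            action = "no patch available: rely on WAF virtual patching or disable"
        findings.append({"slug": entry["slug"], "id": entry["id"],
                         "severity": entry["severity"], "installed": current,
                         "action": action})
    findings.sort(key=lambda f: SEVERITY_ORDER.get(f["severity"], 9))
    return findings
```

Run daily from cron and route anything marked critical or high to whoever owns patching; a "no patch available" line is the cue to confirm the WAF rule is live rather than to wait for the vendor.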
What managed hosting does (and doesn’t) cover
Managed WordPress hosts handle infrastructure, SSL certificates, daily backups, uptime monitoring, and some level of malware scanning. That’s genuinely valuable — but it’s not a maintenance plan.
| Task | Kinsta | WP Engine | Pressable | Cloudways | SiteGround |
|---|---|---|---|---|---|
| Plugin updates + regression | Paid add-on | Higher tiers only | No | Paid add-on | Auto with rollback |
| Custom code / theme QA | No | No | No | No | No |
| Accessibility remediation | No | No | No | No | No |
| SEO monitoring | No | No | No | No | No |
| Vulnerability scanning | WAF only | SPM on higher tiers | Jetpack bundled | Paid add-on | Basic WAF |
The pattern is clear: hosts cover the server layer well. Plugin regression, custom code QA, accessibility and SEO sit outside their scope — and that’s where a maintenance plan or agency retainer picks up.
The UK regulatory lens
WordPress security isn’t just a technical concern for UK businesses — it’s a compliance one.
Article 32 of the UK GDPR requires “appropriate technical and organisational measures” to protect personal data. The ICO and NCSC’s joint guidance explicitly expects “actively managing software vulnerabilities, including using in-support software and the application of software update policies” (NCSC, 2025; ICO, 2025).
Patching posture sits squarely inside UK data-protection enforcement scope.
NCSC Cyber Essentials — increasingly required for government contracts and recommended for all UK businesses — mandates that critical and high-severity CVEs be patched within 14 days (NCSC, 2025).
The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses — roughly 612,000 — experienced a cyber breach or attack in the previous 12 months, with ransomware incidents approximately doubling year on year.
One further layer: if your business sells B2C into the EU, the European Accessibility Act (in application from 28 June 2025) adds accessibility requirements alongside your security obligations (European Commission, 2025). Not strictly security, but part of the same compliance posture a well-maintained site needs.
Frequently asked questions
Is WordPress secure?
Yes. WordPress core is well-maintained and accounts for roughly 1% of all ecosystem vulnerabilities (Patchstack, 2025). The security risk comes from plugins (96% of 2024 disclosures), weak credentials, and sites that aren’t kept up to date. A properly maintained WordPress site with a layered security baseline is as secure as any comparable platform.
How often should I update WordPress?
Core security releases: immediately. Plugin and theme updates: weekly, with security patches applied as soon as they’re available. Core major releases: within 24–72 hours, tested on staging first.
What’s the first thing to do if my site has been hacked?
Take the site offline, restore from a known-clean backup, change every password (admin, database, FTP, hosting), scan for backdoors, and identify the entry point before bringing it back online. If you don’t have a clean backup, that’s the problem to solve first.
What to do next
You don’t need to become a security expert to run a secure WordPress site. You need a documented process, a sensible patching cadence, proper backups, and someone keeping an eye on the dashboard.
If you’d rather hand this to someone who does it every day, our WordPress Hosting and Maintenance service covers patching, backups, monitoring, WAF management and performance — so you can focus on running your business.