WordPress.com, the website creation and e-commerce platform owned by Automattic, has revealed that its global Web Application Firewall (WAF) blocks an average of 12,000 malicious requests per second. Of these, around 165 requests per second are directly linked to attempts to exploit known security vulnerabilities.
Over the past twelve months, WordPress.com’s WAF has filtered billions of potentially harmful interactions across its hosted websites. In Spain alone, the system blocked over 1.1 billion malicious requests and prevented approximately 15.3 million direct attack attempts, underscoring the scale of today’s automated threat landscape.
Persistent Threats Driven by Poor Maintenance
While cyberattacks continue to increase year on year, WordPress.com notes that most successful intrusions stem from avoidable vulnerabilities such as outdated components, weak passwords, or unsafe configuration practices. The company stresses that prevention and continuous monitoring remain the most effective defence measures for website owners.
Outdated Plugins and Weak Passwords
Unpatched plugins and obsolete themes remain among the most common entry points for attackers. According to WordPress.com telemetry, a significant portion of intrusion attempts originate from extensions with known vulnerabilities or older versions that were never updated. Threat actors frequently scan the internet for outdated components, exploiting even minor weaknesses in neglected sites.
The second major risk area involves poor password management. Many users still rely on predictable or reused passwords, often without multi-factor authentication (MFA). These weak credentials make it easier for attackers to gain unauthorised access, hijack administrator accounts, and deploy malicious code.
“Keeping your site secure is not a one-time task. Regular updates, strong passwords, and multi-factor authentication form the foundation of a resilient defence,” stated a WordPress.com spokesperson.
Excessive Permissions and Insecure Custom Code
Beyond traditional attack surfaces, misconfigured user permissions also pose a serious risk. Granting administrators or editors more privileges than necessary increases the likelihood of exploitation if an account is compromised. WordPress.com recommends applying the principle of least privilege, limiting access to only what each role requires.
Another emerging vector involves custom code added without adequate review. Poorly written scripts, insecure third-party API integrations, or direct theme file modifications can all introduce critical vulnerabilities. Site owners are advised to work with trusted developers, audit all code before deployment, and use automated analysis tools to identify potential weaknesses early.
Improving Website Security
Website integrity directly influences customer trust and brand reputation. WordPress.com recommends combining secure operational practices with robust technical safeguards: update plugins and themes regularly, remove unused extensions, perform scheduled backups to safe locations, and enable strong passwords with two-factor authentication.
Built-in protection features on the WordPress.com platform — including automatic updates, data encryption, and continuous monitoring — help maintain site availability even during attempted attacks. These safeguards ensure that both individual creators and enterprise clients can focus on managing content while backend systems maintain constant vigilance.
As web threats continue to rise, maintaining disciplined security hygiene remains the best defence against compromise. Consistent patching, access control, and secure coding practices are critical to keeping WordPress websites — and their users — safe from the 12,000 attacks that occur every second across the platform.