Quarterly WordPress Threat Intelligence Report – Q3 2025

by

As the leader in WordPress security, Wordfence provides unparalleled security coverage that fully encompasses protection, active monitoring, detection, and response all built around our threat intelligence, demonstrating a strong commitment to security. Our mission is to ensure comprehensive defense-in-depth for every layer of a WordPress website’s security.

It’s important to understand that a complete security solution requires both protection and detection; while protection is crucial for preventing initial compromises, detection is equally vital for a wholesome WordPress site security strategy.

📢 There’s a Wordfence Option for Every Site Owner

Whether you run a personal blog or manage hundreds of client websites, Wordfence has a plan tailored to your needs:

Wordfence Free – Industry-leading Web Application Firewall (WAF) blocking 95% of known threats out of the box, malware scanning, Two-Factor Authentication (2FA), and more. 30-day delay on malware signatures and new firewall rules.

Wordfence Premium – Real-time firewall and malware signature updates, plus powerful tools like an audit log for deeper insight and monitoring.

Wordfence Care – Around-the-clock monitoring by our team, hands-on remediation if something goes wrong, and priority support for true peace of mind.

Wordfence Response – All the benefits of Wordfence Premium and Care with one hour response times for immediate remediation of security breaches.

👉 Compare Plans

This quarterly report highlights trends and changes in the WordPress security landscape, empowering you as a site owner to proactively protect your website against current vulnerabilities and threats, and to better understand the protections Wordfence provides through it’s robust threat intelligence.

Threat Intelligence Key Highlights Q3 2025

As the industry leader in WordPress security we have access to attack telemetry and vulnerability intelligence that no other security provider can compare to. We know exactly what vulnerabilities will become a target for threats, what the biggest threats to WordPress are, and how to prioritize remediation and protection against WordPress. The following presents some key highlights of WordPress threats and vulnerabilities in Q3 2025.

Total Vulnerabilities Published
1,857
-32.4% from previous quarter
High Threat Vulnerabilities
137
-29.0% from previous quarter
Common & Dangerous Vulnerabilities
78
-48.0% from previous quarter
WAF Attacks Blocked
9.7B
-23.4% from previous quarter
Brute Force Attacks Blocked
19.2B
+98.9% from previous quarter
Sites Infected
495K
-23.0% from previous quarter
👉 What this means for site owners: Keep plugins and themes updated regularly, enable 2FA, run regular security scans, follow strong password security, and rely on a WAF like Wordfence for protection before vulnerabilities are patched and continuous monitoring.

Wordfence Vulnerability Intelligence Highlights for Q3 2025

This section breaks down the vulnerabilities disclosed in Q3 2025 along with highlighting any trends or changes from the previous quarter.

The Wordfence Bug Bounty Program’s primary mission is to attract the highest quality vulnerability research in the WordPress space based on high impact and high severity vulnerabilities that are the most likely to be exploited. Due to this, you can rest assured knowing that you have the best protection available for vulnerabilities that pose the most significant risk to your site before they are even disclosed to the vendor.

Did you know? Wordfence provides the most comprehensive vulnerability intelligence for WordPress, with over 29,000 known vulnerabilities cataloged in our database. Our team adds dozens to hundreds of new vulnerabilities every week, ensuring the Wordfence plugin’s vulnerability scanner, and our free Vulnerability Intelligence API, alert you the moment a new vulnerability is detected.

Total Vulnerabilities Published
1,857
-32.4% from previous quarter
Total WAF Rules Released
7
-81.6% from previous quarter

Total Vulnerabilities Published

In Q3, there were 1,857 vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 34.2% of the total. The following chart highlights the trend in new vulnerabilities disclosed over this period.

Total Vulnerabilities Published By Month

Total High Threat Vulnerabilities Published

In Q3, there were 137 high threat vulnerabilities added to the Wordfence Intelligence vulnerability database. These vulnerabilities pose the most significant threat to WordPress websites as attackers are very likely to target them in the real-world, and they can generally lead to full site compromise with minimal requirements. Often generic, or non-WordPress specific firewalls do not provide adequate protection against these vulnerabilities. Wordfence was the source of disclosure for 74.5% of those vulnerabilities, highlighting how the Wordfence firewall can provide you with the fastest protection for WordPress vulnerabilities that actually pose a risk to your site.

Total High Threat Vulnerabilities Published By Month

Total Common and Dangerous Vulnerabilities Published

In Q3, there were 78 common and dangerous vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 38.5% of these common and dangerous vulnerabilities. These vulnerabilities are some of the most commonly found in WordPress plugins and themes, but are still prime targets for attackers who are looking for low hanging fruit to exploit.

Total C&D Vulnerabilities Published By Month

Patch Status of Reported Vulnerabilities

At the end of Q3, there were 950 vulnerabilities that remained unpatched. This highlights the importance of utilizing a security scanner like Wordfence that will alert you when an unpatched vulnerability is present on your site so you can take remedial action, like removing the software, immediately.

Patch Status

Install Count Distribution of Affected Software

The following highlights the average distribution of install counts for software affected by vulnerabilities reported in this quarter.

Install Count Distribution of Published Vulnerabilities

Authentication Level To Exploit Distribution

Most vulnerabilities disclosed in Q3 required contributor-level access to exploit. This is the same as from Q2 2025 where contributor-level access was required to exploit.

Authentication Level Distribution of Published Vulnerabilities

Affected Software Type Distribution (Plugins/Themes/Core)

As usual, the majority of the vulnerabilities disclosed in Q3 were plugin related vulnerabilities.

Software Type Distribution of Published Vulnerabilities

Top 10 Vulnerability Classes Published

The following highlights the most commonly published vulnerabilities in Q3 2025.

Vulnerability Type Total Vulns
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 729
CWE 862: Missing Authorization 279
CWE 352: Cross-Site Request Forgery (CSRF) 251
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 109
CWE 98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 96
CWE 200: Exposure of Sensitive Information to an Unauthorized Actor 58
CWE 502: Deserialization of Untrusted Data 57
CWE 434: Unrestricted Upload of File with Dangerous Type 51
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 47
CWE 918: Server-Side Request Forgery (SSRF) 35

Vendors Registered for the Vulnerability Management Portal

This quarter, we had 196 vendors sign up to manage their WordPress software’s security through the Vulnerability Management Portal (+64.7% from previous quarter). This covers 1,220 distinct plugins and themes (+123.0% from previous quarter). Vendors who register for the Wordfence Vulnerability Management Portal demonstrate a strong commitment to WordPress security as they are notified in real-time when a new vulnerability has been discovered or reported in their software. If you’re a WordPress vendor and you’d like to sign up for real-time vulnerability alerts and centralized vulnerability management, get started here.

Total Vendors Registered Over Period
Total Plugins/Themes Registered Over Period

Wordfence Threat Intelligence Summary for Q3 2025

This section highlights the past quarters trend among vulnerabilities attackers are targeting and password attacks they are initiating.

Threat intelligence is at the heart of Wordfence’s industry-leading security solutions. As the largest security provider for WordPress, we collect and analyze attack telemetry from millions of sites worldwide. This unparalleled visibility gives us real-time insight into what attackers are targeting and when, empowering us to deliver the fastest and most effective protection for WordPress.

Web Application Firewall (WAF) Attack Data Highlights

Did you know? Wordfence leverages attack telemetry from over 5 million protected websites to continuously strengthen the security features of the Wordfence plugin. Sites running Wordfence Premium, Care, or Response automatically block IP addresses actively engaged in malicious activity across WordPress, even when those attacks don’t target a known vulnerability, keeping your site safe from the latest and emerging threats.

WAF Rule Requests Blocked/Logged
9.7B
-23.4% from previous quarter
Blocked From IP Threat Feed
2.7B
-34.2% from previous quarter
Total WAF Rules Released
7
-81.6% from previous quarter
Unique IPs in WAF Attacks
9.1M
+41.5% from previous quarter
Unique IPs From Blocklist
176K
+32.1% from previous quarter
Unique User Agents
25.3M
+36.9% from previous quarter

Total Requests Blocked and Logged by the Wordfence Firewall Over Q3

The following chart highlights how many exploit and probing requests the Wordfence Firewall has blocked over the course of Q3.

WAF Rule Attacks Blocked Over Period

Top 10 User Agents Engaged in Exploiting Vulnerabilities

The following chart highlights the top 10 user agents that have been used in exploit and enumeration attempts across the network of sites we protect.

Total Requests User Agents
2,315,286,643 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
1,325,879,364 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
484,531,132 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
124,651,638 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
106,525,977 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
102,747,529 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36Team Anon Force
100,307,059 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
98,875,433 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.1.2.3 Safari/537.36 Edg/121.0.623.86
94,183,828 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
93,236,723 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

 

Top 10 Unique Vulnerabilities Targeted by Attackers

The following section highlights the top 10 unique vulnerabilities being targeted by attackers.

Vulnerability Total Blocked Requests
SureTriggers <= 1.0.78 – Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation 38,225,789
Hunk Companion <= 1.8.4 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation 5,951,700
Rank Math SEO <= 1.0.40.2 – Privilege Escalation via Unprotected REST API Endpoint 5,816,161
LiteSpeed Cache <= 6.3.0.1 – Unauthenticated Privilege Escalation 4,316,318
WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation 4,199,069
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API 3,152,939
Frontend File Manager < 4.0 & N-Media Post Front-end Form < 1.1 & – Arbitrary File Upload 3,102,946
GutenKit <= 2.1.0 – Unauthenticated Arbitrary File Upload 2,202,638
Discount Rules for WooCommerce <= 2.0.2 – Missing Authorization 2,136,265
Bears Backup <= 2.0.0 – Unauthenticated Remote Code Execution 1,548,320

 

Top 10 Attacking Countries

The following section highlights the top 10 countries engaged in initiating attacks against WordPress websites.

Top Attacking Countries

Top 10 Attacking IP Addresses

The following are the top 10 IP Addresses engaged in targeting WordPress website vulnerabilities.

IP Address Total Requests
89.248.172.183 108,893,529
4.197.236.174 56,622,875
193.142.147.5 56,077,587
196.251.66.148 52,906,999
185.177.72.144 48,481,934
45.134.225.130 45,778,254
196.251.66.73 41,481,977
196.251.66.191 39,986,910
196.251.85.115 36,214,725
209.141.32.143 34,202,573

 

Top 5 “Generic” Vulnerability Types Targeted By Attackers

This section highlights the most attacked common vulnerability types.

Top 5 Blocked Generic WAF Rules

Password Attacks Data Highlights

Did you know? Wordfence includes a robust suite of password protection features, all available in the free version of the plugin. Features like Two-Factor Authentication (2FA), blocking logins using known compromised passwords, and preventing brute-force login attempts help safeguard your WordPress users and administrators from unauthorized access.

Brute Force Attacks Blocked
19.2B
+98.9% from previous quarter
Unique IPs in Brute Force
25.7M
+7.1% from previous quarter
Avg Requests Per IP
748
+85.6% from previous quarter

Total Password Attacks Blocked by the Wordfence Firewall Over Q3

The following chart highlights how many password attacks the Wordfence Firewall has blocked over the course of Q3.

Password Attacks Blocked Over Period

Top 10 Countries with the Most Distinctly Unique IP Addresses Engaged in Password Attacks

The following chart highlights countries with the most unique IP addresses originating from them engaged in password attacks.

Top 10 Countries with Distinctly Unique IP Addresses Engaged in Password Attacks

Top 10 Countries with the Highest Volume of Password Attacks Blocked

While the above chart highlights countries with the most unique IP Addresses targeting them. The following chart highlights countries with the most password attack activity based on number of requests, rather than distinctly unique IP Addresses.

Top 10 Countries by Total Password Attacks

Password Attacks Blocked by Type

This section highlights what password attack techniques are the most common.

Password Attacks Blocked by Type

Wordfence Malware Intelligence Report for Q3 2025

This section highlights common trends and patterns in malware attack data across the sites Wordfence protects.

No security solution would be complete without malware detection or scanning. It’s a critical element to website security that if your site gets hacked, it gets detected so that you can take swift remedial action to protect your business and brand reputation.

Did you know? Wordfence’s Malware Signatures are used to provide protection on your site. They are not just used for detecting a compromise, they are also used for blocking uploads of malicious files that match our malware signatures through the Wordfence Firewall.

Malware Attack Data Highlights

Unique Malware Files
33.7M
+4.4% from previous quarter
Malware Signatures Released
230
-36.8% from previous quarter
Sites with Malware
495K
-23.0% from previous quarter
Avg Infected Files Per Site
62.2
+15.4% from previous quarter
Avg Malware Variations Per Site
2.6
+18.2% from previous quarter

Number of Distinct Sites With Malware Detected Over Q3

The following chart highlights the average amount of sites with at least once piece of malware detected over the course of Q3.

Total Number of Distinct Sites With Malware Each Day

Malware Detected by File Type

The following chart highlights the most commonly detected malware based on file type. PHP files are often associated with webshells, backdoors, infostealers, and skimmers while files like JavaScript and HTML are often associated with spam.

Malware Detected by File Type

Malware Detected Based on Uploaded Location

The following chart highlights where malware is most commonly uploaded.

Most Common Directory Malware Detected In

Report Archives for Q3 2025

Access the complete collection of detailed vulnerability and bug bounty reports published during Q3 2025. These archives provide comprehensive documentation of all security issues identified and addressed throughout the quarter.

Weekly Vulnerability Report Archive

In case you missed any of the weekly vulnerability reports from Q3, you can find the complete list of them here:

Monthly Bug Bounty Report Archive

If you missed any of the monthly Bug Bounty Program Reports from Q3, you can find those all here:

Conclusion: Key Takeaways For Site Owners

When it comes to securing your WordPress site, a defense-in-depth strategy is essential. No single solution can stop every attack, but by layering protection, detection, and active monitoring, you dramatically reduce your risk and increase your ability to respond quickly when threats emerge.

Protection

The first line of defense is preventing attacks from succeeding in the first place. A strong firewall, timely vulnerability patches, and hardened configurations help block malicious traffic before it ever reaches your site. By leveraging Wordfence’s threat intelligence, you’re protected against the latest exploits that attackers are actively using in the wild. This proactive protection ensures your site is guarded not just against known threats, but against emerging attack patterns.

Detection

Even the best defenses can be tested, which is why detection is critical. Comprehensive scanning helps identify vulnerabilities, malware, or suspicious changes on your site that could signal an attempted compromise. With Wordfence’s real-time scanning powered by global attack data, you gain visibility into threats that may have slipped past other layers of defense, allowing you to act before they cause serious damage.

Active Monitoring

Continuous monitoring serves as your early warning system. Real-time alerts about critical events, login attempts, and file changes help you stay ahead of threats. Wordfence’s comprehensive monitoring doesn’t just tell you something happened, it provides the context and intelligence you need to understand the severity and respond appropriately. This constant vigilance means you’re never flying blind when it comes to your site’s security posture.

Security isn’t a “set it and forget it” task. Active monitoring ensures your site is continuously observed for suspicious behavior, login attempts, and traffic anomalies. Attackers often probe sites for weaknesses over time; having real-time monitoring means you’ll know immediately if your site is being targeted. Wordfence’s monitoring tools provide alerts and insights so you can take swift action, whether that’s blocking an attacker, tightening access, or responding to a detected vulnerability.

By combining protection, detection, and monitoring, you create a strong defense-in-depth strategy for your WordPress site. Wordfence brings all three layers together in one solution, making it simple to secure your site and stay ahead of attackers. Install Wordfence today and put industry-leading security to work for you.

The post Quarterly WordPress Threat Intelligence Report – Q3 2025 appeared first on Wordfence.

Leave a Comment