Quarterly WordPress Threat Intelligence Report – Q4 2025

by

 

As the leader in WordPress security, Wordfence provides unparalleled security coverage that fully encompasses protection, active monitoring, detection, and response all built around our threat intelligence, demonstrating a strong commitment to security. Our mission is to ensure comprehensive defense-in-depth for every layer of a WordPress website’s security.

It’s important to understand that a complete security solution requires both protection and detection; while protection is crucial for preventing initial compromises, detection is equally vital for a wholesome WordPress site security strategy.

📢 There’s a Wordfence Option for Every Site Owner

Whether you run a personal blog or manage hundreds of client websites, Wordfence has a plan tailored to your needs:

Wordfence Free – Industry-leading Web Application Firewall (WAF) blocking 95% of known threats out of the box, malware scanning, Two-Factor Authentication (2FA), and more. 30-day delay on malware signatures and new firewall rules.

Wordfence Premium – Real-time firewall and malware signature updates, plus powerful tools like an audit log for deeper insight and monitoring.

Wordfence Care – Around-the-clock monitoring by our team, hands-on remediation if something goes wrong, and priority support for true peace of mind.

Wordfence Response – All the benefits of Wordfence Premium and Care with one hour response times for immediate remediation of security breaches.

👉 Compare Plans

This regular report highlights trends and changes in the WordPress security landscape, empowering you as a site owner to proactively protect your website against current vulnerabilities and threats, and to better understand the protections Wordfence provides through it’s robust threat intelligence.

Threat Intelligence Key Highlights Q4 2025

As the industry leader in WordPress security we have access to attack telemetry and vulnerability intelligence that no other security provider can compare to. We know exactly what vulnerabilities will become a target for threats, what the biggest threats to WordPress are, and how to prioritize remediation and protection against WordPress. The following presents some key highlights of WordPress threats and vulnerabilities in Q4 2025.

Total Vulnerabilities Published
2,213
+19.2% from previous quarter
High Threat Vulnerabilities
131
-4.4% from previous quarter
Common & Dangerous Vulnerabilities
100
+28.2% from previous quarter
WAF Attacks Blocked
9.1B
-6.1% from previous quarter
Brute Force Attacks Blocked
13.8B
-28.0% from previous quarter
Sites Infected
467K
-5.7% from previous quarter
👉 What this means for site owners: Keep plugins and themes updated regularly, enable 2FA, run regular security scans, follow strong password security, and rely on a WAF like Wordfence for protection before vulnerabilities are patched and continuous monitoring.

Wordfence Vulnerability Intelligence Highlights for Q4 2025

This section breaks down the vulnerabilities disclosed in Q4 2025 along with highlighting any trends or changes from the previous quarter.

The Wordfence Bug Bounty Program’s primary mission is to attract the highest quality vulnerability research in the WordPress space based on high impact and high severity vulnerabilities that are the most likely to be exploited. Due to this, you can rest assured knowing that you have the best protection available for vulnerabilities that pose the most significant risk to your site before they are even disclosed to the vendor.

Did you know? Wordfence provides the most comprehensive vulnerability intelligence for WordPress, with over 29,000 known vulnerabilities cataloged in our database. Our team adds dozens to hundreds of new vulnerabilities every week, ensuring the Wordfence plugin’s vulnerability scanner, and our free Vulnerability Intelligence API, alert you the moment a new vulnerability is detected.

Total Vulnerabilities Published
2,213
+19.2% from previous quarter
Total WAF Rules Released
20
+185.7% from previous quarter

Total Vulnerabilities Published

In Q4, there were 2,213 vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 49.7% of the total. The following chart highlights the trend in new vulnerabilities disclosed over this period.

Total Vulnerabilities Published By Month

Total High Threat Vulnerabilities Published

In Q4, there were 131 high threat vulnerabilities added to the Wordfence Intelligence vulnerability database. These vulnerabilities pose the most significant threat to WordPress websites as attackers are very likely to target them in the real-world, and they can generally lead to full site compromise with minimal requirements. Often generic, or non-WordPress specific firewalls do not provide adequate protection against these vulnerabilities. Wordfence was the source of disclosure for 74.8% of those vulnerabilities, highlighting how the Wordfence firewall can provide you with the fastest protection for WordPress vulnerabilities that pose the most significant risk to your WordPress site.

Total High Threat Vulnerabilities Published By Month

Total Common and Dangerous Vulnerabilities Published

In Q4, there were 100 common and dangerous vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 69.0% of these common and dangerous vulnerabilities. These vulnerabilities are some of the most commonly found in WordPress plugins and themes, but are still prime targets for attackers who are looking for low hanging fruit to exploit.

Total C&D Vulnerabilities Published By Month

Patch Status of Reported Vulnerabilities

At the end of Q4, there were 905 vulnerabilities that remained unpatched. This highlights the importance of utilizing a security scanner like Wordfence that will alert you when an unpatched vulnerability is present on your site so you can take remedial action, like removing the software, immediately.

Patch Status

Install Count Distribution of Affected Software

The following highlights the average distribution of install counts for software affected by vulnerabilities reported in this quarter.

Install Count Distribution of Published Vulnerabilities

Authentication Level To Exploit Distribution

Most vulnerabilities disclosed in Q4 required no authentication to exploit. This is different from from Q3 2025 where contributor-level access was required to exploit for the majority of vulnerabilities published.

Authentication Level Distribution of Published Vulnerabilities

Affected Software Type Distribution (Plugins/Themes/Core)

As usual, the majority of the vulnerabilities disclosed in Q4 were plugin related vulnerabilities.

Software Type Distribution of Published Vulnerabilities

Top 10 Vulnerability Classes Published

The following highlights the most commonly published vulnerabilities in Q4 2025.

Vulnerability Type Total Vulns
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 658
CWE 862: Missing Authorization 611
CWE 352: Cross-Site Request Forgery (CSRF) 224
CWE 200: Exposure of Sensitive Information to an Unauthorized Actor 116
CWE 98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 109
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 107
CWE 434: Unrestricted Upload of File with Dangerous Type 58
CWE 639: Authorization Bypass Through User-Controlled Key 58
CWE 918: Server-Side Request Forgery (SSRF) 36
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 27

Vendors Registered for the Vulnerability Management Portal

This quarter, we had 201 vendors sign up to manage their WordPress software’s security through the Vulnerability Management Portal (+2.6% from previous quarter). This covers 1,391 distinct plugins and themes (+14.0% from previous quarter). Vendors who register for the Wordfence Vulnerability Management Portal demonstrate a strong commitment to WordPress security as they are notified in real-time when a new vulnerability has been discovered or reported in their software. If you’re a WordPress vendor and you’d like to sign up for real-time vulnerability alerts and centralized vulnerability management, get started here.

Total Vendors Registered Over Period
Total Plugins/Themes Registered Over Period

Wordfence Threat Intelligence Summary for Q4 2025

This section highlights the past quarter’s trend among vulnerabilities attackers are targeting and password attacks they are initiating.

Threat intelligence is at the heart of Wordfence’s industry-leading security solutions. As the largest security provider for WordPress, we collect and analyze attack telemetry from millions of sites worldwide. This unparalleled visibility gives us real-time insight into what attackers are targeting and when, empowering us to deliver the fastest and most effective protection for WordPress.

Web Application Firewall (WAF) Attack Data Highlights

Did you know? Wordfence leverages attack telemetry from over 5 million protected websites to continuously strengthen the security features of the Wordfence plugin. Sites running Wordfence Premium, Care, or Response automatically block IP addresses actively engaged in malicious activity across WordPress, even when those attacks don’t target a known vulnerability, keeping your site safe from the latest and emerging threats.

WAF Rule Requests Blocked/Logged
9.1B
-6.1% from previous quarter
Blocked From IP Threat Feed
2.4B
-10.7% from previous quarter
Total WAF Rules Released
20
+185.7% from previous quarter
Unique IPs in WAF Attacks
12.5M
+37.2% from previous quarter
Unique IPs From Blocklist
185K
+5.0% from previous quarter
Unique User Agents
21.8M
-13.7% from previous quarter

Total Requests Blocked and Logged by the Wordfence Firewall Over Q4

The following chart highlights how many exploit and probing requests the Wordfence Firewall has blocked over the course of Q4.

WAF Rule Attacks Blocked Over Period

Top 10 User Agents Engaged in Exploiting Vulnerabilities

The following chart highlights the top 10 user agents that have been used in exploit and enumeration attempts across the network of sites we protect.

Total Requests User Agents
1,230,010,914 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
979,797,161 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
678,132,313 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
436,568,579 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
110,592,894 Mozilla/5.0
61,651,173 Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94
56,593,276 Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36Team Anon Force
54,811,830 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3
54,273,865 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
53,640,437 SiteLockSpider

 

Top 10 Unique Vulnerabilities Targeted by Attackers

The following section highlights the top 10 unique vulnerabilities being targeted by attackers.

Vulnerability Total Blocked Requests
SureTriggers <= 1.0.78 – Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation 22,272,250
LiteSpeed Cache <= 6.3.0.1 – Unauthenticated Privilege Escalation 18,876,656
Frontend File Manager < 4.0 & N-Media Post Front-end Form < 1.1 & – Arbitrary File Upload 11,303,620
WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation 9,548,371
Hunk Companion <= 1.8.4 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation 8,141,029
Rank Math SEO <= 1.0.40.2 – Privilege Escalation via Unprotected REST API Endpoint 7,396,187
InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 – Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation 4,900,149
Discount Rules for WooCommerce <= 2.0.2 – Missing Authorization 4,130,808
GutenKit <= 2.1.0 – Unauthenticated Arbitrary File Upload 3,004,924
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API 2,816,042

 

Top 10 Attacking Countries

The following section highlights the top 10 countries engaged in initiating attacks against WordPress websites.

Top Attacking Countries

Top 10 Attacking IP Addresses

The following are the top 10 IP Addresses engaged in targeting WordPress website vulnerabilities.

IP Address Total Requests
89.248.172.183 156,094,751
5.188.87.40 92,566,462
172.207.123.72 57,931,778
4.241.208.113 45,788,697
213.209.143.137 35,443,226
121.127.34.120 32,976,689
179.60.150.123 31,428,873
195.24.236.121 29,041,718
195.24.236.120 24,919,507
66.42.97.37 24,686,965

 

Top 5 “Generic” Vulnerability Types Targeted By Attackers

This section highlights the most attacked common vulnerability types.

Top 5 Blocked Generic WAF Rules

Password Attacks Data Highlights

Did you know? Wordfence includes a robust suite of password protection features, all available in the free version of the plugin. Features like Two-Factor Authentication (2FA), blocking logins using known compromised passwords, and preventing brute-force login attempts help safeguard your WordPress users and administrators from unauthorized access.

Brute Force Attacks Blocked
13.8B
-28.0% from previous quarter
Unique IPs in Brute Force
40.9M
+59.3% from previous quarter
Avg Requests Per IP
338
-54.8% from previous quarter

Total Password Attacks Blocked by the Wordfence Firewall Over Q4

The following chart highlights how many password attacks the Wordfence Firewall has blocked over the course of Q4.

Password Attacks Blocked Over Period

Top 10 Countries with the Most Distinctly Unique IP Addresses Engaged in Password Attacks

The following chart highlights countries with the most unique IP addresses originating from them engaged in password attacks.

Top 10 Countries with Distinctly Unique IP Addresses Engaged in Password Attacks

Top 10 Countries with the Highest Volume of Password Attacks Blocked

While the above chart highlights countries with the most unique IP Addresses targeting them. The following chart highlights countries with the most password attack activity based on number of requests, rather than distinctly unique IP Addresses.

Top 10 Countries by Total Password Attacks

Password Attacks Blocked by Type

This section highlights what password attack techniques are the most common.

Password Attacks Blocked by Type

Wordfence Malware Intelligence Report for Q4 2025

This section highlights common trends and patterns in malware attack data across the sites Wordfence protects.

No security solution would be complete without malware detection or scanning. It’s a critical element to website security that if your site gets hacked, it gets detected so that you can take swift remedial action to protect your business and brand reputation.

Did you know? Wordfence’s Malware Signatures are used to provide protection on your site. They are not just used for detecting a compromise, they are also used for blocking uploads of malicious files that match our malware signatures through the Wordfence Firewall.

Malware Attack Data Highlights

Unique Malware Files
28.8M
-14.4% from previous quarter
Malware Signatures Released
110
-52.2% from previous quarter
Sites with Malware
467K
-5.7% from previous quarter
Avg Infected Files Per Site
55.0
-11.3% from previous quarter
Avg Malware Variations Per Site
2.6
+0.0% from previous quarter

Number of Distinct Sites With Malware Detected Over Q4

The following chart highlights the average amount of sites with at least once piece of malware detected over the course of Q4.

Total Number of Distinct Sites With Malware Each Day

Malware Detected by File Type

The following chart highlights the most commonly detected malware based on file type. PHP files are often associated with webshells, backdoors, infostealers, and skimmers while files like JavaScript and HTML are often associated with spam.

Malware Detected by File Type

Malware Detected Based on Uploaded Location

The following chart highlights where malware is most commonly uploaded.

Most Common Directory Malware Detected In

Report Archives for Q4 2025

Access the complete collection of detailed vulnerability and bug bounty reports published during Q4 2025. These archives provide comprehensive documentation of all security issues identified and addressed throughout the quarter.

Weekly Vulnerability Report Archive

In case you missed any of the weekly vulnerability reports from Q4, you can find the complete list of them here:

Monthly Bug Bounty Report Archive

If you missed any of the monthly Bug Bounty Program Reports from Q4, you can find those all here:

Conclusion: Key Takeaways For Site Owners

When it comes to securing your WordPress site, a defense-in-depth strategy is essential. No single solution can stop every attack, but by layering protection, detection, and active monitoring, you dramatically reduce your risk and increase your ability to respond quickly when threats emerge.

Protection

The first line of defense is preventing attacks from succeeding in the first place. A strong firewall, timely vulnerability patches, and hardened configurations help block malicious traffic before it ever reaches your site. By leveraging Wordfence’s threat intelligence, you’re protected against the latest exploits that attackers are actively using in the wild. This proactive protection ensures your site is guarded not just against known threats, but against emerging attack patterns.

Detection

Even the best defenses can be tested, which is why detection is critical. Comprehensive scanning helps identify vulnerabilities, malware, or suspicious changes on your site that could signal an attempted compromise. With Wordfence’s real-time scanning powered by global attack data, you gain visibility into threats that may have slipped past other layers of defense, allowing you to act before they cause serious damage.

Active Monitoring

Continuous monitoring serves as your early warning system. Real-time alerts about critical events, login attempts, and file changes help you stay ahead of threats. Wordfence’s comprehensive monitoring doesn’t just tell you something happened, it provides the context and intelligence you need to understand the severity and respond appropriately. This constant vigilance means you’re never flying blind when it comes to your site’s security posture.

Security isn’t a “set it and forget it” task. Active monitoring ensures your site is continuously observed for suspicious behavior, login attempts, and traffic anomalies. Attackers often probe sites for weaknesses over time; having real-time monitoring means you’ll know immediately if your site is being targeted. Wordfence’s monitoring tools provide alerts and insights so you can take swift action, whether that’s blocking an attacker, tightening access, or responding to a detected vulnerability.

By combining protection, detection, and monitoring, you create a strong defense-in-depth strategy for your WordPress site. Wordfence brings all three layers together in one solution, making it simple to secure your site and stay ahead of attackers. Install Wordfence today and put industry-leading security to work for you.

The post Quarterly WordPress Threat Intelligence Report – Q4 2025 appeared first on Wordfence.

Leave a Comment