I’ve read through Wordfence’s 2024 Annual WordPress Security Report.
It seems we need to keep the following points in mind.
・The number of disclosed vulnerabilities increased significantly in 2024. Some remain unpatched as of 2025.
・Plugin vulnerabilities accounted for 96% of all disclosed vulnerabilities.
・Many vulnerabilities existed in plugins/themes with low active installations.
・There was a high volume of malicious requests, particularly XSS and SQLi.
・Password attacks showed an overall downward trend as an attack method, while attacks targeting software vulnerabilities increased.
WordPress site administrators must utilise security tools such as firewalls, malware scanners, vulnerability scanners, and two-factor authentication to protect their sites.
While the sheer number of vulnerabilities may seem overwhelming, the majority remain low-risk provided appropriate defences are in place (WAF, continuous monitoring, prompt patching, etc.).
Official information is available here.
https://www.wordfence.com/blog/2025/04/2024-annual-wordpress-security-report-by-wordfence
