{"id":220,"slug":"wordfence-2024-attack-volume-54b-requests","title":"Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day","kind":"reference","scope":"business","status":"current","audiences":["kevin","claude-code","candid-team"],"topics":["wordpress","security-vulnerabilities"],"reference_body":"**Claims (Wordfence 2024 Annual WordPress Security Report, April 8, 2025):**\n\n- \"Wordfence blocked and logged **over 54 billion malicious requests**, and blocked over 55 billion password attacks in 2024\"\n- \"In 2024, **8,223 vulnerabilities were published**… roughly a **68% increase** from 2023\"\n- \"Plugin vulnerabilities remain the biggest software threat to WordPress, accounting for **96% of all vulnerabilities** disclosed\" (only 5 affected core)\n- \"Roughly **35% of the vulnerabilities disclosed in 2024 remain unpatched** in 2025\"\n- \"Wordfence saw just under **one million distinct sites infected** with malware… roughly **325,000 - 350,000 infected sites on any given day**\"\n\n**Source:** <https://wordfence.com/blog/2025/04/2024-annual-wordpress-security-report-by-wordfence/>\n\n**Confidence:** Verified.\n\n**This is the ambient background radiation an unmaintained WordPress site is exposed to.** The +68% YoY growth in disclosed vulns means the maintenance burden of any large plugin stack is itself growing. Related: [[patchstack-2024-vuln-disclosure-4166-96pct-plugins]], [[patchstack-1614-plugins-removed-2024]].","rationale_body":null,"metadata":null,"links":{"outgoing":[{"slug":"patchstack-2024-vuln-disclosure-4166-96pct-plugins","title":"Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"patchstack-91pct-vulns-in-plugins-2026","title":"Patchstack 2026: 91% of new WordPress vulnerabilities are in plugins; only 6 CVEs in core","kind":"reference","scope":"business","link_type":"relates-to"}],"incoming":[{"slug":"sucuri-2023-39pct-cms-outdated-at-infection","title":"Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"rule-reduce-plugin-count-as-security-discipline","title":"RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule.","kind":"rule","scope":"business","link_type":"depends-on"},{"slug":"research-brief-built-to-last","title":"Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15)","kind":"reference","scope":"business","link_type":"relates-to"},{"slug":"bricks-cve-2024-25600-exploited-24h","title":"Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release","kind":"reference","scope":"business","link_type":"relates-to"}]},"created_at":"2026-05-22T19:58:12.812Z","updated_at":"2026-05-22T19:58:12.812Z"}