Wordfence 2024: 54 billion malicious requests blocked, ~325-350k sites infected on any given day
Created 2026-05-22
Claims (Wordfence 2024 Annual WordPress Security Report, April 8, 2025):
- "Wordfence blocked and logged over 54 billion malicious requests, and blocked over 55 billion password attacks in 2024"
- "In 2024, 8,223 vulnerabilities were published… roughly a 68% increase from 2023"
- "Plugin vulnerabilities remain the biggest software threat to WordPress, accounting for 96% of all vulnerabilities disclosed" (only 5 affected core)
- "Roughly 35% of the vulnerabilities disclosed in 2024 remain unpatched in 2025"
- "Wordfence saw just under one million distinct sites infected with malware… roughly 325,000 - 350,000 infected sites on any given day"
Source: https://wordfence.com/blog/2025/04/2024-annual-wordpress-security-report-by-wordfence/
Confidence: Verified.
This is the ambient background radiation that any unmaintained WordPress site is exposed to. The roughly 68% year-over-year growth in disclosed vulnerabilities means the maintenance burden of any large plugin stack is itself growing.
Related:
- Patchstack 2024: 4,166 new vulnerabilities, 96% in plugins, 4% in themes, only 7 in core
- Patchstack 2024: 1,614 plugins and themes removed from .org repo for unpatched security issues
Related
Referenced by (4)
- [reference] Sucuri 2023: 39.1% of CMS apps outdated at point of infection (down from 50.58% in 2022) (relates-to)
- [rule] RULE: Plugin count is the WordPress security surface. Audit quarterly; one-in, one-out rule. (depends-on)
- [reference] Research brief: Built to Last — why most SMB sites rebuild every 3-4 years (piece 5 of 15) (relates-to)
- [reference] Bricks CVE-2024-25600: unauthenticated RCE (CVSS 10) — exploited in the wild ~24 hours after patch release (relates-to)