I want to share some numbers that made me put down my coffee this morning.
661 new WordPress vulnerabilities were disclosed in a single week. That’s according to SolidWP’s report from February 4th, 2026. Of those, 164 have no patch available at all.
Let that sink in. That’s not 661 vulnerabilities discovered over a year, or a quarter. That’s one week. Seven days.
Wait, Is WordPress Broken?
Here’s what’s interesting: WordPress core isn’t the problem. The same week, WordPress 6.9.1 shipped with 49 bug fixes. The core team is doing their job.
The vulnerabilities? 638 were in plugins. 23 in themes. That’s 96.5% of the problem sitting in third-party code.
This is the trade-off we’ve all accepted: WordPress’s greatest strength—its massive ecosystem of plugins that let you do almost anything—is also its biggest security risk.
Why Is This Happening Now?
Two words: artificial intelligence.
Security researchers now have AI tools that can scan code for vulnerabilities at speeds that were impossible a few years ago. What used to take weeks of manual review can happen in hours.
That’s good news and bad news wrapped together:
- Good: Vulnerabilities are being found and disclosed faster, giving plugin developers a chance to fix them.
- Bad: The same AI tools are available to attackers. If there’s any kind of vulnerability, you want to patch it before someone exploits it.
Kathy Zant, a respected voice in WordPress security, put it bluntly: “AI is being used both by attackers to create advanced malware, exploit vulnerabilities, and launch sophisticated scams. If there is any kind of vulnerability, you want to be the first to patch it, not the last.”
The Math That Should Worry You
A typical small business WordPress site runs 15-30 plugins. If 638 plugin vulnerabilities were disclosed in one week, and your site has 25 plugins, there’s roughly a one in four chance you’re running something with a known flaw right now.
Not “might eventually be at risk.” Right now.
And that 164 unpatched number? Those are vulnerabilities where there’s no fix available. The plugin developer might not even know about it yet. Or worse—they know, and they’re not responding.
What Can You Actually Do?
I’m not here to make you panic. Here’s what practical site security looks like in 2026:
1. Update everything. Today.
Go to your WordPress dashboard. Updates > Update All. Do it now. Automatic updates are your friend—turn them on if you haven’t. Use a website manager to update plugins remotely.
2. Audit your plugins ruthlessly.
How many plugins do you actually use? If you installed something two years ago “just to try it” and it’s still sitting there inactive—delete it. Every plugin is a potential door, even if it’s not activated. Fewer doors = fewer ways in.
3. Check when plugins were last updated.
If a plugin hasn’t been updated in over a year, that’s a red flag. The developer may have abandoned it, which means security issues won’t get fixed. Find an alternative or remove it.
4. Use a security plugin (and actually pay attention to it).
Wordfence, Solid Security (formerly iThemes Security), Sucuri—pick one. They’ll alert you when plugins have known vulnerabilities. The hard part is actually acting on those alerts.
5. Backups are your insurance policy.
If something goes wrong, a clean backup from yesterday is worth its weight in gold. Make sure your hosting provider’s backups actually work, or use a dedicated backup solution.
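Steps 1 to 3 above can be turned into a repeatable check rather than a manual dashboard walk. The script below is an added example written for this post, not code from SolidWP, WP-CLI or any of the plugins mentioned. It assumes two inputs: the JSON that the real WP-CLI command `wp plugin list --format=json` prints (its `name`, `status`, `version` and `update` fields are real), and a mapping from plugin slug to the date of its last release on wordpress.org, normalised by the caller to YYYY-MM-DD (the live plugin_information API reports that date in a different string format, so a real run would convert it first). Both inputs here are constructed samples.

```python
"""Audit a WordPress site's plugin list for the three checks the post asks for:
pending updates, inactive plugins that should be removed, and plugins whose
last release is more than a year old (likely abandoned).

Added example; not the post's own code or any plugin's code.
"""
import json
from datetime import date, timedelta

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "akismet",        "status": "active",   "update": "none",      "version": "5.3"},
    {"name": "contact-form-7", "status": "active",   "update": "available", "version": "5.8"},
    {"name": "old-gallery",    "status": "inactive", "update": "none",      "version": "1.2"},
    {"name": "slider-thing",   "status": "active",   "update": "none",      "version": "2.0"},
])

# Constructed sample of last-release dates, keyed by plugin slug. In a real run
# these would come from the wordpress.org plugin_information API; a plugin that
# is not hosted on wordpress.org simply has no entry.
SAMPLE_LAST_UPDATED = {
    "akismet": "2026-01-20",
    "contact-form-7": "2025-12-01",
    "old-gallery": "2023-06-10",
    "slider-thing": "2024-11-15",
}

# The post's red-flag threshold: no release in over a year.
STALE_AFTER = timedelta(days=365)


def audit_plugins(plugin_list_json, last_updated, today_iso):
    """Return findings grouped by the action the site owner should take.

    plugin_list_json: string, output of `wp plugin list --format=json`.
    last_updated:     dict slug -> "YYYY-MM-DD" of the plugin's last release.
    today_iso:        "YYYY-MM-DD" for the day the audit runs.
    """
    today = date.fromisoformat(today_iso)
    findings = {"update_now": [], "remove_inactive": [], "stale": []}

    for plugin in json.loads(plugin_list_json):
        slug = plugin["name"]

        # Step 1: anything with an update pending goes to the top of the list.
        if plugin.get("update") == "available":
            findings["update_now"].append(slug)

        # Step 2: inactive code is still reachable on disk; remove it.
        if plugin.get("status") == "inactive":
            findings["remove_inactive"].append(slug)

        # Step 3: a plugin with no release in a year, or one we cannot look up
        # at all, is treated as stale so it gets a human review.
        released = last_updated.get(slug)
        if released is None or today - date.fromisoformat(released) > STALE_AFTER:
            findings["stale"].append(slug)

    return findings


def render(findings):
    """Plain-text report, one section per action."""
    lines = []
    for action, slugs in findings.items():
        lines.append(f"{action}: {', '.join(slugs) if slugs else '(none)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed samples with a fixed audit date.
    print(render(audit_plugins(SAMPLE_PLUGIN_LIST, SAMPLE_LAST_UPDATED, "2026-02-05")))
```

Treating a plugin that cannot be looked up as stale is a deliberate choice: a premium or custom plugin that never appears on wordpress.org still needs someone to confirm it is maintained, and silently skipping it would hide exactly the abandoned code the post warns about.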
The Uncomfortable Truth
Here’s what I keep coming back to: this is the new normal.
The disclosure rate has outpaced the patching rate. Most plugin developers are small teams or solo developers who simply can’t keep up: AI-powered security scanning finds bugs faster than they can fix them.
That doesn’t mean WordPress is doomed. It means site owners need to be more active participants in their own security. You can’t just set up a site and forget about it anymore.
One More Thing
If you’re reading this and thinking “this doesn’t apply to me, I’m just a small site”—that’s exactly what attackers are counting on. Automated attacks don’t care how big you are. They scan everything, exploit everything, and use compromised sites to attack other targets.
Your little blog could be someone else’s launchpad.
661 vulnerabilities in one week. 164 with no fix. Now would be a good time to check your plugins.