# WordPress Security in 2026 — What's Changed and What Hasn't

WordPress core is more secure than ever. Most breaches still happen because of weak passwords and outdated plugins.

## The Security Landscape
WordPress runs more than 40% of all websites, which makes it the most attacked CMS by sheer volume. But the reality is more nuanced than "WordPress is insecure." Core is well-maintained and patched quickly. The vulnerabilities that actually get exploited are almost always in the surrounding ecosystem: plugins, themes, hosting, and the people holding the passwords.
### What's Improved
**Automatic security updates.** Core security and maintenance releases are pushed as background updates, enabled by default, so the patch usually lands on a site within hours of the release, before most admins have read the announcement. Note what this covers: core only. Plugin and theme auto-updates are opt-in, per plugin, and have to be switched on.
**The block editor** closed some of the XSS (cross-site scripting) vectors the classic editor had, because block content is parsed into a structured representation before it is rendered. The caveat: stored content is still HTML, KSES still does the filtering for users without the `unfiltered_html` capability, and output escaping in themes and plugins matters exactly as much as before.
**Newer PHP.** Most of the ecosystem now runs on PHP 8, and WordPress's minimum PHP requirement has crept upward, but that minimum has historically lagged well behind the PHP releases that still receive security fixes. The gain comes from the host's PHP version, not from core enforcing one: check which PHP release your site actually runs and make sure it is still supported upstream.
**Application passwords** (in core since WordPress 5.6) replace reusing the real account password for REST API and XML-RPC access. Each integration gets its own revocable credential, and you can cut one off without touching the account. Two caveats: the credential is sent as HTTP Basic authentication, so it is only safe over HTTPS (core disables the feature on plain-HTTP sites by default), and it carries every capability of the account it belongs to, so issue integration credentials from a limited-role user rather than an administrator.
### What Hasn't Changed
**Weak passwords remain the #1 attack vector.** Credential stuffing and brute force against wp-login.php never stop, and the same guessing runs against xmlrpc.php, where `system.multicall` lets an attacker try hundreds of passwords in a single request; a wp-login.php rate limit does nothing there unless the tool also watches xmlrpc.php. Passwords like "password123" still turn up on hacked sites.
**Outdated plugins cause the large majority of WordPress breaches.** The bulk of disclosed WordPress vulnerabilities are in plugins and themes, not core, and a plugin with a published vulnerability that hasn't been updated is an open door: the exploit is public, scanners fingerprint the version, and the attack is fully automated.
**Shared hosting with no isolation** lets one hacked site compromise its neighbors. When every site on the server runs PHP as the same system user, a web shell dropped on a neighbor's site can read your wp-config.php, and no file permission setting on your side changes that.
**File permission misconfigurations** still leave sites exposed. A world-readable wp-config.php, which holds the database password and the auth salts, is more common than it should be, and so is a 777 uploads directory set once to make an upload error go away.
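What that guessing looks like in an access log, as an added example that is not part of the original post and not Envosta's tooling: a small POSIX shell function that reads combined-format log lines and flags source IPs that exceed a threshold of failed wp-login.php POSTs or xmlrpc.php POSTs. The log lines are constructed for the demo (RFC 5737 documentation addresses), and the 5-request threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example (not Envosta's tooling): spot wp-login.php / xmlrpc.php brute force
# in a slice of web-server access log (combined log format). The log lines below
# are constructed for the demo; the IPs are RFC 5737 documentation addresses.
set -eu

# Read combined-format access log lines on stdin and print one line per source
# IP that made at least THRESHOLD suspicious requests, as "count ip target".
# A failed wp-login.php login re-renders the form with HTTP 200, while a
# successful one answers 302, so only 200s are counted there. xmlrpc.php is
# counted on any POST, because system.multicall hides many guesses in one request.
flag_login_bruteforce() {
    threshold=${1:-5}
    awk -v thr="$threshold" '
        # combined log: $1=client IP, $6="POST (leading quote), $7=path, $9=status
        $6 == "\"POST" && index($7, "/wp-login.php") == 1 && $9 == "200" { login[$1]++ }
        $6 == "\"POST" && index($7, "/xmlrpc.php") == 1                  { rpc[$1]++ }
        END {
            for (ip in login) if (login[ip] >= thr) printf "%d %s wp-login.php\n", login[ip], ip
            for (ip in rpc)   if (rpc[ip]   >= thr) printf "%d %s xmlrpc.php\n",  rpc[ip],   ip
        }' | sort -rn
}

# Constructed sample: one attacker hammering wp-login.php, one hammering
# xmlrpc.php, and a legitimate admin who mistypes twice and then logs in (302).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [12/Mar/2026:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.22 - - [12/Mar/2026:08:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2026:08:01:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2026:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Mar/2026:08:01:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 21033 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Mar/2026:03:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 682 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Mar/2026:03:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 682 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Mar/2026:03:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 682 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Mar/2026:03:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 682 "-" "Mozilla/5.0"
203.0.113.99 - - [12/Mar/2026:03:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 682 "-" "Mozilla/5.0"
EOF
)

# Prints the two attackers and nothing about the admin.
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
```

On a real server you would feed it a tail of the log (for example `tail -n 5000 access.log | flag_login_bruteforce 20`) and turn the flagged IPs into a block list; the same two rules, written as a regex, are what a fail2ban filter or a WAF rate-limit rule matches on. Counting xmlrpc.php POSTs at all is the point most login-limiting setups miss.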
### The Fix
1. Use strong, unique passwords from a password manager, for every account that can log in, not just the administrators.
2. Enable two-factor authentication on all admin accounts. 2FA plugins guard wp-login.php only; xmlrpc.php still accepts the plain account password, so disable it unless something you run needs it.
3. Keep core, plugins and themes updated, or enable auto-updates and check that they are actually running.
4. Use managed hosting with site isolation (not shared hosting); at minimum, each site should run under its own system user.
5. Remove unused themes and plugins entirely. A deactivated plugin's files are still on disk and still reachable by direct request.
6. Set proper file permissions: 644 for files, 755 for directories, and 600 (or 640 with the web server's group) for wp-config.php.
7. Limit login attempts at the web server or with a plugin that also covers xmlrpc.php. Renaming wp-login.php is obscurity, not a control; the rate limit is the control.
8. Use a Web Application Firewall (WAF).
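Step 6 is usually handed to a script. As an added example that is not part of the original post and not Envosta's onboarding tooling, a POSIX shell audit of the permission baseline: it lists anything under the docroot that group or others can write, flags a world-readable wp-config.php, and applies 644/755 with a tighter mode on wp-config.php. It assumes the standard layout with wp-config.php in the docroot; the demo tree at the bottom is constructed in a temporary directory, so running it touches nothing on a real site.

```shell
#!/bin/sh
# Added example (not Envosta's tooling): audit and fix file permissions under a
# WordPress docroot. The demo at the bottom builds a throwaway tree in a temp
# directory, so running this touches nothing on a real site.
set -eu

# List entries that group or others may write to, plus wp-config.php if others
# may read it. Returns 0 when nothing is found, 1 otherwise.
audit_wp_perms() {
    dir=$1
    status=0
    # -perm -020 / -002: group- or world-writable; symlinks are skipped.
    writable=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$writable" ]; then
        printf 'group/world-writable:\n%s\n' "$writable"
        status=1
    fi
    # wp-config.php holds the DB password and auth salts; "others" must not read it.
    if [ -f "$dir/wp-config.php" ] && [ -n "$(find "$dir/wp-config.php" -perm -004)" ]; then
        printf 'world-readable: %s\n' "$dir/wp-config.php"
        status=1
    fi
    return $status
}

# Apply the baseline from the list above: 755 on directories, 644 on files,
# and a tighter mode on wp-config.php. Use 600 when PHP runs as the file owner
# (one PHP-FPM pool per site); use 640 with the web-server group as group owner
# when PHP runs as a different user, otherwise PHP cannot open the file and the
# site goes down.
fix_wp_perms() {
    dir=$1
    cfg_mode=${2:-600}
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then
        chmod "$cfg_mode" "$dir/wp-config.php"
    fi
}

# Demo on a constructed tree with two common mistakes: an uploads directory
# chmod 777 "to fix upload errors" and a world-readable wp-config.php.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf "<?php define('DB_PASSWORD', 'example-only');\n" > "$demo/wp-config.php"
: > "$demo/wp-content/uploads/photo.jpg"
chmod 777 "$demo/wp-content/uploads"
chmod 644 "$demo/wp-config.php"

echo "== before =="
audit_wp_perms "$demo" || true
fix_wp_perms "$demo"
echo "== after =="
audit_wp_perms "$demo" && echo "no findings"
rm -rf "$demo"
```

Run `audit_wp_perms` against the docroot from cron and alert on a non-zero exit; a newly writable directory is often the first sign of a web shell. Which wp-config.php mode is right depends on who PHP runs as: 600 when PHP-FPM runs the site's pool as the file owner, 640 plus `chgrp` to the web server's group (for example `www-data`, an assumption about your host) when the web server is a different user. On a shared host where every site's PHP runs as one user, none of this stops a compromised neighbor, which is why step 4 comes before step 6.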
### Our Approach
At Envosta, security hardening is part of every onboarding. We configure two-factor auth, set file permissions, install a WAF, enable auto-updates, and monitor for vulnerabilities — all before your site goes live. Security isn't an add-on. It's a baseline.