A survey of 264 professionals who maintain websites based on the WordPress content management system (CMS) finds 96% have been impacted by at least one security incident or event, with just under two-thirds of those respondents (64%) having suffered a full breach.
Conducted by Melapress, a provider of cybersecurity plug-ins for WordPress sites, the survey also finds that, despite the number of incidents and breaches experienced, only 27% said they have a breach recovery plan, with an equal percentage claiming to have implemented team training to improve security.
Melapress CEO Robert Abela said that while WordPress site security has generally improved in recent years, the survey makes it clear there is much work to be done in terms of adopting best cybersecurity practices. For example, among respondents who had experienced hacked or cracked user accounts, 30% still hadn’t implemented any form of user account security controls, and only 59% use a WordPress activity log to detect compromised accounts.
On average, WordPress professionals rate their concern about cybersecurity at roughly 7.5 on a scale of one to ten, with respondents managing e-commerce sites understandably more concerned (8.2) than other survey participants.
Overall, the survey finds that the biggest concern survey respondents have is ensuring website availability (60%), followed by data theft (53%), website defacement (50%) and compliance (26%). However, 32% of those concerned about website defacement and data theft don’t implement any form of user account security controls, such as two-factor authentication. Well over a third of respondents concerned about website defacement also don’t make use of activity logs on their WordPress sites (37%), the survey finds.
The level of WordPress security expertise available will naturally vary from one organization to the next. Many of the websites are maintained by individuals with little to no formal IT training. Unfortunately, WordPress sites are being increasingly targeted by cybercriminals that have learned how to exploit insecure software plug-ins that are often not formally supported by any commercial vendor, noted Abela.
Additionally, many of those plug-ins are now being created using artificial intelligence (AI) coding tools that create additional vulnerabilities that cybercriminals might exploit, he added.
As a general rule, most organizations that are managing WordPress sites would be better off relying on a third party to help secure them, noted Abela.
It’s not clear to what degree cybercriminals are specifically targeting WordPress sites, but defacement has become a common tactic employed by various advocacy groups seeking to embarrass an organization. The challenge is that many of these advocacy groups have, over the years, enjoyed considerable success defacing websites—suggesting WordPress weaknesses are widely known. More troubling still, in the age of artificial intelligence (AI), that knowledge—along with AI automation tools for launching attacks—has become much more accessible, making it all but certain that attacks will increase in both volume and sophistication.
The issue then becomes not so much whether an attack can be prevented as how quickly an organization can recover in a way that minimizes the damage inflicted.