Security Weekly

What Will WordPress Security Look Like in 2025?

Oliver Sild

Patchstack

Oliver Sild is the CEO and Co-founder of Patchstack. He is an entrepreneur and cyber security expert with a strong focus on community building. He has been organising hacking competitions (& local CTF community) in Estonia since 2016, has kickstarted a startup community in his hometown and has nearly 10 years of experience with WordPress security.

Week 48

I was thinking whether to leave this as the last Security Weekly, but I reckon that releasing this in the middle of the holidays would most likely not get it the attention it deserves.

So, taking into account all of the data and what has happened during 2024, let’s do what should never be done – predict the future. Just keep in mind that this is my personal opinion and an “educated guess”.

Increased volume of cyber attacks

Cyber attacks are mostly motivated by money or politics, so when the global economy is shaky, cyber crime is always at its peak. The past couple of years have been extremely turbulent, and this does not seem likely to end in 2025.

What makes matters somewhat worse is the general availability of GenAI tools, which are increasingly being used to generate new malware variants that evade signature-based scanners and to automate vulnerability scanning and exploitation.

As of writing this post, we already see that the number of security vulnerabilities found in the WordPress ecosystem increased by 21% in 2024 compared to 2023. This growth is directly connected to the number of new opportunities attackers get to launch wide-scale attacks.

Top threats to look out for:

  • New security vulnerabilities found in plugins/components
    • Pay extra attention to abandoned software.
    • Hackers can mass-exploit vulnerabilities faster than ever.
  • Info-stealers, session hijacking & leaked passwords
    • Unfortunately, this is a relatively difficult issue to resolve, and it relies heavily on end-user cyber hygiene.
  • Phishing and scams
    • Humans remain the weakest link. AI makes scamming & phishing easier than ever.
  • Malware is becoming harder to detect
    • GenAI is being used to generate new malware for every infection, so signatures and patterns are losing their effectiveness.

Change of wind in security workflows

With the increased number of threats and new regulations pushing more and more into the WordPress ecosystem, many changes need to be made to core workflows and development practices.

Something that will start getting wider adoption in 2025 is SBOM (software bill of materials) reports, which are connected to many regulations addressing software supply chain security.

This requires work both from web developers building websites and from developers building plugins. Software supply chain security and vulnerability management are becoming mandatory through regulations such as the Cyber Resilience Act and certifications such as SOC 2 and PCI.

This will take some time, as it will move from the top down: enterprise and public sector customers will ask for these things from their agencies and developers, and agencies will in turn ask for them from the plugin developers whose software they use in their projects.
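To make the SBOM point concrete, here is an added example (not code from the article or from Patchstack) that builds a minimal CycloneDX-style component inventory from the header comment blocks WordPress reads from each plugin's main PHP file. The plugin files below are constructed samples for illustration; the header field names (Plugin Name, Plugin URI, Version, Author, License) are the ones WordPress itself recognises, and the output keys follow the CycloneDX JSON schema.

```python
import json
import re
from typing import Dict, List

# Constructed sample: the header comment blocks WordPress reads from a plugin's
# main PHP file. These are made-up plugins and URLs, not real ones.
SAMPLE_PLUGIN_FILES = {
    "example-forms/example-forms.php": """<?php
/**
 * Plugin Name: Example Forms
 * Plugin URI:  https://example.invalid/example-forms
 * Version:     2.4.1
 * Author:      Example Co
 * License:     GPLv2 or later
 */
""",
    "demo-seo/demo-seo.php": """<?php
/*
Plugin Name: Demo SEO
Version: 0.9
Author: Demo Author
*/
""",
    # A file with no plugin header must be skipped, not inventoried.
    "not-a-plugin/readme.txt": "Just a readme, no plugin header here.\n",
}

# Header fields WordPress recognises (subset) -> key used in the inventory.
HEADER_FIELDS = {
    "Plugin Name": "name",
    "Plugin URI": "uri",
    "Version": "version",
    "Author": "author",
    "License": "license",
}

# One header line: optional comment decoration, a known field name, a colon, the value.
_HEADER_RE = re.compile(
    r"^[ \t/*#@]*(Plugin Name|Plugin URI|Version|Author|License):\s*(.+?)\s*$",
    re.MULTILINE,
)


def parse_plugin_header(source: str) -> Dict[str, str]:
    """Extract recognised header fields from the first 8 KB of a plugin file
    (WordPress also only inspects the start of the file). First match wins."""
    head = source[:8192]
    fields: Dict[str, str] = {}
    for match in _HEADER_RE.finditer(head):
        key = HEADER_FIELDS[match.group(1)]
        fields.setdefault(key, match.group(2))
    return fields


def build_sbom(plugin_files: Dict[str, str]) -> dict:
    """Turn {path: file contents} into a CycloneDX 1.5-shaped document.
    Files without a Plugin Name header are not plugin entry points and are skipped."""
    components: List[dict] = []
    for path, source in sorted(plugin_files.items()):
        header = parse_plugin_header(source)
        if "name" not in header:
            continue
        component = {
            "type": "library",
            "name": header["name"],
            # "unknown" is deliberate: a missing version is itself a finding,
            # because it cannot be matched against any advisory.
            "version": header.get("version", "unknown"),
            "properties": [{"name": "wordpress:plugin-file", "value": path}],
        }
        if "uri" in header:
            component["externalReferences"] = [{"type": "website", "url": header["uri"]}]
        if "license" in header:
            component["licenses"] = [{"license": {"name": header["license"]}}]
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": components,
    }


if __name__ == "__main__":
    print(json.dumps(build_sbom(SAMPLE_PLUGIN_FILES), indent=2))
```

In a real deployment the dictionary would be filled by walking `wp-content/plugins/`, and the resulting name/version pairs are what a vulnerability feed is matched against, which is the vulnerability-management half of the regulatory requirements mentioned above. Plugins whose header carries no version string show up as "unknown" on purpose, so they are visible rather than silently unmatchable.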

Increased security awareness

With the volume of cyber crime going up and regulators pushing every stakeholder to adopt more mature security practices – security awareness across the entire ecosystem will increase.

This is great news, but it also means that companies looking to get a WordPress website will have security concerns early on in the process. Developers and agencies need to address security proactively.

Hosting companies are already well aware of this, and if agencies and freelancers don’t pay enough attention to it – a lot of money from the agency economy will move, via maintenance services, to the hosting segment.

Brought to you by:

Patchstack auto-mitigates security vulnerabilities found in WordPress core, plugins and themes. Patchstack is the leading vulnerability intelligence provider in the entire WordPress ecosystem and has the largest collection of vulnerability-specific vPatch rules that provide precision protection without any performance hit or false positives. Patchstack is the go-to security provider for many of the leading agencies such as 10up, Valet, SiteCare and others.
