Wordfence 2020 threat report feature image

The Wordfence 2020 WordPress Threat Report

Over the course of 2020, and in the process of protecting over 4 million WordPress customers, the Wordfence Threat Intelligence team gathered a massive amount of raw data from attacks targeting WordPress and infection trends, in addition to the malware samples gathered by our Site Cleaning team. Attacks on WordPress can be categorized in three major categories, with malicious login attempts and vulnerability exploit attacks predictably leading the way. In a surprising trend, nulled plugin malware also staked its claim as a prominent intrusion vector.

In this report, we provide an overview of the primary threats targeting the WordPress ecosystem as well as recommendations for effective mitigation.

90 Billion Malicious WordPress Login Attempts

Over the course of 2020, Wordfence blocked more than 90 billion malicious login attempts from over 57 million unique IP addresses, at a rate of 2,800 attacks per second targeting WordPress.

Malicious login attempts were by far the most common attack vector targeting WordPress sites. These attempts included credential stuffing attacks using lists of stolen credentials, dictionary attacks, and traditional brute-force attacks.

Key Takeaway: Use Multi-Factor Authentication to Protect WordPress

While the vast majority of malicious login attempts targeting WordPress are destined to be unsuccessful, it only takes a single successful login to compromise a WordPress site. The brute-force mitigation provided by Wordfence is very effective, and using multi-factor authentication adds another layer of protection to WordPress logins.

Multi-factor authentication can completely prevent attackers from gaining access to a site via automated login attempts. This holds true even in unfortunate cases where user accounts on a WordPress site are reusing credentials that have been exposed in a data breach and haven’t yet been updated.

Wordfence offers free login security options within the full featured Wordfence Security plugin. We also offer free login security, including multi-factor authentication, via the standalone Wordfence Login Security plugin.

4.3 Billion Vulnerability Exploit Attempts Targeting WordPress

Wordfence blocked 4.3 billion attempts to exploit vulnerabilities from over 9.7 million unique IP addresses in 2020. Here were the five most common attacks over the course of the year:

Pie Chart showing attacks by type

  1. Directory Traversal attacks, including relative and absolute paths, made up 43% of all vulnerability exploit attempts, at 1.8 billion attacks. While the majority of these were attempts to gain access to sensitive data contained in site wp-config.php files, many were also attempts at local file inclusion (LFI).
  2. SQL Injection was the second most commonly attacked category of vulnerabilities at 21% of all attempts with 909.4 million attacks.
  3. Malicious file uploads intended to achieve Remote Code Execution(RCE) were the third most commonly attacked category of vulnerabilities at 11% of all attempts with 454.8 million attacks.
  4. Cross-Site Scripting(XSS) was the fourth most commonly attacked category of vulnerabilities at 8% of all attempts with 330 million attacks.
  5. Authentication Bypass vulnerabilities were the fifth most commonly attacked category of flaws at 3% of all attempts with 140.8 million attacks.

Key Takeaway: Use a WAF to Protect Your WordPress Site

A Web Application Firewall, such the Wordfence WAF, is absolutely critical to keeping your WordPress site secure. Nearly every one of the 4 million sites in our network experienced at least one of each of these attacks over the course of 2020.

Wordfence is the leading WordPress firewall solution and is continually updated to protect against existing and emerging WordPress attacks. In 2020, we deployed 108 new rules to the Wordfence firewall to protect our customers from unique exploits.

Wordfence Premium customers also benefit from our IP blocklist which is extremely effective at blocking known bad actors. While the Wordfence Premium blocklist generally consists of 15,000 to 40,000 unique IP addresses at any given time, the list is continually updated as new attackers emerge and as infected servers are cleaned. For the entire year, the Wordfence Premium blocklist prevented 2.55 billion attacks from 628,564 unique IP addresses, each of which spent some time on our blocklist in 2020.

Malware From Nulled Plugins and Themes Is the Most Widespread Threat to WordPress Security

The Wordfence scanner detected more than 70 million malicious files on 1.2 million WordPress sites in the past year. The vast majority of these sites were cleaned by the end of the year. Only 132,000 sites infected at the beginning of 2020 were still infected by the end of the year, many of them likely abandoned.

The WP-VCD malware was the single most common malware threat to WordPress, counting for 154,928 or 13% of all infected sites in 2020. Overall, the Wordfence scanner found malware originating from a nulled plugin or theme on 206,000 sites, accounting for over 17% of all infected sites. Nulled plugins and themes are pirated copies of premium plugins and themes with their license checking features disabled or removed, which typically contain backdoor functionality.

Other obfuscated PHP backdoors made up the remainder of the top 5 most widely detected threats.

Key Takeaway: Educate Yourself and Your Organization About WordPress Security

Policy controls are just as important as technical controls, because insider threats capable of bypassing technical controls can cause immense damage to an organization. This applies to a WordPress site just as much as it does to a Fortune 500 company.

While insider threats are often portrayed as malicious, the vast majority of them are accidental, from clicking a phishing link to installing nulled plugins. Much like phishing links, nulled plugins are specifically designed to take advantage of naive insiders.

The best way to avoid making this kind of mistake is to educate yourself and everyone else in your organization. While a plugin like Wordfence can detect malware originating from a nulled plugin or theme after it has been installed, only proper training can prevent a misguided administrator from accidentally installing it in the first place.


In our review, we identified the three most widespread threats faced by WordPress sites in 2020: malicious login attempts, attempts to exploit vulnerabilities, and malware originating from nulled plugins and themes.

We also explored key takeaways from these threats and how to most effectively mitigate them. While technical controls such as Wordfence can dramatically improve your WordPress site security posture, the human element is always the weakest link in any organization. Education is the best way to make sure your site is secure.

As such, Wordfence is committed to educating the WordPress community about security via the official Wordfence blog, our Think Like a Hacker Podcast, and Wordfence Live which is broadcast every Tuesday, in addition to our presence at many WordPress events. Our Threat Intelligence team works hard to protect every one of our users, and it’s all thanks to the support of our Premium Customers, who make it possible for us to help keep WordPress safe.

This article has been updated to provide further information about Nulled plugins and themes
This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!


  • I alwasy feel somewhat reassured, comforted in having Wordfence protection. What are the primary motivations for these concerted efforts to attack our sites? What do these attackers hope to gain?

    • Hi Dan,

      Chloe has actually written an excellent article about the hacker motive: https://www.wordfence.com/blog/2020/09/the-hacker-motive-what-attackers-are-doing-with-your-hacked-site/
      The main takeaway is that it almost always comes down to a profit motive.

  • Over 90 billion malicious login attempts from over 57 million unique IP addresses, at a rate of 2,800 attacks per second in 2020. The numbers are staggering. I got to give it to Wordfence for making the blocks!

  • One of the best protection additions I have used in a long time is to protect the Adsense account