WordPress Security Landscape in Q4 2025: Threats, Vulnerabilities and Protective Measures

Summary

This report analyzes the WordPress security landscape in Q4 2025. More than 2,200 vulnerabilities were discovered in WordPress software, including 131 critical ones. Attackers used these vulnerabilities to launch more than 9 billion attacks. The report gives site owners concrete recommendations on how to protect their websites with Wordfence and detect compromises early.

As the leader in WordPress security, Wordfence provides unparalleled security coverage that fully encompasses protection, active monitoring, detection, and response, all built around our threat intelligence, demonstrating a strong commitment to security. Our mission is to ensure comprehensive defense-in-depth for every layer of a WordPress website’s security. It’s important to understand that a complete security solution requires both protection and detection; while protection is crucial for preventing initial compromises, detection is equally vital for a wholesome WordPress site security strategy.

There’s a Wordfence Option for Every Site Owner

Whether you run a personal blog or manage hundreds of client websites, Wordfence has a plan tailored to your needs:

Wordfence Free – Industry-leading Web Application Firewall (WAF) blocking 95% of known threats out of the box, malware scanning, Two-Factor Authentication (2FA), and more. 30-day delay on malware signatures and new firewall rules.
Wordfence Premium – Real-time firewall and malware signature updates, plus powerful tools like an audit log for deeper insight and monitoring.
Wordfence Care – Around-the-clock monitoring by our team, hands-on remediation if something goes wrong, and priority support for true peace of mind.
Wordfence Response – All the benefits of Wordfence Premium and Care with one hour response times for immediate remediation of security breaches.

This regular report highlights trends and changes in the WordPress security landscape, empowering you as a site owner to proactively protect your website against current vulnerabilities and threats, and to better understand the protections Wordfence provides through its robust threat intelligence.

Threat Intelligence Key Highlights Q4 2025

As the industry leader in WordPress security we have access to attack telemetry and vulnerability intelligence that no other security provider can compare to. We know exactly what vulnerabilities will become a target for threats, what the biggest threats to WordPress are, and how to prioritize remediation and protection for WordPress. The following presents some key highlights of WordPress threats and vulnerabilities in Q4 2025.

Total Vulnerabilities Published: 2,213 (+19.2% from previous quarter)
High Threat Vulnerabilities: 131 (-4.4% from previous quarter)
Common & Dangerous Vulnerabilities: 100 (+28.2% from previous quarter)
WAF Attacks Blocked: 9.1B (-6.1% from previous quarter)
Brute Force Attacks Blocked: 13.8B (-28.0% from previous quarter)
Sites Infected: 467K (-5.7% from previous quarter)

What this means for site owners: Keep plugins and themes updated regularly, enable 2FA, run regular security scans, follow strong password security, and rely on a WAF like Wordfence for protection before vulnerabilities are patched and for continuous monitoring.

Wordfence Vulnerability Intelligence Highlights for Q4 2025

This section breaks down the vulnerabilities disclosed in Q4 2025 along with highlighting any trends or changes from the previous quarter. The Wordfence Bug Bounty Program’s primary mission is to attract the highest quality vulnerability research in the WordPress space based on high impact and high severity vulnerabilities that are the most likely to be exploited. Due to this, you can rest assured knowing that you have the best protection available for vulnerabilities that pose the most significant risk to your site before they are even disclosed to the vendor.

Did you know?
Wordfence provides the most comprehensive vulnerability intelligence for WordPress, with over 29,000 known vulnerabilities cataloged in our database. Our team adds dozens to hundreds of new vulnerabilities every week, ensuring the Wordfence plugin’s vulnerability scanner, and our free Vulnerability Intelligence API, alert you the moment a new vulnerability is detected.

Total Vulnerabilities Published: 2,213 (+19.2% from previous quarter)
Total WAF Rules Released: 20 (+185.7% from previous quarter)

Total Vulnerabilities Published

In Q4, there were 2,213 vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 49.7% of the total. The following chart highlights the trend in new vulnerabilities disclosed over this period.

Total High Threat Vulnerabilities Published

In Q4, there were 131 high threat vulnerabilities added to the Wordfence Intelligence vulnerability database. These vulnerabilities pose the most significant threat to WordPress websites as attackers are very likely to target them in the real world, and they can generally lead to full site compromise with minimal requirements. Often, generic or non-WordPress-specific firewalls do not provide adequate protection against these vulnerabilities. Wordfence was the source of disclosure for 74.8% of those vulnerabilities, highlighting how the Wordfence firewall can provide you with the fastest protection for WordPress vulnerabilities that pose the most significant risk to your WordPress site.

Total Common and Dangerous Vulnerabilities Published

In Q4, there were 100 common and dangerous vulnerabilities added to the Wordfence Intelligence vulnerability database. Wordfence was responsible for remediating and disclosing 69.0% of these common and dangerous vulnerabilities.
These vulnerabilities are some of the most commonly found in WordPress plugins and themes, but are still prime targets for attackers who are looking for low-hanging fruit to exploit.

Patch Status of Reported Vulnerabilities

At the end of Q4, there were 905 vulnerabilities that remained unpatched. This highlights the importance of utilizing a security scanner like Wordfence that will alert you when an unpatched vulnerability is present on your site so you can take remedial action, like removing the software, immediately.

Install Count Distribution of Affected Software

The following highlights the average distribution of install counts for software affected by vulnerabilities reported in this quarter.

Authentication Level To Exploit Distribution

Most vulnerabilities disclosed in Q4 required no authentication to exploit. This is different from Q3 2025, where contributor-level access was required to exploit the majority of vulnerabilities published.

Affected Software Type Distribution (Plugins/Themes/Core)

As usual, the majority of the vulnerabilities disclosed in Q4 were plugin-related vulnerabilities.

Top 10 Vulnerability Classes Published

The following highlights the most commonly published vulnerabilities in Q4 2025.

Vulnerability Type | Total Vulns
CWE 79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 658
CWE 862: Missing Authorization | 611
CWE 352: Cross-Site Request Forgery (CSRF) | 224
CWE 200: Exposure of Sensitive Information to an Unauthorized Actor | 116
CWE 98: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | 109
CWE 89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 107
CWE 434: Unrestricted Upload of File with Dangerous Type | 58
CWE 639: Authorization Bypass Through User-Controlled Key | 58
CWE 918: Server-Side Request Forgery (SSRF) | 36
CWE 22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 27

Vendors Registered for the Vulnerability Management Portal

This quarter, we had 201 vendors sign up to manage their WordPress software’s security through the Vulnerability Management Portal (+2.6% from previous quarter). This covers 1,391 distinct plugins and themes (+14.0% from previous quarter). Vendors who register for the Wordfence Vulnerability Management Portal demonstrate a strong commitment to WordPress security as they are notified in real-time when a new vulnerability has been discovered or reported in their software. If you’re a WordPress vendor and you’d like to sign up for real-time vulnerability alerts and centralized vulnerability management, get started here.

Wordfence Threat Intelligence Summary for Q4 2025

This section highlights the past quarter’s trend among vulnerabilities attackers are targeting and password attacks they are initiating. Threat intelligence is at the heart of Wordfence’s industry-leading security solutions. As the largest security provider for WordPress, we collect and analyze attack telemetry from millions of sites worldwide.
This unparalleled visibility gives us real-time insight into what attackers are targeting and when, empowering us to deliver the fastest and most effective protection for WordPress.

Web Application Firewall (WAF) Attack Data Highlights

Did you know?
Wordfence leverages attack telemetry from over 5 million protected websites to continuously strengthen the security features of the Wordfence plugin. Sites running Wordfence Premium, Care, or Response automatically block IP addresses actively engaged in malicious activity across WordPress, even when those attacks don’t target a known vulnerability, keeping your site safe from the latest and emerging threats.

WAF Rule Requests Blocked/Logged: 9.1B (-6.1% from previous quarter)
Blocked From IP Threat Feed: 2.4B (-10.7% from previous quarter)
Total WAF Rules Released: 20 (+185.7% from previous quarter)
Unique IPs in WAF Attacks: 12.5M (+37.2% from previous quarter)
Unique IPs From Blocklist: 185K (+5.0% from previous quarter)
Unique User Agents: 21.8M (-13.7% from previous quarter)

Total Requests Blocked and Logged by the Wordfence Firewall Over Q4

The following chart highlights how many exploit and probing requests the Wordfence Firewall has blocked over the course of Q4.

Top 10 User Agents Engaged in Exploiting Vulnerabilities

The following chart highlights the top 10 user agents that have been used in exploit and enumeration attempts across the network of sites we protect.

Total Requests | User Agents
1,230,010,914 | Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
979,797,161 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
678,132,313 | Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36
436,568,579 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
110,592,894 | Mozilla/5.0
61,651,173 | Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 OPR/42.0.2393.94
56,593,276 | Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36Team Anon Force
54,811,830 | Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/114.3
54,273,865 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
53,640,437 | SiteLockSpider

Top 10 Unique Vulnerabilities Targeted by Attackers

The following section highlights the top 10 unique vulnerabilities being targeted by attackers.

Vulnerability | Total Blocked Requests
SureTriggers <= 1.0.78 – Authorization Bypass due to Missing Empty Value Check to Unauthenticated Administrative User Creation | 22,272,250
LiteSpeed Cache <= 6.3.0.1 – Unauthenticated Privilege Escalation | 18,876,656
Frontend File Manager < 4.0 & N-Media Post Front-end Form < 1.1 & – Arbitrary File Upload | 11,303,620
WooCommerce Payments 4.8.0 – 5.6.1 Authentication Bypass and Privilege Escalation | 9,548,371
Hunk Companion <= 1.8.4 – Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | 8,141,029
Rank Math SEO <= 1.0.40.2 – Privilege Escalation via Unprotected REST API Endpoint | 7,396,187
InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.38 – Missing Authorization to Unauthenticated API setup/Arbitrary Options Update/Administrative User Creation | 4,900,149
Discount Rules for WooCommerce <= 2.0.2 – Missing Authorization | 4,130,808
GutenKit <= 2.1.0 – Unauthenticated Arbitrary File Upload | 3,004,924
POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API | 2,816,042

Top 10 Attacking Countries

The following section highlights the top 10 countries engaged in initiating attacks against WordPress websites.

Top 10 Attacking IP Addresses

The following are the top 10 IP Addresses engaged in targeting WordPress website vulnerabilities.

IP Address | Total Requests
89.248.172.183 | 156,094,751
5.188.87.40 | 92,566,462
172.207.123.72 | 57,931,778
4.241.208.113 | 45,788,697
213.209.143.137 | 35,443,226
121.127.34.120 | 32,976,689
179.60.150.123 | 31,428,873
195.24.236.121 | 29,041,718
195.24.236.120 | 24,919,507
66.42.97.37 | 24,686,965

Top 5 “Generic” Vulnerability Types Targeted By Attackers

This section highlights the most attacked common vulnerability types.

Password Attacks Data Highlights

Did you know?
Wordfence includes a robust suite of password protection features, all available in the free version of the plugin.
Features like Two-Factor Authentication (2FA), blocking logins using known compromised passwords, and preventing brute-force login attempts help safeguard your WordPress users and administrators from unauthorized access.

Brute Force Attacks Blocked: 13.8B (-28.0% from previous quarter)
Unique IPs in Brute Force: 40.9M (+59.3% from previous quarter)
Avg Requests Per IP: 338 (-54.8% from previous quarter)

Total Password Attacks Blocked by the Wordfence Firewall Over Q4

The following chart highlights how many password attacks the Wordfence Firewall has blocked over the course of Q4.

Top 10 Countries with the Most Distinctly Unique IP Addresses Engaged in Password Attacks

The following chart highlights countries with the most unique IP addresses originating from them engaged in password attacks.

Top 10 Countries with the Highest Volume of Password Attacks Blocked

While the above chart highlights countries with the most unique IP addresses engaged in password attacks, the following chart highlights countries with the most password attack activity based on number of requests, rather than distinctly unique IP addresses.

Password Attacks Blocked by Type

This section highlights what password attack techniques are the most common.

Wordfence Malware Intelligence Report for Q4 2025

This section highlights common trends and patterns in malware attack data across the sites Wordfence protects. No security solution would be complete without malware detection or scanning. It is critical to website security that, if your site gets hacked, the compromise is detected so that you can take swift remedial action to protect your business and brand reputation.

Did you know?
Wordfence’s Malware Signatures are used to provide protection on your site. They are not just used for detecting a compromise; they are also used for blocking uploads of malicious files that match our malware signatures through the Wordfence Firewall.

Malware Attack Data Highlights

Unique Malware Files: 28.8M (-14.4% from previous quarter)
Malware Signatures Released: 110 (-52.2% from previous quarter)
Sites with Malware: 467K (-5.7% from previous quarter)
Avg Infected Files Per Site: 55.0 (-11.3% from previous quarter)
Avg Malware Variations Per Site: 2.6 (+0.0% from previous quarter)

Number of Distinct Sites With Malware Detected Over Q4

The following chart highlights the average number of sites with at least one piece of malware detected over the course of Q4.

Malware Detected by File Type

The following chart highlights the most commonly detected malware based on file type. PHP files are often associated with webshells, backdoors, infostealers, and skimmers, while files like JavaScript and HTML are often associated with spam.

Malware Detected Based on Uploaded Location

The following chart highlights where malware is most commonly uploaded.

Report Archives for Q4 2025

Access the complete collection of detailed vulnerability and bug bounty reports published during Q4 2025. These archives provide comprehensive documentation of all security issues identified and addressed throughout the quarter.

Weekly Vulnerability Report Archive

In case you missed any of the weekly vulnerability reports from Q4, you can find the complete list of them here:

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 29, 2025 to October 5, 2025):
https://www.wordfence.com/blog/2025/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-september-29-2025-to-october-5-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 6, 2025 to October 12, 2025):
https://www.wordfence.com/blog/2025/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-6-2025-to-october-12-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 13, 2025 to October 19, 2025):
https://www.wordfence.com/blog/2025/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-13-2025-to-october-19-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 20, 2025 to October 26, 2025):
https://www.wordfence.com/blog/2025/10/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-20-2025-to-october-26-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (October 27, 2025 to November 2, 2025):
https://www.wordfence.com/blog/2025/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-october-27-2025-to-november-2-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 3, 2025 to November 9, 2025):
https://www.wordfence.com/blog/2025/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-3-2025-to-november-9-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 10, 2025 to November 16, 2025):
https://www.wordfence.com/blog/2025/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-10-2025-to-november-16-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025):
https://www.wordfence.com/blog/2025/11/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-17-2025-to-november-23-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 24, 2025 to November 30, 2025):
https://www.wordfence.com/blog/2025/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-november-24-2025-to-november-30-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 1, 2025 to December 7, 2025):
https://www.wordfence.com/blog/2025/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-1-2025-to-december-7-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 8, 2025 to December 14, 2025):
https://www.wordfence.com/blog/2025/12/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-8-2025-to-december-14-2025/

Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026):
https://www.wordfence.com/blog/2026/01/wordfence-intelligence-weekly-wordpress-vulnerability-report-december-15-2025-to-january-4-2026/

Monthly Bug Bounty Report Archive

If you missed any of the monthly Bug Bounty Program Reports from Q4, you can find those all here:

October: https://www.wordfence.com/blog/2025/11/wordfence-bug-bounty-program-monthly-report-october-2025/
November: https://www.wordfence.com/blog/2025/12/wordfence-bug-bounty-program-monthly-report-november-2025/
December: https://www.wordfence.com/blog/2026/01/wordfence-bug-bounty-program-monthly-report-december-2025/

Conclusion: Key Takeaways For Site Owners

When it comes to securing your WordPress site, a defense-in-depth strategy is essential. No single solution can stop every attack, but by layering protection, detection, and active monitoring, you dramatically reduce your risk and increase your ability to respond quickly when threats emerge.

Protection

The first line of defense is preventing attacks from succeeding in the first place.
A strong firewall, timely vulnerability patches, and hardened configurations help block malicious traffic before it ever reaches your site. By leveraging Wordfence’s threat intelligence, you’re protected against the latest exploits that attackers are actively using in the wild. This proactive protection ensures your site is guarded not just against known threats, but against emerging attack patterns.

Detection

Even the best defenses can be tested, which is why detection is critical. Comprehensive scanning helps identify vulnerabilities, malware, or suspicious changes on your site that could signal an attempted compromise. With Wordfence’s real-time scanning powered by global attack data, you gain visibility into threats that may have slipped past other layers of defense, allowing you to act before they cause serious damage.

Active Monitoring

Continuous monitoring serves as your early warning system. Real-time alerts about critical events, login attempts, and file changes help you stay ahead of threats. Wordfence’s comprehensive monitoring doesn’t just tell you something happened, it provides the context and intelligence you need to understand the severity and respond appropriately. This constant vigilance means you’re never flying blind when it comes to your site’s security posture.

Security isn’t a “set it and forget it” task. Active monitoring ensures your site is continuously observed for suspicious behavior, login attempts, and traffic anomalies. Attackers often probe sites for weaknesses over time; having real-time monitoring means you’ll know immediately if your site is being targeted. Wordfence’s monitoring tools provide alerts and insights so you can take swift action, whether that’s blocking an attacker, tightening access, or responding to a detected vulnerability.

By combining protection, detection, and monitoring, you create a strong defense-in-depth strategy for your WordPress site.
Wordfence brings all three layers together in one solution, making it simple to secure your site and stay ahead of attackers. Install Wordfence today and put industry-leading security to work for you.

The post Quarterly WordPress Threat Intelligence Report – Q4 2025 appeared first on Wordfence.
Source: www.wordfence.com
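The check below is an added example, not Wordfence code: it compares an installed-plugin inventory against the version ranges in the report's "Top 10 Unique Vulnerabilities Targeted by Attackers" table, using numeric version comparison so that 1.0.100 is not mistaken for something older than 1.0.40.2. The plugin slugs and the sample inventory are assumptions made for the example.

```python
import json
import re

# Ranges are copied from the report's "Top 10 Unique Vulnerabilities Targeted
# by Attackers" table. The slugs (dict keys) are NOT in the report: they are
# assumed wordpress.org directory slugs, so confirm them on your own install.
# The Frontend File Manager / N-Media row is left out of this mapping.
TARGETED = {
    "suretriggers": "<= 1.0.78",
    "litespeed-cache": "<= 6.3.0.1",
    "woocommerce-payments": "4.8.0 \u2013 5.6.1",
    "hunk-companion": "<= 1.8.4",
    "seo-by-rank-math": "<= 1.0.40.2",
    "instawp-connect": "<= 0.1.0.38",
    "woo-discount-rules": "<= 2.0.2",
    "gutenkit-blocks-addon": "<= 2.1.0",
    "post-smtp": "<= 2.8.7",
}

def vkey(version):
    """'6.3.0.1' -> (6, 3, 0, 1). Suffixes such as '-beta1' are dropped."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts)

def compare(a, b):
    """Return -1, 0 or 1; pads with zeros so that '4.0' equals '4.0.0'."""
    ka, kb = vkey(a), vkey(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)

def in_range(version, spec):
    """Evaluate the report's notations: '<= X', '< X' and 'LOW (dash) HIGH'."""
    spec = spec.replace("\u2013", "-").strip()
    bound = re.fullmatch(r"(<=|<)\s*(\S+)", spec)
    if bound:
        order = compare(version, bound.group(2))
        return order < 0 or (order == 0 and bound.group(1) == "<=")
    low, high = (part.strip() for part in spec.split(" - "))
    return compare(version, low) >= 0 and compare(version, high) <= 0

def audit(plugin_list_json):
    """Return (slug, version, range, status) for installs inside a targeted range."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        spec = TARGETED.get(plugin["name"])
        if spec and in_range(plugin["version"], spec):
            findings.append((plugin["name"], plugin["version"], spec,
                             plugin.get("status", "unknown")))
    return findings

# Constructed inventory, shaped like `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "litespeed-cache", "status": "active", "version": "6.3.0.1"},
    {"name": "seo-by-rank-math", "status": "active", "version": "1.0.100"},
    {"name": "woocommerce-payments", "status": "inactive", "version": "5.6"},
    {"name": "hunk-companion", "status": "active", "version": "1.9.0"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])

if __name__ == "__main__":
    for slug, version, spec, status in audit(SAMPLE):
        print(f"{slug} {version} ({status}) is inside targeted range {spec}")
```

On a real site, pass it the output of `wp plugin list --format=json` instead of the constructed sample.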