WordPress Security Trends and Predictions for 2025

Published on December 27, 2024 by Todd Jones in MainWP Blog under WordPress Business, WordPress Security

This article explores the security landscape for the year 2025. Three WordPress community-recognized web security experts will share their insights and predictions to help us anticipate and address upcoming security challenges.

Our team of experts includes Rob Cairns of Stunning Digital Marketing, Oliver Sild of Patchstack, and Kathy Zant, an experienced security consultant.

Kathy wrote and published her own article about cyber security trends on her website – see here, while Oliver Sild wrote and published his predictions at The Admin Bar. Rob answered me directly in an email. 

Rob Cairns
Kathy Zant
Oliver Sild

Let’s get started, shall we?

Increased security issues in 2025

Two of our experts can see more attacks coming in 2025.

Pending attacks of code on websites. AI image by Grok.

According to Oliver Sild, vulnerabilities increased in 2024 over 2023 by 21%. Cyber attacks, he explains, are often motivated by money or politics. The past couple of years, he explains, have been turbulent, and that does not look set to slow down in 2025.

And AI will help the hackers. Rob Cairns says,

“2025 will be an interesting year. Security is going to be more of a concern thanks to AI. Hackers are using AI to find exploits in software and that means your website.” Rob Cairns, Stunning Digital Marketing.

Sild agrees. He writes,

“What makes matters somewhat worse (increased vulnerability) is the general availability of GenAI tools which are more frequently being used to generate new malware types to avoid signature based scanners and to automate vulnerability scanning and exploitation.” Source.

Kathy Zant also thinks AI will create more security havoc.

“The emergence of AI and machine learning means that these technologies will be used in attacks, and likely already are. I already have an AI clone of myself, and I’ve pranked quite a few family members with my husband’s AI clone that sounds just like his old voice before his stroke. Attackers will clone voices and even videos to attempt to socially engineer you to believe that the content you’re viewing or the phone call you are receiving is real.” Source.

We have to be vigilant and not take anything for granted in our WordPress security. There are three ways to help stay on top of security which we will look at next.

More important to stay on top of your security!

Man watches over computer to keep websites secure. AI Image by Grok.

Cairns offers three ways to stay on top of your WordPress security. These three will be more important in 2025 as attacks ramp up.

The first way is to deal with abandoned plugins, which are becoming increasingly common.

“We are already starting to see an increase in plugins that are abandoned. In order to secure your website, I would find an alternative and get rid of the plugin that has been abandoned.”

The second way to stay on top of WordPress security is to update more frequently. 

“It is now not good enough to do plugin updates once a week. You should be doing them more frequently. The time a security bug is found to be exploited is getting to be less and less.”

WordPress care experts can quickly update several times a week using a tool such as MainWP.

Finally, Rob Cairns counsels us to use 2FA to protect websites. He also mentions the use of Passkeys.

“Last but not least you should be using at least 2FA to protect your website in today’s environment. If possible, use Passkeys.”

Kathy Zant agrees, saying that until 2FA is in WordPress core, it is still important to employ it.

“There are still some application-level functions that will remain plugin-based, such as two-factor authentication, until 2FA is brought into WordPress core.” Source.

While these are vital ways to stay on top of security, 2025 also calls for greater security awareness.

Greater Security Awareness

Oliver Sild highlights critical shifts in security and development practices within the ecosystem. With rising threats and an influx of new regulations, WordPress workflows and development standards will need significant updates.

He says,

“With the increased number of threats and new regulations pushing more and more to the WordPress ecosystem, many changes need to be applied to the core workflows and development practices.” Source.

One key development anticipated for 2025 is the broader adoption of SBOM (Software Bill of Materials) reports. These reports address software supply chain security, a growing focus of regulatory frameworks.

“Something that will start getting wider adoption in 2025 are SBOM reports which are connected to many regulations which touch the software supply chain security issue.” Source.

Sild underscores that these changes will reshape security workflows, necessitating proactive adjustments by developers and organizations to align with evolving standards and regulations.

Security Workflow updates

Darth Vader battling security threats for his website. AI Image by Grok

Sild believes the greater awareness will lead to a better workflow for web security. 

“This is great news, but will also mean that companies who explore to get a WordPress website will be having security concerns early on in the process. Developers and agencies need to address security proactively.” Source.

The security emphasis is already shifting to hosting companies who may manage more of the security in the future.

“Hosting companies are already well aware of this and if agencies and freelancers don’t put enough attention to this – then a lot of money from the agency economy will move through maintenance services to the hosting segment.” Source.

We may see more of the security emphasis shift to the hosting company, which means server-side security may become the norm.

Kathy Zant sees the migration towards server-side security as well. In a recent article she says,

“WordPress’s security landscape is poised for a significant shift away from the traditional plugin-first approach that has dominated for years. As site performance becomes increasingly crucial for SEO and user experience, website owners are recognizing that some security functionality is better suited for server—or network-based implementation. 

“This realization is driving a migration toward hosting providers that offer robust perimeter security solutions built directly into their infrastructure. These hosting companies will likely provide enterprise-grade WAFs (Web Application Firewalls), DDoS protection, and real-time threat monitoring as standard features, eliminating the need for resource-intensive plugins.”

She explains that the shift is part of something happening in the broader web industry, which is moving website infrastructure towards “edge computing and serverless architectures.” This allows security to be handled on the server and less within the application. She thinks specialized hosting environments will be able to handle this change.

What that means is a shift away from the plugin-first approach we have used for many years.

“WordPress’s security landscape is poised for a significant shift away from the traditional plugin-first approach that has dominated for years. As site performance becomes increasingly crucial for SEO and user experience, website owners are recognizing that quite a bit of security functionality is better suited for server or network-based implementation.”

Thus, we will see certain hosting environments do more for web security rather than leaving it up to applications and website owners. How will this affect how web care consultants work with websites?

Wrapping it up

Our WordPress security experts predict that AI-powered threats will pose significant challenges to WordPress security in 2025. Vulnerabilities have already increased 21% in 2024, and hackers are expected to leverage AI to develop more sophisticated attacks. We have to stay on top of security.

Remove outdated plugins, update more frequently, and use two-factor authentication to maintain website security. We will see an update in the web security workflow as security moves toward the server level. Hosting providers will begin to incorporate more built-in security features, thus assuming a greater responsibility for website protection.

How can we adjust as web care consultants? How can we ensure the security of our customers in 2025?
