A Brief History of WP Vulnerabilities: the Biggest Attacks


Let’s be honest here: being the world’s biggest and most famous open source CMS comes with lots of issues. In fact, WordPress, in its 16 years of existence, has a longer record of vulnerability issues and attacks than an average American teenager.

There’s no need to panic though. Considering WordPress’s huge user base and that it’s the biggest open source CMS, attacks are sure to be a part of the equation.

But there are dozens of tools for webmasters to ensure their websites’ security. For example, we offer a premium security service absolutely for free.

Now, let’s go back to the start — to the very origins of WordPress.

Let’s have a marathon of remembering the biggest and most important vulnerabilities and attacks throughout the history of WP!


This is when the tale starts. WordPress had hardly turned 5 and was gaining popularity among users, slowly but steadily becoming one of the most popular CMSs in the world. This is exactly when it started attracting the attention of attackers as well.

You know how crazy hackers can get, right? That’s exactly what happened in 2008. With WordPress getting more and more popular, and yet earning a reputation of having lots of “childish insecurities,” nasty hackers started a series of massive attacks targeting unprotected Adsense blogs and SEO.

As it turned out later, the outdated WordPress 2.1.1 version played a big part in the CMS’s vulnerabilities. This was more or less fixed in the following 2.1.2 release.

The hacker marathon that resulted in numerous blogs being hacked was dubbed the big hacking fiasco.


Little WordPress was growing bigger and bigger, gaining popularity despite the attempted attacks on its reputation. Then 2009 arrived — and stayed in history as the year of vulnerabilities.

2009 is exactly when WordPress changed a lot — from versions 2.8.1 to 2.8.6. The changes were made to avoid the past experience of the former versions having lots of vulnerabilities and allowing hackers to attack innocent websites.

All those security updates naturally meant that website owners had to constantly upgrade WP. But hackers did not give up. They kept finding new weaknesses and vulnerabilities after each upgrade and so carried on with their attacks.

WordPress, it turns out, had serious vulnerabilities associated with open redirects, missing authentication checks and other issues that caused users a lot of trouble.

Overall, 2009 saw quite a few additions to the big list of WordPress vulnerabilities and wasn’t the best year in the life of WordPress, the precious kiddo.


After all the drama of 2009, one would expect a chill year. Because isn’t that how things work according to the “calm after the storm” idiom?

Well, sadly enough, not for an open CMS like WordPress.

2010 brought another list of upgrades and updates and vulnerabilities and so resulted in a series of new hacker attacks. But the one big vulnerability that made 2010 so “special” was… (drum rolls)… TimThumb, the villain himself.

You might be wondering who Mr. Thumb is.

TimThumb is the PHP script used on WordPress websites to resize images. This basically meant that themes, plugins, etc. had been shipping a script that let anyone manipulate image sizes and dimensions through TimThumb all along.

For 7 years!

Yeah, you got it right — TimThumb lived within our little WordPress baby itself, being the cause of hacked websites all those years, and only came out as “dark” in 2010.

What a plot twist, huh?

Spoiler alert: just so you don’t get all optimistic about the whole thing, assuming this major core vulnerability was fixed right away: it wasn’t. Not right away. Not even in a year or two. TimThumb kept on living free till 2014.

Oh. My. God.

But seriously. September 27th, 2014 is when it actually stopped being supported and maintained.


Having gotten away with a list of wrongdoings, TimThumb felt like it could get away with anything and kept posing as a harmless “tool of image resizing.” 2011 brought a super long list of TimThumb exploits.

Meanwhile, another list of 50 pretty bad vulnerabilities came to the surface. Studies showed that 73.2% of WordPress websites back then were seriously vulnerable to attacks.

Consequentially, hackers got fed up with the fruity cocktails and went for big-time shots, organizing serious attacks against pretty big websites. Even the websites of political organizations.

The whole cynicism reached a point where people started posting actual videos showing themselves taking down WordPress websites in literally 5 minutes or so.


To make up for 2014 being a comparatively quiet year, notable only for TimThumb finally being retired, 2015 made sure to bring new WordPress gossip to the table.

Plugins obviously felt they were missing out by functioning properly, so this was their year to rebel.

Ladies and gentlemen, let me introduce Sir XSS to you — the one vulnerability responsible for causing so much trouble to the elite of WordPress plugins at the time. The very one that messed up such plugins as Jetpack, Yoast, and Gravity Forms.


Experience is the best teacher, they say. As time passed and WP grew, its list of past opponents and their attacks taught it a lot and most websites gradually started coming to terms with the need for security measures and constant updates.

But there’s always the “but,” like in almost every story.

While neither 2016 nor 2017 had incidents as distinctive as the preceding years, they were still important for WordPress.

A series of both brute force attacks and complex attacks kept happening all around the WordPress world. While brute force attacks are all about guessing websites’ login credentials and so are more unpredictable, complex attacks are the ones where the hacker studies the vulnerabilities of the CMS and strikes at its “Achilles heel.”

One of the major brute force attacks that took place in 2017 targeted 190,000 WordPress websites.

Studies of the IP addresses most vulnerable to attacks and most attacked at the time show that Ukrainian IPs topped the list. Later in 2017, Turkey and the USA followed Ukraine in the list of most attacked IP addresses.


Coming closer to these days. You may assume things are slowly settling down, right?

Hmm, well…

Do you really think that hackers would leave alone the one CMS that currently supports 34% of websites worldwide?

In fact, 2018 saw a 30% rise in WordPress vulnerabilities compared to 2017. Sad but true: WordPress is still an extremely popular target of attacks.

Brute force attacks, particularly against websites with trivial login credentials, still happen. There’s also a list of plugins with lots of vulnerabilities. One of those, Display Widgets, which had 200,000 active installs at the time, was removed from WordPress 4 times because of its malware and vulnerabilities.

As for 2021, there is still a lengthy list of plugins you’d rather beware of. You can check out the list here.

What should we do now?

Setting and background: Drum rolls. Panic. Screams. People fainting behind their computer screens. Some people running crazy directionless and desperate.

I mean, what do we all do now that the one thing we so blindly trusted — WP — turns out to have so many skeletons in the closet? What do we do with all these dark secrets of the past, where do we fit them?

It doesn’t even seem like things are going to drastically change for the better anytime soon. Those attacks and issues don’t really seem to be going away.

The good news is that everything is still in your hands and there is no need to panic at all as long as you take matters into your own hands and take the necessary measures.

Protection is key.

This is what you can do to safeguard your WP website:

  • Make sure to keep your website updated and fresh,
  • Pay closer attention to the plugins and PHP versions you’re using,
  • Choose your hosting providers and security services more carefully.
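The first two items of this checklist (keeping the site updated and watching your plugins and PHP version) can be turned into a routine audit. The script below is an added example written for this article, not code from the original post or from WordPress. It parses the standard plugin file header that WordPress itself reads (the `Plugin Name:`, `Version:` and `Requires PHP:` lines) and reports plugins that are behind the newest release, plugins that have been pulled from the directory, and plugins whose PHP requirement the server does not meet. The plugin files, the "latest version" table and the "removed" list are all constructed stand-ins for what you would normally fetch from the WordPress.org plugin directory.

```python
# Added example: audit installed plugin headers against known-latest versions,
# a removed-plugin list and the server's PHP version. Not from the original article.
import re

# Constructed plugin sources keyed by path (real installs live under wp-content/plugins/).
SAMPLE_PLUGINS = {
    "wp-content/plugins/example-gallery/example-gallery.php": """<?php
/**
 * Plugin Name: Example Gallery
 * Version: 1.2.0
 * Requires PHP: 7.4
 */
""",
    "wp-content/plugins/old-widgets/old-widgets.php": """<?php
/*
Plugin Name: Old Widgets
Version: 2.0.1
*/
""",
    "wp-content/plugins/stray-file.php": "<?php echo 'no header';",
}
# Constructed stand-ins for data you would pull from the plugin directory.
LATEST_VERSIONS = {"Example Gallery": "1.3.2", "Old Widgets": "2.0.1"}
REMOVED_PLUGINS = {"Old Widgets"}

HEADER_FIELDS = ("Plugin Name", "Version", "Requires PHP")


def parse_plugin_header(source):
    """Read 'Field: value' lines from the leading comment block, the way
    WordPress's get_file_data() does (first 8 KB, any comment prefix)."""
    head = source[:8192]
    data = {}
    for field in HEADER_FIELDS:
        m = re.search(r'^[ \t/*#@]*' + re.escape(field) + r':(.*)$', head, re.M | re.I)
        if m:
            data[field] = m.group(1).strip()
    return data


def version_tuple(v):
    """'1.2' -> (1, 2, 0) so that 7.4 and 7.4.0 compare equal."""
    nums = [int(x) for x in re.findall(r'\d+', v)]
    return tuple((nums + [0, 0, 0])[:3])


def audit_plugins(plugin_sources, latest_versions, removed_plugins, php_version):
    """Return a list of (plugin, problem) findings."""
    findings = []
    for path, source in plugin_sources.items():
        hdr = parse_plugin_header(source)
        name, ver = hdr.get("Plugin Name"), hdr.get("Version")
        if not name or not ver:
            # A PHP file in the plugins tree with no header is worth a look too.
            findings.append((path, "no readable plugin header"))
            continue
        if name in removed_plugins:
            findings.append((name, "removed from the plugin directory"))
        latest = latest_versions.get(name)
        if latest and version_tuple(ver) < version_tuple(latest):
            findings.append((name, f"outdated: {ver} < {latest}"))
        required = hdr.get("Requires PHP")
        if required and version_tuple(php_version) < version_tuple(required):
            findings.append((name, f"needs PHP {required}, site runs {php_version}"))
    return findings


if __name__ == "__main__":
    for plugin, problem in audit_plugins(SAMPLE_PLUGINS, LATEST_VERSIONS, REMOVED_PLUGINS, "7.3.0"):
        print(f"{plugin}: {problem}")
```

Run against a real install you would read each `wp-content/plugins/*/*.php` main file from disk, look the names up in the plugin directory, and pass `PHP_VERSION` as reported by the server; the comparison logic stays the same.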

To learn more about WP security, check out our VP’s article on most common WordPress security issues: part 1 and part 2.

Other than this, I highly recommend you go through the Security section of WordPress.org. It provides very detailed information on the version and security releases, internal security management, the crucial role hosting plays as well as the importance of plugins and services in terms of security.

Of course, you can never underestimate the importance of backup as well, just in case something goes wrong.

That’s about it, and you should be good to go.

Before you go, don’t forget to share any WordPress catastrophes that happened to you in the past and how you managed to fix things.
