I checked the WordPress sites I built years ago. Here's what I found.
Source: Dev.to
“Oh, that site still works.”
If you’ve ever built WordPress sites for clients, you know the feeling. You think about a site you delivered three years ago and wonder: are they keeping it updated?
You check. WordPress 5.x. Plugins untouched since delivery. PHP 8.1 — which reached end‑of‑security‑support in December 2025. No security headers configured at all.
It works. But “working” is not the same as “safe.”
This article is about the uncomfortable reality of what happens to WordPress sites after we hand them over.
WordPress Is a Monoculture
The numbers
WordPress dominates the CMS market globally, holding about 61.7 % of market share among CMS‑powered sites. In some markets the concentration is extreme.
- Japan: 82.9 % of the CMS market. “Small‑business website” and “WordPress site” are essentially synonyms.
- While Japan is an outlier, the pattern holds across most markets — WordPress is the default choice for agencies and freelancers everywhere.
Why monocultures are dangerous
In agriculture, monoculture — growing a single crop across vast areas — creates systemic risk. One disease can wipe out an entire harvest.
The CMS market has the same problem. When WordPress is this dominant, a single exploit can target millions of sites simultaneously. Find a vulnerability in Plugin A, and every site running that plugin is exposed. It’s an attacker’s dream: maximum impact, minimum effort.
And those vulnerabilities? They’re discovered every single day.
Vulnerabilities Don’t Trickle — They Pour
The scale
| Period | New vulnerabilities reported | Breakdown |
|---|---|---|
| June 2025 | 337 | 298 plugins, 39 themes |
| Jan 12‑18 2026 (1 week) | 180 | — |
| Overall | — | 96 % come from plugins |
That’s roughly 25 new vulnerabilities per day. No individual developer or small team can keep up with this manually.
The scary part: no authentication required
About half of the vulnerabilities reported in late 2025 were exploitable without authentication. No login needed, no special permissions. Just hit a URL:
```http
GET /wp-json/vulnerable-plugin/v1/sensitive-data HTTP/1.1
Host: target-site.example.com
```
That’s all it takes to leak data in some real‑world vulnerabilities.
The Maintenance Gap
What happens after delivery
- Year 0: Agency builds a WordPress site with 10 plugins. Client declines the maintenance contract: “too expensive.”
- Year 1: Agency says “please keep it updated.” Client says “sure” (they don’t).
- Year 2: Maintenance contract ends. Relationship fades.
- Year 3: Nobody remembers the wp‑login password. The site becomes untouchable: “don’t break it.”
- Year 4: PHP 8.1 reaches EOL. Hosting provider sends warnings. Ignored.
- Year 5: Three plugins are abandoned by their developers. Known vulnerabilities, zero patches.
- Year 6: ← We are here. The site loads fine.

It’s a vulnerability goldmine.
According to Japan’s IPA (Information‑technology Promotion Agency) 2024 SME Cybersecurity Survey:
| Finding | Number |
|---|---|
| Most common cause of unauthorized access | Unpatched vulnerabilities (48 %) |
| Average incident cost | ~ $5,000 (¥730,000) |
| Average recovery time | 5.8 days |
| Incidents impacting business partners | ~ 70 % |
These numbers are from Japanese SMEs, but the pattern is universal. Small businesses everywhere run outdated WordPress installations and lack the resources to maintain them.
Is this really someone else’s problem?
Hard truth: the client chose not to pay for maintenance. But we designed the site. Did we build it to be as low‑maintenance as possible? Did we adequately communicate what happens without updates?
Realistically, not every client will sign a maintenance contract. Still, if we could at least make the current state visible, it would open the conversation.
Checking a WordPress Site’s Health From the Outside
Detect WordPress version
```bash
# From the generator meta tag (<meta name="generator" content="WordPress x.y.z">)
curl -s https://example.com | grep -oP 'content="WordPress \K[0-9.]+'
# From the RSS feed (<generator>https://wordpress.org/?v=x.y.z</generator>)
curl -s https://example.com/feed/ | grep -oP '\?v=\K[0-9.]+'
# Check whether readme.html is exposed (a 200 here means it is)
curl -sI https://example.com/readme.html | head -1
```
Check security headers
```bash
curl -sI https://example.com | grep -iE \
  '(strict-transport-security|content-security-policy|x-frame-options|x-content-type-options|referrer-policy|permissions-policy)'
```
Try this on a small‑business site. Chances are nothing comes back, meaning zero security headers are configured.
Check email authentication
```bash
# SPF
dig +short TXT example.com | grep spf
# DMARC
dig +short TXT _dmarc.example.com
```
A DMARC policy of p=none means phishing emails spoofing the domain aren’t being blocked.
Running these commands once is easy, but scaling requires:
- Periodic checks for dozens of client domains
- Cross‑referencing plugin versions against new CVEs
- Automated notifications and client‑facing reports
Terminal commands alone don’t scale.
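As an added example (not part of the original post, and not Nyambush code), here is a small POSIX shell script that batches the three checks above over a file of client domains. The parsers read from stdin so they can be exercised offline on captured output; the file name wpcheck.sh and the domains.txt input format are assumptions.

```shell
#!/bin/sh
# Added example: batch the external checks over a list of client domains.
# The parsers read text on stdin so they can be run offline on captured output.

SECURITY_HEADERS="strict-transport-security content-security-policy x-frame-options x-content-type-options referrer-policy permissions-policy"

# Print each recommended header that is absent from the HTTP response headers on stdin.
missing_security_headers() {
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    for h in $SECURITY_HEADERS; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || echo "$h"
    done
}

# Extract the version from the generator meta tag in HTML on stdin (empty if hidden).
wp_version_from_html() {
    sed -n 's/.*content="WordPress \([0-9][0-9.]*\)".*/\1/p' | head -1
}

# Report the p= tag of a DMARC TXT record on stdin, or "missing" when there is none.
dmarc_policy() {
    rec=$(grep -i 'v=DMARC1' | head -1)
    [ -n "$rec" ] || { echo "missing"; return 0; }
    printf '%s\n' "$rec" | sed -n 's/.*;[[:space:]]*p=\([A-Za-z]*\).*/\1/p' | tr 'A-Z' 'a-z'
}

# Live check of one domain (needs curl and dig); prints one block per domain.
check_domain() {
    d=$1
    echo "== $d"
    echo "WordPress version: $(curl -sL "https://$d/" | wp_version_from_html)"
    echo "Missing security headers:"
    curl -sIL "https://$d/" | missing_security_headers | sed 's/^/  /'
    echo "DMARC policy: $(dig +short TXT "_dmarc.$d" | dmarc_policy)"
}

# Usage: sh wpcheck.sh domains.txt   (one domain per line, e.g. former clients)
if [ "$#" -gt 0 ]; then
    while read -r d; do
        [ -n "$d" ] && check_domain "$d"
    done < "$1"
fi
```

A DMARC result of `none` or `missing`, or a long list of missing headers, is the concrete data point to open the conversation with a client.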
Nyambush — Passive ASM for the Rest of Us
This is why I built Nyambush.
Nyambush is an ASM (Attack Surface Management) SaaS. Enter a domain, get an instant security assessment of its external attack surface. ASM tools are typically enterprise‑only; Nyambush brings that capability to agencies, freelancers, and anyone who maintains WordPress sites for clients.
Nyambush – Free Website Security & Monitoring
Enterprise ASM SaaS solutions typically cost $30,000+/year. Nyambush starts at free, with no account required.
What it checks
| Category | What you learn |
|---|---|
| DNS | Subdomain enumeration, dangling CNAMEs (sub‑domain takeover risk), WHOIS |
| Email Auth | SPF/DKIM/DMARC configuration, spoofing risk assessment |
| HTTP Headers | Security‑header coverage, HTTPS configuration issues |
| WordPress | Core version, detected plugins/themes, known CVEs |
| AI Patrol | Headless‑browser crawling + Claude Vision AI for defacement & anomaly detection |
AI Patrol – Catching Defacements That Humans Miss
Many compromised sites look perfectly normal to a casual visitor. The defacement might be subtle — injected spam links, hidden redirects, or a modified footer that only search engines see.
AI Patrol solves this with a two‑layer approach:
- Layer 1: Technical checks (automated during crawl)
  - HTTP status codes (5xx/4xx detection)
  - JavaScript errors
  - Console errors
  - Broken images
  - Mixed content (HTTPS → HTTP)
  - Broken links (sub‑resource 404/5xx)
- Layer 2: AI visual analysis (Claude Vision API)
  - Defacement detection (injected text, hacker signatures)
  - Debug‑info leaks (stack traces, SQL queries, internal paths)
  - Phishing redirects
  - Layout breakage (overlapping elements, overflow)
  - Character‑encoding issues
  - Suspicious ads/pop‑ups
  - SEO spam (hidden text, keyword stuffing)
Visual diff detection
Playwright captures full‑page screenshots and compares them pixel‑by‑pixel against the previous crawl using pixelmatch. When the change rate exceeds 5 %, Claude Vision AI analyzes what changed — distinguishing legitimate content updates from unauthorized modifications.
Passive scanning only
Nyambush performs passive scanning exclusively:
- DNS queries
- Standard HTTP/HTTPS requests (identical to normal browser visits)
- Certificate Transparency log lookups
- Public vulnerability‑database correlation
No port scanning. No exploit attempts. No PoC execution. This means you can safely scan any domain — your own sites, client sites, or prospective clients — without legal concerns.
How agencies and freelancers use it
- Health‑check past clients. Enter a former client’s domain. See its current security posture. If issues are found, you have concrete data to re‑engage: “Your site is running WordPress 5.8 with X known vulnerabilities. Want to discuss a fix?”
- Scope new projects. For redesign or migration projects, scan the existing site first. “Here’s the current security risk profile” makes a compelling case for modernization.
- Automated post‑delivery monitoring with AI. Set up AI Patrol; Nyambush continuously monitors delivered sites. When defacement, layout breakage, or JavaScript failures are detected, you receive screenshots and specific findings. Present before/after screenshots with diff images to clients as evidence of your maintenance value.
- Quality assurance at delivery. Scan your own work before hand‑off. Prove that security headers and email authentication are properly configured. “Security‑conscious development” becomes a documented differentiator.
WordPress plugin for deeper insight
External scanning can’t see everything. Install the Nyambush WordPress plugin to report:
- Complete plugin inventory (including deactivated plugins)
- Exact PHP version
- wp‑config.php security settings (debug mode, SSL enforcement)
- Login‑security configuration
Those “deactivated but not deleted” plugins with known vulnerabilities? Now you can find them.
Pricing
| Plan | Monthly price | Domains | Scan frequency | AI Patrol | Patrol scope | Notifications | AI Report |
|---|---|---|---|---|---|---|---|
| Free | $0 | 1 | Monthly | — | — | — | — |
| Pro | $13 | 5 | Weekly | 5 pages (Haiku 4.5) | Tech checks + AI analysis + visual diff | Slack + LINE | ✓ |
| Business | $65 | 30 | Daily | 50 pages (Sonnet 4.5) | Same (higher‑accuracy model) | Slack + LINE | ✓ |
Free works for personal checks. Pro fits agencies managing multiple client sites. Business adds daily AI patrol for automated defacement and incident detection.
Beyond “Build and Forget”
WordPress vulnerability disclosure has reached a scale that no individual can track manually. But “stop using WordPress” isn’t realistic — it powers the majority of the web, and that won’t change anytime soon.
What we can do
- Make the invisible visible – know the current state of sites we’ve built
- Communicate risk with data – show clients specific numbers, not vague warnings
- Automate monitoring – catch changes before they become incidents
- Let AI watch what humans can’t – visual monitoring at a scale no team can match
Try it: enter a domain, wait a minute, no signup required, and you’ll see what’s really going on.