While most cybersecurity headlines these days tend to emphasize, quite rightly, critical updates for Windows users as attacks get underway, or emergency updates for the Chrome web browser, even hacking attempts against PayPal and LastPass users, the humble website is often overlooked. Not by hackers themselves, though, as this latest warning from the threat intelligence team at Wordfence demonstrates. In just 48 hours, a total of 8.7 million attacks targeting WordPress website users have been reported. Here’s what you need to know, and do, to keep your site and its visitors safe.
Update Your WordPress Website Now, Security Experts Warn, As Hack Attacks Surge
WordPress remains one of the most popular ways to create a website, with the latest statistics suggesting it has a 43.5% market share amongst all websites and a 61.4% share when it comes to those with a content management system. Indeed, the same source reports that “over 70% of new CMS-built websites are created with WordPress, and about 1.2 million new WordPress sites are added globally each year.” No wonder, then, that these sites are a target for hackers.
Unfortunately, WordPress website owners make it easy for attackers by using outdated plugins. That’s the basis of a new warning from the threat experts at WordPress security specialists Wordfence.
Across the space of just 48 hours in October, Wordfence reports it blocked an incredible 8.7 million attacks targeting just such vulnerabilities. Three critical WordPress website plugin vulnerabilities have been highlighted by Wordfence, namely CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972. The first impacts the GutenKit plugin and could result in the installation of arbitrary other plugins without any user authentication. The second and third impact the Hunk Companion plugin, with the same end result if a hacker were to successfully exploit either of them.
Update Your WordPress Website Plugins Now
Want the really bad news? The plugin vendors, in both cases, fixed these security vulnerabilities in 2024. Yes, you read that right, a year ago. “Our records indicate that attackers most recently started mass exploiting the issues again on October 8th, 2025, approximately one year later,” Wordfence confirmed.
What do you need to do if you use either of these plugins? Well, if you really still need telling, Wordfence urged users “to update their sites to at least GutenKit version 2.1.1 and Hunk Companion version 1.9.0 as soon as possible, if they have not already done so.” I would further advise that all WordPress users check all their plugins to ensure they are up to date and do so regularly.
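A version check for the two minimums Wordfence gives above, as an added example that is not from the article or from Wordfence: it reads a plugin inventory in the JSON shape printed by `wp plugin list --format=json` and flags any copy below GutenKit 2.1.1 or Hunk Companion 1.9.0. The plugin slugs and the sample inventory are assumptions constructed for illustration.

```python
import json
import re

# Minimum fixed versions quoted from Wordfence in the article. The dictionary
# keys are assumed WordPress.org plugin slugs (not given on the page).
MIN_FIXED = {
    "gutenkit-blocks-addon": "2.1.1",  # GutenKit (slug is an assumption)
    "hunk-companion": "1.9.0",         # Hunk Companion (slug is an assumption)
}


def version_key(version):
    """Turn '1.10.0' into (1, 10, 0) so comparison is numeric, not textual."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def outdated_plugins(inventory_json, minimums=MIN_FIXED):
    """Return (slug, installed, required, status) for copies below the minimum."""
    findings = []
    for plugin in json.loads(inventory_json):
        required = minimums.get(plugin.get("name"))
        if required is None:
            continue  # not one of the plugins named in the warning
        installed = plugin.get("version", "")
        # A missing version cannot be shown to be patched, so report it too.
        if not installed or version_key(installed) < version_key(required):
            findings.append((plugin["name"], installed or "unknown",
                             required, plugin.get("status", "unknown")))
    return findings


# Constructed sample in the shape printed by `wp plugin list --format=json`.
SAMPLE = """[
 {"name": "gutenkit-blocks-addon", "status": "active", "update": "available", "version": "2.1.0"},
 {"name": "hunk-companion", "status": "inactive", "update": "none", "version": "1.10.0"},
 {"name": "example-plugin", "status": "active", "update": "none", "version": "5.3"}
]"""

if __name__ == "__main__":
    for slug, installed, required, status in outdated_plugins(SAMPLE):
        print(f"{slug}: {installed} installed ({status}), update to >= {required}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank Hunk Companion 1.10.0 below 1.9.0 and report a patched site as outdated.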
