Secure your WordPress site today: 8.7 million attacks in 48 hours is your wake-up call
WordPress powers a huge slice of the internet. That reach makes it a magnet for criminals. In early October, Wordfence reported a burst of 8.7 million blocked attacks in 48 hours, most of them probing known plugin flaws. The pattern is familiar. Old bugs are rediscovered, automated botnets spray the web, and any site running an unpatched plugin becomes an easy target.
This latest surge centers on three critical plugin vulnerabilities disclosed and fixed in 2024, yet still ripe for exploitation in 2025. Two are in Hunk Companion, tracked as CVE-2024-9707 and CVE-2024-11972. One is in GutenKit, tracked as CVE-2024-9234. In each case, a successful exploit can allow attackers to install arbitrary plugins without authentication, then pivot to full site takeover, data theft, SEO spam, or malware delivery.
Why this keeps happening
- WordPress’s plugin ecosystem is vast, which is a strength for features and a risk for security.
- Site owners often postpone updates, or forget about plugins they no longer use.
- Attackers automate scans, so even small sites are hit as frequently as large ones.
- Patches exist, but unpatched sites linger for months, sometimes years.
The two minute triage
- Log in to your WordPress dashboard, go to Plugins, then update all available plugins and themes.
- Specifically confirm versions: GutenKit 2.1.1 or later, Hunk Companion 1.9.0 or later.
- Remove any plugin or theme you do not use. Deactivating is not enough, delete it.
- Update WordPress core to the latest stable release.
- Make a fresh off-site backup once updates complete.
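A scripted form of the version check in the triage above, added here as an example and not part of the original article: it reads the CSV that WP-CLI's `wp plugin list --format=csv` prints and flags any of the two plugins named in the article that are still below the fixed release. The plugin slugs gutenkit-blocks-addon and hunk-companion are assumptions, and the sample CSV is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the article: check installed plugin versions against
# the minimum fixed releases the article names (GutenKit 2.1.1, Hunk Companion 1.9.0).
# Input is assumed to be the CSV that `wp plugin list --format=csv` prints
# (name,status,update,version). The plugin slugs used below are assumptions.

MIN_GUTENKIT="2.1.1"
MIN_HUNK_COMPANION="1.9.0"

# version_lt A B: succeeds (exit 0) when dotted version A is older than B.
# Components are compared numerically one at a time; a missing component counts
# as 0, so 1.9 and 1.9.0 compare equal.
version_lt() {
    local a=$1 b=$2 x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# check_plugins: reads the plugin CSV on stdin and prints one line per plugin from
# the article that is still below its fixed release. Exit 0 if all are patched, 1 otherwise.
check_plugins() {
    local name status update version min rc=0
    while IFS=, read -r name status update version; do
        case $name in
            gutenkit-blocks-addon) min=$MIN_GUTENKIT ;;       # assumed slug
            hunk-companion)        min=$MIN_HUNK_COMPANION ;; # assumed slug
            *) continue ;;                                    # header row and other plugins
        esac
        if version_lt "$version" "$min"; then
            printf 'VULNERABLE %s %s (fixed in %s)\n' "$name" "$version" "$min"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample output, not taken from a real site.
SAMPLE_CSV='name,status,update,version
akismet,active,none,5.3
gutenkit-blocks-addon,active,available,2.1.0
hunk-companion,inactive,none,1.9.0'

printf '%s\n' "$SAMPLE_CSV" | check_plugins || echo "Update the plugins listed above before doing anything else."
```

On a live site, replace the sample with `wp plugin list --format=csv | check_plugins` so the check runs against what is actually installed.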
Level up your defenses today
- Enable automatic updates for core, themes, and plugins. At minimum, auto-update security releases.
- Harden accounts. Enforce strong, unique passwords. Enable two-factor authentication for all admins. Remove unused admin accounts.
- Least privilege. Change day-to-day users from Administrator to Editor or Author where possible.
- Lock down wp-admin. Limit login attempts. Add a CAPTCHA. Consider IP allowlisting for admin if feasible.
- File integrity and malware scanning. Use a reputable security plugin to monitor changes and scan daily.
- Turn off file editing in wp-admin by setting DISALLOW_FILE_EDIT to true in wp-config.php.
- Security headers and HTTPS. Force HTTPS, add HSTS, and set CSP, X-Frame-Options, and Referrer-Policy. Many hosts provide toggles.
- Web Application Firewall. A WAF at your host or CDN can block exploit traffic before it reaches PHP.
- Backups. Automate daily backups, store them off-site, and test restores monthly.
- Inventory. Keep a list of every plugin and theme, including version, source, and maintainer status. Replace abandoned items.
Red flags that suggest compromise
- Unknown admin users appear, or roles silently escalate.
- New plugins show up that you did not install.
- Search results for your domain show pharma or casino spam.
- Sudden CPU spikes, bandwidth surges, or email blacklisting.
- Files modified in wp-content/uploads or wp-includes at odd hours.
If you suspect a breach, move quickly. Put the site in maintenance mode. Snapshot the server or take a backup for forensics. Rotate all passwords, including SFTP, database, and hosting control panel. Reinstall a clean copy of WordPress core. Replace themes and plugins with fresh downloads. Remove unknown cron jobs and backdoors. Then force logout for all users and invalidate sessions.
The bigger lesson
These CVEs were fixed in 2024. The mass exploits resumed in October 2025 because unpatched sites remain. That is the cycle to break. Updates are protection you already own. Turn them on, keep them on, and trim everything you do not need. WordPress can be both powerful and secure, but only if you treat maintenance as a weekly habit, not a yearly chore.
