My take on it is fairly simple: WordPress getting hacked is hardly shocking.
The core problem, in my view, is that WordPress was never built with security as the first priority. It was built to be easy to use, easy to extend, and easy for anyone to throw up a website quickly. That is exactly why it became so popular, but it is also why it creates so many security headaches.
If you compare it to something like Drupal, the mindset is very different. Drupal was built with more of an enterprise, governance, and security-led approach from the start. I am not saying Drupal is perfect, because nothing is, but the foundations are very different. WordPress, by contrast, often feels like a system where convenience came first and security was expected to catch up later.
Then you add the plugin ecosystem into the mix, and that is where it starts to look a bit like the Wild West. You can install almost anything, from almost anyone, and hope it all behaves. From a security perspective, that is madness. Even the best security tools for WordPress can only do so much when the underlying model is basically: “let’s bolt on another plugin and see what happens.”
So when people say a WordPress site has been hacked, my reaction is usually: yes, that sounds about right. It is not because every WordPress site is doomed, but because the framework was never really designed from the ground up to be security-first. Once you build a system that way, trying to retrofit proper security years later, while carrying all the old legacy baggage, becomes extremely difficult.
I also think this will get worse before it gets better. With AI advancing so quickly, attackers will have better tools to scan code, spot weaknesses, automate exploitation, and scale attacks far faster than before. We are likely going to see more compromises, not fewer (all types of attacks on different platforms). On the other side, defenders are also using AI, so it is becoming a case of needing AI to protect yourself from AI.
To me, WordPress is a bit like the smartphone world. Mobile operating systems were not originally designed for the level of security we now expect from them. (Mobile phone security on iOS and Android is piss-poorly done.) Over time, banking, identity, payments, and sensitive business functions all moved onto phones, and now the platforms are stuck trying to harden systems that were not originally designed for that level of trust. WordPress feels very similar. Security was not the original obsession, and once that ship has sailed, catching up later is messy, expensive, and never quite complete.
So yes, when a WordPress site gets hacked, it is unfortunate, but it is not surprising. In many ways, the platform was built for flexibility and growth first, and security has been playing catch-up ever since.