11,334 Vulnerabilities Last Year. Zero of Them Were Yours.

It's Tuesday evening. You are not writing. You are staring at a red badge in wp-admin that says nine updates are available, trying to guess which one breaks the checkout and which one, if you skip it, gets you hacked by Thursday. That ritual has a price. Let's put numbers on it.
The Tuesday-evening ritual
Every WordPress owner knows the choreography. Back up first, because updates sometimes eat sites. Update the plugins one at a time, because updating them together makes the failure impossible to trace. Click through the contact form, the checkout, the gallery. Hold your breath on the PHP version bump. Repeat next week.
Nobody invoices you for that hour. It never shows up in a hosting bill or a line item, which is exactly why it survives: unpriced costs feel free. They are not.
Let’s be clear about one thing up front: WordPress is not dying, and we won’t pretend otherwise. It runs 41.5% of all websites as of July 2026 — more than every other CMS combined. It has slipped, though: six consecutive months of decline, from 43.2% in December 2025 to 41.9% by late May, and 41.5% now. The interesting question isn’t whether WordPress is dominant. It’s whether you should be its unpaid system administrator.
You didn’t sign up for this job. You signed up for a website — a place to publish, sell, and be found. Somewhere along the way the deal quietly changed, and now you own a small stack of PHP software with a public login page, a database, and a supply chain of independently maintained plugins, each of which can take the whole thing down. The website was the product. The maintenance is the subscription you never agreed to.
What the numbers say
Patchstack’s State of WordPress Security in 2026 — the yearly census of the ecosystem’s flaws — counted 11,334 new vulnerabilities across WordPress plugins, themes, and core in 2025. That’s a 42% jump over 2024’s 7,966, and the report notes more high-severity flaws were found in 2025 than in the previous two years combined.
Two details in that report matter more than the headline number.
First: 91% of those vulnerabilities were in plugins, not in WordPress core. Core is well-audited software maintained by professionals. The plugin layer — the thing you bolted on for SEO, forms, caching, cookie banners, and analytics — is where nearly all the risk lives.
Second: speed. Per The Repository’s coverage of the same report, the weighted median time from disclosure to first exploitation attempt was five hours. A fifth of heavily exploited vulnerabilities saw attacks within six hours; 45% within a day. And 46% of 2025’s vulnerabilities were disclosed before a patch existed at all. “Just patch promptly” assumes a patch to apply and a you who is awake.
This is not theoretical. Melapress surveyed 264 WordPress professionals in September 2025: 96% had dealt with at least one security incident, and 64% had suffered a full breach. Only 27% had a recovery plan. These are the professionals — the people other people pay to worry about this.
The math compounds with every plugin you add. Each one is a separate codebase with its own author, its own release schedule, and its own odds of being abandoned. Your site’s attack surface isn’t “WordPress” — it’s the union of every plugin you’ve ever activated. The badge in wp-admin is that union, ticking.
The bill, itemized
So what does staying on the treadmill cost? Codeable’s 2026 maintenance pricing guide — written by people who sell WordPress maintenance, so if anything biased toward making it sound reasonable — puts baseline infrastructure at $370–$1,220 a year before anyone touches maintenance. Its own retainers run $240 a month for basic coverage, $590 for advanced, and $1,000+ for enterprise. Freelancers average $50–$150 an hour; agencies $100–$250.
Yes, $30–$50/month plans exist. Codeable’s own guide describes what they typically buy: automated updates with no staging environment, backups stored on the same server, and zero human hours. That’s not maintenance; that’s a cron job with a logo.
And security patching is only half the treadmill. The other half is compatibility churn: the update that’s perfectly safe but breaks your theme, the major PHP version your host schedules whether you’re ready or not, the two plugins that each work fine until they meet. None of that shows up in a vulnerability database. All of it shows up on a Tuesday evening.
The DIY route isn’t free either — you pay in those evenings, at whatever your evenings are worth. If your time bills at even $50 an hour, a few hours of monthly upkeep quietly clears what many small businesses pay for their entire web presence. It’s the biggest line item on the bill, and it’s the only one that never gets printed.
“Zero maintenance” is a structure, not a promise
Here is the part most “managed WordPress” marketing gets wrong. Managed hosts promise to patch fast. That’s a better version of the same race — someone still has to notice the CVE, test the update, and ship it before the five-hour window closes. The runner changed; the treadmill didn’t.
The structural fix follows directly from Patchstack’s 91% figure. If nearly all vulnerabilities live in the plugin layer, the decisive move is not patching plugins faster. It’s not having a plugin layer.
That’s how StoryPress is built. The things a WordPress site does with eight or nine plugins — SEO metadata, JSON-LD, sitemaps, Open Graph tags, llms.txt, cookie consent, Google Tag Manager wiring — are platform features. One codebase, maintained by us, deployed across Cloudflare’s edge. There is no wp-admin login page for bots to hammer, no PHP runtime to inject into, no third-party plugin author whose abandoned side project becomes your incident.
When we patch our platform, every site gets it at once, and you never see it happen. Not because we’re heroically fast — because on your site, there is nothing for you to patch. Zero of last year’s 11,334 were yours. Zero of next year’s will be, too.
“But my managed host handles this”
Partly. A good managed WordPress host hardens the server, isolates accounts, and auto-updates core. But Patchstack’s numbers say 91% of the risk sits in your plugins — and your plugin choices are, by definition, yours. The host can’t remove a vulnerable page-builder you depend on, and auto-updating it is exactly the kind of change that breaks layouts at 3 a.m. That’s why the same report found conventional defences blocked only a minority of real-world attacks. Managed hosting shrinks the treadmill. It cannot shrink it to zero while the plugin layer exists.
And because “no plugins” can sound like “locked in,” the exit is built in as well: full content export, any time. A platform that does the maintenance shouldn’t also hold the keys.
What we meter instead
StoryPress is $5 a month, billed $60 yearly. We meter the things that actually cost something — bandwidth and storage — with plainly labeled, sensible caps. We refuse to meter artificial units: languages, seats, locales. Our native CMS, arriving imminently, ships with first-class language support and no cap on language variants, because a language is not a resource — it’s a decision you already made about your audience.
Note what we’re not saying. Not “unlimited everything” — that’s how you end up with an asterisk the size of a terms-of-service page. Honest caps on real resources, zero meters on fake ones. The maintenance treadmill is just the same trick in a different costume: a cost that’s real but never printed on the price tag. We’d rather print everything.
The facts, atomized
11,334 new WordPress-ecosystem vulnerabilities in 2025, up 42% from 7,966 in 2024 (Patchstack, State of WordPress Security in 2026).
91% of those vulnerabilities were in plugins, not WordPress core (Patchstack, same report).
Weighted median time from disclosure to first exploitation: 5 hours; 45% of heavily exploited flaws attacked within 24 hours; 46% disclosed with no patch available (The Repository, 2026).
64% of 264 surveyed WordPress professionals experienced a full breach; only 27% had a recovery plan (Melapress security survey, September 2025).
WordPress market share: 43.2% (Dec 2025) → 41.5% (Jul 2026), six consecutive monthly declines — still the dominant CMS (W3Techs; Search Engine Journal).
WordPress upkeep, attributed: $370–$1,220/yr infrastructure plus $240–$1,000+/mo maintenance retainers (Codeable, 2026).
StoryPress: $5/month billed $60/yearly, no plugin layer, real-resource meters only. Zero site-side patching.
If you want the full cost picture beyond security — builds, redesigns, the works — we itemized it in what a website costs in 2026. And if the “honest meters” idea sounds like a manifesto, it is: the meter is dying.
Or skip the reading and skip the ritual: get started with StoryPress and spend your next Tuesday evening on literally anything else. The updates badge sends its regards. It’ll have to find someone else to bother.

Leaving Squarespace in 2026: What Your Renewal Actually Costs Now
The renewal email always arrives politely. Careful subject line, soft gradient header, and a number that is not the number you signed up with. If you own a Squarespace site in the US, July 2026 is the season you find out what your website costs now — prices went up on July 6, and renewal notices are how most owners heard.