At Sherdore, we monitor hundreds of websites across different industries every single day. Our security team runs continuous vulnerability scans, patches systems, and proactively identifies threats before they become breaches. This month, we’ve documented 20 critical vulnerabilities that appeared across our client base. While the specific details are confidential, we’re sharing these findings to help other business owners understand the security landscape and the kinds of threats their websites face.
Here are the top 20 website vulnerabilities we encountered this month, along with what they mean and why they matter.
UNPATCHED WORDPRESS PLUGINS (40% of our clients affected)
The most common vulnerability we see is outdated WordPress plugins. Developers release patches to fix security flaws, but website owners don’t apply them. Hackers know about these vulnerabilities—they’re publicly documented—so they target unpatched sites systematically.
What we fixed: We updated 47 WordPress installations with critical plugin patches this month. Some sites had plugins that were three major versions out of date.
Why it matters: Unpatched plugins are like leaving your front door unlocked. Attackers use automated tools to scan for known vulnerabilities, and outdated plugins are easy targets.
WEAK DATABASE CREDENTIALS
Several sites were using default or weak database passwords—things like “admin123” or “password.” Anyone with basic hacking knowledge can crack these in minutes.
What we fixed: We reset database credentials to strong, randomly generated passwords on 12 client sites.
Why it matters: Your database contains all your customer data, payment information, and business records. Weak credentials mean a hacker can access everything.
OUTDATED WORDPRESS CORE
While plugins get attention, the core WordPress installation is often neglected. WordPress releases security updates regularly, but many sites run versions that are 6-12 months out of date.
What we fixed: We updated 34 WordPress core installations to the latest stable version.
Why it matters: WordPress vulnerabilities are publicly known, and attackers prioritize outdated versions. Staying current is essential.
MISSING SSL CERTIFICATES OR EXPIRED CERTIFICATES
SSL certificates encrypt data in transit. Some sites had no SSL at all, meaning customer data, login information, and payment details were transmitted in plain text. Others had expired certificates, which cause browsers to show visitors a security warning.
What we fixed: We provisioned new SSL certificates for 8 sites and renewed expired certificates on 23 sites.
Why it matters: Modern browsers warn users about unencrypted connections. Visitors will leave your site. Google penalizes non-HTTPS sites in search rankings. It also signals to hackers that security isn’t a priority.
SQL INJECTION VULNERABILITIES IN CUSTOM CODE
Several sites had custom-built contact forms, login pages, or database queries with SQL injection vulnerabilities. This happens when user input isn’t properly sanitized before being used in database queries.
What we fixed: We identified and patched SQL injection vulnerabilities in custom code on 6 sites.
Why it matters: SQL injection allows hackers to manipulate database queries, accessing or modifying data without authorization.
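The defect described above, as an added example that is not code from the Sherdore report or from any client site: a custom login lookup written once with the username pasted into the SQL string and once as a PDO prepared statement (on a WordPress site, `$wpdb->prepare()` plays the same role). The table and column names are assumptions, and the database is an in-memory SQLite fixture so the file runs on its own.

```php
<?php
// Added example (not from the Sherdore report): a custom login lookup
// written two ways. Table and column names are assumptions.
declare(strict_types=1);

// VULNERABLE (shown for contrast, never called): the username is pasted
// straight into the SQL text, so the form input controls the query itself.
function find_user_vulnerable(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM site_users "
         . "WHERE username = '" . $username . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// FIXED: a prepared statement sends the SQL and the value separately, so
// the input is only ever compared as data and never parsed as SQL.
function find_user_safe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM site_users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Login check against a stored password_hash() value. "User not found" and
// "wrong password" both return false so the form does not reveal which
// usernames exist.
function login(PDO $db, string $username, string $password): bool
{
    $user = find_user_safe($db, $username);
    return $user !== null && password_verify($password, $user['password_hash']);
}

// Constructed in-memory SQLite fixture so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE site_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO site_users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong'));
```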
MISSING SECURITY HEADERS
Security headers (like Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options) tell browsers how to handle content. Many sites don’t implement these headers, leaving them vulnerable to certain attacks.
What we fixed: We configured proper security headers on 29 sites.
Why it matters: These headers prevent clickjacking, MIME type sniffing, and cross-site scripting attacks. They’re a foundational part of web security.
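One way to send the headers named above on a WordPress site, as an added example (not Sherdore's configuration): a must-use plugin hooked to the `send_headers` action. Setting them in the Apache or Nginx server configuration is the usual alternative; the policy values here are assumptions to be tuned per site.

```php
<?php
/**
 * Plugin Name: Security Headers (added example, not the report's code)
 * Drop into wp-content/mu-plugins/ so it loads on every request.
 */

// The header set lives in a plain function so it can be reviewed on its
// own; the hook below only emits it.
function example_security_headers(bool $is_https): array
{
    $headers = [
        // Stop other origins from framing the site (clickjacking).
        'X-Frame-Options' => 'SAMEORIGIN',
        // Make the browser honour the declared Content-Type (no MIME sniffing).
        'X-Content-Type-Options' => 'nosniff',
        // CSP: start in Report-Only so a policy that is too strict for the
        // theme's inline scripts shows up as console violations instead of
        // breaking the site. Rename to Content-Security-Policy once tuned.
        'Content-Security-Policy-Report-Only' =>
            "default-src 'self'; img-src 'self' data:; object-src 'none'; "
            . "frame-ancestors 'self'; base-uri 'self'",
    ];
    if ($is_https) {
        // Only meaningful over TLS; pairs with the certificate item above.
        $headers['Strict-Transport-Security'] = 'max-age=31536000';
    }
    return $headers;
}

add_action('send_headers', function (): void {
    foreach (example_security_headers(is_ssl()) as $name => $value) {
        header($name . ': ' . $value);
    }
});
```

Without a `report-uri` or `report-to` directive, Report-Only violations appear only in the browser console, which is enough for tuning on a staging copy.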
DIRECTORY LISTING ENABLED
Some servers were configured to display directory listings—meaning if someone navigated to a folder without an index file, they’d see all the files in that folder. This reveals your site structure and can expose sensitive files.
What we fixed: We disabled directory listing on 17 sites.
Why it matters: Exposing your directory structure helps attackers understand your site’s architecture and find potential vulnerabilities.
EXPOSED CONFIGURATION FILES
Configuration files containing database credentials, API keys, and other sensitive information were accessible via the web. These are sometimes left in the root directory or uploaded by mistake.
What we fixed: We removed 11 exposed .env, config.php, and similar files from public directories.
Why it matters: These files often contain the keys to your kingdom—database credentials, payment processor keys, email credentials, etc.
UNPATCHED OUTDATED THEMES
Like plugins, WordPress themes receive security updates. Old themes with known vulnerabilities were running on 28 sites.
What we fixed: We updated outdated themes and removed unused themes from 28 sites.
Why it matters: Themes have access to your entire WordPress installation. Vulnerable themes are a direct path to compromise.
MISSING OR WEAK AUTHENTICATION
Some admin areas had no password protection, or had weak passwords that could easily be brute-forced. One site had the admin panel at the default /wp-admin without any WAF protection.
What we fixed: We implemented strong authentication, changed default admin URLs, and added rate limiting to prevent brute force attacks on 19 sites.
Why it matters: Your admin panel is the control center of your website. Weak access controls mean complete site compromise is just a brute force attack away.
NO BACKUP SYSTEM
Twenty-two sites had no backup system in place at all. If they were hacked, corrupted, or suffered data loss, they had no way to recover.
What we fixed: We implemented automated daily backup systems with off-site storage for all 22 sites.
Why it matters: You can’t recover from a disaster without backups. No backups means total loss if something goes wrong.
UNENCRYPTED SENSITIVE DATA STORAGE
Several sites were storing passwords, credit card information, or API keys in plain text in their databases.
What we fixed: We implemented proper encryption for sensitive data on 7 sites.
Why it matters: Storing unencrypted sensitive data violates PCI-DSS, GDPR, and other regulations. It also means compromised data is immediately usable by attackers.
CROSS-SITE SCRIPTING (XSS) VULNERABILITIES
User input wasn’t properly sanitized on several contact forms and comment sections, allowing potential XSS attacks where malicious code could be injected and executed in users’ browsers.
What we fixed: We implemented input validation and output encoding on 9 sites.
Why it matters: XSS can steal user sessions, credentials, and cookies. It can redirect users to malicious sites or display fake content.
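The output-encoding fix described above, as an added example (not code from the report): rendering a stored comment with escaping chosen per context, HTML text, HTML attribute, and URL. The `$comment` array shape is an assumption; WordPress ships `esc_html()`, `esc_attr()` and `esc_url()` for the same purpose.

```php
<?php
// Added example (not from the Sherdore report): rendering a stored comment
// safely. Escaping is chosen per output context: HTML text, attribute, URL.
declare(strict_types=1);

function esc_text(string $s): string
{
    // Encodes < > & " ' so user text is displayed, never parsed as markup.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function esc_url_attr(string $url): string
{
    // Only http(s) URLs survive; any other scheme becomes the empty string.
    $valid = filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true);
    return $valid ? esc_text($url) : '';
}

// $comment is an associative array as it might come back from the database:
// ['author' => ..., 'website' => ..., 'body' => ...]. Nothing in it is trusted.
function render_comment(array $comment): string
{
    $author = esc_text($comment['author'] ?? '');
    $site   = esc_url_attr($comment['website'] ?? '');
    // nl2br() runs AFTER escaping, so the only <br> tags are the ones we add.
    $body   = nl2br(esc_text($comment['body'] ?? ''));

    $name = $site !== ''
        ? '<a href="' . $site . '" rel="nofollow ugc">' . $author . '</a>'
        : $author;

    return "<article class=\"comment\"><header>{$name}</header><p>{$body}</p></article>";
}

// Constructed input of the kind a comment form might submit; the markup in
// the author field is rendered as visible text, and the non-http URL is dropped.
echo render_comment([
    'author'  => 'Dana <script>alert("hi")</script>',
    'website' => 'javascript:alert(1)',
    'body'    => "Nice post!\nSee \"this\" & that.",
]);
```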
NO WEB APPLICATION FIREWALL (WAF)
Many sites had no WAF protection—meaning common attacks like SQL injection, XSS, and bot traffic reached the application directly.
What we fixed: We deployed WAF protection on 31 sites this month.
Why it matters: A WAF blocks common attack patterns before they reach your application. It’s essential defense infrastructure.
EXCESSIVE FILE PERMISSIONS
Server file permissions were too permissive on 14 sites, allowing unauthorized access or modification of critical files.
What we fixed: We corrected file permissions, ensuring only necessary users and processes could read/write files.
Why it matters: Proper permissions prevent unauthorized file access and modification.
UNENCRYPTED ADMIN PASSWORDS IN CODE
Hardcoded credentials were found in source code or configuration files on 5 sites—sometimes even in version control systems.
What we fixed: We removed hardcoded credentials and implemented secure credential management.
Why it matters: Credentials in code are eventually exposed—either through source code leaks, developer departures, or repository breaches.
MISSING RATE LIMITING
Login pages, password reset forms, and API endpoints had no rate limiting, making them vulnerable to brute force and DoS attacks.
What we fixed: We implemented rate limiting on login attempts, API calls, and form submissions on 26 sites.
Why it matters: Rate limiting prevents automated attacks that try thousands of credentials per second.
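The login rate limiting mentioned here and in the authentication item above, as an added example (not Sherdore's implementation): a WordPress must-use plugin that counts failed logins per client IP in a transient and refuses further attempts for a while. The threshold, window and key prefix are assumptions; it also writes one log line per failure, which the monitoring item further down relies on.

```php
<?php
/**
 * Plugin Name: Login Rate Limit (added example, not the report's code)
 * Place in wp-content/mu-plugins/. Locks out a client IP after too many
 * failed logins, using WordPress transients as the counter store.
 */

const EXAMPLE_MAX_FAILURES = 5;                      // attempts allowed per window
const EXAMPLE_WINDOW       = 15 * MINUTE_IN_SECONDS; // counter lifetime = lockout length

function example_client_key(): string
{
    // REMOTE_ADDR is what the web server saw. Behind a proxy or WAF it is the
    // proxy's address; use the header that proxy sets, and only trust it
    // when the request really came from that proxy.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'login_fail_' . md5($ip); // md5 only shortens the key, not for secrecy
}

// Count a failure. WordPress fires this for wrong passwords and unknown
// usernames alike, but not for an empty form submission.
add_action('wp_login_failed', function ($username): void {
    $key   = example_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, EXAMPLE_WINDOW); // locked-out attempts still count
    // Strip everything but safe characters so a crafted username cannot forge log lines.
    $safe_user = preg_replace('/[^\w.@-]/', '_', (string) $username);
    error_log(sprintf('login_failed ip=%s user=%s count=%d',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown', $safe_user, $count));
});

// Refuse the attempt before the password is checked when the IP is locked out.
add_filter('authenticate', function ($user, $username, $password) {
    if ((string) $username === '' && (string) $password === '') {
        return $user; // initial render of the form, not an attempt
    }
    if ((int) get_transient(example_client_key()) >= EXAMPLE_MAX_FAILURES) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts. Please try again later.');
    }
    return $user;
}, 30, 3);

// Clear the counter on a successful login so legitimate users recover.
add_action('wp_login', function (): void {
    delete_transient(example_client_key());
});
```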
OUTDATED PHP VERSIONS
Many sites were running PHP 5.6 or 7.0—versions that are no longer supported and have known vulnerabilities. Some were running even older versions.
What we fixed: We upgraded 18 sites to PHP 8.0 or higher, testing thoroughly to ensure compatibility.
Why it matters: Unsupported software versions don’t receive security patches. Vulnerabilities in old PHP versions are well-documented and easily exploited.
NO SECURITY MONITORING OR LOGGING
Several sites had no access logs, audit trails, or security event logging. If they were compromised, they wouldn’t know how the attack happened or what was accessed.
What we fixed: We implemented comprehensive logging and monitoring on 23 sites, including access logs, failed login attempts, and file modifications.
Why it matters: Without logs, you can’t detect breaches, investigate incidents, or prove compliance with regulations like HIPAA or GDPR.
UNPATCHED SERVER SOFTWARE
Server software (Apache, Nginx, MySQL) was outdated on 19 sites, with known vulnerabilities present.
What we fixed: We updated server software on all 19 sites to the latest stable versions.
Why it matters: Servers are attack vectors. Outdated server software contains known vulnerabilities for which working exploits are publicly available and actively used.
WHAT THIS MEANS FOR YOUR BUSINESS
These 20 vulnerabilities represent the most common threats we’re seeing across our client base. The good news: nearly all of them are preventable with proper maintenance.
Most of these vulnerabilities aren’t new—they’re well-documented issues that responsible website owners address through regular maintenance. The fact that we’re finding them in such high numbers (40% of clients affected by unpatched plugins, 22 sites with no backups) shows how widespread neglect really is.
The even better news: once we patch these vulnerabilities, our clients’ websites are protected. They don’t have to worry about becoming breach statistics.
WHY SHERDORE MONITORS FOR THESE VULNERABILITIES
At Sherdore, our 24/7 security monitoring is designed specifically to catch these vulnerabilities before attackers do. Our process includes:
- Continuous vulnerability scanning that identifies known issues automatically. We run scans daily on every client website, checking for outdated software, weak configurations, and known vulnerabilities.
- Proactive patching that applies security updates immediately. When WordPress releases a critical patch, we’re applying it to all client sites that same day—not weeks later.
- Security hardening that implements best practices beyond just patching. We configure security headers, implement WAFs, set proper permissions, and harden configurations.
- Incident response and recovery that handles breaches when they do occur. Despite best efforts, nothing is 100% secure. When incidents happen, we can respond quickly with our forensics team and recovery procedures.
WHAT YOU SHOULD DO
If you’re reading this and recognizing some of these vulnerabilities on your site, don’t panic. Take these steps:
- Get a security audit. Have a professional scan your site for vulnerabilities. You might discover you have several of these issues. A comprehensive audit will identify exactly what needs to be fixed, prioritized by severity. This is the foundation of any remediation effort.
- Prioritize critical vulnerabilities. Not all vulnerabilities are equal. Start with the most critical ones: unpatched software, weak credentials, missing backups. A vulnerability that affects thousands of websites is more likely to be exploited than an obscure flaw. Start with the high-impact issues.
- Implement ongoing maintenance. Rather than fixing problems one at a time, implement a comprehensive maintenance plan that keeps your site secure continuously. The businesses we work with that have the fewest vulnerabilities are those that maintain their sites consistently, not those that fix things reactively.
- Monitor for incidents. Set up logging and monitoring so you can detect breaches quickly. Early detection is critical. The difference between a minor incident and a catastrophic breach often comes down to how quickly the attack was detected and stopped.
- Plan for recovery. Have a backup and disaster recovery plan in place. Hope for the best, but prepare for the worst. Know exactly how you’d restore your site from a backup. Test your recovery procedures. When an incident does occur, you’ll be glad you did.
TRENDS WE’RE SEEING
Across this month’s findings, a few trends stand out:
WordPress sites continue to be the most vulnerable. This makes sense—WordPress powers over 40% of all websites, making it a priority target for attackers. WordPress sites are easier to identify and exploit because the software is so widely used.
Business owners still underestimate the importance of backups. The fact that we found 22 sites with no backup system at all is shocking. This suggests businesses haven’t experienced a disaster yet, so they don’t appreciate how critical backups truly are.
Outdated software is the #1 culprit. Whether it’s WordPress plugins, themes, PHP versions, or server software—keeping systems up to date prevents the majority of vulnerabilities we find.
Custom code is often less secure than standard frameworks. The SQL injection vulnerabilities we found were in custom-built code. Standard frameworks often have built-in protections; custom code requires developers to implement these protections manually.
Professional maintenance matters. The sites that are most secure are the ones receiving regular professional maintenance. Sites maintained entirely by the business owner or freelancers (without a comprehensive plan) are significantly more vulnerable.
THE BIGGER PICTURE
This month’s vulnerability report tells a story: most website owners are reactive rather than proactive. They fix things when they break, rather than preventing problems in the first place.
The businesses winning in today’s competitive landscape are the ones that take security seriously. They maintain their websites consistently. They monitor for vulnerabilities. They respond quickly to threats.
Those businesses don’t end up in breach statistics. They don’t face fines and legal liability. Their websites consistently deliver value.
If your website is showing any of these vulnerabilities, the time to act is now. Every day a vulnerability exists is another day an attacker could exploit it.
Next month, we’ll release our February vulnerability report covering the top threats we’ve discovered and patched. Subscribe to stay informed about emerging security trends and the vulnerabilities that matter most to your business.
About Sherdore
Sherdore is a web security and maintenance company dedicated to protecting business websites from threats. We provide continuous vulnerability monitoring, proactive patching, security hardening, and incident response services. Our 24/7 monitoring catches threats before they become breaches.
If you want your website to be secure and fully protected, learn more about our comprehensive security and maintenance services at https://www.sherdore.com/services/website-support-maintenance-plan/