kosdesign

25 May 2026

AI Is Making It Easier to Build Websites - and Easier to Attack Them

The same technology that lets you generate a landing page in minutes is now being used to scan, probe, and break into websites at a scale we've never seen before.

In 2025, over 11,300 new vulnerabilities were discovered across the WordPress ecosystem alone - a 42% increase from the previous year. Roughly 13,000 WordPress sites are being compromised every single day. And the window between a vulnerability being disclosed and the first automated attack? Five hours. Not days. Hours.

This isn't a hypothetical risk. It's happening right now, and it's accelerating.

What Changed?

AI didn't just make web development faster - it made cyberattacks faster too. Automated bots now scan thousands of websites simultaneously, looking for outdated plugins, weak configurations, and known vulnerabilities. They don't need to be clever. They just need to be fast and persistent.

What used to require a skilled attacker now runs on autopilot: mass vulnerability scanning, automated exploit generation, and even AI-assisted malware that adapts to avoid detection. The barrier to entry for launching an attack has dropped dramatically - while the number of potential targets keeps growing.

WordPress, which powers over 43% of all websites on the internet, is the single largest target. Not because its core is insecure - but because the vast majority of vulnerabilities sit in third-party plugins and themes. The average WordPress site runs 20 to 30 of them. Each one is a potential entry point.

And here's the uncomfortable truth: traditional hosting firewalls only block about 12% of WordPress-specific attacks. Standard defenses aren't enough anymore.

What Attackers Are After

It's not always about stealing customer data - though that remains a major risk, especially for e-commerce sites handling personal and payment information. Attackers also hijack servers to send spam, inject malicious redirects that damage your SEO and brand reputation, or install hidden scripts that quietly mine cryptocurrency using your server's resources. In many cases, the site owner doesn't even realise their website has been compromised until performance drops or Google flags the domain.

Let That Sink In: 91% of Vulnerabilities Are in Plugins

This is the number that should change how you think about your website. WordPress core itself is remarkably secure - only six vulnerabilities were found in it throughout all of 2025. But the plugins and themes that make WordPress functional? They account for 91% of all discovered vulnerabilities. The average site runs 20 to 30 plugins. Every single one is a door that could be left unlocked.

And with AI now enabling what researchers call "vibe coding" - where developers ship AI-generated plugins without properly auditing the code - the problem is only getting worse. Studies show that roughly 45% of AI-generated code contains security flaws. That's code going live on production websites, often without any security review.

How We Approach Security at KOS Design

We've been building and maintaining websites for clients across industries for nearly 20 years, and security has always been central to how we work. Our client portfolio includes enterprise-level projects for organisations like PTT, King Power, Pruksa, Sharp, and Bangkok Bank - environments where security isn't optional, it's a requirement before anything goes live.

These large corporate clients require formal security penetration testing as part of their project delivery process, and we handle it end-to-end: from initial vulnerability assessment through to full penetration testing, remediation, and final sign-off. This is something we offer across all our projects - not just enterprise. Whether you're a growing business or a multinational, the same rigorous approach applies.

Here's how we handle security across the board:

Platform selection matters. Not every project needs WordPress. We work across multiple CMS platforms and custom-built solutions, selecting the right technology based on each client's requirements - including their security profile. When WordPress is the right choice, we lock it down properly. When it isn't, we recommend alternatives that reduce the attack surface from the start.

Security penetration testing. We conduct thorough penetration tests to identify vulnerabilities before attackers do - simulating real-world attack scenarios against your website and server infrastructure. This includes application-level testing, server configuration review, and detailed reporting with prioritised remediation steps.

Server-level protection. Every site we host runs behind properly configured firewalls, DDoS mitigation, and bot management. We actively monitor server traffic and maintain strict access controls - so threats are caught before they reach your website.

Proactive maintenance. Security isn't a one-time setup. We handle ongoing updates, plugin audits, and vulnerability patching as part of our hosting and maintenance plans. When a critical vulnerability is disclosed, we don't wait for the client to notice - we act.

Backups and recovery. Automated daily backups stored on separate infrastructure, with tested recovery procedures. If the worst happens, we can restore a site quickly and completely.

SSL, hardening, and access control. Every site ships with SSL encryption, hardened configurations, two-factor authentication where supported, and role-based access to minimise exposure.

The Bottom Line

Building a great website has never been more accessible. But keeping it secure requires experience, vigilance, and the right infrastructure behind it. The threats are automated, persistent, and getting smarter - your defenses need to be too.

If you're running a business website and you're not sure how protected it really is, it might be time for a conversation. We're always happy to take a look.


KOS Design is a creative design agency and software house based in Bangkok, building and securing websites for clients across Thailand and internationally since 2006. Get in touch at [email protected] or visit www.kos.co.th.

