Patchstack published a case study that examined how well Cloudflare and other general firewall and malware solutions protected WordPress websites from common vulnerability threats and attack vectors. The research showed that while general solutions stopped threats like SQL injection or cross-site scripting, a dedicated WordPress security solution consistently stopped WordPress-specific exploits at a significantly higher rate.
WordPress Vulnerabilities
Due to the popularity of the WordPress platform, WordPress plugins and themes are a common focus for hackers, and vulnerabilities can quickly be exploited in the wild. Once proof-of-concept code is public, attackers often act within hours, leaving website owners little time to react.
This is why it is critical to be aware of the security provided by a web host and of how effective those solutions are in a WordPress environment.
Methodology
Patchstack explained their methodology:
“As a baseline, we have decided to host “honeypot” sites (sites against which we will perform controlled pentesting with a set of 11 WordPress-specific vulnerabilities) with 5 distinct hosting providers, some of which have ingrained features presuming to help with blocking WordPress vulnerabilities and/or overall security.
In addition to the hosting provider’s security measures and third-party providers for additional measures like robust WAFs or other patching providers, we have also installed Patchstack on every site, with our test question being:
How many of these threats will bypass firewalls and other patching providers to ultimately reach Patchstack?
And will Patchstack be able to block them all successfully?”
Testing process
Each website was set up the same way, with identical plugins, versions, and settings. Patchstack used an “exploitation testing toolkit” to run the same exploit tests in the same order on every site. Results were checked automatically and by hand to determine whether each attack was stopped and, if so, whether the block came from the host’s defenses or from Patchstack.
General Overview: Hosting Providers Versus Vulnerabilities
The Patchstack case study tested five different configurations of security defenses, plus Patchstack.
1. Hosting Provider A + Cloudflare WAF
2. Hosting Provider B + Firewall + Monarx Server and Website Security
3. Hosting Provider C + Firewall + Imunify Web Server Security
4. Hosting Provider D + ConfigServer Firewall
5. Hosting Provider E + Firewall
The testing showed that the various hosting infrastructure defenses failed to block the majority of WordPress-specific threats, catching only 12.2% of the exploits. Patchstack caught 100% of all exploits.
Patchstack shared:
“2 out of the 5 hosts and their solutions failed to block any vulnerabilities at the network and server levels.
1 host blocked 1 vulnerability out of 11.
1 host blocked 2 vulnerabilities out of 11.
1 host blocked 4 vulnerabilities out of 11.”
Cloudflare And Other Solutions Failed
Solutions like Cloudflare WAF or bundled services such as Monarx or Imunify failed to consistently address WordPress-specific vulnerabilities.
Cloudflare’s WAF stopped 4 of 11 exploits, Monarx blocked none, and Imunify did not prevent any WordPress-specific exploits. Firewalls such as ConfigServer, which are widely used in shared hosting environments, also failed every test.
These results show that while those kinds of products work reasonably well against broad attack types, they are not tuned to the specific security issues common to WordPress plugins and themes.
Patchstack is designed specifically to stop WordPress plugin and theme vulnerabilities in real time. Instead of relying on static signatures or generic rules, it applies targeted mitigation through virtual patches as soon as vulnerabilities are disclosed, before attackers can act.
A virtual patch is a mitigation for one specific WordPress vulnerability. It protects users while the plugin or theme developer prepares a fix for the flaw. This approach addresses WordPress flaws in a way hosting companies and generic tools can’t: such flaws rarely match generic attack patterns, so they slip past traditional defenses and expose publishers to privilege escalation, authentication bypasses, and site takeovers.
Takeaways
Standard hosting defenses fail against most WordPress plugin vulnerabilities (87.8% bypass rate).
Many providers claiming “virtual patching” (like Monarx and Imunify) did not stop WordPress-specific exploits.
Generic firewalls and WAFs caught some broad attacks (SQLi, XSS) but not WordPress-specific flaws tied to plugins and themes.
Patchstack consistently blocked vulnerabilities in real time, filling the gap left by network and server defenses.
WordPress’s plugin-heavy ecosystem makes it an especially attractive target for attackers, making effective vulnerability protection essential.
The case study by Patchstack shows that traditional hosting defenses and generic “virtual patching” solutions leave WordPress sites vulnerable, with nearly 88% of attacks bypassing firewalls and server-layer protections.
While providers like Cloudflare blocked some broad exploits, plugin-specific threats such as privilege escalation and authentication bypasses slipped through.
Patchstack was the only solution to consistently block these attacks in real time, giving site owners a dependable way to protect WordPress sites against the types of vulnerabilities that are most often targeted by attackers.
According to Patchstack:
“Don’t rely on generic defenses for WordPress. Patchstack is built to detect and block these threats in real-time, applying mitigation rules before attackers can exploit them.”
A vulnerability advisory was published for the Inspiro WordPress theme by WPZoom. The vulnerability arises due to a missing or incorrect security validation that enables an unauthenticated attacker to launch a Cross-Site Request Forgery (CSRF) attack.
Cross-Site Request Forgery (CSRF)
In the context of a WordPress site, a CSRF attack relies on a user with admin privileges clicking a link, which in turn leverages that user’s credentials to execute a malicious action. The vulnerability has been assigned a CVSS threat rating of 8.1.
The advisory issued by WordPress security company Wordfence warned:
“This makes it possible for unauthenticated attackers to install plugins from the repository via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.”
The vulnerability affects Inspiro theme versions up to and including 2.1.2. Users are advised to update their theme to the latest version.
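The missing check described above is an anti-forgery token tied to the logged-in user and the action, plus a capability test. The following is an added illustration in plain PHP, not code from the Inspiro theme or the advisory; the HMAC token, the `install_plugins` session array and the plugin slugs are constructed stand-ins for what WordPress provides through wp_create_nonce()/wp_verify_nonce() (or check_admin_referer()) and current_user_can().

```php
<?php
// Added example: a minimal HMAC-based request token showing the check whose
// absence makes the CSRF described above possible. In WordPress the same roles
// are played by wp_create_nonce()/wp_verify_nonce() (or check_admin_referer())
// together with a current_user_can() capability test.

// Server-side secret; in WordPress the salts in wp-config.php play this role.
const SITE_SECRET = 'constructed-example-secret-change-me';

// Bind the token to the logged-in user AND the specific action, so a token
// leaked from one form cannot authorise a different action.
function make_token(int $user_id, string $action): string {
    return hash_hmac('sha256', $user_id . '|' . $action, SITE_SECRET);
}

// Vulnerable shape: acts on the request without proving the admin intended it.
// The browser attaches the admin's cookies to any request, wherever it came from.
function handle_install_vulnerable(array $request, array $session): string {
    $slug = $request['plugin'] ?? '';
    return "installed plugin '$slug'";          // no nonce check, no capability check
}

// Hardened shape: capability check first, then a constant-time comparison
// against the token minted for this user and this action.
function handle_install_hardened(array $request, array $session): string {
    if (empty($session['user_id'])
        || !in_array('install_plugins', $session['caps'] ?? [], true)) {
        return 'rejected: insufficient capability';
    }
    $expected = make_token((int) $session['user_id'], 'inspiro_install_plugin');
    if (!hash_equals($expected, (string) ($request['_wpnonce'] ?? ''))) {
        return 'rejected: missing or invalid nonce';   // a forged request lands here
    }
    $slug = basename((string) ($request['plugin'] ?? ''));  // keep the slug a bare name
    return "installed plugin '$slug'";
}

// Constructed session for a logged-in administrator.
$admin_session = ['user_id' => 1, 'caps' => ['install_plugins']];

// Constructed forged request: cookies (hence the session) are present, but a
// third-party page cannot know the per-user, per-action token.
$forged = ['plugin' => 'constructed-plugin-slug'];
// Constructed legitimate request from the admin's own form, token included.
$legit  = ['plugin' => 'hello-dolly',
           '_wpnonce' => make_token(1, 'inspiro_install_plugin')];

echo 'vulnerable, forged:  ', handle_install_vulnerable($forged, $admin_session), PHP_EOL;
echo 'hardened, forged:    ', handle_install_hardened($forged, $admin_session), PHP_EOL;
echo 'hardened, legit:     ', handle_install_hardened($legit, $admin_session), PHP_EOL;
```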
A vulnerability advisory was issued for a WordPress Contact Form 7 add-on plugin that enables unauthenticated attackers to “easily” launch a remote code execution. The vulnerability is rated high (8.8/10) on the CVSS threat severity scale.
Screenshot from Wordfence advisory showing 8.8 CVSS severity rating
Redirection for Contact Form 7 plugin
The vulnerability affects the Redirection for Contact Form 7 WordPress plugin, which is installed on over 300,000 websites. The plugin extends the functionality of the popular Contact Form 7 plugin. It enables a website publisher not only to redirect a user to another page but also to store the information in a database, send email notifications, and block spammy form submissions.
The vulnerability arises in a plugin function. WordPress functions are PHP code snippets that provide specific functionalities. The flawed function is named delete_associated_files. It contains an insufficient file path validation flaw, meaning it does not validate what a user can pass to the function that deletes files, which enables an attacker to specify the path of a file to be deleted.
Thus, an attacker can specify a path (such as ../../wp-config.php) and delete a critical file like wp-config.php, clearing the way for a remote code execution (RCE) attack. An RCE attack is a type of exploit that enables an attacker to execute malicious code remotely (from anywhere on the Internet) and gain control of the website.
“This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).”
The vulnerability affects all versions of the plugin up to and including version 3.2.4. Users of the affected plugin are advised to update the plugin to the latest version.
An advisory was issued about a critical vulnerability in the popular Tutor LMS Pro WordPress plugin. The vulnerability, rated 8.8 on a scale of 1 to 10, allows an authenticated attacker to extract sensitive information from the WordPress database. The vulnerability affects all versions up to and including 3.7.0.
Tutor LMS Pro Vulnerability
The vulnerability results from improper handling of user-supplied data, enabling attackers to inject SQL code into a database query. The Wordfence advisory explains:
“The Tutor LMS Pro – eLearning and online course solution plugin for WordPress is vulnerable to time-based SQL Injection via the ‘order’ parameter used in the get_submitted_assignments() function in all versions up to, and including, 3.7.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.”
Time-Based SQL Injection
A time-based SQL injection attack is one in which an attacker determines whether an injected query condition holds by measuring how long the database takes to respond. An attacker could use the vulnerable order parameter to insert SQL code that delays the database’s response. By timing these delays, the attacker can deduce information stored in the database.
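An ORDER BY column cannot be bound as a prepared-statement parameter, so an `order` request parameter has to be handled with an allowlist rather than escaping. The builder below is an added example in plain PHP, not the Tutor LMS Pro code; the table, column names and the `get_submitted_assignments`-style query shape are constructed, and in a real plugin the `%d` placeholder would be filled by $wpdb->prepare().

```php
<?php
// Added example: allowlisting the sort column for an ORDER BY clause, the one
// place $wpdb->prepare() cannot help because identifiers are not bindable.

// Public sort keys mapped to the real column they are allowed to reach.
const ALLOWED_ORDER_COLUMNS = [
    'date'   => 'a.created_at',
    'title'  => 'a.title',
    'status' => 'a.status',
];

// Vulnerable shape: the request text is spliced straight into the SQL string,
// so a crafted 'order' value becomes part of the query the database runs.
function build_assignments_query_vulnerable(int $course_id, string $order, string $dir): string {
    return "SELECT * FROM assignments a WHERE a.course_id = $course_id ORDER BY $order $dir";
}

// Hardened shape: the column comes only from the allowlist, the direction only
// from a two-value set, and the one user value left in the query is a placeholder.
function build_assignments_query_hardened(int $course_id, string $order, string $dir): ?array {
    if (!array_key_exists($order, ALLOWED_ORDER_COLUMNS)) {
        return null;                                  // unknown sort key: refuse, do not guess
    }
    $dir    = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    $column = ALLOWED_ORDER_COLUMNS[$order];
    return [
        'sql'    => "SELECT * FROM assignments a WHERE a.course_id = %d ORDER BY $column $dir",
        'params' => [$course_id],   // in WordPress: $wpdb->prepare($sql, ...$params)
    ];
}

// Detection aid for request logs: a legitimate sort key for this endpoint is
// always a bare identifier, so anything else is worth alerting on.
function looks_like_order_injection(string $order): bool {
    return preg_match('/^[A-Za-z0-9_]+$/', $order) !== 1;
}

// Constructed inputs: a normal request, and a time-based probe of the kind
// described above, whose extra SQL delays the response.
$inputs = ['date', 'created_at, SLEEP(5)'];
foreach ($inputs as $order) {
    echo "order={$order}\n";
    echo "  vulnerable: ", build_assignments_query_vulnerable(42, $order, 'asc'), "\n";
    $safe = build_assignments_query_hardened(42, $order, 'asc');
    echo "  hardened:   ", $safe === null ? 'REJECTED' : $safe['sql'], "\n";
    echo "  suspicious: ", looks_like_order_injection($order) ? 'yes' : 'no', "\n";
}
```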
Why This Vulnerability Is Dangerous
While exploitation requires authenticated access, successful exploitation of the flaw could expose sensitive information. Updating to the latest version, 3.7.1 or higher, is recommended.
An advisory was issued for three WordPress file management plugins that are affected by a vulnerability that allows unauthenticated attackers to delete arbitrary files. The three plugins are installed on over 1.3 million websites.
Outdated Version Of elFinder
The vulnerability is caused by outdated versions of the elFinder file manager, specifically versions 2.1.64 and earlier. These versions contain a Directory Traversal vulnerability that allows attackers to manipulate file paths to reach outside the intended directory. By sending requests with sequences such as example.com/../../../../, an attacker could make the file manager access and delete arbitrary files.
Affected Plugins
Wordfence named the following three plugins as affected by this vulnerability:
1. File Manager WordPress Plugin Installations: 1 Million
3. File Manager Pro – Filester Installations: 100,000+
According to the Wordfence advisory, the vulnerability can be exploited without authentication, but only if a site owner has made the file manager publicly accessible, which limits the likelihood of exploitation. That said, two of the plugins indicated in their changelogs that an attacker needs at least subscriber-level authentication, the lowest level of website credentials.
Once exploited, the flaw allowed deletion of arbitrary files. Users of the named WordPress plugins should consider updating to the latest versions.
A vulnerability advisory was issued for a WordPress plugin that saves contact form submissions. The flaw enables unauthenticated attackers to delete files, launch a denial of service attack, or perform remote code execution. The vulnerability was given a severity rating of 9.8 on a scale of 1 to 10, indicating the seriousness of the issue.
Database for Contact Form 7, WPForms, Elementor Forms Plugin
The Database for Contact Form 7, WPForms, Elementor Forms plugin, also apparently known as the Contact Form Entries plugin, saves contact form entries into the WordPress database. It enables users to view contact form submissions, search them, mark them as read or unread, export them, and perform other functions. The plugin has over 70,000 installations.
The plugin is vulnerable to PHP Object Injection by an unauthenticated attacker, which means that an attacker does not need to log in to the website to launch the attack.
A PHP object is a data structure in PHP. PHP objects can be turned into a sequence of characters (serialized) in order to store them and then deserialized (turned back into an object). The flaw that gives rise to this vulnerability is that the plugin allows an unauthenticated attacker to inject an untrusted PHP object.
If the WordPress site also has the Contact Form 7 plugin installed, the injected object can trigger a POP (property-oriented programming) chain during deserialization.
“This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain in the Contact Form 7 plugin, which is likely to be used alongside, allows attackers to delete arbitrary files, leading to a denial of service or remote code execution when the wp-config.php file is deleted.”
All versions of the plugin up to and including 1.4.3 are vulnerable. Users are advised to update their plugin to the latest version, which as of this date is version 1.4.5.
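The root cause described above is a call to unserialize() on data the attacker controls, which lets any class on the site be instantiated and its magic methods run. The following is an added example in plain PHP (PHP 8+), not code from either plugin; the Recorder class is a constructed, harmless stand-in for a gadget class whose __destruct does something with attacker-chosen properties, and the filter strings are constructed request data.

```php
<?php
// Added example: why unserialize() on request data is dangerous and how to
// neutralise it. Recorder only appends to a log, but it runs the same way a
// real gadget's magic method would: without the plugin ever calling it.

class Recorder {
    public string $target = '';
    public static array $log = [];
    // Runs automatically when the object is destroyed.
    public function __destruct() {
        self::$log[] = "side effect on '{$this->target}'";
    }
}

// Vulnerable shape: request data is deserialized with every class permitted,
// so the attacker chooses which classes come to life and with which properties.
function load_entry_filter_vulnerable(string $raw): mixed {
    return unserialize($raw);
}

// Hardened shape 1: no class may be instantiated from this input. Any O:...
// payload becomes __PHP_Incomplete_Class and no magic method ever runs.
function load_entry_filter_hardened(string $raw): mixed {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened shape 2 (preferred for new code): JSON carries no class information.
function load_entry_filter_json(string $raw): ?array {
    $data = json_decode($raw, true, 16);
    return is_array($data) ? $data : null;
}

// Detection aid: serialized objects always start a token with O:<len>:" (or C:
// for custom serializers). Flagging that in request parameters is cheap and precise.
function contains_serialized_object(string $raw): bool {
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed payloads: what a legitimate client sends (a plain array) next to
// an injected object of the stand-in class.
$benign   = serialize(['status' => 'unread', 'page' => 2]);
$injected = serialize((function () {
    $r = new Recorder();
    $r->target = 'constructed-path';
    return $r;
})());
Recorder::$log = [];   // drop the side effect from building the payload itself

echo 'benign flagged:   ', contains_serialized_object($benign) ? 'yes' : 'no', "\n";
echo 'injected flagged: ', contains_serialized_object($injected) ? 'yes' : 'no', "\n";

$v = load_entry_filter_vulnerable($injected);
unset($v);                         // destructor fires: the injected object was live
$h = load_entry_filter_hardened($injected);
echo 'hardened yields:  ', get_class($h), "\n";
unset($h);                         // nothing fires: no Recorder was ever created
echo 'side effects recorded: ', count(Recorder::$log), "\n";
print_r(Recorder::$log);
```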
How to make your content visible in the age of AI search
So, what exactly is LLM Optimization? Well, the answer to that question depends on who you ask. For example, if you ask a machine learning engineer, they’ll tell you it’s all about tweaking prompts and token limits to get better performance from a large language model. In fact, Iguazio actually defines LLM optimization as improving the way models respond, which means smarter, faster, and with more contextual recognition.
If, on the other hand, you are a content strategist or SEO enthusiast, LLM optimization will mean something completely different to you and that is making sure that your content shows up in AI-generated search results. And, that needs to be true no matter whether you’re talking to ChatGPT, searching with Perplexity, or scanning Google’s new AI Mode for answers. Some call this ChatGPT SEO or Generative Engine Optimization.
So, if you fall into the latter of those two groups, i.e. the people who want their content and product pages to be seen and clicked, then this article is for you. And, if you’d like to read on, we’ll show you why LLM optimization in an AI-search landscape isn’t some sort of luxury option; it’s an absolute necessity.
What are LLMs and why should you care?
AI engineers train large language models on huge amounts of text and data to generate answers, summaries, code, and human-like language. They’ve read everything (not just the Classics), and that includes blogs, news articles and your website.
The reason that’s important is that LLMs don’t crawl your website in real time like Search Engines do. What they do is read it, learn from it and when someone asks them a question, they try to recall what they saw and rephrase it into an answer. If your site shows up as the answer, “Great” but if not, you’ve got a visibility problem.
The new way of searching
Search is not just about Google anymore. Also, it’s not as if just one other thing has come to dominate, which means we’re left with a rather messy mix of Perplexity answers, ChatGPT chats, Gemini summaries and voice assistants reading out answers while we try to do two tasks at once.
In short, people aren’t just searching, they’re conversing and if your content can’t hold its own in this environment then you’re missing out on visibility, traffic, and the ability to build trust. We’ll walk you through exactly how to fix that.
SEO vs. GEO vs. AEO vs. LLMO: Are we just rebranding SEO?
If you’ve been wondering whether you now need four different strategies for SEO (Search Engine Optimization), GEO (Generative Engine Optimization), AEO (Answer Engine Optimization), and LLMO (Large Language Model Optimization), relax, it’s not as big a deal as you might think. You see, despite all the buzzwords, the core of optimization hasn’t changed much.
All four terms point to the same central goal: making your content more findable, quotable, and credible in machine-generated output regardless of whether that comes from Google’s AI Overviews, ChatGPT, or an answer box on Bing.
So, should you overhaul your entire content strategy to ‘do LLMO’?
Not really. At least, not yet.
Most of what boosts your presence in LLMs is already what SEO professionals have been doing for years. Structured content, semantic clarity, topical authority, entity association, clean internal linking: it’s all classic SEO.
Where they slightly diverge:
SEO (Search Engine Optimization)
Relies on backlinks and site architecture to establish authority
GEO (Generative Engine Optimization)
Puts extra emphasis on unlinked brand mentions and semantic association
AEO (Answer Engine Optimization)
Focuses on being the single best, most concise, and sourceable response to a specific query
LLMO (Large Language Model Optimization)
Leans into optimizing content not just for people or search crawlers but for LLMs reading in chunks, skipping JavaScript, and relying on embeddings and grounding datasets
But the thing is: you don’t need four different playbooks. All you need is one solid SEO foundation. In fact, this point is backed up by Google’s Gary Illyes who confirmed that AI Search does not require specialized optimization, saying that “AI SEO” is not necessary and that standard SEO is all that is needed for both AI Overviews and AI Mode.
Focus more on entity mentions, not just links
Treat your core site pages (home, pricing, about) and PDFs as important LLM fuel.
Remember that AI crawlers don’t render JavaScript, so client-side content might be invisible
Think about how LLMs process structure (chunking, context, citations), not just how humans skim it
So, if you’ve already been investing in foundational SEO, you’re already doing most of what GEO, AEO, and LLMO are all about. That’s why not every new acronym needs you to have a whole rethink on your efforts. Sometimes, it’s just like SEO.
Key LLM SEO optimization techniques
Now that we know LLMs aren’t crawling our site but are understanding it, we need to think a little differently about how we create and construct content and for more on this, you may find this article extremely insightful. This is not about cramming in keywords or trying to play the algorithm, it’s about clarity, structure and credibility because these are the things LLMs care about when deciding what to quote, summarize or ignore. Below are some techniques that will help your content stay visible now that people are using generative search.
The bar has been raised on the quality of content
LLMs love clarity. The more natural and specific your language is, the easier it is for them to understand and reuse your content. That means not using jargon, avoiding ambiguity and instead, focusing on writing like you’re explaining something to a colleague.
To give an exact example:
Don’t Say:
“Our innovative tool revolutionizes the digital landscape for modern businesses.”
Instead Say:
“The Yoast SEO plugin for WordPress helps businesses to improve their website’s visibility and appear in search results.”
Use Structured, Chunked Formatting
Chunked formatting means breaking your content into small pieces (chunks) of information that are easy to understand and remember. LLMs tend to prioritize the most easily digestible content construction, which means your headings, bullet points, and clearly defined sections must do a lot of heavy lifting. Not only does organizing your content like this help people to skim read, but it also helps machines understand what each section is about.
Structuring your content like this will help:
Write clear, descriptive H2s and H3s
Use bullet points that can provide standalone value
Include summaries and tables to give quick overviews
Be Factual, Transparent, and Authoritative
Just like Google, LLMs need to trust that your content is reliable before they start taking you seriously. This means you need to show your working out, quote sources, reveal authors, and follow the principles of E-E-A-T: Experience, Expertise, Authority, and Trust.
Include an author bio and credentials if possible (include a link to actual author bios and social profiles)
Name your sources when you use claims or statistics
Share real experiences if possible “As a small business owner…”
The more real, relatable and trustworthy your content looks, the more AI will like it.
Optimize for Summarization
LLMs won’t quote your entire blog post; they’ll only use snippets. Your job is to make those snippets irresistible. Start with strong lead sentences so that each paragraph begins with a clear point followed by context. Also, it’s a good idea to front-load your content. Don’t save your best bits for the end.
As a reminder:
Start each section with what you want the key takeaway to be
Keep paragraphs short and self-contained
Create standalone summary paragraphs as these often get quoted in AI generated answers
Use Schema
Behind every great summary is a structured content model. That’s where Schema markup comes in and to help the AI understand your content, you need to speak in a certain way.
Once you’ve got the basics completed, like clear writing, structure and trust signals, there’s still more you can do to give your content the best shot at visibility. These bonus strategies focus on how to make your site even more AI-friendly by anticipating how LLMs interpret and reuse information.
Use Explicit Context and Clear language
Humans have an incredible ability to be able to ‘fill in the blanks’ and still ‘get the message’ even if the information they got was vague or unclear. One of the biggest differences between humans and LLMs? Humans can infer meaning from vague references. LLMs on the other hand… well, let’s just say that it doesn’t come naturally to them.
In any case, the point is that if your article mentions “this tool” or “our product” without any context, an LLM might miss the connection entirely. The result? You’re left out of the answer, even if you’re the best source.
So, to give your content the clarity it deserves:
Use the full product or brand name, like “Yoast SEO plugin for WordPress,” not just “Yoast”
Define technical or niche terms before using them
Avoid vague language (“this page,” “the above section,” “click here”)
You don’t need to be repetitive, but you do need to be explicit rather than implicit.
Leverage FAQs and Conversational Formats
LLMs love FAQs because they’re direct, predictable, and easy to quote. They closely match real user intent and provide high-value snippets that tools like Perplexity and Gemini can pull from without much guesswork.
That said, there’s an important limitation to keep in mind if you’re using the Yoast SEO FAQ block in Gutenberg:
You cannot use H2 or H3 heading tags inside the FAQ block. The block creates its own question-answer formatting using custom HTML, which is great for structured data (FAQ Page schema), but it doesn’t support native heading tags which limits your ability to optimize AI readability and skimmability.
So, if your goal is to appear in AI-generated summaries or answer boxes, where headings like “What is LLM SEO?” make it easy for AI to quote your content, you might be better off using manual formatting.
Here’s how to get the best of both worlds:
Step 1: Use H2 or H3 tags for each question (e.g., “What is llms.txt?”) and write a clear, short answer beneath it. This improves LLM visibility but doesn’t generate structured FAQ schema.
Step 2: Use the Yoast FAQ block for schema support but know that it won’t give you a proper heading structure.
Ultimately, the more your FAQs resemble natural, searchable questions — and are structured in a way that both humans and AI can easily parse — the more likely they are to be featured in answers.
Enhance Trust with Freshness Signals
Just like search engines, some LLMs give preference to newer content, but remember that we need to talk to them in a certain way to get the best out of them.
Older content can be overlooked. Worse, it can be quoted incorrectly if something has changed since you last hit publish.
Make sure your pages include:
A clear “last updated” timestamp
Regular reviews for accuracy
Changelogs or update notes if applicable (especially for software or plugin content)
It doesn’t have to be complicated, even a simple “Last updated: June 2025” can help both readers and AI systems trust that your content is current.
Today, we’re entering a phase where who wrote your content is just as important as what it says. That means you need to highlight author visibility and put effort into signaling real-world experience.
Use Person schema to formally associate the content with a specific individual
Weave in relevant experience (“As an SEO consultant who works with SaaS brands…”)
Remember, LLMs are more likely to trust, quote, and amplify expert-authored content.
Use Internal Linking Strategically
Think of internal linking as your site’s nervous system. It helps both humans and LLMs understand what’s important, how topics relate, and where to go next.
But internal linking isn’t just about SEO hygiene anymore — it’s also a way to establish topic authority and help LLMs build a map of your expertise.
Do:
Cluster related articles together (e.g., link from “LLM Optimization” to “Schema Markup for SEO”)
Use descriptive anchor text like “read our full guide to Schema markup,” not just “click here”
Ensure every piece of content supports a broader narrative
The role of llms.txt. Giving AI search all the right signals
Now let’s talk about one of the most recent developments in LLM visibility; a little file called llms.txt.
Think of it as a sibling to robots.txt, but instead of guiding search engines, it tells AI tools how they’re allowed to interact with your content. Note: llms.txt is still an evolving standard, and support across AI tools may vary, but it’s a smart step toward asserting control.
With llms.txt, you can:
Define how your content may be reused or summarized
Set clear expectations around attribution and licensing
It’s not just about protection, it’s about being proactive as AI usage accelerates.
LLM Optimization and SEO are part of the same family, but they serve different functions and require slightly different thinking.
Let’s compare:
Traditional SEO | LLM Optimization
Crawled and ranked by bots | Read, remembered, and reused by AIs
Emphasizes keywords | Emphasizes context and clarity
Optimizes for SERPs | Optimizes for AI-generated summaries and answers
The takeaway? You can’t ignore either. One brings traffic; the other boosts brand visibility within AI responses.
And considering that 42% of users now start their research with an LLM (not Google), you’ll want to be found in both places.
Common Mistakes to Avoid
Even well-meaning content creators fall into holes. So, take a look at the tips below to avoid any mishaps that could damage your LLM visibility:
Writing like a robot or allowing a robot to write for you (ironically, not appreciated by robots)
Leaving your content undated and unchanged for years
Publishing posts without any author information or editorial standards
Ignoring internal links or leaving orphaned pages
Using vague headings or anchor text like “read more” or “this article”
If your content looks generic, outdated, or anonymous, it won’t earn any trust. And, without trust, it won’t get quoted.
Tools and Resources to Get Started
Search used to be about visibility within SERPs. But now, it’s also about being seen in summaries, answers, snippets, and chats. LLMs aren’t just shaping the future of search; they’re shaping how your brand is perceived by humans and robots alike.
To stand out:
Write with clarity and context
Structure for humans and machines
Cite your expertise and show your authors
Use tools like Yoast and llms.txt to signal your intent
Future-proof your visibility with Yoast SEO. From llms.txt integration to schema support, Yoast gives you all the tools you need to speak AI’s language and dominate both generative answers and search engines. Get started with Yoast SEO Premium now and make it easy for AI to say something accurate, useful, and… ideally, about you.
Brendan Reid
Brendan is a seasoned writer with a particular interest in SMEs. What he really enjoys is being able to provide real, actionable steps that can be taken today to start making business better for everyone.
The Core Web Vitals Technology Report shows the top-ranked content management systems by Core Web Vitals (CWV) for the month of June (July’s statistics aren’t out yet). The breakout star this year is an e-commerce platform, which is notable because shopping sites generally have poor performance due to the heavy JavaScript and image loads necessary to provide shopping features.
This comparison also looks at the Interaction to Next Paint (INP) scores because they don’t mirror the CWV scores. INP measures how quickly a website responds visually after a user interacts with it. The phrase “next paint” refers to the moment the browser visually updates the page in response to a user’s interaction.
A poor INP score can mean that users will be frustrated with the site because it’s perceived as unresponsive. A good INP score correlates with a better user experience because of how quickly the website performs.
Core Web Vitals Technology Report
The HTTP Archive Technology Report combines two public datasets:
Chrome UX Report (CrUX)
HTTP Archive
1. Chrome UX Report (CrUX): CrUX obtains its data from Chrome users who opt into providing usage statistics reporting as they browse over 8 million websites. This data includes performance on Core Web Vitals metrics and is aggregated into monthly datasets.
2. HTTP Archive: HTTP Archive obtains its data from lab tests by tools like WebPageTest and Lighthouse that analyze how pages are built and whether they follow performance best practices. Together, these datasets show how websites perform and what technologies they use.
The CWV Technology Report combines data from HTTP Archive (which tracks websites through lab-based crawling and testing) and CrUX (which collects real-user performance data from Chrome users), and that’s where the Core Web Vitals performance data of content management systems comes from.
#1 Ranked Core Web Vitals (CWV) Performer
The top-performing content management system is Duda. A remarkable 83.63% of websites on the Duda platform received a good CWV score. Duda has consistently ranked #1, and this month continues that trend.
For Interaction to Next Paint scores, Duda ranks in the second position.
#2 Ranked CWV CMS: Shopify
The next position is occupied by Shopify. 75.22% of Shopify websites received a good CWV score.
This is extraordinary because shopping sites are typically burdened with excessive JavaScript to power features like product filters, sliders, image effects, and other tools that shoppers rely on to make their choices. Shopify, however, appears to have largely solved those issues and is outperforming other platforms, like Wix and WordPress.
In terms of INP, Shopify is ranked #3, at the upper end of the rankings.
#3 Ranked CMS For CWV: Wix
Wix comes in third place, just behind Shopify. 70.76% of Wix websites received a good CWV score. In terms of INP scores, 86.82% of Wix sites received a good INP score. That puts them in fourth place for INP.
#4 Ranked CMS: Squarespace
67.66% of Squarespace sites had a good CWV score, putting them in fourth place for CWV, just a few percentage points behind the No. 3 ranked Wix.
That said, Squarespace ranks No. 1 for INP, with a total of 95.85% of Squarespace sites achieving a good INP score. That’s a big deal because INP is a strong indicator of a good user experience.
#5 Ranked CMS: Drupal
59.07% of sites on the Drupal platform had a good CWV score. That’s more than half of sites, considerably lower than Duda’s 83.63% score but higher than WordPress’s score.
But when it comes to the INP score, Drupal ranks last, with only 85.5% of sites scoring a good INP score.
#6 Ranked CMS: WordPress
Only 43.44% of WordPress sites had a good CWV score. That’s over fifteen percentage points lower than fifth-ranked Drupal. So WordPress isn’t just last in terms of CWV performance; it’s last by a wide margin.
WordPress performance hasn’t been getting better this year either. It started 2025 at 42.58%, then went up a few points in April to 44.93%, then fell back to 43.44%, finishing June at less than one percentage point higher than where it started the year.
WordPress is in fifth place for INP scores, with 85.89% of WordPress sites achieving a good INP score, just 0.39 points above Drupal, which is in last place.
But that’s not the whole story about the WordPress INP scores. WordPress started the year with a score of 86.05% and ended June with a slightly lower score.
INP Rankings By CMS
Here are the rankings for INP, with the percentage of sites exhibiting a good INP score next to the CMS name:
Squarespace 95.85%
Duda 93.35%
Shopify 89.07%
Wix 86.82%
WordPress 85.89%
Drupal 85.5%
As you can see, positions 3–6 are all bunched together in the eighty percent range, with only a 3.57 percentage point difference between the last-placed Drupal and the third-ranked Shopify. So, clearly, all the content management systems deserve a trophy for INP scores. Those are decent scores, especially for Shopify, which earned a second-place ranking for CWV and third place for INP.
Takeaways
Duda Is #1: Duda leads in Core Web Vitals (CWV) performance, with 83.63% of sites scoring well, maintaining its top position.
Shopify Is A Strong Performer: Shopify ranks #2 for CWV, a surprising performance given the complexity of e-commerce platforms, and scores well for INP.
Squarespace #1 For User Experience: Squarespace ranks #1 for INP, with 95.85% of its sites showing good responsiveness, indicating an excellent user experience.
WordPress Performance Scores Are Stagnant: WordPress lags far behind, with only 43.44% of sites passing CWV and no signs of positive momentum.
Drupal Also Lags: Drupal ranks last in INP and fifth in CWV, with over half its sites passing but still underperforming against most competitors.
INP Scores Are Generally High Across All CMSs: Overall INP scores are close among the bottom four platforms, suggesting that INP scores are relatively high across all content management systems.
Find the Looker Studio rankings here (you must be logged into a Google account to view them).
An advisory was issued about a vulnerability in the Customer Reviews for WooCommerce plugin, which is installed on over 80,000 websites. The vulnerability enables unauthenticated attackers to launch a stored cross-site scripting attack.
Customer Reviews for WooCommerce Vulnerability
The Customer Reviews for WooCommerce plugin enables users to send customers an email reminder to leave a review and also offers other features designed to increase customer engagement with a brand.
Wordfence issued an advisory about a flaw in the plugin that makes it possible for attackers to inject scripts into web pages that execute whenever a user visits the affected page.
The vulnerability is due to a failure to “sanitize” inputs and “escape” outputs. Sanitizing inputs in this context is a basic WordPress security measure that checks whether submitted data conforms to the expected type and removes dangerous content such as scripts. Output escaping is a separate measure that ensures any special characters the plugin writes into a page are rendered as text rather than executed as markup or script.
“The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘author’ parameter in all versions up to, and including, 5.80.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”
Users of the plugin are advised to update to version 5.81.0 or a newer version.
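The sanitize-on-input, escape-on-output pattern the advisory refers to, shown as an added illustration rather than the plugin's own code. The helper names, the meta key and the 100-character limit are assumptions made for this example; the WordPress functions used (sanitize_text_field, wp_unslash, esc_html, esc_attr, update_post_meta, get_post_meta) are real core APIs.

```php
<?php
// Added illustration (not the plugin's code): storing and rendering a review
// author name in WordPress. The vulnerable pattern the advisory describes is
// shown first, followed by the hardened version. Function names and the
// 'demo_review_author' meta key are hypothetical.

// VULNERABLE: raw input is saved and later echoed unchanged, so any markup
// submitted in 'author' is stored once and rendered into every visitor's page.
function demo_save_review_author_unsafe( $post_id, $request ) {
    $author = $request['author'];                                // no sanitization
    update_post_meta( $post_id, 'demo_review_author', $author );
}
function demo_render_review_author_unsafe( $post_id ) {
    echo get_post_meta( $post_id, 'demo_review_author', true );  // no escaping
}

// HARDENED: sanitize on the way in, escape on the way out.
function demo_save_review_author( $post_id, $request ) {
    // wp_unslash() removes WordPress's added slashes; sanitize_text_field()
    // strips tags, NUL bytes, octets and surrounding whitespace.
    $author = sanitize_text_field( wp_unslash( $request['author'] ?? '' ) );
    // Bound the length so the field cannot carry large payloads (assumed limit).
    $author = mb_substr( $author, 0, 100 );
    update_post_meta( $post_id, 'demo_review_author', $author );
}
function demo_render_review_author( $post_id ) {
    $author = get_post_meta( $post_id, 'demo_review_author', true );
    // esc_html() is applied at output time regardless of what was stored, so
    // legacy or tampered meta values are still rendered inertly as text.
    echo '<span class="review-author">' . esc_html( $author ) . '</span>';
}
// The escape must match the output context: inside an HTML attribute,
// esc_attr() is the correct function, not esc_html().
function demo_render_review_author_attr( $post_id ) {
    $author = get_post_meta( $post_id, 'demo_review_author', true );
    echo '<div class="review" data-author="' . esc_attr( $author ) . '"></div>';
}
```

Sanitizing alone is not enough, because data can reach the database through other paths (imports, older plugin versions, direct edits); escaping at every output point is what makes the rendering safe.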
A security advisory was issued for the AI Engine WordPress plugin, installed on over 100,000 websites, the fourth such advisory this month. Rated 8.8, this vulnerability enables attackers with only subscriber-level access to upload malicious files when the REST API is enabled.
AI Engine Plugin: Fifth Vulnerability In 2025
This is the fourth vulnerability discovered in the AI Engine plugin in July, following the first one of the year discovered in June, making a total of five vulnerabilities discovered in the plugin so far in 2025. There were nine vulnerabilities discovered in 2024, one of which was rated 9.8 because it enabled unauthenticated attackers to upload malicious files, plus another rated 9.1 that also enabled arbitrary uploads.
Authenticated (Subscriber+) Arbitrary File Upload
The latest vulnerability enables arbitrary file uploads by authenticated users. What makes it more dangerous is that only subscriber-level access is required for an attacker to take advantage of the weakness. That isn’t as bad as a vulnerability that requires no authentication at all, but it’s still rated 8.8 on a scale of 1 to 10.
Wordfence describes the vulnerability as being due to missing file type validation in a function related to the REST API in versions 2.9.3 and 2.9.4.
File type validation is a security measure typically used within WordPress to make sure that the content of a file matches the type of file being uploaded to the website.
“This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server when the REST API is enabled, which may make remote code execution possible.”
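How file type validation fits into a REST upload handler, as an added example that is not the AI Engine plugin's code and does not reproduce its endpoint. The route name, callback name, required capability and the MIME allow-list are assumptions; wp_check_filetype_and_ext(), wp_handle_upload(), register_rest_route() and current_user_can() are real WordPress core functions.

```php
<?php
// Added illustration (not the plugin's code): a REST upload route that checks
// the caller's capability and validates the file's real type before saving it.
// Route, callback and allow-list are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/upload', array(
        'methods'             => 'POST',
        'callback'            => 'demo_rest_upload',
        // Subscribers lack 'upload_files', so they are refused before the
        // callback runs; the file check below is the second line of defence.
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
    ) );
} );

function demo_rest_upload( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file = $files['file'];

    // Assumed allow-list for this endpoint: audio for transcription plus PNG.
    $allowed = array( 'mp3' => 'audio/mpeg', 'wav' => 'audio/wav', 'png' => 'image/png' );

    // wp_check_filetype_and_ext() inspects the file contents as well as the
    // name and returns empty ext/type when they disagree or are not allowed,
    // so a script carrying an audio extension does not pass.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.', array( 'status' => 415 ) );
    }
    // Never trust the client-supplied MIME header or filename.
    $file['type'] = $check['type'];
    if ( ! empty( $check['proper_filename'] ) ) {
        $file['name'] = $check['proper_filename'];
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed, // wp_handle_upload() re-checks against this list
    ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'], array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'url' => $result['url'] ) );
}
```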
Users of the AI Engine plugin are advised to update to the latest version, 2.9.5, or a newer version.
The plugin changelog for version 2.9.5 shares what was updated:
“Fix: Resolved a security issue related to SSRF by validating URL schemes in audio transcription and sanitizing REST API parameters to prevent API key misuse.
Fix: Corrected a critical security vulnerability that allowed unauthorized file uploads by adding strict file type validation to prevent PHP execution.”