
You may be wondering why I’m using pictures of Jenga towers. They’re a great way of showing the difference between vulnerabilities and threats.
Understanding vulnerabilities
A vulnerability is a weakness. You can view a longer definition in the NIST glossary.
In the game of Jenga, the main vulnerabilities are the missing blocks in the tower.
Here are a few examples of potential vulnerabilities in WordPress sites:
- Contact form plugins not sanitising data properly, leaving sites vulnerable to Cross Site Scripting (XSS).
- Users using poor passwords which can be easily guessed.
- Developers making mistakes when changing settings on your site.
Vulnerabilities don’t exploit themselves. This is where threats come in.

But first, threat actors…
A threat actor is a person or group of people which can exploit a vulnerability. In the game of Jenga, each player is a threat actor. If several opponents teamed up, they could work together to cheat.
Understanding Threats
A threat is something which can exploit a vulnerability.
In our Jenga game, a few examples of threats are:
- opponents kicking the table
- wind or air movement
- earthquakes (an extreme example but they’re still a threat!).
On a WordPress site, examples of threats include:
- bots brute forcing the login form with common passwords
- targeted attacks from individuals
- targeted attacks from organisations.
