We all know that plenty of WordPress sites get hacked each year. Is it because WordPress is an insecure system? Is it a global WordPress issue, or does it come from the actions of those webmasters? How and why is it happening?
Whether you are running a personal blog, a business website, or an eCommerce site on WordPress, the security of your website should be a priority. There are many reasons why a site’s security can be compromised. The most common are weak passwords, user mistakes, outdated software and missing security updates.
In this article we use the latest statistics from the WPScan vulnerability database to highlight which WordPress components are the most vulnerable, and to emphasize the importance of running up to date software and installing the necessary security patches.
You can also find some interesting stats and facts about WordPress vulnerabilities, as well as a few recommendations. Let’s dive right in.
What is the WPScan vulnerability database?
Before we dive into the statistics, let’s explain from where we got these numbers. All data is retrieved from the WPScan vulnerability database, an online browsable version of WPScan’s data files.
WPScan is an open source automated WordPress black box security scanner. The scanner uses this data to detect known WordPress core, plugin and theme vulnerabilities in WordPress websites.
To date the WPScan vulnerability database contains 21,755 vulnerabilities, 4,154 of which are unique vulnerabilities.
WordPress, plugins and themes vulnerabilities overview
According to the WPScan Vulnerability Database, ~80% of the known vulnerabilities they logged are in the WordPress core software. But here’s the kicker – the versions with the most vulnerabilities are all way back in WordPress 3.X.
So far there are 17,467 WordPress core software vulnerabilities in the WPScan vulnerability database. Then there are 3,846 (17%) WordPress plugin vulnerabilities, and 442 (3%) WordPress theme vulnerabilities.
Why are there so many WordPress core vulnerabilities?
The number of vulnerabilities in the WordPress core is inflated in the vulnerability database because of the many versions of WordPress. Below is an explanation of why this happens:
A cross-site scripting vulnerability is found in a component in WordPress version 5.4.2. This component has been used in WordPress since version 3.7. Therefore every version released since 3.7 is also vulnerable.
So in the WPScan vulnerability database there will be one unique vulnerability, but 256 vulnerabilities, one entry per affected version!
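To make the inflation concrete, here is an added example (not WPScan’s own code or data format) that expands a vulnerability’s affected version range over a release list and counts unique vulnerabilities against per-version entries. The release list, the second vulnerability and the fixed-in versions are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '3.7.1' into (3, 7, 1), padding so '3.7' compares as (3, 7, 0)."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class Vulnerability:
    title: str
    introduced_in: str  # first release that shipped the flawed component
    fixed_in: str       # first release that carries the patch (assumed value)


# Constructed, shortened release list; the real WordPress history is far longer.
RELEASES = ["3.6", "3.6.1", "3.7", "3.7.1", "3.8", "3.8.1", "3.9",
            "4.0", "5.4", "5.4.1", "5.4.2", "5.4.3"]

# Constructed entries. The XSS mirrors the article's scenario: a component
# present since 3.7, flaw reported against 5.4.2; the fix release is assumed.
VULNS = [
    Vulnerability("XSS in shared component", introduced_in="3.7", fixed_in="5.4.3"),
    Vulnerability("SQLi in newer component", introduced_in="4.0", fixed_in="5.4.1"),
]


def affected_releases(vuln: Vulnerability, releases: list) -> list:
    """Every release from introduced_in up to (but not including) fixed_in."""
    lo, hi = parse_version(vuln.introduced_in), parse_version(vuln.fixed_in)
    return [r for r in releases if lo <= parse_version(r) < hi]


def count_entries(vulns: list, releases: list) -> tuple:
    """Return (unique vulnerabilities, per-version database entries)."""
    per_version = sum(len(affected_releases(v, releases)) for v in vulns)
    return len(vulns), per_version


def entries_per_release(vulns: list, releases: list) -> Counter:
    """Entries each release accumulates: an old release collects every
    later-found flaw in a component it still ships."""
    return Counter(r for v in vulns for r in affected_releases(v, releases))


if __name__ == "__main__":
    unique, total = count_entries(VULNS, RELEASES)
    print(f"{unique} unique vulnerabilities -> {total} database entries")
    for release, n in sorted(entries_per_release(VULNS, RELEASES).items(),
                             key=lambda kv: parse_version(kv[0])):
        print(f"  {release:6} {n}")
```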
So WordPress core as such is not insecure. It is very important to point out that WordPress core has come a very long way and is much better and more secure software than it ever was.
Type of vulnerabilities in WordPress core, plugins & themes
The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection.
This is not surprising, considering these two vulnerability classes have been listed in the OWASP Top 10 list of most common web security issues since its inception.
Statistics of WordPress core vulnerabilities
The graph below highlights the top 10 most vulnerable WordPress core versions, with versions 3.7.1 and 3.8.1 leading the pack with 92 vulnerabilities each. In second place, with 91 vulnerabilities, is WordPress version 3.9.
However, since then WordPress has definitely become more secure. Let’s take a look at the number of vulnerabilities in the last 5 versions of WordPress. As you can see the difference is quite big.
Top 10 most vulnerable WordPress plugins
Here are some facts about the Top 10 most vulnerable WordPress plugins:
NextGEN Gallery, NinjaForms and WooCommerce lead the pack with 22 vulnerabilities each.
We were surprised to see All In One WP Security & Firewall, a WordPress security plugin, in the Top 10 most vulnerable WordPress plugins. I am not saying such plugins are bulletproof, though I would expect a plugin written by security people to have fewer vulnerabilities, or at least not to be in the top 10 list.
Top 10 most vulnerable WordPress themes
The graph below highlights the top 10 most vulnerable WordPress themes. The highest one has only 5 vulnerabilities to its name.
Themes tend to have far fewer vulnerabilities than plugins because they do much less in terms of functionality. For example, while most plugins handle data, accept user input and manipulate user data, themes mostly change the look & feel of WordPress websites.
What do these WordPress vulnerabilities tell us?
People love WordPress because of the huge array of available plugins and themes. As of writing this, there are over 57,000 plugins and more than 7,000 themes on the WordPress repository, and thousands of additional premium ones scattered across the web.
While all those options are great for making your site better, you should always do a little research before installing a plugin or theme to your WordPress website. While most WordPress developers do a good job of following code standards and patching reported security issues once they become known, there are still a few potential issues:
- The plugin or theme is no longer maintained,
- Developers take a long time to issue a security patch or are non-responsive,
- A plugin or theme has a vulnerability, but because it receives little attention, the vulnerability goes undetected.
Refer to how to choose the best WordPress plugin for your requirements for more details on this subject and how to determine if a plugin is a good choice for your WordPress website.
So what’s the takeaway?
In short, keep all your software up to date!
WordPress is one of the most popular CMSs in the world, and if you follow security best practices and keep it up to date it is very unlikely that your website will experience any issues.
Are these WordPress vulnerabilities statistics accurate?
These statistics are based on the information stored in the WPScan Vulnerability Database. Although it is frequently updated, it is by no means complete.
There are many other vulnerable WordPress plugins and themes that are not listed here. However, this gives us a good overview of the state of WordPress vulnerabilities.
Submit known WordPress vulnerabilities
The WPScan team encourages everyone who knows about WordPress core, plugin or theme vulnerabilities to submit the details to them.
Before submitting a new vulnerability, do a search in the database to ensure the issue was not submitted before. This will ensure we have one centralized and reliable source of information.
How to Ensure WordPress Security (security best practices)
Now that we have covered all potential and known vulnerabilities, let’s take a look at the different ways to secure your website.
The first thing is to update your WordPress version regularly. You should definitely develop the habit of updating your WordPress version, and don’t forget to update your plugins and themes as well.
Here are some additional actions that you can do in order to secure your WordPress website:
- Avoid Using Common Passwords
A strong password stops, or at least slows down, password-guessing attempts against your account.
- Set up a two-factor authentication login
Anyone who wants to log in to your WordPress website would have to go through one more step before gaining access to your account.
- Do not use nulled plugins and themes
It tempts almost everybody, but these free copies of premium plugins and themes are more often than not loaded with malware. Support the developers of the plugins you use by buying the premium edition. It helps further develop the product, add new features and keep it secure.
- Use WordPress Security Plugins
Nowadays there is a huge variety of security plugins created to protect your website from various attacks. The best ones are updated regularly, which keeps them capable of detecting hacking attempts and unexpected changes to your site’s code. We develop a number of WordPress security and site management plugins. Check them out!
To wrap up
Securing your website is essential. Having a clear view of the threats, and of the tools you can use to deal with potential attacks, is crucial. Your first and foremost priority should be to have and maintain a secure website.
As a result of its popularity, WordPress is a big target for hackers. That’s why you must go the extra mile to ensure your site’s safety. A secured site will instil trust in your potential customers and hence assist in the growth of your business.
Keep your website protected, and stay safe!