Horizen.ro – Tech Blog & Server environment
The biggest source of WordPress vulnerabilities

By The Geek, January 26, 2023 (updated January 26, 2023). 8 min read.

We all know that plenty of WordPress sites get hacked each year. Is it because WordPress is an insecure system? Is it a global WordPress issue, or does it come from the actions of the webmasters themselves? How and why is it happening?

Whether you are running a personal blog, a business website, or an eCommerce site on WordPress, the security of your website should be a priority. There are many reasons why a site's security gets compromised. The most common ones are weak passwords, user mistakes, outdated software and missing security updates.

In this article we use the latest statistics from the WPScan vulnerability database to highlight which WordPress components are the most vulnerable, and to emphasize the importance of running up-to-date software and installing the necessary security patches.

You can also find some interesting stats and facts about WordPress vulnerabilities, as well as a few recommendations. Let’s dive right in.

Table of Contents

  • What is the WPScan vulnerability database?
  • WordPress, plugins and themes vulnerabilities overview
    • Why are there so many WordPress core vulnerabilities?
    • Type of vulnerabilities in WordPress core, plugins & themes
    • Statistics of WordPress core vulnerabilities
    • Top 10 most vulnerable WordPress plugins
    • Top 10 most vulnerable WordPress themes
  • What do these WordPress vulnerabilities tell us?
    • So what’s the takeaway?
    • Are these WordPress vulnerabilities statistics accurate?
    • Submit known WordPress vulnerabilities
  • How to Ensure WordPress Security (security best practices)
  • To wrap up

What is the WPScan vulnerability database?

Before we dive into the statistics, let’s explain from where we got these numbers. All data is retrieved from the WPScan vulnerability database, an online browsable version of WPScan’s data files.

WPScan is an open source, automated, black-box WordPress security scanner. The scanner uses this data to detect known vulnerabilities in WordPress core, plugins and themes on WordPress websites.

To date the WPScan vulnerability database contains 21,755 vulnerabilities, 4,154 of which are unique vulnerabilities.

WordPress, plugins and themes vulnerabilities overview

According to the WPScan Vulnerability Database, ~80% of the known vulnerabilities they logged are in the WordPress core software. But here’s the kicker – the versions with the most vulnerabilities are all way back in WordPress 3.X.

So far there are 17,467 WordPress core software vulnerabilities in the WPScan vulnerability database. Then there are 3,846 (17%) WordPress plugin vulnerabilities, and 442 (3%) WordPress themes vulnerabilities.

WordPress core software vulnerabilities in the WPScan vulnerability database.

Why are there so many WordPress core vulnerabilities?

The number of vulnerabilities in WordPress core is inflated in the vulnerability database because of the many versions of WordPress. Below is an example of why this happens:

A cross-site scripting vulnerability is found in a component in WordPress version 5.4.2. This component has been used in WordPress since version 3.7. Therefore every previously released version from 3.7 onward is also vulnerable.

So in the WPScan vulnerability database there will be one unique vulnerability, but 256 vulnerability entries, one per affected version!
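To make that inflation concrete, here is an added Python example (not code from the article or from WPScan) that expands a handful of constructed, hypothetical findings into one entry per affected release, the way the database counts them, and shows why the oldest releases end up with the highest per-version totals:

```python
# Added example (not the article's or WPScan's code): how one unique
# vulnerability becomes one database entry per affected WordPress release,
# which is why old 3.x releases top the per-version counts.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    title: str        # constructed, hypothetical finding
    introduced: str   # first affected release (inclusive)
    fixed: str        # first release carrying the fix (exclusive)

def version_key(v):
    """'3.7.1' -> (3, 7, 1) so releases compare numerically."""
    return tuple(int(p) for p in v.split("."))

def affected_releases(vuln, releases):
    """Every release in the half-open range [introduced, fixed)."""
    lo, hi = version_key(vuln.introduced), version_key(vuln.fixed)
    return [r for r in releases if lo <= version_key(r) < hi]

def expand(vulns, releases):
    """One (title, release) entry per affected release, as WPScan lists them."""
    return [(v.title, r) for v in vulns for r in affected_releases(v, releases)]

def summarize(vulns, releases):
    """Unique findings vs. expanded entries, plus entries per release."""
    entries = expand(vulns, releases)
    return {
        "unique": len(vulns),
        "entries": len(entries),
        "by_version": Counter(r for _, r in entries),
    }

# Constructed data: a few real release numbers and four hypothetical findings.
RELEASES = ["3.7", "3.7.1", "3.8", "3.8.1", "3.9", "4.0", "5.4", "5.4.1", "5.4.2", "5.5"]
VULNS = [
    Vuln("XSS in a component shared since 3.7", "3.7", "5.5"),
    Vuln("SQLi in search, fixed in 4.0", "3.7", "4.0"),
    Vuln("CSRF in a 5.4 feature", "5.4", "5.4.2"),
    Vuln("Auth bypass fixed in 3.8", "3.7", "3.8"),
]

if __name__ == "__main__":
    s = summarize(VULNS, RELEASES)
    print(f"{s['unique']} unique vulnerabilities -> {s['entries']} entries")
    print("most affected releases:", s["by_version"].most_common(3))
```

Four findings become 18 entries, and releases 3.7 and 3.7.1 top the per-version count simply because they predate every fix.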

So WordPress core as such is not insecure. It is very important to point out that WordPress core has come a very long way and is much better and more secure software than it ever was.

Type of vulnerabilities in WordPress core, plugins & themes

The most popular vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection.

This is not surprising, considering these two vulnerability classes have been listed in the OWASP Top 10 list of the most common web security issues since its inception.

Types of vulnerabilities

Statistics of WordPress core vulnerabilities

The graph below highlights the top 10 most vulnerable WordPress core versions, with versions 3.7.1 and 3.8.1 leading the pack with 92 vulnerabilities each. In second place, with 91 vulnerabilities, is WordPress version 3.9.

Top 10 WordPress core vulnerabilities

However, since then WordPress has definitely become more secure. Let’s take a look at the number of vulnerabilities in the last 5 versions of WordPress. As you can see the difference is quite big.

Overview of vulnerabilities in the last versions of WordPress

Top 10 most vulnerable WordPress plugins

Here are some facts about the Top 10 most vulnerable WordPress plugins:

NextGEN Gallery, NinjaForms and WooCommerce lead the pack with 22 vulnerabilities each.

Top 10 most vulnerable plugins

We were surprised to see All In One WP Security & Firewall, a WordPress security plugin, in the Top 10 most vulnerable WordPress plugins. I am not saying such plugins are bulletproof, though I would expect a plugin written by security people to have fewer vulnerabilities, or at least not to be in the top 10 list.

Top 10 most vulnerable WordPress themes

The graph below highlights the top 10 most vulnerable WordPress themes. The highest one has only 5 vulnerabilities to its name.

Top 10 most vulnerable themes in WordPress

Themes tend to have far fewer vulnerabilities than plugins because they do much less in terms of functionality. For example, while most plugins accept user input and handle and manipulate user data, themes mostly change the look and feel of WordPress websites.

What do these WordPress vulnerabilities tell us?

People love WordPress because of the huge array of available plugins and themes. As of writing this, there are over 57,000 plugins and more than 7,000 themes on the WordPress repository, and thousands of additional premium ones scattered across the web.

While all those options are great for making your site better, you should always do a little research before installing a plugin or theme on your WordPress website. While most WordPress developers do a good job of following code standards and patching reported security issues once they become known, there are still a few potential issues:

  • The plugin or theme is no longer maintained,
  • Developers take a long time to issue a security patch or are non-responsive,
  • A plugin or theme has a vulnerability, but because it receives little attention, the vulnerability goes undetected.

Refer to how to choose the best WordPress plugin for your requirements for more details on this subject and how to determine if a plugin is a good choice for your WordPress website.

So what’s the takeaway?

In short, keep all your software up to date!

WordPress is one of the most popular content management systems in the world, and if you follow security best practices and keep it up to date it is very unlikely that your website will experience any issues.

Are these WordPress vulnerabilities statistics accurate?

These statistics are based on the information stored in the WPScan Vulnerability Database. Although it is frequently updated, it is by no means complete.

There are many other vulnerable WordPress plugins and themes that are not listed here. However, this gives us a good overview of the state of WordPress vulnerabilities.

Submit known WordPress vulnerabilities

The WPScan team encourages everyone who knows about WordPress core, plugin or theme vulnerabilities to submit the details to them.

Before submitting a new vulnerability, do a search in the database to ensure the issue was not submitted before. This will ensure we have one centralized and reliable source of information.

How to Ensure WordPress Security (security best practices)

Now that we have covered all potential and known vulnerabilities, let’s take a look at the different ways to secure your website.

The first thing is to regularly update your WordPress version. Make a habit of updating WordPress itself, and don't forget to update your plugins and themes as well.

Here are some additional actions that you can do in order to secure your WordPress website:

  • Avoid Using Common Passwords

A strong, unique password stops most guessing and brute-force attempts, or at least slows them down considerably.

  • Set up a two-factor authentication login

Anyone who wants to log in to your WordPress website would have to go through one more step before gaining access to your account.

  • Do not use nulled plugins and themes

It tempts almost everybody, but these free copies of premium plugins and themes are more often than not loaded with malware. Support the developers of the plugins you use by buying the premium edition. It helps further develop the product, add new features and keep it secure.

  • Use WordPress Security Plugins

Nowadays there is a huge variety of security plugins created to protect your website from various attacks. The best ones are updated regularly, which makes them capable of detecting hacking attempts and unauthorized changes to your code. We develop a number of WordPress security and site management plugins. Check them out!

To wrap up

Securing your website is essential. Having a clear view of the threats and of the tools you can use to deal with potential attacks is crucial. Your first and foremost priority should be to have and maintain a secure website.

As a result of its popularity, WordPress is a big target for hackers. That's why you must go the extra mile to ensure your site's safety. A secured site builds trust with your potential customers and, hence, helps your business grow.

Keep your website protected, and stay safe!
