Crunching the Numbers – Too Many WordPress Vulnerabilities Can Only Mean Good Things

Last updated on June 02nd, 2019 by Robert Abela. Filed under WordPress Security


Since the beginning of the WordPress ecosystem, security researchers and developers have found gazillions of vulnerabilities in both the WordPress core and in many of the WordPress plugins and themes.

Follow a WordPress security news aggregation website and you’ll notice it; another day, another WordPress or WordPress plugin vulnerability is reported. WordPress users feel that the software they are using is full of vulnerabilities, hence why WordPress also earned the reputation of being a very insecure software.

Actually, having a lot of reported vulnerabilities is more of a good thing than not. Let’s dig deep into the history of some of the most popular software used in web hosting to try and explain things better.

What is a WordPress Core or WordPress Plugin Vulnerability?

First things first, for those who do not know a WordPress core or plugin a vulnerability is a security bug, also known as security flaw. Unlike other typical software bugs, which typically hinder the user experience, when exploited security flaws allow the attacker to either gain unauthorized access to a system and its data, or hijack a user session. Refer to our WordPress security glossary for more detailed explanation of what a vulnerability and other WordPress security terms mean.

Does Other Software Have Vulnerabilities?

All software has vulnerabilities, be it a web application, operating system or client software. As an example we searched through the CVE-ID database (a listing of publicly known information security vulnerabilities and exposures) for some keywords associated with popular software typically used in web hosting environments Here are the numbers of vulnerabilities found for each keyword:

  • Apache: 918
  • Joomla!: 639
  • Drupal: 996
  • MySQL: 598
  • WordPress: 963
  • Google: 1,471
  • phpMyAdmin: 346
  • cPanel: 115

If you graph the above numbers it would look something like the below, with WordPress in the third position.

A graph showing how many vulnerabilities have been reported so far for the listed software

What does the above numbers tell us? So far more vulnerabilities have been reported for Drupal and Google products than for WordPress, its plugins and themes. Apache is not far and MySQL server, one of the most widely used database server has had nearly 600 vulnerabilities so far. Yet no software got the same bad reputation as WordPress did because of reported vulnerabilities;

Google is still the number one search engine and their products are used by millions of people from all over the world. Apache is always the first or second most used web server in the world, competing with NginX.

Then Why WordPress Got Such a Reputation?

As of today WordPress powers around 19% of the websites on the internet. Such popularity also brings along a lot of attention, therefore each time a new vulnerability is discovered in the WordPress core or in a WordPress plugin the media sensationalizes such news. This also means that the news of a WordPress plugin vulnerability reaches way more people than the news of a vulnerability in Apache, hence why the generic public is misled to believe that WordPress is insecure, when it is not.

More Reported Vulnerabilities = More Secure WordPress, Plugins & Themes Code

The more popular a software is, the more attention it will get and the higher the chances are of security researchers looking at it. And the more eyes there are on WordPress or a plugin, the more vulnerabilities will be identified. Though that’s all is good; the more vulnerabilities security researchers find in a WordPress plugin or core the better it is for you as an end user.

When reporting a vulnerability security researchers are reducing the chances of a malicious hacker finding a vulnerability in your website, as long as you keep your WordPress, plugins and themes up to date.

Busting the WordPress Core, Plugin and Themes Vulnerabilities Myths

One could argue that the majority of the WordPress and WordPress plugins are more critical than those found in other software such as Apache, and I fully agree with that. I also do acknowledge the fact that that everyone in the WordPress ecosystem has still a lot to learn, especially about WordPress security.

Though let’s not complain about the number of vulnerabilities that are being discovered every day. As long as the developers respond in a timely manner and they are fixed, and as long as you keep your software up to date, the more the merrier!

Let there be more vulnerabilities! The more that are reported and fixed, the better equipped the developers will be and the more secure the code of the WordPress core and plugins will be.

WordPress Hosting, Firewall and Backup

This Website is:


Diane Ensey 27/07/2016

I’d like to see these numbers adjusted for useage. For example, WP has 74,652,825 sites ( while Drupal powers around 1,230,213 sites ( and Joomla around 2.8 million (

Robert Abela 28/07/2016

Hello Diane,

Thank you for your comment. That’s kind of something else I tried to point out in the article, the more popular a software is, the more eyes it will have on it and the more vulnerabilities are discovered. Just by looking at your numbers, we get the answer.

Leave a Reply

Your email address will not be published. Required fields are marked *