Crunching the Numbers – Too Many WordPress Vulnerabilities Can Only Mean Good Things

Last updated on June 25th, 2020 by Robert Abela. Filed under WordPress Security


Since the beginning of the WordPress ecosystem, security researchers and developers have found a huge number of vulnerabilities in both the WordPress core and in many WordPress plugins and themes.

Follow a WordPress security news aggregation website and you’ll notice it: another day, another WordPress or WordPress plugin vulnerability is reported. WordPress users feel that the software they are using is full of vulnerabilities, which is why WordPress has earned a reputation for being very insecure software.

Actually, having a lot of reported vulnerabilities is more of a good thing than a bad one. Let’s dig into the history of some of the most popular software used in web hosting to explain why.

What is a WordPress Core or WordPress Plugin Vulnerability?

First things first, for those who do not know: a WordPress core or plugin vulnerability is a security bug, also known as a security flaw. Unlike typical software bugs, which merely hinder the user experience, a security flaw, when exploited, allows an attacker to gain unauthorized access to a system and its data, or to hijack a user’s session. Refer to our WordPress security glossary for a more detailed explanation of what a vulnerability and other WordPress security terms mean.

Does Other Software Have Vulnerabilities?

All software has vulnerabilities, be it a web application, an operating system or client software. As an example, we searched the CVE database (a list of publicly known information security vulnerabilities and exposures) for keywords associated with popular software typically used in web hosting environments. Here are the numbers of entries found for each keyword at the time of writing. Note that these are keyword matches over CVE entries, not counts for a single product: the WordPress figure includes plugins and themes, and a keyword such as Apache or Google matches every product carrying that name.

  • Apache: 918
  • Joomla!: 639
  • Drupal: 996
  • MySQL: 598
  • WordPress: 963
  • Google: 1,471
  • phpMyAdmin: 346
  • cPanel: 115

If you graphed the above numbers, the result would look something like the figure below, with WordPress in third position.

A graph showing how many vulnerabilities have been reported so far for the listed software

What do the above numbers tell us? So far more vulnerabilities have been reported for Drupal and for Google products than for WordPress together with its plugins and themes. Apache is not far behind, and MySQL, one of the most widely used database servers, has had nearly 600 vulnerabilities so far. Yet no other software got the bad reputation WordPress did because of reported vulnerabilities.

Google is still the number one search engine and its products are used by millions of people all over the world. Apache is always the first or second most used web server in the world, competing with Nginx.

Then Why Did WordPress Get Such a Reputation?

As of today WordPress powers around 19% of the websites on the internet. Such popularity brings a lot of attention, so each time a new vulnerability is discovered in the WordPress core or in a WordPress plugin the media sensationalizes the news. This also means that news of a WordPress plugin vulnerability reaches far more people than news of a vulnerability in Apache, which is why the general public is misled into believing that WordPress is insecure, when it is not.

More Reported Vulnerabilities = More Secure WordPress, Plugins & Themes Code

The more popular a piece of software is, the more attention it gets and the more likely security researchers are to look at it. The more eyes there are on WordPress or on a plugin, the more vulnerabilities will be identified. That is all good: the more vulnerabilities security researchers find in a WordPress plugin or in the core, the better it is for you as an end user.

Every vulnerability that a researcher reports and a developer fixes is one fewer for a malicious hacker to find in your website, as long as you keep WordPress, your plugins and your themes up to date.

Busting the WordPress Core, Plugin and Themes Vulnerabilities Myths

One could argue that the majority of the vulnerabilities found in WordPress and its plugins are more critical than those found in other software such as Apache, and I fully agree with that. I also acknowledge that everyone in the WordPress ecosystem still has a lot to learn, especially about WordPress security.

But let’s not complain about the number of vulnerabilities being discovered every day. As long as developers respond in a timely manner and fix them, and as long as you keep your software up to date, the more the merrier!

Let there be more vulnerabilities! The more that are reported and fixed, the more the developers learn and the more secure the code of the WordPress core and plugins becomes.


Diane Ensey 27/07/2016

I’d like to see these numbers adjusted for usage. For example, WP has 74,652,825 sites, while Drupal powers around 1,230,213 sites and Joomla around 2.8 million.

Robert Abela 28/07/2016

Hello Diane,

Thank you for your comment. That’s kind of something else I tried to point out in the article, the more popular a software is, the more eyes it will have on it and the more vulnerabilities are discovered. Just by looking at your numbers, we get the answer.

Olaf 20/07/2020

Could all be true, but having the XML-RPC interface open by default, which allows anyone to read the admin username with a simple URL request, doesn’t really provide a lot of trust in how hardened the WP codebase is versus ease-of-use and features… could be much better imho.

Robert Abela 31/07/2020

I agree, Olaf. However, something like that can easily be fixed with a few lines in a .htaccess file, or with a plugin. WordPress is not perfect; however, it is the best solution there is out there at the moment.
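The .htaccess fix Robert refers to, written out as an added example that is not part of the original post or of either comment: it denies all HTTP access to WordPress’s xmlrpc.php, the endpoint Olaf mentions. It assumes Apache with .htaccess overrides enabled for the site directory (AllowOverride covering Limit or AuthConfig); the IP address in the commented-out allowlist line is a placeholder, not a real address.

```apache
# Added example, not code from the original post. Place in the .htaccess file
# at the WordPress document root (next to wp-config.php) or in the vhost config.
<Files "xmlrpc.php">
    # Apache 2.4 and later (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
        # To keep XML-RPC reachable from one trusted client only (for example a
        # remote publishing tool), use this instead of "Require all denied".
        # 203.0.113.10 is a placeholder address.
        # Require ip 203.0.113.10
    </IfModule>
    # Apache 2.2 (mod_authz_host), still common on older shared hosting
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        # Allow from 203.0.113.10
    </IfModule>
</Files>
```

After adding the rules, a request for /xmlrpc.php should return HTTP 403; check with curl -I against the site and review the access log, since XML-RPC is also a popular target for brute-force and pingback abuse, so the denied requests are useful detection data. The caveat: anything that legitimately relies on XML-RPC (the WordPress mobile apps, Jetpack, remote publishing clients) stops working once the file is blocked, which is what the allowlist variant is for. The “with a plugin” route Robert mentions typically hooks the xmlrpc_enabled filter to return false; note that this filter only disables the XML-RPC methods that require authentication, whereas the web-server rule above blocks the endpoint entirely.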

David 13/08/2020

WordPress is still not a good choice. These happen to be “reported” vulnerabilities. Too many people contribute sloppy code. The vulnerabilities pose significant risk during the time before the vulnerability is reported and then patched. The fact that it is a very common CMS also makes it a target for attacks in and of itself. Standardized CMS platforms give attackers a cookie-cutter attack on multiple sites in one fell swoop. If you are storing sensitive data on your site I highly recommend not using WordPress. I can’t tell you how many times I have had customers come to me because their WP site was hacked.

Radostin Angelov 10/09/2020

Hi David,

Thanks for reaching out.
WordPress is not the issue here. Its core is quite secure. The WordPress Security Team does a good job at quickly fixing issues in the core software. Therefore, if you apply all security updates in a timely manner, it’s highly unlikely that your site experiences any issues as a result of core vulnerabilities.

Users using old vulnerable software or weak passwords are actually the biggest issues. Just that accounts for 95% of the attacks.

John Smith 10/11/2020

Even if WordPress itself is secure, many of the available plugins and themes are not, and this goes for commercial plugins and themes as well. It’s been cold comfort for us that some of our theme and plugin authors have fixed their vulnerabilities months after several of our sites have been hacked and the customers have walked. Maybe partly our fault for not reviewing the work done by third-party contractors. Generally if it works it’s delivered. WordPress tends to be for low-end cheap sites, but its ongoing maintenance is not cheap and is probably the reason why there has been a flood of people leaving WordPress and defecting to Wix and the like.

Radostin Angelov 10/11/2020

Hi John,

Thanks for reaching out and sharing your thoughts on this.
However, all software in the world has vulnerabilities; what matters is that these vulnerabilities are addressed on time by the developer.

If you use plugins that had issues, which were fixed months after they were reported, my suggestion is to change the plugin.
Note that not every WordPress plugin or theme is like that. In general, developers are very responsive and issue fixes before the advisory is made public.

To avoid such cases in the future, I’d recommend that you always do research on how to choose the best plugin for WordPress before installing anything on your site.

Also, I wouldn’t say that WordPress is for low-end, cheap sites. Here you can see some of the biggest brands that use WordPress.
