After a number of WordPress hack incidents this year, many started questioning whether WordPress is secure. WordPress, and especially the WordPress core, is quite secure, as I explained in the article Is WordPress Secure? Most successful WordPress hack attacks are the result of human error: a configuration mistake, failing to maintain WordPress (such as not keeping the core and all plugins up to date), installing insecure plugins, and so on.
In this article I am going to use the statistics from the WPScan Vulnerability Database to highlight which WordPress components are the most vulnerable, and to emphasize how important it is to always run the latest version of any software you are using.
What is WPScan Vulnerability Database?
The WPScan Vulnerability Database is an online browsable version of WPScan’s data files, which are used to detect known WordPress core, plugin and theme vulnerabilities. To date it contains 2407 vulnerabilities, 1570 of which are unique vulnerabilities.
WPScan is an open source automated WordPress black box security scanner. I recommend reading Getting to Know WPScan Automated Black Box Security Scanner for WordPress for more information on WPScan and how it can be used to help you improve the security of your WordPress installation.
WordPress Vulnerabilities Overview
As per the below pie chart, WordPress plugins are the biggest source of vulnerabilities in WordPress. So far there are 1,305 WordPress plugin vulnerabilities in the WPScan Vulnerability Database. That accounts for 54% of the global WordPress vulnerabilities count. Then there are 344 (14.3%) WordPress theme vulnerabilities and 758 (31.5%) WordPress core vulnerabilities.
Type of WordPress Vulnerabilities
The most common vulnerability types in WordPress core, plugins and themes are Cross-site Scripting and SQL Injection. This is not surprising considering these two vulnerability classes have been listed in the OWASP Top 10 since its inception.
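To make the two classes concrete, here is an added example (not code from the article, WPScan or any of the plugins it counts): a hypothetical title-search shortcode written twice, first with the defects that produce most of these database entries, then hardened with WordPress's own sanitization, prepared statements and output escaping. The plugin and function names are invented; the WordPress functions used (sanitize_text_field, wp_unslash, $wpdb->prepare, $wpdb->esc_like, esc_html, esc_url, add_shortcode) are the real core APIs, and $wpdb->esc_like assumes WordPress 4.0 or later.

```php
<?php
/**
 * Plugin Name: Demo Title Search (hypothetical example)
 * Description: The same search shortcode written twice: once with the
 * XSS and SQL injection defects typical of the WPScan entries, once hardened.
 */

// Version 1 (vulnerable): request data is trusted. The raw 'q' value is
// concatenated into SQL (SQL injection) and into HTML (Cross-site Scripting).
function demo_title_search_unsafe() {
    global $wpdb;
    $q    = isset( $_GET['q'] ) ? $_GET['q'] : '';
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE '%" . $q . "%'"
    );
    $out = '<p>Results for ' . $q . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li><a href="' . get_permalink( $row->ID ) . '">' . $row->post_title . '</a></li>';
    }
    return $out . '</ul>';
}

// Version 2 (hardened): sanitize on input, parameterize the query, escape on output.
function demo_title_search_safe() {
    global $wpdb;

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and control characters.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $q ) {
        return '<p>No search term given.</p>';
    }

    // esc_like() neutralizes LIKE wildcards in the term; prepare() binds %s
    // and %d as values, so user input can never alter the query structure.
    $like = '%' . $wpdb->esc_like( $q ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = 'publish' AND post_title LIKE %s
             ORDER BY post_date DESC LIMIT %d",
            $like,
            20
        )
    );

    // Escape each value for the context it lands in: esc_html() for text
    // nodes, esc_url() for the href attribute.
    $out = '<p>Results for ' . esc_html( $q ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= sprintf(
            '<li><a href="%s">%s</a></li>',
            esc_url( get_permalink( $row->ID ) ),
            esc_html( $row->post_title )
        );
    }
    return $out . '</ul>';
}

// Only the hardened version is exposed. Place [demo_title_search] in a post
// and open that page with ?q=hello to exercise it.
add_shortcode( 'demo_title_search', 'demo_title_search_safe' );
```

The vulnerable version is kept only for comparison and is never registered. The hardened version also caps the result set with LIMIT, which is the kind of detail a source code audit would look for beyond the two headline vulnerability classes.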
Statistics of WordPress Core Vulnerabilities
The below graph highlights the top 10 most vulnerable WordPress core versions, with versions 3.0 and 3.0.1 leading the pack with 15 vulnerabilities each. In second place, with 13 vulnerabilities each, are WordPress versions 3.5, 3.5.1 and 3.6.
Top 10 Most Vulnerable WordPress Plugins
Here are some worrying facts about the Top 10 most vulnerable WordPress plugins:
- 5 of them are commercial plugins
- These plugins were downloaded around 21 million times
- 1 of these plugins is a WordPress security plugin
Why are these worrying facts? I would not be surprised if a commercial plugin were vulnerable; everyone makes mistakes, and as long as they are rectified immediately all is good. What is worrying is that commercial plugins are listed in the top 10 most vulnerable WordPress plugins. I was also very surprised to see Wordfence, a WordPress security plugin, in the top 10 most vulnerable WordPress plugins with 9 vulnerabilities. Again, I am not saying such plugins should be bulletproof; it, like every other plugin, never will be. However, I would expect a plugin written by security people to help WordPress users keep their WordPress secure to have fewer vulnerabilities, or at least not to be in the top 10 list.
Top 10 Most Vulnerable WordPress Themes
The below graph highlights the top 10 most vulnerable WordPress themes with the highest one having only 3 vulnerabilities under its name.
Are These WordPress Vulnerabilities Statistics Accurate?
These statistics are based on the information stored in the WPScan Vulnerability Database, which, although frequently updated, is by no means complete. There are many other vulnerable WordPress plugins and themes out there which are not listed here, as well as vulnerabilities which have not been made public yet. But at least this gives us a good overview of the state of WordPress vulnerabilities.
Submit Known WordPress Vulnerabilities
As a matter of fact, the WPScan team encourages everyone who knows of a WordPress core, plugin or theme vulnerability that is not yet listed in the vulnerability database to submit it to them, to ensure we have one centralized and reliable source of information.
What Can You Learn From These Statistics?
WordPress Users and Administrators
These statistics highlight how important it is to always run the latest version of WordPress, plugins and themes, thus ensuring that you always have the most secure and stable version of the software. You can make this easier on yourself by choosing a hosting provider which provides auto-updates for both plugins and WordPress itself, effectively eliminating the need to update plugins manually.
It is also very important to choose the right plugins for your WordPress. When it comes to WordPress security plugins, I first recommend getting a better understanding of the WordPress security plugins ecosystem and how they all work.
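If your host does not offer auto-updates, WordPress can be told to do the same thing itself. The following is an added example, not code from the article or from WPScan: a hypothetical must-use plugin that opts every plugin and theme into the background updater and e-mails the administrator a daily list of anything still outdated (a failed update, a plugin not distributed through wordpress.org, or an update vetoed by another filter). The plugin and function names are invented; the filters (auto_update_plugin, auto_update_theme, allow_major_auto_core_updates), the update_plugins and update_themes transients and the wp-cron and wp_mail calls are the real core APIs, and it assumes WordPress 3.7 or later, where the background updater was introduced.

```php
<?php
/**
 * Plugin Name: Demo Update Guard (hypothetical example)
 * Description: Opts every plugin and theme into WordPress's background
 * updater and e-mails the site admin about anything still outdated.
 * Drop this file into wp-content/mu-plugins/ so it cannot be deactivated.
 */

// WordPress 3.7+ auto-applies minor core releases. These filters extend the
// background updater to plugins, themes and major core releases, which is
// what hosting providers' "auto-update" offerings effectively do.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

/**
 * List plugins and themes with a pending update as "type slug current -> new".
 * Reads the update transients that WordPress refreshes through wp-cron.
 *
 * @return string[] One line per outdated component; empty when all is current.
 */
function demo_update_guard_outdated() {
    $outdated = array();

    // Plugin entries in ->response are objects keyed by plugin file;
    // ->checked holds the installed version for every plugin that was checked.
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $info ) {
            $current    = isset( $plugins->checked[ $file ] ) ? $plugins->checked[ $file ] : '?';
            $outdated[] = sprintf( 'plugin %s %s -> %s', $file, $current, $info->new_version );
        }
    }

    // Theme entries in ->response are arrays keyed by stylesheet slug.
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $info ) {
            $current    = isset( $themes->checked[ $slug ] ) ? $themes->checked[ $slug ] : '?';
            $outdated[] = sprintf( 'theme %s %s -> %s', $slug, $current, $info['new_version'] );
        }
    }

    return $outdated;
}

// Daily report: only sends mail when something is still outdated.
function demo_update_guard_report() {
    $outdated = demo_update_guard_outdated();
    if ( empty( $outdated ) ) {
        return;
    }
    wp_mail(
        get_option( 'admin_email' ),
        sprintf( '[%s] %d outdated WordPress component(s)', get_bloginfo( 'name' ), count( $outdated ) ),
        implode( "\n", $outdated )
    );
}
add_action( 'demo_update_guard_report', 'demo_update_guard_report' );

// Schedule the report once; wp-cron then fires the hook every day.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'demo_update_guard_report' ) ) {
        wp_schedule_event( time(), 'daily', 'demo_update_guard_report' );
    }
} );
```

Two caveats a practitioner would check: wp-cron only runs when the site receives traffic unless a real system cron triggers wp-cron.php, and a plugin from outside wordpress.org will never appear in the update_plugins transient, so it still needs to be tracked by hand.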
WordPress Plugins Developers
If you are a WordPress plugin developer, especially of a commercial plugin, you should go the extra mile to ensure the security of your customers. Hence I recommend always double-checking the code and, if possible, having a WordPress plugin security source code audit done. Investing in security will actually help your business and your plugin’s reputation.