In the world of cyber crime, gaining access to web sites powered by popular software such as WordPress opens the door to large-scale attacks, or perhaps to ransomware revenue. WordPress has over 40% market share of web site software, which makes it a very attractive target. A new report from security consultancy Patchstack has some alarming statistics: more than 70 million web sites built on WordPress are running plugins and themes that are known to be vulnerable.
Here are the highlights from Patchstack’s “Security vulnerabilities of WordPress ecosystem in 2020” report:
- Altogether 582 vulnerabilities were discovered in the WordPress ecosystem in 2020.
- Only 22 of those security problems were in the core WordPress software; 82 vulnerabilities were in themes and 478 in plugins.
- In other words, 99.22% of known security issues are in third-party plugin modules that extend the functionality of WordPress.
Patchstack has categorised the security holes in WordPress into five types. This is the top 5 ranking by vulnerability type:
- Cross-Site Scripting (XSS) – 211 cases
- SQL injection (SQLi) – 53
- Cross-Site Request Forgery (CSRF) – 38
- Sensitive Information Disclosure – 29
- Arbitrary File Upload – 16
- Other – 131
Are the results a worrying sign, or business as usual?
The report writers analyzed 50 000 WordPress web sites for their plugins and themes. On average, a WordPress site has 23 plugins, and 4 of those 23 plugins were outdated, waiting for the admin to update them.
I never would have thought that a web site needs so many plugins to function. I believe one of our sites had nine or ten plugins a couple of years ago, but we have cut it down to seven now. Our other sites have even fewer plugins. The lure of plugins that add functionality to a site, and may thereby bring more visitors to its pages, is, however, understandable.
With 70 million WordPress sites running vulnerable plugins, it is also understandable that professionals in the WordPress community are worried. Patchstack conducted a survey among 400 professionals, and 70% of them said they were increasingly concerned about the security of their web sites because of third-party plugins.
The quality of third-party plugins is a major issue that the large WordPress community and the core product developer Automattic can’t escape anymore. There may be a committee already planning a solution – if so, please communicate. Everyone wants plugins for their sites, and many small businesses have been established to develop plugins, but security is lacking.
The scale of the problem is so large that it may lead to nasty, large-scale consequences. After reading and reviewing the book This Is How They Tell Me the World Ends by Nicole Perlroth, I have been convinced that every individual, every business, every organization and every public office must be prepared for the moment their computer systems are hacked. Anyone, anywhere can be an accidental or carefully chosen, unintended or intended target.
News discovered via Wptavern.
Very good write-up. I definitely love this site.
Keep writing!