WordPress Security: Why it’s more important than ever today
WordPress security is a topic that’s been gaining more attention recently. To understand why it’s happening, let’s look at some statistics first:
WordPress is used on about 43% of all sites on the internet, with the figure going up to 65% for sites made on a CMS (content management system). These figures are constantly growing, meaning that WordPress is becoming an even bigger target for hackers every day. Case in point:
- Cybercrime is up 600% due to the COVID-19 pandemic
- 60% of data breach victims said they were breached due to an unpatched known vulnerability where the patch was not applied
- Vulnerabilities in plugins and themes remain one of the biggest threats to websites built on WordPress
- 99.42% of security vulnerabilities were found in WordPress plugins and themes, while only 0.58% of security vulnerabilities originated from WordPress Core
- We’ve seen a 150% growth in vulnerabilities reported in 2021 compared to 2020 which is a significant increase
- Meanwhile, 29% of the WordPress plugins with critical vulnerabilities received no patch
The point is clear: addressing vulnerabilities is arguably the most important thing you can do for your site.
How we make the Web safer with WP Toolkit
To make the internet a safer place for all, WP Toolkit is now introducing an automated vulnerability scan based on the vulnerability database provided by our partners at Patchstack. Every hour we’re checking if there are any plugins, themes, or WordPress sites on a given server with known vulnerabilities. We are also fetching information about new vulnerabilities from the vulnerability database on an hourly basis. Once a vulnerability is detected, WP Toolkit will mark the site in the interface, letting site admins know they should take action.
A vulnerability scan isn’t something we’ve decided to do “just in case”. There has been a 150% increase in vulnerabilities found compared to 2020. Nearly 1,500 new vulnerabilities have been added to Patchstack vulnerability database in 2021. These vulnerabilities were in WordPress plugins, themes, and WordPress core. For comparison, in 2020 we saw almost 600 vulnerabilities.
As the primary source for WordPress plugins and themes, the wordpress.org repository leads the way in terms of vulnerable assets. Vulnerabilities in plugins and themes hosted on wordpress.org represented 91.79% of vulnerabilities added to Patchstack vulnerability database.
The remaining 8.21% of the reported vulnerabilities in 2021 were reported in the premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces e.g. Envato, ThemeForest, Code Canyon, or made available for direct download only.
As you can see, the situation with security vulnerabilities in the WordPress ecosystem seems to be getting out of hand. Who’s going to help us mitigate the consequences?
WebPros is partnering with fine folks from Patchstack to make the web a safer place. Patchstack is a security service leading the way in open-source security by connecting technology, threat intelligence, and community to secure the open-source ecosystem. As officially authorized CNA to assign CVE IDs to WordPress-related vulnerabilities, it is also a winner of Global InfoSec Awards 2021 in two categories: Open Source Security and Web Application Security for providing “Cutting Edge” solutions to the market.
In 2021, Patchstack launched a bug bounty community for ethical hackers (Patchstack Alliance) to identify and patch vulnerabilities across the entire WordPress ecosystem. In 2021, around $13,000 was paid out as bounties. Brands such as Plesk, cPanel, Pagely, and many others are already supporting it.
All of the reported vulnerabilities in WordPress Core in 2021 were reported through this vulnerability disclosure program which sets forth proper rules and expectations for all parties involved.
Patchstack encourages all developers, including small open-source developers to have a public vulnerability disclosure policy. You don’t need to pay big bug bounties to have one, and a vulnerability disclosure policy is exactly where you can state you offer no bounties on security bugs at all.
Public vulnerability disclosure policies are about setting expectations. It also states who is responsible for reviewing security reports for the project and how to get in contact with policies and include bug bounty details.
Summing it up
WP Toolkit keeps your WordPress sites under constant watch with help from Patchstack, our trusted partners and leading WordPress security experts. If you want to learn more about WordPress security, get the latest State Of WordPress Security whitepaper courtesy of Patchstack. Finally, when it comes to WP Toolkit, a vulnerability scan isn’t the last thing we’re adding for handling the security of your sites – on the contrary, it’s just the beginning. Stay in touch to learn more, and see you next time!