To say that WordPress is popular would be an understatement. Over 30% of websites trust WordPress as their CMS, which means that around 1/3 of all sites rely on WordPress to be the backbone of their digital footprint. But, what happens when the world's most popular CMS isn't safe?
Researchers at Imperva released their "State of Web Applications Vulnerability Report" last Wednesday, which detailed an alarming rise in WordPress vulnerabilities. In fact, in 2018, WordPress had 3x more vulnerabilities, and that number has been rising year-over-year.
Today, we're going to dive into this report and dig out the details. Let's figure out what's going on, and what this may mean for all of you who are using WordPress as your primary CMS.
A First Look
Let's start off by saying that the report wasn't all bad news for the security industry. IoT attacks had an overall decline and PHP vulnerabilities also had a surprising decline — though, to be fair, the few that we covered this year were particularly bad — But, the report did have some alarming news about both WordPress and Drupal.
WordPress vulnerabilities tripled, and that number continues to grow. At the same time, Drupal had the broadest reaching attacks.
While the Drupal news was to be expected, WordPress's staggering rise in vulnerabilities was a little shocking. After all, this is a CMS that powers over 46% of all websites who rely on a CMS. That's an astounding number of websites (22% of ALL new U.S. domains.) As WordPress's vulnerability issues continue to pressurize, the platform itself seems to be a regular member of the news — especially in the cybersecurity world. This year alone, there's been:
- The United Nations hack
- tagdiv and Ultimate Members injections
- AMP & GDPR vulnerabilities (via ajax hook)
- jQuery vulnerability
- Tons of plugin vulnerabilities
- Core vulnerabilities
- and others
And those are just the ones that we've covered.
In fact, 542 WordPress vulnerabilities were discovered last year, which is almost two-a-day
So, let's dive deeper into the report so we can get a clearer picture of what's happening.
Fewer Plugins More Problems?
Not only did the number of WordPress vulnerabilities skyrocket, the number of new plugins significantly decreased. According to the report, the total number of WordPress plugins is 55,271 and only 1,914 — or 3% — were added in 2018. This is a significant drop from the year before, where the total number of plugins increased from 48,044 to 53,357 — or ~10%. This means that there were 3x FEWER plugins added this year, yet there were 3x MORE vulnerabilities.
Why is this alarming?
This means that the source of these vulnerabilities is not coming from new plugins containing vulnerabilities. Instead, hackers are finding existing vulnerabilities to exploit.
In fact, according to the report, more than HALF (54%) of all web application vulnerabilities have a public exploit available to hackers. This means that these exploits aren't just being abused by small niche groups of hackers, they are completely public. At the same time, 38% of all web application vulnerabilities (over 1/3!) don't have a solution! This means that these exploits have no patch, no workaround, and no fix.
Any Plugins More Problems
98% of WordPress's vulnerabilities came directly from plugins, while 2% (10!) came from the WordPress core.
To explain this, Imperva says:
"WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities."
Of course, these sentiments have been mirrored by major cybersecurity analysts for years.
But, the problem goes well beyond plugins. This year alone there have been 10 core vulnerabilities, and some of those WordPress had known about for YEARS before deciding to patch.
What It All Means
So, what does it all mean for WordPress?
Well, let's sum everything up first.
- WordPress has 3x more vulnerabilities in 2018!
- WordPress vulnerabilities are coming from plugins and core vulnerabilities BUT only 3% of WordPress plugins this year were new.
- 38% of all web app vulnerabilities have no workaround.
- and 54% of all web app vulnerabilities are public.
Of course, the primary vulnerability types were all injections, but that's not surprising given the current atmosphere of cybersecurity.
To sum this all up. WordPress has added fewer plugins, but they have a growing vulnerability issue. Why would this be? For one, WordPress has over 30% of the web under its umbrella, which means its a ripe target for hackers. Second, WordPress's open source nature continues to prove problematic from a security standpoint. We're also seeing a scary number of known vulnerabilities without fixes, meaning that anyone whose infected will remain so, or be forced to delete their entire website.
Finally, WordPress is simply losing its ability to protect its users against vulnerabilities. As their numbers continue to swell, they have an ongoing cybersecurity war that they just can't seem to get in front of. After all, anyone and everyone can look at their code, and that's proven to be lucrative for savvy hackers.
With the PHP change incoming* and an ever-increasing number of vulnerabilities, WordPress may be fighting a losing battle against hackers. Only time will tell.
By the way, there are still ~30k servers with unsupported PHP versions! If this is you, you need to upgrade!
The web is growing increasingly dangerous for site owners. Vulnerabilities continue to rise, and the damages related to hacking are getting more serious each year.
WordPress's open nature has put them in a tough spot. They have more vulnerabilities than ever, yet fewer new plugins to blame. As cybersecurity becomes an increasingly important element for site owners, WordPress may start to see number dips — especially if they don't secure their CMS better.
If you're looking for a CMS that takes security very seriously, contact us. We aren't trying to be the latest-and-greatest WordPress-like CMS, but we are trying to be the most secure and easy-to-use CMS on the planet.