In this video and associated blog post we dive into this report and dig out the details. Let’s figure out what’s going on, and what this may mean for all of you who are using WordPress as your primary CMS. You can view the entire blog post at: https://bit.ly/2HQmmDe
WordPress vulnerabilities tripled, and that number continues to grow. At the same time, Drupal had the broadest-reaching attacks. While the Drupal news was to be expected, WordPress's staggering rise in vulnerabilities was a little shocking. After all, this is a CMS that powers over 46% of all websites that rely on a CMS.
In fact, 542 WordPress vulnerabilities were discovered last year, which is almost two a day.
Not only did the number of WordPress vulnerabilities skyrocket, the number of new plugins significantly decreased. There were 3x FEWER plugins added this year, yet there were 3x MORE vulnerabilities. This means that these vulnerabilities are not coming from newly added plugins; instead, hackers are finding and exploiting vulnerabilities in plugins that already exist.
In fact, according to the report, more than HALF (54%) of all web application vulnerabilities have a public exploit available to hackers. This means that these exploits aren't being abused only by small niche groups of hackers; they are completely public. At the same time, 38% of all web application vulnerabilities don't have a solution! This means that these vulnerabilities have no patch, no workaround, and no fix.
To explain this, Imperva says:
“WordPress is open source, easy to manage, and there is no enforcement or any proper process that mandates minimum security standards (e.g. code analysis). Hence, WordPress plugins are prone to vulnerabilities.”
To sum this all up: WordPress has added fewer plugins, but it has a growing vulnerability issue. Why would this be? For one, WordPress has over 30% of the web under its umbrella, which means it's a ripe target for hackers. Second, WordPress's open source nature continues to prove problematic from a security standpoint. We're also seeing a scary number of known vulnerabilities without fixes, meaning that anyone who is infected will remain so, or be forced to delete their entire website.