- Blogs
- WordPress Security
- How safe is WordPress? What you need to know in 2024
WordPress Security / 10 min read
How safe is WordPress? What you need to know in 2024
Unsecured websites are often the target of cybercriminals and otherwise bad actors. With the cost of cybercrime projected to climb to $24 trillion in 2027, it’s only natural for website owners and developers to be even more careful when managing website security.
WordPress is the most popular CMS in the world. It’s used in about 63% of websites with a known CMS or around 43% of all websites. Being so widespread, it’s no surprise that WordPress sites are often the victim of hacks and breaches.
This article will explore the essential information you need to know about WordPress security, including:
- The main elements of WordPress’ security.
- Common WordPress security vulnerabilities and threats.
- Current WordPress security statistics.
- WordPress security best practices.
Keep reading to understand better how to set up and maintain a secure WordPress site.
Elements of WordPress’ security
WordPress websites consist of the core WordPress installation and the additional software component you add later (plugins and themes).
When boosting your site’s security, you need to be aware of these three main elements. It is a short overview of each of the elements and their role in your site’s security.
Core
The WordPress core is the set of files you install on your server when you start a WordPress.org webpage. They are the essential files all WordPress sites need to operate.
The WordPress core is developed and maintained by the team behind WordPress.org, which employs world-class cybersecurity experts to monitor and patch vulnerabilities constantly. As a result, the core is very secure, but it may still be open to occasional vulnerabilities before they’re patched.
Older WordPress cores are not maintained, and as a result, they’re much more vulnerable to exploits. Keeping the core files updated is a crucial security measure.
Plugins and themes
WordPress.org’s team does not develop plugins and themes. As a result, their security level depends on the developers’ dedication to it.
It means some plugins and themes are very secure because they have a team of cybersecurity experts behind them. In contrast, others are much less secure due to a lack of maintenance and updates. Some plugins and themes may even be abandoned, making them even more insecure.
The best way to avoid vulnerabilities in plugins and themes is to install only reputable ones and keep them updated.
Common WordPress security vulnerabilities and threats
WordPress has vulnerabilities that can be turned into security threats by malicious actors, such as hackers motivated for monetary gain, website traffic, or any other reason.
These are the most common and significant WordPress vulnerabilities and threats.
Out-of-date CMS cores and PHP versions
As we explained above, the core is the main WordPress installation containing the fundamental basis of your website. Older versions are no longer supported by WordPress.org, meaning their known vulnerabilities will forever remain unpatched.
As a result, hackers can exploit them more easily, safely knowing that they cannot be stopped via security patches. The same goes for PHP, the programming language powering the core files. Older PHP versions are less secure.
Unsecured admin panels
Exploiting the admin login URL via brute force attacks is one of the most common ways. WordPress sites are hacked, providing full access to the admin dashboard. There are many ways to secure your admin login URL, but these three are probably the most common and effective:
- Change the default login URL to a unique one that is harder to guess.
- Add two-factor authentication to the login process.
- Establish a limit for failed login attempts.
Brute Force Login Attempts
Brute force login attempts or brute force attacks are cyberattacks in which the attacker guesses every possible combination of characters to find a password that allows them access to a site.
It’s one of the simplest cyberattacks and can take a lot of time before stumbling into the correct password. Using long, strong, unique passwords makes brute-force attacks less effective.
Vulnerable, unsecured plugins and themes
Considering there are dozens of thousands of plugins and themes that interact with your websites in multiple ways, it’s possible for hackers to eventually find a vulnerability in one of them and exploit it to gain access to unsuspecting websites.
Plugin and theme vulnerabilities can be the most harmful when exploited in popular plugins and themes installed on thousands or millions of websites. The wide adoption increases the pool of possible targets and provides larger amounts of information to steal.
Malware
Malware (malicious software) is a broad family of software created to damage or gain unauthorized access to a computer system. Various types of malware operate in different ways to exploit different website mechanisms.
In WordPress, the most common types of malware are:
Hotlinking
Hotlinking is linking content (images, music, videos, documents, etc.) from one website to another instead of downloading the file and hosting it on your own server. When Website A links to content in Website B instead of hosting the file, Website A costs Website B bandwidth and processing resources by not hosting the files.
It increases bandwidth spent on Website B without directing traffic their way while providing traffic to Website A. At best, it’s bad etiquette. At worst, it’s malicious.
Denial-of-Service (DoS)
DoS attacks shut down a service, network, or website, disrupting it so visitors cannot use it.
Most often, hackers overwhelm the victim’s systems with an excessive amount of traffic requests. When the requests come from multiple devices instead of a single one, it’s called a distributed denial of service (DDoS).
SQL injections
SQL is a programming language used to manage relational databases. All WordPress sites use relational databases. SQL injections are malicious uses of SQL to gain access to backend information that was supposed to stay hidden from the public.
Cross-Site Scripting (XSS)
XSS is a type of attack where a third party injects malicious scripts into otherwise benign websites. The injected scripts can impersonate legitimate users, steal sensitive data, and more. XSS is one of the most common types of cyberattacks in the WordPress ecosystem.
WordPress security statistics
Now that we have context about WordPress’ common vulnerabilities and threats, let’s explore vital security statistics you should be aware of.
For some context, it’s estimated that around 90,000 WordPress sites are attacked every day. WordPress’s also well-known as the most vulnerable CMS: in 2021, over 95% of sites where SiteCheck performed a malware scan and cleanup were WordPress sites. The other CMSs accumulated less than 5% of attacks.
Since SiteCheck’s user base is almost entirely WordPress users, we shouldn’t take this statistic to mean that 95% of all cyberattacks occur on WordPress sites. Still, given WordPress’ massive market share, it’s expected to be the most common target for cyberattacks.
As you read through these nuggets of data, remember that they come from reports created by specific companies that monitor security in WordPress and sometimes other CMSs, too. More specifically, our sources are:
The scope of these reports is limited when compared to all of WordPress’ user base. However, they still provide a good overview of WordPress’ security environment. With that in mind, let’s explore some WordPress security statistics.
Credential stuffings are the most common type of attack
In 2022, the most common type of attack against WordPress was credential stuffings, where an attacker tries to guess multiple username and password combinations for a site. The username and password combinations come from data breaches and password lists.
Wordfence blocked more than 159 billion credential-stuffing attacks in 2022.
Source: Wordfence’s 2022 State of WordPress Security Report.
Cross-site scripting is the most commonly disclosed WordPress vulnerability.
Cross-site scripting (XSS) was the most common category of disclosed (publicly known) WordPress vulnerability in 2022, accounting for nearly half of all disclosed vulnerabilities. The next most common types were cross-site request forgery, authorization bypass vulnerabilities, SQL injections, and information disclosure.
Source: Wordfence’s 2022 State of WordPress Security Report.
Most attacks take place on already-compromised websites
In 2022, most attacks against WordPress occurred in sites that had already been compromised rather than sites that had been secure up to that point. It is known as “persistent infection.”
Source: Wordfence’s 2022 State of WordPress Security Report.
Many website owners don’t keep their WordPress cores updated
In 2021, 48% of SiteCheck users (most of which use WordPress) had outdated CMS installations, making them more vulnerable to exploits.
Source: Wordfence’s 2022 State of WordPress Security Report.
The problem of credential reuse is growing.
Credential reuse is reusing the same password for multiple systems (admin account, cPanel account, phpMyAdmin account, etc.). As more leaked passwords accumulate yearly, malicious actors have a larger pool of potentially reusable passwords.
Unmaintained WordPress accounts are especially vulnerable.
Source: Wordfence’s 2022 State of WordPress Security Report.
WordPress security-related lists
The most common types of WordPress malware in 2021
The following is a list of the most common types of malware found during SiteCheck’s scans and cleanups:
- Generic malware such as PHP malware, site URL/ home URL infections, malicious processes that primarily affect .htaccess and ./index.php, etc.. (61%)
- Backdoors (60%)
- SEO spam (52)
- Hacktools (20%)
- Phishing (7%)
- Defacements (6%)
- Mailers (5%)
- Droppers (0.63%)
The percentages overlap because sites are often infected by multiple types of malware simultaneously.
Source: Sucuri’s 2021 Website Threat Research Report.
The 10 most vulnerable WordPress plugins in 2021 by popularity
In 2021, these were the most vulnerable WordPress plugins, based on the number of installations:
- WooCommerce (5+ Million)
- All In One SEO (3+ Million )
- Ninja Forms (1+ Million)
- Redux Framework (1+ Million)
- WP Fastest Cache (1+ Million)
- Astra Starter Templates (1+ Million)
- WP Statistics (600,000+)
- WP User Avatar / ProfilePress (400,000+)
- Simple 301 Redirects by BetterLinks (200,000+)
- Thrive Themes Plugins/Themes (100,000+)
This data does not necessarily indicate that these plugins were the attack vector. Still, they likely contributed to an unsafe environment for the websites they were installed in.
Source: Sucuri’s 2021 Website Threat Research Report.
The 10 most vulnerable plugins, based on their CVSS score
The Common Vulnerability Scoring System (CVSS) is a rating from 0 to 10 that indicates how severe security vulnerabilities are in a given software. 10 is the most severe, and 0 is the least severe.
Based on their CVSS score, in 2021, the plugins with the most severe security vulnerabilities were:
- Thrive Themes Plugins/Themes (10)
- Kaswara (abandoned by the developers, 9.9)
- Simple 301 Redirects (9.9)
- External Media (9.9)
- Store Locator Plus (abandoned by the developers, 9.9)
- All In One SEO (9.9)
- WP User Avatar / ProfilePress (9.8)
- Booster for WooCommerce (9.8)
- Image Hover Effects Ultimate (9.8)
- PublishPress Capabilities (9.8)
Source: Sucuri’s 2021 Website Threat Research Report.
Abandoned plugins are highly vulnerable.
Abandoned plugins are those no longer being updated by their developers. This makes them likely to be exploited since developers no longer patch known vulnerabilities. In 2021, abandoned plugins Kaswara and Store Locator Plus were two of the most vulnerable in the WordPress ecosystem.
Kaswara is a page builder, which means that users who built their page using Kaswara had to rebuild it entirely or stay open to security leaks.
Source: Sucuri’s 2021 Website Threat Research Report.
The most well-protected WordPress sites in 2021
The most well-protected WordPress sites in 2021 were the ones employing auto-updates for plugin components and using a Web Application Firewall (WAF) to block attack attempts.
Source: Sucuri’s 2021 Website Threat Research Report.
Are WordPress websites secure?
In the hands of an experienced WordPress developer who is informed about common vulnerabilities and knows how to secure a site, WordPress sites can be as secure as any website can be in any CMS.
In the hands of someone unaware of common vulnerabilities, who doesn’t update plugins and themes, doesn’t update PHP versions and core files, doesn’t make regular backups, and doesn’t understand security best practices, it can lead to a costly security breach.
The WordPress ecosystem has the tools to build a secure website. Still, it’s up to the developers and owners to take the necessary measures and stay on top of known vulnerabilities if they want to create a secure environment.
If you found this post useful, read our blog for more WordPress insights, guides, and tips.
Related Articles
WordPress 101 / 8 min read
WordPress 101 / 8 min read
How to audit a WordPress website’s security?
WordPress, being the most popular content management system, attracts a fair amount of malicious attention. To prevent yours from falling victim to a cyberattack, you should periodically audit your WordPress…
Read MoreWordPress Security / 10 min read
WordPress Security / 10 min read
Why Is Your WordPress Site “Not Secure”? What You Need to Know
In July 2018, Google Chrome started flagging sites without an SSL certificate as “not secure.” Any website still using HTTP instead of HTTPS to exchange information with users has been…
Read MoreHow to... / 7 min read
How to... / 7 min read
WordPress CSRF attacks: what they are and how to prevent them?
WordPress CSRF (cross-site request forgery) attacks are one of the most common security vulnerabilities plugin, theme, and website developers have to account for. A dedicated hacker can take over admin…
Read MoreHow to... / 8 min read
How to... / 8 min read
WordPress SEO spam: what is it and how to prevent it?
WordPress SEO spam is one of the most common security threats for websites using this CMS. It can get your website labeled deceptive, cause your users to suffer scams, and…
Read MoreWordPress Security / 7 min read
WordPress Security / 7 min read
WordPress supply chain attacks: what are they and how to prevent them?
WordPress is the most popular content management system, attracting many hackers wanting to exploit such a rich ecosystem for their benefit. WordPress supply chain attacks are one of the methods…
Read More