Exploring WordPress security statistics is a great way to lose sleep at night if you’re a website owner. Still, it’s also a great way to stay informed with relevant information about the vulnerabilities that threaten millions of sites in the ecosystem.
This article explores 18 security statistics that are as up-to-date as possible to give you the knowledge you need to make better security decisions.
Keep in mind that WordPress security is an ongoing process, and cybersecurity experts need time to process the data they receive, often meaning that we only get comprehensive security reports after the year ends.
As a result, there aren’t many comprehensive security statistics for 2023 yet. Still, we did our best to provide the most current information available by compiling statistics from three security reports by companies heavily invested in WordPress security:
The Sucuri 2021 report.
The Wordfence 2022 report.
The iThemes 2022 report.
The bulk of the statistics presented here come from these reports. Now let’s get into it.
18 WordPress security statistics
Around 1 in 25 WordPress sites get hacked (2021)
Approximately 4.3% of the WordPress websites scanned with Sucuri’s SiteCheck scanner in 2021 were found to be infected (hacked). That’s a little over 1 out of every 25 scanned sites.
This figure is not a census of the whole WordPress install base. SiteCheck only sees the sites that are submitted to it, and owners tend to scan a site when they already suspect a problem, so the sample likely skews toward compromised sites. With that caveat, Sucuri’s data is widely relied on, and this remains one of the better estimates available.
Plugins are by far the most common source of WordPress vulnerabilities (2022)
According to iThemes Security, there were 1,779 WordPress vulnerabilities disclosed in 2022. Of those, 1,659 (93.25%) were in plugins. The remainder came from themes (97, or 5.45%) and WordPress core (23, or 1.29%). Core accounts for a small fraction of disclosures; the risk concentrates in the software you add on top of it.
Credential stuffing is the most common type of attack (2022)
In 2022, credential stuffing was the most common attack against WordPress sites. In a credential stuffing attack, the attacker replays username and password pairs harvested from other data breaches and leaked password lists against a site’s login, betting that users reused them. It differs from a plain brute-force attack, which hammers one account with many password guesses.
Security plugin Wordfence reports having blocked more than 159 billion credential-stuffing attempts in 2022.
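The two patterns described above look different in a login log: stuffing shows one source walking through many distinct usernames with one or two tries each, while brute force shows one source hitting one account over and over. The following is an added example (not from the article or from any security plugin) that separates the two over a window of login events. The log line format (one JSON object per line with ts, ip, user and result) and the thresholds are assumptions for illustration; the sample events are constructed.

```python
"""Separate credential-stuffing from brute-force sources in WordPress login events.

Added example, not from the original article. The input format (one JSON object
per line with ts, ip, user, result) and the thresholds are assumptions; adapt
parse_events() to whatever your security plugin or web server actually emits.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. 203.0.113.7 walks a leaked username list (one try each,
# then one success), 198.51.100.20 hammers the "admin" account, 192.0.2.5 is a
# legitimate user who mistyped once.
SAMPLE_EVENTS = [
    ("2022-11-03T10:00:01Z", "203.0.113.7", "alice", "fail"),
    ("2022-11-03T10:00:03Z", "203.0.113.7", "bob", "fail"),
    ("2022-11-03T10:00:05Z", "203.0.113.7", "carol", "fail"),
    ("2022-11-03T10:00:07Z", "203.0.113.7", "dave", "fail"),
    ("2022-11-03T10:00:09Z", "203.0.113.7", "erin", "fail"),
    ("2022-11-03T10:00:11Z", "203.0.113.7", "frank", "success"),
    ("2022-11-03T10:05:00Z", "192.0.2.5", "alice", "fail"),
    ("2022-11-03T10:05:20Z", "192.0.2.5", "alice", "success"),
] + [(f"2022-11-03T10:01:{s:02d}Z", "198.51.100.20", "admin", "fail") for s in range(0, 36, 3)]
SAMPLE_LOG = "\n".join(json.dumps(dict(zip(("ts", "ip", "user", "result"), e))) for e in SAMPLE_EVENTS)

WINDOW = timedelta(minutes=10)
STUFFING_MIN_USERS = 5   # assumption: distinct usernames tried from one IP within WINDOW
BRUTE_MIN_FAILS = 10     # assumption: failures from one IP within WINDOW


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def classify_sources(events, window=WINDOW, min_users=STUFFING_MIN_USERS, min_fails=BRUTE_MIN_FAILS):
    """Return {ip: {"label", "distinct_users", "fails", "successes"}} per source IP.

    A sliding window over each IP's failures measures density rather than lifetime
    totals, so a slow legitimate user is not confused with an attacker.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "fail"]
        peak_users = peak_fails = 0
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            in_window = fails[start:end + 1]
            peak_users = max(peak_users, len({e["user"] for e in in_window}))
            peak_fails = max(peak_fails, len(in_window))
        if peak_users >= min_users:
            label = "credential_stuffing"   # many accounts, few tries each
        elif peak_fails >= min_fails:
            label = "brute_force"           # one account, many tries
        else:
            label = "normal"
        report[ip] = {
            "label": label,
            "distinct_users": peak_users,
            "fails": peak_fails,
            "successes": [e["user"] for e in evs if e["result"] == "success"],
        }
    return report


def suspected_compromised_accounts(report):
    """Accounts that logged in successfully from an IP already flagged as attacking."""
    return sorted(u for r in report.values() if r["label"] != "normal" for u in r["successes"])


if __name__ == "__main__":
    rep = classify_sources(parse_events(SAMPLE_LOG))
    for ip, r in rep.items():
        print(f"{ip:15} {r['label']:20} users={r['distinct_users']} fails={r['fails']}")
    print("reset passwords and enforce 2FA for:", suspected_compromised_accounts(rep))
```

A success following a flagged run from the same source is the event that matters operationally: the password was valid, so blocking the IP is not enough and the account needs a reset.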
Over 1,000 plugins have at least one vulnerability in any given week (2022)
In any given week in 2022, 1,361 plugins and 64 themes had at least one known vulnerability.
Cross-site scripting is the most commonly disclosed WordPress vulnerability (2022)
According to Wordfence, cross-site scripting (XSS) was the most common category of disclosed (publicly known) WordPress vulnerability in 2022, accounting for nearly half of all disclosed vulnerabilities known to Wordfence. The next most common types were cross-site request forgery (CSRF), authorization bypass, SQL injection (SQLi), and information disclosure.
The iThemes report presented similar findings. XSS was the most common vulnerability type (50%), followed by CSRF (15%), SQL injection (2%), and bypasses (2%). XSS, CSRF, and SQLi together represented 73% of all disclosed vulnerabilities.
Most attacks take place on already-compromised websites (2022)
In 2022, most of the attacks observed targeted sites that had already been compromised rather than previously clean sites. Attackers return to sites where they hold a foothold to keep their malware in place and exploit them again, which is why a cleanup that removes the visible payload but not the backdoor ends in reinfection. This pattern is referred to as a “persistent infection.”
Most plugins are patched after vulnerability disclosure (2022)
According to iThemes, 69% of disclosed plugin vulnerabilities were patched, 26% had no known fix at the time of reporting, and 5% resulted in the plugin being closed (removed from the WordPress.org directory).
Almost half of website owners don’t keep their WordPress cores updated (2021)
In 2021, 48% of the sites scanned with Sucuri’s SiteCheck scanner were running an outdated CMS version, leaving them exposed to already-patched vulnerabilities. About 95% of the sites SiteCheck scans run WordPress.
Most WordPress security threats are considered “medium” in severity (2022)
The Common Vulnerability Scoring System (CVSS) rates the severity of a vulnerability on a scale from 0 to 10, where 10 is the most severe and 0 the least. CVSS v3 maps scores to qualitative severities as follows:
0.1 – 3.9: Low
4.0 – 6.9: Medium
7.0 – 8.9: High
9.0 – 10.0: Critical
In 2022, iThemes Security determined that most known vulnerabilities were considered medium (50%), followed by high (25%), low (21%), and critical (4%).
The problem of credential reuse is growing (2022)
Credential reuse is reusing the same password for multiple systems (admin account, cPanel account, phpMyAdmin account, etc.). As more leaked passwords accumulate yearly, malicious actors have a larger pool of potentially reusable passwords.
Accounts that are no longer used but still exist, such as former staff or old administrator accounts, are especially exposed: nobody is watching them, so a takeover through a reused password can go unnoticed.
Abandoned plugins are highly vulnerable (2021)
Abandoned plugins are those no longer being updated by their developers. It makes them likely to be exploited since developers no longer patch known vulnerabilities. In 2021, abandoned plugins Kaswara and Store Locator Plus were two of the most vulnerable in the WordPress ecosystem.
Kaswara is a page builder, meaning users who built their pages with it had to rebuild them entirely or remain exposed to its known, unpatched vulnerabilities.
The most common types of WordPress malware (2021)
The following is a list of the most common types of malware found during SiteCheck’s scans and cleanups:
Generic malware such as PHP malware, site URL/ home URL infections, malicious processes that primarily affect .htaccess and index.php, etc. (61%)
SEO spam (52%)
The percentages overlap because sites are often infected by multiple types of malware simultaneously.
2% of plugins and themes were the source of 99% of all vulnerabilities (2022)
iThemes identified 1,425 plugins and themes that experienced new vulnerabilities week-to-week. That’s 2% of the 70,000+ pool of themes and plugins in the WordPress.org ecosystem.
Most plugins and themes are secure, but a few are very insecure, leading to security issues for the entire community.
Over 280,000 sites were attacked through WPGateway in 30 days (2022)
Between August and September 2022, Wordfence blocked over 4 million attacks aimed at 280,000 sites running the WPGateway plugin. The plugin contained a privilege-escalation vulnerability that let attackers add a malicious administrator account without authenticating, handing them full control of the site.
20 to 50 plugin and theme vulnerabilities surface every week (2022)
In 2022, iThemes identified 20-50 new weekly vulnerabilities from plugins and themes.
An average of 121 vulnerabilities are disclosed every month (2022)
iThemes’ weekly reports listed between 90 and 199 newly disclosed vulnerabilities per month in 2022, an average of 121 a month.
The 10 most vulnerable WordPress plugins by popularity (2021)
In 2021, these were the most vulnerable WordPress plugins, based on the number of installations:
WooCommerce (5+ Million)
All In One SEO (3+ Million )
Ninja Forms (1+ Million)
Redux Framework (1+ Million)
WP Fastest Cache (1+ Million)
Astra Starter Templates (1+ Million)
WP Statistics (600,000+)
WP User Avatar / ProfilePress (400,000+)
Simple 301 Redirects by BetterLinks (200,000+)
Thrive Themes Plugins/Themes (100,000+)
This data does not necessarily indicate that these plugins were the attack vector. Still, they likely contributed to an unsafe environment for the websites they were installed in.
The 10 most vulnerable plugins, based on their CVSS score (2021)
Based on their CVSS score in 2021, the plugins with the most severe security vulnerabilities were:
Thrive Themes Plugins/Themes (10)
Kaswara (abandoned by the developers, 9.9)
Simple 301 Redirects (9.9)
External Media (9.9)
Store Locator Plus (abandoned by the developers, 9.9)
All In One SEO (9.9)
WP User Avatar / ProfilePress (9.8)
Booster for WooCommerce (9.8)
Image Hover Effects Ultimate (9.8)
PublishPress Capabilities (9.8)
What do secure WordPress sites have in common?
In 2021, Sucuri found that the most well-protected WordPress sites employed auto-updates for plugin components and used a Web Application Firewall (WAF) to block attack attempts.
How to secure your WordPress site?
The WordPress security landscape is constantly changing, forcing developers to come up with more advanced security features over time. No single measure makes a site attack-proof, but the following steps remove the weaknesses that the statistics above show are most often exploited:
Update WordPress, PHP, plugins, and themes.
Install a security plugin.
Limit login attempts with a plugin like Limit Login Attempts Reloaded.
Enforce unique, strong passwords for all users and accounts associated with your WordPress site, including admins, email, FTP, and cPanel accounts.
Add two-factor authentication to your login with a plugin such as Shield WordPress Security, Google Authenticator – Two Factor Authentication (2FA), or Duo Two-Factor Authentication.
Serve the site over HTTPS with a valid TLS (SSL) certificate.
Back up your site regularly.
Monitor user activity and log out inactive users.
Perform malware scans with scanners like Sucuri, Wordfence, and iThemes Security.
Modify file permissions so that users can only edit what they’re supposed to, limiting the possibility of security leaks.
Get a secure web host.
Use a web application firewall (WAF).
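Several of the steps above (keep core auto-updating, tighten file permissions, stop users from editing what they should not) are checkable from the filesystem. The following is an added example, not from the article or from WordPress itself, that audits an install directory for permissive modes and weak wp-config.php settings. DISALLOW_FILE_EDIT, WP_DEBUG and WP_AUTO_UPDATE_CORE are real WordPress constants; the baseline modes (755 for directories, 644 for files, at most 640 for wp-config.php), the severity labels and the sample install it builds are assumptions for illustration.

```python
"""Audit a WordPress tree for permissive file modes and weak wp-config.php settings.

Added example, not from the article or from WordPress. The constants checked are
real WordPress constants; the expected modes are the conventional baseline and are
an assumption to adapt to how your host runs PHP (e.g. a shared web-server group).
"""
import os
import re
import stat
import tempfile

EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644
CONFIG_MAX_MODE = 0o640   # wp-config.php holds DB credentials: never world-readable

# Simple regex for define('NAME', value) lines; not a PHP parser, so values that
# contain a ')' (e.g. getenv('X')) are not handled.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)""")


def parse_defines(config_text):
    """Return {CONSTANT: raw value string} for define() calls in wp-config.php."""
    return {name: value.strip() for name, value in DEFINE_RE.findall(config_text)}


def check_config(config_text):
    """Findings as (severity, path, message) tuples for weak wp-config.php settings."""
    findings = []
    defs = parse_defines(config_text)
    if defs.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append(("high", "wp-config.php",
                         "DISALLOW_FILE_EDIT is not true: the built-in editor lets any admin session write PHP"))
    if defs.get("WP_DEBUG", "false").lower() == "true":
        findings.append(("medium", "wp-config.php",
                         "WP_DEBUG is true: PHP errors (paths, queries) may be shown to visitors"))
    if defs.get("WP_AUTO_UPDATE_CORE", "").lower() == "false":
        findings.append(("medium", "wp-config.php",
                         "WP_AUTO_UPDATE_CORE is false: core security releases will not auto-install"))
    return findings


def check_permissions(root):
    """Flag directories and files whose mode bits exceed the baseline."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & ~EXPECTED_DIR_MODE:
                sev = "high" if mode & stat.S_IWOTH else "low"
                findings.append((sev, os.path.relpath(path, root).replace(os.sep, "/"),
                                 f"directory mode {mode:o}, expected {EXPECTED_DIR_MODE:o}"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            limit = CONFIG_MAX_MODE if name == "wp-config.php" else EXPECTED_FILE_MODE
            if mode & ~limit:
                sev = "high" if (mode & stat.S_IWOTH or name == "wp-config.php") else "low"
                findings.append((sev, os.path.relpath(path, root).replace(os.sep, "/"),
                                 f"file mode {mode:o}, expected at most {limit:o}"))
    return findings


def audit(root):
    """Combine permission and configuration checks for one install directory."""
    findings = check_permissions(root)
    cfg = os.path.join(root, "wp-config.php")
    if os.path.exists(cfg):
        with open(cfg) as f:
            findings += check_config(f.read())
    else:
        findings.append(("info", "wp-config.php", "not found"))
    return findings


def build_sample_site(root):
    """Constructed sample install with deliberate weaknesses, for demonstration only."""
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    cfg = os.path.join(root, "wp-config.php")
    with open(cfg, "w") as f:
        f.write("<?php\ndefine( 'DB_NAME', 'wp' );\ndefine( 'WP_DEBUG', true );\n"
                "define( 'WP_AUTO_UPDATE_CORE', false );\n")
    os.chmod(cfg, 0o644)                       # credentials readable by every local user
    stray = os.path.join(uploads, "cache.php")
    with open(stray, "w") as f:
        f.write("<?php // PHP inside uploads is itself a red flag\n")
    os.chmod(stray, 0o666)                     # world-writable
    index = os.path.join(root, "index.php")
    with open(index, "w") as f:
        f.write("<?php\n")
    os.chmod(index, 0o644)                     # correct
    for d in (root, os.path.join(root, "wp-content"), uploads):
        os.chmod(d, 0o755)
    return root


def audit_sample_site():
    """Build the constructed sample in a temp dir and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_site(tmp))


if __name__ == "__main__":
    for sev, path, msg in sorted(audit_sample_site()):
        print(f"[{sev}] {path}: {msg}")
```

Run it against a real install with audit("/var/www/html") (path assumed). Expect noise on hosts that run PHP under a shared group and rely on group-writable directories; adjust the baseline constants rather than ignoring the findings wholesale.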
In addition to taking these measures, staying informed about ongoing security vulnerabilities and updating components is one of the best ways to keep your site secure. The iThemes blog, for example, publishes a weekly vulnerability report with a list of plugins experiencing known vulnerabilities and whether they’ve been patched.
Stay in touch with WordPress security resources; you’ll be much better positioned to protect your site from vulnerabilities.