WordPress security vulnerabilities are on the rise, with plugin issues representing the vast majority. In 2023, Patchstack added 5,948 new vulnerabilities to their database, a 24-entry increase over 2022. An incredible 97% of these new vulnerabilities originated from plugins, compared to just 3% from themes and 0.2% from WordPress core.
Plugins Fuel the Web Security Crisis
Cross-site scripting (XSS) flaws accounted for a staggering 53.3% of the new 2023 entries, illustrating the prevalence of injection issues. Additional top vulnerability types consisted of cross-site request forgery (CSRF) at 16.9% and broken access control at 12.9%. Over 42.9% of the plugin-related vulnerabilities were scored as high or critical severity, and 58.9% could be exploited without any authentication.
In 2023 alone, Patchstack reported 827 plugins and themes as abandoned to the WordPress security team – over 5 times more than 2022’s 147 abandoned extensions. In response, 58.16% of these obsolete plugins were permanently removed from the repository. However, those already on existing sites remain as ticking time bombs if not updated.
Most Exploited Plugin Vulnerabilities in 2023
A single XSS vulnerability discovered in the popular Freemius plugin framework impacted a staggering 1,248 additional plugins. The top 5 most actively exploited vulnerabilities existed in these plugins:
- tagDiv Composer
- WooCommerce Payments
- Ultimate Member
- Essential Addons for Elementor
- HT Mega Absolute Addons for Elementor
Unmaintained Websites Fuel Plugin Vulnerabilities
While WordPress core and most popular themes are quite secure when kept updated, plugins pose the biggest threat. Many site owners install a plugin but never check whether it is still supported, not realizing it may have been abandoned years ago with unpatched vulnerabilities. Some commercial plugins are only subscribed for the first year, and they stop receiving critical security updates when the subscription lapses.
There is also a thriving gray marketplace of nulled or pirated plugin copies from questionable sources. These unauthorized versions not only deny income to developers, but they lack access to the auto-update system and may even contain malicious backdoors or time bombs.
Some agencies unfortunately still install these nulled plugins, leaving their client sites unmaintained without updates unless they pay again for a valid license. Recently, a hacked plugin was found to be destroying site databases if it detected an invalid license.
Recommendations for Improving WordPress Security
To protect WordPress sites from compromised plugins and other threats, site owners should follow security best practices including:
- Regularly update WordPress, themes, and plugins
- Check last updated dates on plugins and ensure active development
- Only purchase themes/plugins from original developers
- Renew subscriptions for premium plugins to maintain updates
- Backup the site and databases on a regular basis
- Use a web application firewall and security plugins
Some of our recommended security plugins:
- Admin and Site Enhancements (ASE) for WordPress (wpase.com) – Quite a complete toolset even in the free version; check the options under Security and enable the Limit Login Attempts and Disable XML-RPC options.
- nG Firewall (Perishable Press) – A WAF that relies only on the .htaccess file.
- MalCare (WordPress Security for High Performance Websites) – Quite a good free all-rounder security plugin; create the free account on their website to get access to the very good dashboard.
- Patchstack (Fastest protection for WordPress security vulnerabilities) – Also quite good, especially for vulnerability detection; sign up for their free tier and set up security alerts to email.
Additionally, check that any installed plugins have been updated within the last 3 months and that the developer website indicates it is still actively maintained. Avoid nulled or pirated copies from questionable sources.
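A small audit script, added here as an example (it is not the post's own code and is not part of any plugin named above), applies the 3-month rule from the checklist: it reads plugin records in the shape of the wordpress.org Plugin Info API (the `last_updated` field, assumed to look like "2023-12-19 7:42pm GMT") and flags anything older than 90 days, treating an unknown release date as a finding rather than a pass. The slugs and records below are constructed for the demo; `fetch_plugin_info` shows the live lookup for real slugs.

```python
import json
from datetime import datetime, timezone
from urllib.request import urlopen

API_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"
MAX_AGE_DAYS = 90  # the post's "updated within the last 3 months"

# Constructed sample API responses keyed by hypothetical plugin slugs.
SAMPLE_RECORDS = {
    "fresh-gallery": {"last_updated": "2023-12-19 7:42pm GMT"},
    "old-slider": {"last_updated": "2022-06-01 9:05am GMT"},
    "premium-addon": None,  # not on wordpress.org: lookup returned nothing
    "odd-format": {"last_updated": "unknown"},  # malformed date string
}

def parse_last_updated(value):
    """Parse the API's 'YYYY-MM-DD H:MMam GMT' string to an aware datetime."""
    try:
        dt = datetime.strptime(value, "%Y-%m-%d %I:%M%p GMT")
    except (TypeError, ValueError):
        return None
    return dt.replace(tzinfo=timezone.utc)

def plugin_age_days(info, now):
    """Whole days since the plugin's last release, or None when unknown."""
    if not info:
        return None
    updated = parse_last_updated(info.get("last_updated"))
    return None if updated is None else (now - updated).days

def audit_plugins(records, now, max_age_days=MAX_AGE_DAYS):
    """Map slug -> reason for plugins needing attention (unknown dates fail closed)."""
    findings = {}
    for slug, info in records.items():
        age = plugin_age_days(info, now)
        if age is None:
            findings[slug] = "release date unknown; verify with the developer"
        elif age > max_age_days:
            findings[slug] = f"last release {age} days ago"
    return findings

def fetch_plugin_info(slug, timeout=10):
    """Live lookup (needs network); None if the slug is not in the repo."""
    try:
        with urlopen(API_URL.format(slug=slug), timeout=timeout) as resp:
            data = json.load(resp)
    except Exception:
        return None
    return None if "error" in data else data
```

For a real site, feed `audit_plugins` with `{slug: fetch_plugin_info(slug) for slug in installed}` where `installed` comes from `wp plugin list --field=name`; premium plugins that are not in the repository will show up as "release date unknown" and need a manual check with the vendor.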
These statistics paint a dire picture of WordPress security heading into 2024, driven by vulnerable, outdated, and abandoned plugins. Site owners must remain vigilant about plugin selection, updates, and maintenance to avoid becoming another victim in the growing cyber epidemic.
If you need any help with WordPress security, feel free to contact us to arrange a security check.