This week is a little different. At the beginning of each year, we take a look at how the ecosystem has evolved and what the data shows about the current state of WordPress security. This year we went a step further: instead of doing it alone, we partnered with Sucuri, which has incredibly wide coverage and has been doing some of the best WordPress malware research for more than a decade.
It’s important to take time for reflection to understand where we are heading, what needs attention, and what to prepare for. 2023 was a turbulent (I use this word because I’m writing this in an airplane somewhere above Spain) year. It was another record year in terms of the volume of security vulnerabilities being fixed in the ecosystem, but 2023 also introduced a shift in mindset which we believe will change the entire WordPress ecosystem for the better.
This year’s report has a lot to unpack, so for those who prefer a quick overview, this post is for you. If you wish to dive into the entire thing, you can find it here: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2024
5,948 new security vulnerabilities discovered in 2023
As mentioned, 2023 was another record year for cleaning up vulnerabilities in the WordPress ecosystem. Compared to 2022, there was a 24% increase in the volume of newly discovered vulnerabilities. 58.86% of the vulnerabilities required no authentication to exploit, and 42.9% were of high or critical severity.
Unfortunately, not all of the discovered vulnerabilities get fixed. Even worse, 15.7% of the vulnerabilities published by Patchstack (which accounted for 73% of all WordPress security vulnerabilities published in 2023) were in plugins that the WordPress plugin repository closed because the project had been abandoned, leaving those vulnerabilities unpatched.
Vulnerability management and fast mitigation remain among the most important security measures you can deploy to avoid ending up with a hacked website. Relying on updates alone is not enough: plugin vulnerabilities are now exploited within hours of disclosure, so time to mitigation should be everyone’s security KPI.
In 2022 we reported 147 potentially abandoned plugins to the WordPress plugin repository team; in 2023 that number rose to 827. This is a real issue, and we’ve also written about it in a blog post called “The WordPress Zombie Plugin Pandemic”: https://patchstack.com/articles/the-wordpress-zombie-plugins-pandemic-affects-1-6-million-websites/
Ecosystem shifting to a more mature approach to security
The majority of the security solutions offered in the WordPress ecosystem have been reactive. People have mostly thought about security only after they have been hacked, which is why most security companies have focused on malware scanning and remediation.
WordPress is perhaps the only ecosystem where “malware clean-up” is presented as a security feature, essentially signalling that full compromise is inevitable. Imagine if Google Cloud or AWS told their users that, if a customer’s infrastructure gets hacked, they will jump in and clean things up. That would raise a lot of questions, and people would probably think they had gone insane.
While companies have been focusing on malware scanners and remediation services, the underlying reasons why websites get hacked have received significantly less attention. That is why, despite the abundance of security solutions on the market, a large number of websites still get hacked every single day.
People are clearly tired of this seemingly endless loop of malware scanning and cleanups. Making matters worse, the concept of a plugin-based malware scanner is itself flawed, and attackers know it: a scanner that runs inside the application it is supposed to protect can be disabled by anyone who has gained that application’s privileges. Wordfence, Sucuri and other popular malware scanners are routinely turned off by attackers as they infect a site, so the malware stays hidden behind a false sense of security.
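One practical consequence of the point above is that the state of the security plugins should be checked from outside the site, where an intruder who has taken over WordPress cannot simply switch the check off. The following is an added example, not code from the original post or from Patchstack: it parses the output of the real WP-CLI command `wp plugin list --format=json` (fetched, for instance, over SSH by a cron job on a separate host) and alerts when a security plugin has been deactivated or removed, or when any plugin has an update pending. The plugin slugs, version numbers and the sample listing are constructed for the example.

```python
import json
import sys
from dataclasses import dataclass

# Security plugins this site is expected to have active. The slugs are
# illustrative assumptions for this example; use whatever your site relies on.
EXPECTED_SECURITY_PLUGINS = {"wordfence", "sucuri-scanner"}


@dataclass(frozen=True)
class Finding:
    plugin: str
    issue: str


def parse_plugin_list(wp_cli_json: str) -> dict:
    """Parse the output of `wp plugin list --format=json` into {slug: record}.

    Each record carries at least "name", "status", "update" and "version".
    """
    return {rec["name"]: rec for rec in json.loads(wp_cli_json)}


def check_plugins(wp_cli_json: str, expected=EXPECTED_SECURITY_PLUGINS) -> list:
    """Return the findings an operator should act on, given a fresh plugin listing."""
    plugins = parse_plugin_list(wp_cli_json)
    findings = []

    # 1. Has a security plugin been removed or deactivated since the baseline?
    for slug in sorted(expected):
        rec = plugins.get(slug)
        if rec is None:
            findings.append(Finding(slug, "security plugin is no longer installed"))
        elif rec["status"] != "active":
            findings.append(Finding(
                slug, f"security plugin status is '{rec['status']}', expected 'active'"))

    # 2. Any plugin with a pending update is a time-to-mitigation problem,
    #    whether or not it is a security plugin.
    for slug, rec in sorted(plugins.items()):
        if rec.get("update") == "available":
            findings.append(Finding(slug, f"update available (installed {rec['version']})"))

    return findings


# Constructed sample of `wp plugin list --format=json` output from a site where
# an intruder has deactivated Wordfence and deleted the Sucuri scanner entirely.
SAMPLE_LISTING = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "wordfence", "status": "inactive", "update": "none", "version": "7.11.3"},
    {"name": "contact-form-7", "status": "active", "update": "available", "version": "5.8.4"},
])


if __name__ == "__main__":
    # Pipe real output in (e.g. ssh deploy@site 'wp plugin list --format=json' | python3 check_plugins.py),
    # otherwise run against the constructed sample above.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for f in check_plugins(listing):
        print(f"[ALERT] {f.plugin}: {f.issue}")
```

Two caveats a practitioner should keep in mind. WP-CLI still executes on the possibly compromised host, so its output is only as trustworthy as that host; pair this check with something that does not depend on WordPress code paths, such as `wp core verify-checksums` run from a clean checkout or file-integrity monitoring at the filesystem level. And the check is a detective control, not a preventive one: the point of running it off-host is that the attacker who silenced the scanner cannot silence the alarm as well.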
Security has become a very active topic in the WordPress ecosystem. Developers and users are looking for better ways to secure their websites, and understanding of a layered approach to security and of secure development practices has finally started to put down deeper roots in the WordPress ecosystem.
That being said, I’ve never been more optimistic about WordPress security than I am today.
Resources:
- State of WordPress Security 2024: https://patchstack.com/whitepaper/state-of-wordpress-security-in-2024
- The WordPress Zombie Plugins Pandemic: https://patchstack.com/articles/the-wordpress-zombie-plugins-pandemic-affects-1-6-million-websites/
- Patchstack weekly security newsletter: https://patchstack.com/articles/announcing-the-patchstack-wordpress-security-weekly-newsletter/