WordPress Security In-Depth Analysis: Understanding Its True Security

How secure is WordPress? Many newbies may worry about this, especially when they hear that WordPress is an open source project. So, is there some data that can help us understand how secure WordPress is?

The answer is yes. In this post, we've gathered as much important data and information about WordPress security as we could. We'll look in detail at everything from the security of WordPress core, themes and plugins, to the security of login information and hosting services.

Our goal is to give you a clear picture of WordPress security, as well as point out possible risks and how to protect against them.

WordPress is statistically the most targeted by hackers

When we talk about WordPress security, there's an important number to keep in mind: 43%. According to W3Techs, that's how many websites around the world are built with WordPress. Note that this number refers not to WordPress' market share of all content management systems (which is actually higher), but to its share of all websites on the entire Internet.

This is a fairly high percentage, which shows that WordPress is very popular. While this is good news for WordPress supporters, it also means that it's an easier target for hackers.

Due to the large number of WordPress websites, this platform has become a focus for hackers. In fact, according to a threat study released by Sucuri in 2022, WordPress websites accounted for a whopping 96.21 TP3T of all infected websites.

Doesn't sound very safe, does it?

When you see WordPress being the target of so many hacking attacks, you might think that the platform does have security vulnerabilities. Why is it such a prime target for hackers?

The reason is simple: the sheer popularity of WordPress makes it a much more visible and attractive target for hackers. It's more efficient and easier for hackers to attack a platform used by hundreds of millions of websites than it is to attack a platform with a smaller user base. Hackers have used this wisely.

The bad news is that it's true that many WordPress sites are successfully attacked by hackers every year. But the good news is that, as you'll see next, these attacks are not inevitable. In fact, many successful attacks are preventable. The key is to know how to protect yourself.

WordPress Core Vulnerability Statistics

To determine if WordPress is secure, let's first look at the security statistics regarding the core WordPress software.

Most hacked sites have not been updated

According to Sucuri's report, most hacked WordPress sites are using older versions. By 2022, more than half of malware-infected websites have not been updated to the latest version of WordPress.

Not surprisingly, some older CMS versions have been found to have many known security vulnerabilities. So if you're still using one of these versions to run your website, it's a direct invitation for someone to attack it.

In fact, most of the security issues were concentrated in WordPress version 4.0 and earlier. Since then, there has been a significant drop in the number of security vulnerabilities.

Sucuri's research also shows this trend. The number of WordPress sites that are hacked because they are not updated is decreasing compared to before.

In fact, of all the content management systems they surveyed, WordPress had the smallest percentage of infections due to the use of older versions.

This trend has been going on for two years, during which time WordPress has seen a slight decrease in infections from older versions. Here's a comparison with data from 2021.

This is a user issue, not a WordPress issue!

How diligent are WordPress users in updating their sites? The truth is, many of them aren't keeping up. Here's the distribution of WordPress versions running on sites in the wild, as documented by WordPress.org.

Looking at the data, only about 60% users have installed the latest version of WordPress. however, the good news is that the majority of users are running at least the more secure version of WordPress 4.0 or later, and three-quarters have updated to at least the latest major version, which is an improvement. In 2016, for example, only about 50% users did so.

One of the reasons for this progress could be the automatic update feature introduced in WordPress version 5.6. Users no longer need to manually click on the update button and websites are able to install new versions of WordPress automatically, which definitely promotes a positive update dynamic.

WordPress Security Infrastructure Effective

While not all users are actively updating their sites, WordPress' core security team is able to effectively respond to and promptly fix security issues found in each new release. In 2023, WordPress has already released three security-focused updates that address approximately 20 to 30 potential security vulnerabilities, with the WordPress 6.0.3 release alone fixing 16 security issues. And in 2022, WordPress has released four security-specific releases, fixing a total of 26 vulnerabilities.

This focus on security is not limited to the core WordPress software, it extends to the entire ecosystem. For example, when Elementor encountered a major security vulnerability, it was quickly fixed. Similarly, Ninja Forms resolved a security issue after receiving a mandatory update from WordPress.org, and BackupBuddy quickly fixed a high-risk security vulnerability and pushed out an update to users.

So while WordPress, like any other software, can run into security challenges, it has protections in place to deal with them quickly. The biggest challenge is making sure that users apply these security updates and patches in a timely manner.

WordPress Theme and Plugin Security Statistics

As the world's most popular content management system, WordPress offers a huge number of extensions, many of which are free. To date, the official WordPress catalog alone contains nearly 60,000 plugins and over 11,000 themes.

Beyond the official WordPress catalog, there are thousands of other plugins available online, many with paid premium options. This makes WordPress a powerful platform because no matter what functionality you need, chances are someone has already developed a solution.

However, every additional plugin or theme installed on a website may open a new door for attackers. These extensions are the responsibility of various developers, and they may not be scrutinized as rigorously as the core WordPress software, making them more likely to hide security risks. Also, sometimes developers may no longer update their products, making these plugins and themes obsolete.

That's why plugins in particular figure so prominently in WordPress security issues, with data from WPScan.com showing that plugins are the source of the majority of WordPress security vulnerabilities.

Patchstack got similar numbers.

Apparently, free plugins pose a greater risk to WordPress security. According to Sucuri's research, paid themes and plugins constitute only a small portion (8.621 TP3T) of all third-party vulnerabilities, while the majority (91.381 TP3T) come from free extensions.

Another common problem is websites that continue to use older versions of plugins or themes that are known to be security risks.Sucuri's data shows that 36% had at least one plugin or theme with known vulnerabilities installed at the time the infected sites were found.

Popular extensions are the cause of most hacking attacks

Interestingly, the distribution of problematic plugins and themes is broad.Sucuri reports that some of the most vulnerable plugins include older versions of Contact Form 7 (accounting for 27.441 TP3T), Freemius Library (accounting for 20.851 TP3T), and WooCommerce (accounting for 14.511 TP3T). There are also several others on the list as well.

So why are we using these plugins with security issues? Actually, the problem is not the security of these plugins themselves, but because they are very popular. For example, Contact Form 7 has over 5 million installations.

Moreover, the development teams of these plugins are usually quick to address security issues once they are identified. The problem mainly arises when users do not update their plugins in a timely manner. Meanwhile, some work is still being done to address these security risks, such as a proposal for a plugin checker, which is similar to the idea of a theme checker tool.

So, the key thing we need to remember is to keep the theme and plugins up to date, which is just as important as maintaining the rest of the WordPress site.

login loophole

Login information is another key factor that makes a website vulnerable to hacking. If simple usernames and passwords are used, it becomes very easy to crack these credentials through brute force or crash attacks.

In this case, no matter how up-to-date your site is, or how secure your plugins and themes are, once someone has gained full access to your site, there are no limits to what they can do.

For example, Sucuri found malicious WordPress administrator users among the infected sites at 32.69%. Here are some examples of usernames and email addresses they often use.

On the other hand, this section is one of the places where the user has direct control. For example, WordPress comes with the ability to automatically generate secure passwords, so why not use it up?

However, you need to do the same for other accounts on your website, such as your hosting account and FTP credentials. Aside from that, there are other ways to enhance your login page security, such as limiting the number of login attempts and enabling dual authentication.

Hosting security statistics

The hosting environment and the technology used are also important for the security of your website, especially for the version of PHP that runs WordPress. For example, PHP 7 introduces better security features compared to the previous PHP 5.

In addition, PHP developers have a strict stop-support policy for older versions. As of this writing, support and security updates have been discontinued for versions prior to PHP 8.0, so it is best not to use these older versions for long periods of time.

Here, WordPress doesn't look so good. While the vast majority of WordPress sites run on at least PHP 7.0, with nearly half of them running on 7.4, only slightly more than a quarter of them use an actively supported version.

There are even about 6% still running on PHP version 5.x, which hasn't had any support for years. So if you haven't updated your version of PHP, please do so.

WordPress Security Statistics in a Nutshell

No CMS is 100% secure, and in fact, nothing connected to the web is ever completely secure. However, despite what you may have heard elsewhere to the contrary, WordPress has a pretty good security record overall. Yes, there are some issues that need to be addressed, but most of them are being dealt with aggressively.

Here are a few tips to follow if you want to make your website more secure:

• Always update your WordPress, plugins and themes to the latest version.
• Use only extensions from trusted sources.
• Use strong passwords for all accounts on your site.
• Consider using a firewall or CDN.
• Limit the number of login attempts.
• Encrypt website traffic with SSL certificates, including backend administration pages.
• Choose a hosting service that keeps PHP versions up to date.

Follow these tips and your WordPress site will have a positive track record at least when it comes to security.

Contact Us
Can't read the tutorial? Contact us for a free answer! Free help for personal, small business sites!	Customer Service
① Tel: 020-2206-9892
② QQ咨询：1025174874
(iii) E-mail: info@361sale.com
④ Working hours: Monday to Friday, 9:30-18:30, holidays off