WordPress is on track for a record-breaking year of plugin vulnerabilities disclosed to the WPScan vulnerability database, according to a collaborative mid-year security study issued by WPScan and Wordfence. WPScan discovered 602 new vulnerabilities in the first half of 2021, already more than the 514 discovered in all of 2020.
The study combines attack data from Wordfence’s platform with vulnerability data from WPScan’s database to give a more complete picture of WordPress security than either firm could provide on its own.
One trend Wordfence identified is an increase in password attacks: it reported blocking over 86 billion password attack attempts in the first half of 2021. Attackers use several methods to gain access to WordPress sites, including testing sites against lists of compromised passwords, dictionary attacks, and resource-intensive brute force attacks.
Themes are less vulnerable than plugins
According to Wordfence, the most common target of password attacks was the conventional login, which accounted for 40.4% of all attempts, followed by XML-RPC (37.7%). Because these attacks are growing quickly, the report recommends that site owners enable two-factor authentication on every account that supports it, use strong passwords that are unique to each account, disable XML-RPC when it is not in use, and use brute force protection.
Wordfence blocked more than 4 billion requests, either to prevent exploits or because they came from blocked IP addresses, according to data from its Web Application Firewall. The report breaks the blocked requests down by firewall rule: directory traversal accounts for 27.1% of them. Directory traversal occurs when an attacker tries to gain unauthorized access to files, for example by reading or deleting a site’s /wp-config.php file. The breakdown also shows that attackers continue to target certain older vulnerabilities.
Plugins remained the source of the most commonly reported vulnerabilities in the WordPress ecosystem; themes accounted for a much smaller share. According to the report, only three of the 602 vulnerabilities discovered by WPScan in the first half of the year were in WordPress core.
Cross-Site Scripting (XSS) vulnerabilities accounted for more than half of all vulnerabilities (52%) detected by WPScan, followed by Cross-Site Request Forgery (CSRF) at 16%, SQL Injection (13%), Access Control issues (12%), and File Upload issues (7%). By Common Vulnerability Scoring System (CVSS) score, 17% of the identified vulnerabilities were critical, 31% high, and 50% medium in severity.
Wordfence and WPScan say the increased number of vulnerabilities identified this year reflects the growth of the WordPress ecosystem and a maturing, healthy interest in security. Themes and plugins are not becoming more vulnerable over time; rather, more people are interested in finding and reporting security problems.
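The two attack categories the report quantifies, password attacks against the login and XML-RPC endpoints and directory traversal requests aimed at files such as /wp-config.php, are both visible in an ordinary web server access log. The following is an added example written for this article, not code from Wordfence, WPScan or the report: it parses combined-format log lines, flags traversal attempts (including URL-encoded and double-encoded `../` sequences) and reports source addresses that exceed a POST threshold against /wp-login.php or /xmlrpc.php. The log lines are constructed for the example, the plugin path in them is hypothetical, and the threshold of five POSTs is an assumption rather than a value from the report.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in Apache/nginx combined log format. These are not
# real traffic; the addresses come from the RFC 5737 documentation ranges and
# the plugin path "example/download.php" is hypothetical.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jul/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2021:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jul/2021:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2021:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
198.51.100.7 - - [01/Jul/2021:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
198.51.100.7 - - [01/Jul/2021:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
198.51.100.7 - - [01/Jul/2021:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
198.51.100.7 - - [01/Jul/2021:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.25"
192.0.2.55 - - [01/Jul/2021:10:02:00 +0000] "GET /wp-content/plugins/example/download.php?file=../../../wp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.55 - - [01/Jul/2021:10:02:01 +0000] "GET /wp-content/plugins/example/download.php?file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.55 - - [01/Jul/2021:10:02:02 +0000] "GET /index.php?p=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.99 - - [01/Jul/2021:10:03:00 +0000] "GET /2021/07/hello-world/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
203.0.113.99 - - [01/Jul/2021:10:03:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal indicators after decoding: ../ or ..\ plus two sensitive file names.
TRAVERSAL_RE = re.compile(r'(\.\.[/\\]|wp-config\.php|/etc/passwd)', re.IGNORECASE)

# Endpoints the report names as the top password-attack targets.
PASSWORD_TARGETS = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def decode_path(path, rounds=2):
    """URL-decode up to `rounds` times so double-encoded %252e%252e%252f
    surfaces as ../ ; stops early once decoding no longer changes the string."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the decoded request path contains a traversal indicator."""
    return bool(TRAVERSAL_RE.search(decode_path(path)))


def password_attack_sources(entries, threshold=5):
    """Map (ip, endpoint) -> POST count for sources at or above the threshold."""
    counts = Counter()
    for e in entries:
        endpoint = e["path"].split("?", 1)[0]
        if e["method"] == "POST" and endpoint in PASSWORD_TARGETS:
            counts[(e["ip"], endpoint)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def analyze(log_text, threshold=5):
    """Parse a log and return traversal hits and high-volume password-attack sources."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    traversal = [(e["ip"], e["path"]) for e in entries if is_traversal(e["path"])]
    return {
        "traversal": traversal,
        "password_attacks": password_attack_sources(entries, threshold),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, path in result["traversal"]:
        print(f"traversal attempt from {ip}: {path}")
    for (ip, endpoint), n in result["password_attacks"].items():
        print(f"{n} POST requests to {endpoint} from {ip}")
```

On the sample data the script reports three traversal attempts from 192.0.2.55 (one plain, one encoded, one double-encoded) and two high-volume sources: six POSTs to /wp-login.php from 203.0.113.10 and five to /xmlrpc.php from 198.51.100.7. The single legitimate login from 203.0.113.99 stays below the threshold, which is the point of counting per source and endpoint rather than alerting on every POST. Decoding twice matters because a single `unquote` would leave the double-encoded line looking harmless.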
It exemplifies the growth of the WordPress ecosystem – WordPress Security Report
“First and foremost, we aren’t seeing a lot of newly introduced vulnerabilities in plugins and themes, but rather a lot of older vulnerabilities in older plugins and themes being reported/fixed that simply weren’t detected until now,” Wordfence Threat Analyst Chloe Chamberland explained.
“Vulnerabilities aren’t being introduced as frequently, and more vulnerabilities are being detected simply due to the higher activity of researchers, which is in turn positively impacting the security of the WordPress ecosystem. Considering it isn’t newly introduced vulnerabilities that are being frequently discovered, I feel confident in saying that the increase in discoveries doesn’t indicate that the ecosystem is getting less secure at all, but rather getting more secure.”
Chamberland also believes that if vendors are made aware of vulnerabilities and learn from the experience, they will design more secure products in the future.
“Speaking from experience, as I spend a lot of my time looking for vulnerabilities in WordPress plugins, things have definitely been getting more secure from my perspective,” she said. “Today, I frequently find capability checks and nonce checks in all the right places, along with proper file upload validation measures in place and all the good stuff. It’s becoming harder to find easily exploitable vulnerabilities in plugins and themes that are actively maintained, which is a great thing!”
The mid-year report is available as a free PDF download from WPScan’s official website. An end-of-year report for 2021 is expected, according to WPScan founder and CEO Ryan Dewhurst, though he has not yet raised it with Wordfence; the two firms are discussing additional ways to work together.