Security whitepaper
Data updated 04.03.2022

State Of WordPress Security In 2021

WordPress is the technology powering 43.2% of websites on the web in 2021, this is up from 39.5% at the end of 2020.

Vulnerabilities from plugins and themes remain as one of the biggest threats to websites built on WordPress. In fact, just 0.58% of security vulnerabilities originate from WordPress core in 2021.

We’ve seen a 150% growth in vulnerabilities reported in 2021 compared to 2020 which is a significant increase. Meanwhile, 29% of the WordPress plugins with critical vulnerabilities received no patch.

In 2021, Patchstack launched a bug bounty community of ethical hackers (Patchstack Alliance) to identify and patch vulnerabilities across the entire WordPress ecosystem. In 2021, around $13,000 was paid out as bounties. Brands such as Plesk, cPanel, Pagely, and many others are already supporting it. Join the movement!

This whitepaper summarises the year 2021. We’ll be looking into WordPress core security in general, dive into plugin vulnerabilities, and explore the data we have gathered.

Patchstack is leading the way in open-source security by connecting technology, threat intelligence, and community to secure the open-source ecosystem.

Patchstack is officially authorized CNA to assign CVE IDs to WordPress-related vulnerabilities. Patchstack is also a winner of Global InfoSec Awards 2021 in two categories: Open Source Security and Web Application Security for providing “Cutting Edge” solutions to the market.

WordPress core is showing continuous improvements at regular intervals. There have been 4 security releases in 2021 – 5.7.1, 5.7.2, 5.8.1, and 5.8.2. Such a regular release schedule is a sign of a mature product.

Of those 4 security releases, only one contained a patch for a critical vulnerability. This sole critical vulnerability was not in WordPress logic either but was a security concern caused by insecurity found in an open-source component WordPress core was including.

This insecure component was the PHPMailer library, and WordPress core addressed this issue by updating that library. The PHPMailer library was affected by an object injection vulnerability (described in CVE-2020-36326) this vulnerability is also known as insecure de-serialization.

A successful attack could lead to PHP creating any object the attacker chooses, with the values the attacker chooses. Depending on the PHP codebase, this could have little effect on the website or could lead to actions being performed within PHP without any security or safety checks.

Dependency confusion is a risk that is caused when a piece of software’s auto-updating functionality can be tricked into updating software from the wrong source. For WordPress, dependency confusion attacks put custom plugins at high risk of being updated from the wrong source.

If a custom plugin shares the same name or “slug” as a plugin available via the plugin repository, the auto-update mechanism in WordPress core would have updated with the plugin repository version, but this is no longer the case as of WordPress 5.8.

The WordPress Core team added a feature in 2021 to protect sites from dependency confusion attacks. This new security feature allows developers of plugins to identify the source URI and update method for their plugin(s), ensuring the plugins are being updated from the same originating source.

Another sign of a mature product is the vulnerability disclosure policy and bug bounty program. All of the reported vulnerabilities in WordPress Core in 2021 were reported through this vulnerability disclosure program which sets forth proper rules and expectations for all parties involved.

Patchstack encourages all developers, including small open-source developers to have a public vulnerability disclosure policy. You do not need to pay big bug bounties to have one, and a vulnerability disclosure policy is exactly where you can state you offer no bounties on security bugs at all.

Public vulnerability disclosure policies are about setting expectations and stating who is responsible for reviewing security reports for the project and how to get in contact with them. Policies that go the extra mile and include bug bounty details are also great, but not required.

Feature-filled themes help users build websites with ease. These features though, sometimes lead to themes becoming more than just design. Many themes include PHP code for additional functionality, and, any code added to a website has the possibility of harboring insecurities.

As theme vulnerabilities can be as critical as plugin vulnerabilities, it’s advised to make sure to find a designer who is familiar with security issues and regularly updates their projects.

Site owners should also monitor their websites’ themes for security updates, this is just as important as monitoring the plugins.

Out of the theme vulnerabilities reported in 2021, the most critical would lead to a full site compromise via an arbitrary file upload. Patchstack Alliance member Lenon Leite identified over 50 themes that had security issues in their file upload functionalities throughout 2021.

2021 showed a continued trend of critical vulnerabilities in themes related to file upload features provided by the WordPress theme. This is not a new trend, but a recurring issue related to the fact that themes commonly include custom code for file upload functionality.

File upload vulnerabilities are critical to websites. These sorts of vulnerabilities are sought after by attackers, because being able to upload a web shell in a PHP file, is basically the same as a full site compromise.

WebHosts or Advanced users may want to consider disallowing the execution of PHP files in the file upload directories. This can be done via Apache .htaccess file, Nginx rules, or even a WAF firewall rule.

Simply block access to URLs ending in “.php” with URLs that contain the word “upload” (or match your known upload paths). This is relatively sane protection to implement, as website uploads are intended to be media like images, videos, or pdfs, but not PHP code.

In 2021 there were 35 critical vulnerabilities reported in WordPress plugins. Two of these critical vulnerabilities were found in plugins with over one million installations. These likely had many users scrambling to update their sites and hosting providers rushing to apply firewall rules to protect their customers.

We applaud the developers of these plugins for taking responsibility and acting quickly to get a security patch released. These vulnerabilities are on the lighter side of critical, as they had per-requisites such as a valid user account or interaction with a user on the site, but either could have resulted in a significant impact if an attacker was successful in their attack.

The positive action of these two projects is juxtaposed by the inaction of nine projects which had critical vulnerabilities identified in the plugins and with no security patch made available. We will discuss this next.

For example, the following 9 plugins have all been removed from their respective repositories due to not addressing security bugs. Two of the plugins were removed from the Code Canyon marketplace, while the other 7 were removed from the repository.

In these cases where no patches are made available, users need to manually check if they have these plugins installed and remove them or find alternatives. There is no method of communicating this issue directly to website owners running these plugins as the plugins will appear “up to date” in the WordPress administration pages if installed.

Because the insecure components have been removed from their respective repositories, no method to apply a patch is available to site owners running these plugins. In fact, no notice or warning is made available of the risk of running these plugins unless site owners have a security tool like the Patchstack plugin to notify them of insecure components on their websites.

What many of these critical vulnerabilities have in common is the lack of verification that the user has the appropriate privileges. Most of these vulnerabilities would not exist if this validation was present in the code. In addition, close attention must be paid to:

nopriv endpoints should never perform dangerous actions and should be under high scrutiny
Use current_user_can and wp_verify_nonce for privileged endpoints

In 2021, Patchstack added nearly 1500 new vulnerabilities to the Patchstack database. These vulnerabilities were in WordPress plugins, themes, and WordPress core.

If you compare these numbers with 2020 when we saw nearly 600 new vulnerabilities, it’s clear that 2021 has been an exceptional year for the security of the WordPress ecosystem.

The repository leads the way as the primary source for WordPress plugins and themes. Vulnerabilities in these components represented 91.79% of vulnerabilities added to the Patchstack database.

The remaining 8.21% of the reported vulnerabilities in 2021 were reported in the premium or paid versions of the WordPress plugins or themes that are sold through other marketplaces like Envato, ThemeForest, Code Canyon, or made available for direct download only.

Cross-site scripting (XSS) vulnerabilities once again topped the charts in 2021 accounting for almost 50% of the total vulnerabilities added to the Patchstack Database in 2021. Compared to 2020 – XSS vulnerabilities accounted for a bit more than 36%, in 2021 we see a rise in cross-site scripting vulnerabilities.

When comparing 2020 and 2021 we see CSRF and SQLi have changed places. SQL Injection counted for 9.1% of the vulnerabilities in 2020 and Cross-Site Request Forgery came third with 6.5% of vulnerabilities in 2020.

CVSS (3.1) is a great way to calculate the severity of the vulnerability and it’s easier to show the level of risk posed by the vulnerability without writing a broad explanation. That’s why we try to calculate CVSS (3.1) score for all vulnerabilities that we’re publishing on the database.

You will see a CVSS score with every vulnerability recorded in the Patchstack database. When possible, we also try to add further application-specific context. For example: with WordPress components, we clarify which default user roles would be needed to perform the attack, something CVSS does not cover.

This information shows up as a statement like “Requires subscriber or higher role user authentication.” on the vulnerability description page.

It is important to understand the context of a vulnerability’s risk. Without that, you could end up needlessly stressing out and performing emergency updates when risk is simply not present, or worse yet, ignoring or delaying addressing a vulnerability because it seems “medium risk” when in fact your websites are at immediate risk based on the context.

Patchstack has been offering protection for WordPress sites for years. Looking into Patchstack users we see important information about how our users manage security.

In 2021 we analyzed about 50 000 sites and looked at the installation count of plugins and themes. We found that on average a single WordPress website has 18 different components (plugins and themes) installed.

Comparing it to 2020 where we found that an average website had 23 plugins and themes installed on a single site. It shows improvement until we compare the number of average outdated plugins and themes on a site.

In 2020 we saw 4 out of 23 components outdated and in 2021 we saw 6 out of 18 components outdated on a single WordPress site. With every additional plugin installed on the website, the risk of being exposed to a potential vulnerability increases. The fact that websites are lagging behind with updates increases the risk even more.

Typically, only easy to exploit vulnerabilities are targeted. Vulnerabilities that have more prerequisites for successful exploitation are mostly not used in mass exploitation campaigns.

Vulnerabilities that we see being weaponized in mass exploitation campaigns don’t require any authentication. Below is a list of vulnerability types that are most attractive to the attackers.

These types of vulnerabilities, especially the ones in popular plugins are often exploited within hours of the vulnerability being disclosed to the public.

When looking at the statistics of Patchstack virtual patches to see which vulnerabilities were most actively targeted, some critical vulnerabilities that date back years are still being actively targeted.

This can be explained as the use of “hacking tools” that are available online. Such tools are pre-programmed to attempt all exploits and popular vulnerabilities against a target, and all the hacker needs to do is select a target website (or list of targets.)

Below is a list of top vulnerabilities that are being attacked the most on a daily basis.

Patchstack Alliance is a bug hunting platform that connects ethical hackers with open-source vendors to improve the security of the open-source web. Patchstack Alliance has members from Germany, France, Russia, Portugal, Brazil, Vietnam, Columbia, Netherlands, India, Estonia, Lithuania, Myanmar, Thailand, Malaysia, China, Indonesia.

In 2021 Patchstack paid 12,850.00 USD in bounties. Since April 2021, we received more than 1000 vulnerability reports from the Alliance members.

The biggest count of vulnerable points/parameters found in a single plugin was 47. We’ve accepted reports that affected plugins with less than ten active installs and also ones with over 5 million active installations. The most popular vulnerabilities reported by the members of Patchstack Alliance are XSS and CSRF.

The first year has proven a strong interest in the program by ethical hackers, open-source vendors, and also partners such as hosting companies.

In the end of 2021 Patchstack conducted a survey among website developers, website owners, and digital agencies. The aim of the survey was to get an understanding of how was the year 2021 regarding WordPress security.

When asking the respondents who they rely on for website security help, the majority said they deal with security issues primarily by themselves, while also relying on their hosting provider or a security plugin’s support team.

In WordPress security updates are a very important task of vulnerability management. We asked the respondents how often they update their plugins, themes, and WordPress core. Around 53% of the respondents stated they update their components weekly. 20% of respondents stated they perform updates daily and 18% monthly. Others have auto-updated enabled or have no information due to not being responsible for updates.

The WordPress ecosystem has countless security plugins and tools to choose from. Some of the tools are free, some cost up to hundreds per month. We wanted to know what is the average spend on website security among website owners, developers, and digital agencies.

Based on the data we gathered 28% of the respondents had zero budget to protect their websites. About 27% of the respondents stated their website’s security budget per website per month is between 1-3 dollars.

Only about 7% of the respondents said their website security budget is around $50 per site per month and most of these respondents were from digital agencies.

When looking at costs for malware removal we saw that the respondents spend on average $613 for WordPress malware removal. The highest price paid was $4,800 and the lowest was $50.

The average cost for website security among those who got their websites hacked during 2021 was around $8 per site/per month.

For the second year in the row (see 2020 survey report here), we have found that respondents see that the biggest problem in WordPress security is – WordPress core, plugin, and theme vulnerabilities.

The most popular challenges faced when dealing with website security in 2020 were lack of knowledge, blocking and preventing attacks, and plugin and theme vulnerabilities.

In 2021 the challenges remain the same. More than half of the respondents (59%) responded that in their opinion the biggest problem in WordPress security is core, plugin, and theme vulnerabilities.

About 15% shared that in their opinion insecure passwords are the biggest problem in WordPress security. The same amount of respondents said the biggest problem is nulled (malicious) plugins, themes. A little more than 9% of the respondents saw the biggest problem to be an insecure hosting environment.

Vulnerabilities from plugins and themes remain one of the biggest threats to websites built on WordPress. In fact, 99.42% of security vulnerabilities were found in WordPress plugins and themes, while only 0.58% of security vulnerabilities originated from WordPress Core.

We’ve seen a 150% growth in vulnerabilities reported in 2021 compared to 2020 which is a significant increase. Meanwhile, 29% of the WordPress plugins with critical vulnerabilities received no patch.

In 2021, Patchstack launched a bug bounty community for ethical hackers (Patchstack Alliance) to identify and patch vulnerabilities across the entire WordPress ecosystem. In 2021, around $13,000 was paid out as bounties. Brands such as Plesk, cPanel, Pagely, and many others are already supporting it. Support the movement!