WordPress is a great option to build your website — it’s customizable, scalable, and can help you create a polished, professional website without learning coding. But like all software, it comes with certain risks.
Below are some recent metrics showing WordPress security vulnerabilities — and why your web security must be a top priority this year. We’ve also written about WordPress security for other organizations. We take your website security seriously, and here’s why you should, too.
WordPress at Work
Did you know that WordPress powered over 27 million websites in 2019? [1] In fact, WordPress now powers over 35% of all websites on the Internet, and more than 51% of all content management system (CMS) websites. [1]
Because WordPress is so popular, it’s also a popular target for hackers. Malicious website attackers can decide: should they spend a lot of time coming up with unique solutions to break into a custom website? Or work on discovering one major flaw in WordPress, with the potential to compromise millions of sites in a single go?
Unfortunately for WordPress website users, the answer is clear — hackers target WordPress, knowing that the platform could grant access to millions of websites across the web. Numbers don’t lie: there was a 30% increase in WordPress vulnerabilities from 2017 to 2018. [2] In fact, 90% of all breached content management system (CMS) sites were WordPress. [3]
“Hackers attack WordPress sites both big and small, with over 90,978 attacks happening per minute.” — WordFence
The number of vulnerabilities is only going to grow — and your security needs to grow, too!
The Problem with Plugins
Many of the most critical vulnerabilities result from plugins. There are literally tens of thousands of WordPress plugins available; at the time of this article, there are over 55,500 plugins available through the official WordPress site [4] — and that’s not counting plugins for sale through other websites.
Add in the 7,200 WordPress plugins for sale on just one site, Code Canyon [5], and you’re at more than 62,700 available plugins total.
At first, this wide variety can seem like a good thing. Whatever feature you’re trying to add to your website, there’s probably a plugin already available that can fit your needs.
However, the truth is more complicated. Many of these plugins are outdated or poorly maintained. WordPress is open-source — anybody can develop a plugin and release it for use on other websites. As a result, many developers produce plugins that are not aligned with best practices, or are not maintained as the years (and software updates) go by.
In fact, only 3% of available WordPress plugins were developed in the last year. [6] And in 2018, fully 98% of WordPress vulnerabilities were related to plugins. [2]
Keep in mind: having poorly developed or outdated plugins installed on your website can create major security risks, even if they are inactive.
What can you do to improve website security?
Armed with this information, what can you do to improve your web security? If you haven’t reviewed my Annual Website Security Checklist, I suggest you start there for tips to improve your WordPress security.
Of particular importance: update your WordPress files and plugins — even for inactive plugins! Better yet, remove all unnecessary plugins and themes.
Note: updating WordPress files and plugins can affect site functionality. I always recommend updating each element individually and testing the site between updates. If you’re unsure about updating your WordPress website, contact me about updating your site.
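One way to script the advice above (list inactive plugins for removal, then update one plugin at a time and test the site after each), as an added example that is not from the original article. It assumes WP-CLI is installed as `wp`; the function names, the `SITE_URL` placeholder and the sample CSV are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Assumes WP-CLI is installed as `wp`.
WP="${WP:-wp}"
SITE_URL="${SITE_URL:-https://example.test/}"   # placeholder: your site's URL

# Constructed sample of: wp plugin list --fields=name,status,update --format=csv
SAMPLE_CSV='name,status,update
contact-form,active,available
old-slider,inactive,available
seo-tools,active,none
unused-gallery,inactive,none'

# Read that CSV on stdin; print inactive plugins (review these for removal).
inactive_plugins() { awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'; }

# Read that CSV on stdin; print every plugin with an update waiting,
# inactive ones included, since they still need patching until removed.
pending_updates() { awk -F, 'NR > 1 && $3 == "available" { print $1 }'; }

# Minimal smoke test: the front page must answer HTTP 200.
site_ok() {
  [ "$(curl -s -o /dev/null --max-time 15 -w '%{http_code}' "$SITE_URL")" = "200" ]
}

# Update one plugin at a time and stop at the first failed check, so the
# plugin that broke the site is the last one named in the output.
update_one_by_one() {
  plugins=$("$WP" plugin list --fields=name,status,update --format=csv |
            pending_updates) || return 1
  for p in $plugins; do
    echo "Updating $p"
    "$WP" plugin update "$p" || return 1
    site_ok || { echo "Site check failed after $p; stopping." >&2; return 1; }
  done
}
```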
Invest in Your Website Security
As WordPress continues to grow in popularity, vulnerabilities will continue to grow, too. Your security needs to stay ahead of attacks and compromises, and I hope these stats show that your web security must be a top priority this year.