400 WordPress Security Vulnerabilities?!

Trust me: It’s not as bad as it sounds.

[Image: WordPress security statistics, read correctly, are nothing to worry about]

Searching the National Vulnerability Database using keyword “WordPress” blasts you with 400 listed vulnerabilities! I’ve seen this number quoted recently when comparing WordPress to other content management systems, and it puts WordPress security in a negative light.

“Holy hole in a firewall, Mattman! How can you sleep at night, knowing WordPress is putting the world at risk?”

Never fear! Read on to see the truth I found just beneath the surface of those numbers.

Statistics explored

Time periods

I found these 400 vulnerabilities include all security problems reported since 2004. Searching for the last 3 years only reports 176 records, and the last 3 months reports 23 records–an encouraging trend. Still, I wanted to dig deeper.

Limitations in the search engine

The only way to get the scary 400 WordPress security issues is to search the database by keyword. While there is an advanced search by “Product,” searching for all versions of WordPress this way yields only 231 issues total. Since we’re trying to address the recurring rant that WordPress has over 400 security vulnerabilities, we’ll stick with the broader results returned by my keyword search.

[Figure: WordPress security reports broken out by origin, presented as a pie chart]

Hacking off miscategorized results

28% of the results–112 issues–were not related to WordPress at all. They show up in the keyword search because somewhere in the details folks provided web links to WordPress-powered sites that give more details about the issue. Both WordPress.com blogs and self-hosted sites using the default “wordpress” directory name have “wordpress” in their page URLs.

Great–we’re down to 288 reports over 8 years.

Separating WordPress core from 3rd-party plugins and themes

WordPress enjoys a thriving theme and plugin development community, but that also means more potential security problems. 40% of results–159 issues–were from 3rd-party plugins and themes. While we need to be concerned about this, it seems the WordPress core–what you get when first installing WordPress–isn’t so bad after all. Removing the 159 3rd-party issues, we’re down to only 129 issues with WordPress core, spread over 8 years.

Positive trends–warning included

Eight years of data helps us see two important trends. Security vulnerabilities reported for WordPress core have trended downward. Issues reported for 3rd-party plugins, however, are trending upward.

While it’s great to see WordPress core being really secure, those 3rd-party plugins and themes are an important part of the WordPress ecosystem.
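The triage walked through above (drop keyword hits that only match via reference URLs, split WordPress core from plugins and themes, then count per year to see the trend), as an added Python example; it is not the author's script, and the records, ids and field names are constructed stand-ins for NVD entries.

```python
from collections import Counter, defaultdict
import re

# Constructed sample records in a simplified NVD-like shape; the ids are
# placeholders, not real CVE numbers, and the entries are invented.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "year": 2012, "cpes": ["cpe:/a:wordpress:wordpress:3.3"],
     "description": "XSS in WordPress core comment handling.",
     "references": ["http://wordpress.org/news/"]},
    {"id": "CVE-0000-0002", "year": 2012, "cpes": ["cpe:/a:example:gallery_plugin:1.0"],
     "description": "SQL injection in the Gallery plugin for WordPress.",
     "references": ["http://example.com/advisory"]},
    {"id": "CVE-0000-0003", "year": 2011, "cpes": ["cpe:/a:example:some_router:2.0"],
     "description": "Buffer overflow in SomeRouter firmware.",
     "references": ["http://researcher.wordpress.com/2011/advisory/"]},
    {"id": "CVE-0000-0004", "year": 2010, "cpes": [],
     "description": "Directory traversal in the Foo theme for WordPress.",
     "references": ["http://example.org/wordpress/advisory"]},
    {"id": "CVE-0000-0005", "year": 2009, "cpes": ["cpe:/a:wordpress:wordpress:2.8"],
     "description": "Privilege escalation in WordPress.",
     "references": []},
]

CORE_CPE = re.compile(r"^cpe:/a:wordpress:wordpress(:|$)")
WP_WORD = re.compile(r"wordpress", re.IGNORECASE)
ADDON_WORD = re.compile(r"\b(plugin|theme)\b", re.IGNORECASE)

def classify(record):
    """Return 'core', 'third_party' or 'unrelated' for one record.
    Unrelated means neither the product CPEs nor the description mention
    WordPress: the keyword only matched a reference URL."""
    if any(CORE_CPE.match(c) for c in record["cpes"]):
        return "core"
    desc = record["description"]
    if WP_WORD.search(desc):
        return "third_party" if ADDON_WORD.search(desc) else "core"
    return "unrelated"

def summarize(records):
    """Totals per category, plus per-year counts to eyeball the trend."""
    totals = Counter()
    by_year = defaultdict(Counter)
    for rec in records:
        cat = classify(rec)
        totals[cat] += 1
        by_year[rec["year"]][cat] += 1
    return totals, dict(by_year)
```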

[Figure: WordPress security issues over time, showing declining core issues and increasing plugin issues]

Stay alert, but don’t freak out

  • WordPress core security is excellent and continues to improve, with quick patches released when anything is discovered.
  • Plugin and Theme developers need to understand and implement security better.
  • Website admins need to be careful installing plugins and themes they are unfamiliar with on a production machine.
  • Plugin security review in the community would be helpful, but difficult and time-consuming.

A last word about the National Vulnerability Database

I couldn’t find any resource better than the NVD for this type of security information. That said, the database is only as good as those who report to it. Does data just come from random IT folks? Important data is being left out, for sure.

Case in point: TimThumb

Sorry to make most of you cringe. TimThumb is an on-the-fly image resizing PHP script used in many 3rd-party plugins and themes. In 2011, all hell broke loose in the WordPress community as a serious security flaw was found in TimThumb, affecting most derivative works.

There is absolutely no mention of TimThumb in the National Vulnerability Database. None.

Moving forward

Have faith in your WordPress core, fellow developers. And before you release that snazzy new plugin or theme, make sure you’ve covered the bases regarding WordPress security!

Comments (2)

  1. The more important (and unanswered) question is the average resolution time. From the day it’s reported to WP (or published as a zero-day exploit), how long does it usually take before wordpress.org is pushing the fix? The WP Trac, for example, has 37 outstanding (visible) tickets tagged “security” – one of which is 3 years old.

    Whether this is the norm or not is important; security issues should always be at the top of the to-do list. But even so, there are recent tickets that *are* security-related tickets that are not tagged as security, and the reporter of any given issue shouldn’t be expected to understand that something *could* pose a security risk.