
Read the 2021 WordPress Vulnerability Annual Report

Written by Kristen Wright on January 26, 2022

Last Updated on January 26, 2022

As a WordPress user or developer, you already know that one of the biggest challenges you face is fully securing your site from vulnerabilities and the threat of malicious attacks.

In an uncertain world where website and online security is under constant attack, all WordPress site owners need to take their security protocols more seriously than in the past.

The data just released in our first-ever 2021 WordPress Vulnerability Report not only shows you the entire year of reported 2021 WordPress vulnerabilities, it also reveals the specific vulnerabilities that hackers most often exploit.

For example, did you know that 97.1% of total 2021 WordPress vulnerabilities were due to plugins? That’s important to know if running a secure WordPress site matters to you.


Here at iThemes, we don’t want to just point out problems. We also want to give you proven solutions that work to keep your WordPress website fully secure from vulnerabilities. And you’ll learn exactly what to do to fully secure your WordPress site after reviewing this data.

2021’s Biggest Takeaway: Keep a Close Eye On Your WordPress Plugins

A full 97.1% of all WordPress vulnerabilities disclosed in 2021 were due to issues with plugins. You read that right.

2021 Vulnerabilities By Source

Vulnerability Source   Number Reported   Percentage of Total (1,628)
WordPress Core         8                 0.05%
Plugins                1,581             97.1%
Theme                  39                2.4%

But what’s most concerning is that, of the 1581 plugin vulnerabilities that were reported in 2021, 23.2% of them had no known fix. This means that, as we move forward into 2022 and beyond, we need to be all the more vigilant on the plugins we download and use.

For example, while you may be able to get a free plugin solution from an unknown plugin developer, do you fully trust its security? As the data shows, 29% of reported plugin vulnerabilities have yet to be patched by their developers.

Plugin Status at Time of Disclosure

Plugin Status     Number Reported   Percentage of Total (1,628)
Patched           1,156             71%
No Known Fix      377               23.2%
Plugin Closed     95                5.8%

Whenever possible, stick with the plugin developers that you trust and never use nulled WordPress plugins and themes. And, of course, keep your plugins and themes updated with available patches whenever they are released.

But even when you do that, vulnerabilities will still be exploited by skilled hackers and malicious attackers before plugin developers can create patches to fix them.

This is exactly why your WordPress site needs rock-solid security protection, as we’ll discuss in a minute. 

For now, it’s important to know that the iThemes Security Pro plugin has a built-in site scanner that pairs with the Version Management feature to automatically scan for known vulnerabilities and auto-update any vulnerable plugins so you don’t have to worry so much about your site security.

A Huge September 2021 Uptick of Reported Vulnerabilities

September was the month that stood out from the rest. In fact, September saw 20.5% of the total reported vulnerabilities, or 335 in total. For perspective, the month that saw the second-highest number of vulnerabilities was October, which had 173 reported. July wasn’t far behind, with 157 occurrences.

Vulnerabilities Per Individual Plugin/Theme/Core By Month (2021)

Month       Plugins   Theme   Core
January     19        0       0
February    42        2       0
March       58        1       0
April       67        1       2
May         37        5       2
June        80        7       0
July        157       7       0
August      149       0       0
September   335       3       1
October     173       1       0
November    120       0       0
December    45        0       0

While it certainly isn’t possible to know if a similar pattern will play out as we move further into 2022, this is certainly important data to keep our eyes on.

Vulnerabilities By Threat Level By Month (2021)

Month       Critical   High   Medium   Low
January     5          3      11       1
February    25         10     0        21
March       16         19     35       0
April       25         27     37       1
May         4          18     32       3
June        7          18     64       1
July        8          65     120      9
August      11         135    56       37
September   19         174    156      38
October     8          73     75       62
November    9          46     53       22
December    0          30     18       9

Cross-Site Scripting As Most Common Plugin Vulnerability

Cross-site scripting (XSS) is a type of website security vulnerability that is found in many WordPress applications, such as plugins and themes. 

These XSS attacks enable attackers to inject client-side scripts into WordPress web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, and fully access the back end of your site. 

Cross-site scripting vulnerabilities reported in WordPress software in 2021 accounted for 54.4% of all WordPress vulnerabilities, or 885 vulnerabilities in total.
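The kind of plugin defect behind most of those 885 reports is output that echoes attacker-controlled input straight into the page. The following is an added example written for this post, not code from the report or from any real plugin: a shortcode that reflects a query-string value, first in the vulnerable form and then hardened with WordPress’s own sanitization and escaping functions (sanitize_text_field, esc_html, esc_attr, which do exist in core). The plugin name, shortcode tag and the visitor parameter are invented for illustration.

```php
<?php
/**
 * Plugin Name: Example Greeting Shortcode (added illustration, not a real plugin)
 *
 * Demonstrates a reflected XSS defect and its fix. The "visitor" query
 * parameter and the shortcode tag are made up for this example.
 */

// VULNERABLE: the untrusted ?visitor= value is concatenated into HTML as-is.
// Anything the request supplies, including a <script> element, becomes part
// of the page and runs in the browser of whoever views it.
function example_greeting_shortcode_vulnerable( $atts ) {
    $visitor = isset( $_GET['visitor'] ) ? $_GET['visitor'] : 'friend';
    return '<p class="greeting">Hello, ' . $visitor . '!</p>';
}

// HARDENED: sanitize on input, escape on output, each for its HTML context.
function example_greeting_shortcode_hardened( $atts ) {
    // Normalize shortcode attributes so an unexpected key cannot reach output.
    $atts = shortcode_atts( array( 'class' => 'greeting' ), $atts, 'example_greeting' );

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and line breaks.
    $visitor = isset( $_GET['visitor'] )
        ? sanitize_text_field( wp_unslash( $_GET['visitor'] ) )
        : 'friend';

    // Escape for the exact place the value lands: esc_attr() inside an
    // attribute, esc_html() inside a text node. Escaping is what neutralizes
    // markup; sanitizing alone is not enough if the value is later echoed.
    return sprintf(
        '<p class="%s">Hello, %s!</p>',
        esc_attr( $atts['class'] ),
        esc_html( $visitor )
    );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// purely for comparison.
add_shortcode( 'example_greeting', 'example_greeting_shortcode_hardened' );
```

The rule of thumb this illustrates is "late escaping": escape at the moment of output, with the function that matches the context (esc_html, esc_attr, esc_url, esc_js, or wp_kses_post when a limited set of HTML must be allowed). Sanitizing on input is a useful second layer but does not replace it.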

Vulnerability Type                  Number Reported   Percentage of Total (1,628)
Cross-Site Scripting (XSS)          885               54.4%
Cross-Site Request Forgery (CSRF)   167               10.2%
SQL Injections                      152               9.3%
Bypasses                            68                4.2%
RCE Vulnerabilities                 20                1.2%
PHP Vulnerabilities                 19                1.2%
Var Disclosures                     19                1.2%
REST API                            11                0.7%
Sensitive Information Disclosure    6                 0.4%
All Others                          281               17.3%

As you can see, cross-site scripting is a major security concern for all WordPress site owners. But the vulnerability concerns don’t end there.

Another 10.2%, or 167 vulnerabilities, stemmed from cross-site request forgery (CSRF).

Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
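In a WordPress plugin, the typical CSRF defect is a form handler that trusts any POST request, so that a logged-in administrator who merely visits a page holding a hidden, auto-submitting form changes a setting without meaning to. Below is an added example written for this post, not code from the report or any real plugin: a settings form submitted through admin-post.php, first as an unprotected handler and then protected with a nonce and a capability check. The core functions used (wp_nonce_field, check_admin_referer, current_user_can, admin_url, submit_button, update_option) are real WordPress APIs; the option name, action name and field name are invented.

```php
<?php
/**
 * Plugin Name: Example Settings Form (added illustration, not a real plugin)
 *
 * Demonstrates a CSRF defect in an admin-post.php handler and its fix.
 * Option, action and field names are made up for this example.
 */

// Render the form. wp_nonce_field() emits a hidden field whose value is
// tied to the action name and the current user's session, so a form
// forged on another site cannot supply a matching value.
function example_render_settings_form() {
    $current = get_option( 'example_footer_text', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>Footer text
            <input type="text" name="footer_text"
                   value="<?php echo esc_attr( $current ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// VULNERABLE: accepts any POST that reaches it. The only thing an attacker
// needs is that the victim's browser sends the admin's cookies, which it
// does automatically for a cross-site form submission.
function example_save_settings_vulnerable() {
    update_option( 'example_footer_text', $_POST['footer_text'] );
    wp_safe_redirect( wp_get_referer() );
    exit;
}

// HARDENED: require the capability, verify the nonce, sanitize, then store.
function example_save_settings_hardened() {
    // Authorization: the user must be allowed to change site options at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // Intent: check_admin_referer() validates the nonce for this action and
    // terminates the request with a 403 page if it is missing or stale.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Input handling: never store raw request data.
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'example_footer_text', $text );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// Only the hardened handler is wired to the admin-post action; the
// vulnerable one stays above for comparison.
add_action( 'admin_post_example_save_settings', 'example_save_settings_hardened' );
```

Two checks are needed, not one: the nonce proves the request originated from a form WordPress rendered for this user, and the capability check proves the user is entitled to make the change. A handler that does only one of them is still exploitable by the scenario the other check covers.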

It doesn’t take long to see that, without proper WordPress security protocols in place, your WordPress website is wide open to cross-site attacks of all kinds.

But those aren’t the only types of vulnerabilities that you should be concerned about. Beyond them, there are seven distinct types of vulnerabilities that were reported in 2021.

And don’t dismiss the 281, or 17.3%, of reported vulnerabilities that are labeled in the report as “Other.”

Often, these types of attacks are the ones that aren’t yet understood by theme and plugin developers, and require a powerful WordPress security plugin to keep them from damaging or hacking your site.

Vulnerability Threat Levels in 2021

Threat Level   Number Reported   Percentage of Total (1,628)
Critical       137               8.4%
High           630               38.7%
Medium         678               41.6%
Low            183               11.2%

WordPress Core and Theme Vulnerabilities

As a WordPress site owner, you probably already know the importance of keeping your plugins updated at all times to avoid potential attacks.

After all, the vast majority of vulnerabilities are exploited through plugins.

But, as the 2021 numbers indicate, plugins aren’t where your security protocols begin and end. Even if you’re 100% vigilant with the plugins you use and keeping them updated, your site can still be exploited by vulnerabilities in your theme.

It can also be exploited through the core WordPress software. Last year, a total of 47 vulnerabilities were reported in WordPress core and in various themes. That number accounts for about 2.5% of all 2021 WordPress security vulnerabilities.

And while that may not seem like much, it only takes one exploited site vulnerability to completely ruin the reputation of your website and business. 

Of course, the first solution is to keep WordPress core and your theme fully patched and updated at all times. But as we stated regarding plugins, that only helps solve past known vulnerabilities.

For the new ones, you need to run security software that knows how to detect when malicious attacks are happening in real time.

Make Sure to Keep Website Security a Focus in 2022

This is where the iThemes Security Pro plugin steps in to help keep your WordPress site secure. With our easy-to-use, straightforward WordPress security solution, you’ll immediately be able to sleep better at night knowing that your site is fully protected from hackers and malicious attacks.

The first step is understanding the bombardment of security threats your site is constantly under. After that, it’s time to get iThemes Security Pro and get serious about your WordPress website security protocol.

With a built-in WordPress site scanner to scan for known WordPress vulnerabilities, paired with layers of protection for your login page like brute force protection, as well as file change detection and user logging, your site has a strong defense against hacks and security breaches.

