As a WordPress user or developer, you already know that one of the biggest challenges you face is fully securing your site from vulnerabilities and the threat of malicious attacks.
In an uncertain world where website and online security is under constant attack, all WordPress site owners need to take their security protocols more seriously than in the past.
The data just released in our first ever 2021 WordPress Vulnerability Report not only shows you the entire year of reported 2021 WordPress vulnerabilities, it also reveals the specific vulnerabilities that hackers most often exploit.
For example, did you know that 97.1% of total 2021 WordPress vulnerabilities were due to plugins? That’s important to know if running a secure WordPress site matters to you.
Here at iThemes, we don’t want to just point out problems. We also want to give you proven solutions that work to keep your WordPress website site fully secure from vulnerabilities. And you’ll learn exactly what to do to fully secure your WordPress site after reviewing this data.
2021’s Biggest Takeaway: Keep a Close Eye On Your WordPress Plugins
In 2021, a full 97.1% of all WordPress vulnerabilities disclosed last year were due to issues with plugins. You read that right.
2021 Vulnerabilities By Source
| Vulnerability Source | Number Reported | Percentage of Total (1,628) |
|---|---|---|
| WordPress Core | 8 | 0.05% |
| Plugins | 1581 | 97.1% |
| Theme | 39 | 2.4% |
But what’s most concerning is that, of the 1581 plugin vulnerabilities that were reported in 2021, 23.2% of them had no known fix. This means that, as we move forward into 2022 and beyond, we need to be all the more vigilant on the plugins we download and use.
For example, while you may be able to get a free plugin solution from an unknown plugin developer, do you fully trust its security? As the data shows, 29% of reported plugin vulnerabilities have yet to be patched by their developers.
Plugin Status at Time of Disclosure
| Threat Level | Number Reported | Percentage of Total (1,628) |
|---|---|---|
| Patched | 1156 | 71% |
| No Known Fix | 377 | 23.2% |
| Plugin Closed | 95 | 5.8% |
Whenever possible, stick with the plugin developers that you trust and never use nulled WordPress plugins and themes. And, of course, keep your plugins and themes updated with available patches whenever they are released.
But even when you do that, vulnerabilities will still be exploited by skilled hackers and malicious attackers before plugin developers can create patches to fix them.
This is exactly why your WordPress site needs rock-solid security protection, as we’ll discuss in a minute.
For now, it’s important to know that the iThemes Security Pro plugin has a built-in site scanner that pairs with the Version Management feature to automatically scan for known vulnerabilities and auto-update any vulnerable plugins so you don’t have to worry so much about your site security.
A Huge September 2021 Uptick of Reported Vulnerabilities
September was the month that stood out from the rest. In fact, September saw 20.5% of the total reported vulnerabilities, or 335 in total. For perspective, the month that saw the second-highest number of vulnerabilities was October, which had 173 reported. July wasn’t far behind, with 157 occurrences.
Vulnerabilities Per Individual Plugin/Theme/Core By Month (2021)
| Month | Plugins | Theme | Core |
|---|---|---|---|
| January | 19 | 0 | 0 |
| February | 42 | 2 | 0 |
| March | 58 | 1 | 0 |
| April | 67 | 1 | 2 |
| May | 37 | 5 | 2 |
| June | 80 | 7 | 0 |
| July | 157 | 7 | 0 |
| August | 149 | 0 | 0 |
| September | 335 | 3 | 1 |
| October | 173 | 1 | 0 |
| November | 120 | 0 | 0 |
| December | 45 | 0 | 0 |
While it certainly isn’t possible to know if a similar pattern will play out as we move further into 2022, this is certainly important data to keep our eyes on.
Vulnerabilities By Threat Level By Month (2021)
| Month | Critical | High | Medium | Low |
|---|---|---|---|---|
| January | 5 | 3 | 11 | 1 |
| February | 25 | 10 | 0 | 21 |
| March | 16 | 19 | 35 | 0 |
| April | 25 | 27 | 37 | 1 |
| May | 4 | 18 | 32 | 3 |
| June | 7 | 18 | 64 | 1 |
| July | 8 | 65 | 120 | 9 |
| August | 11 | 135 | 56 | 37 |
| September | 19 | 174 | 156 | 38 |
| October | 8 | 73 | 75 | 62 |
| November | 9 | 46 | 53 | 22 |
| December | 0 | 30 | 18 | 9 |
Cross-Site Scripting As Most Common Plugin Vulnerability
Cross-site scripting (XSS) is a type of website security vulnerability that is found in many WordPress applications, such as plugins and themes.
These XSS attacks enable attackers to inject client-side scripts into WordPress web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls, and fully access the back end of your site.
Cross-site scripting carried out on WordPress websites in 2021 accounted for 54.4% of all WordPress vulnerabilities. And that was a total of 885 total vulnerabilities.
| Threat Level | Number Reported | Percentage of Total (1,628) |
|---|---|---|
| Cross-Site Scripting (CSS) | 885 | 54.4% |
| Cross-Site Forgery Request (CSFR) | 167 | 10.2% |
| SQL Injections | 152 | 9.3% |
| Bypasses | 68 | 4.2% |
| RCE Vulnerabilities | 20 | 1.2% |
| PHP Vulnerabilities | 19 | 1.2% |
| Var Disclosures | 19 | 1.2% |
| REST API | 11 | 0.7% |
| Sensitive Information Disclosure | 6 | 0.4% |
| All Others | 281 | 17.3% |
As you can see, cross-site scripting is a major security concern for all WordPress site owners. But the vulnerability concerns don’t end there.
Another 10.2%, or 167 vulnerabilities, stemmed from Cross-Site Forgery Requests (CSFR).
Cross-site request forgery, also known as one-click attack or session riding, is a type of malicious exploit of a website where unauthorized commands are submitted from a user that the web application trusts.
It doesn’t take long to see that, without proper WordPress security protocols in place, your WordPress website is wide open to cross-site attacks of all kinds.
But those aren’t the only types of vulnerabilities that you should be concerned about. Beyond them, there are seven distinct types of vulnerabilities that were reported in 2021.
And don’t dismiss the 281, or 17.3%, of reported vulnerabilities that are labeled in the report as “Other.”
Often, these types of attacks are the ones that aren’t yet understood by theme and plugin developers, and require a powerful WordPress security plugin to keep them from damaging or hacking your site.
Vulnerability Threat Levels in 2021
| Threat Level | Number Reported | Percentage of Total (1,628) |
|---|---|---|
| Critical | 137 | 8.4% |
| High | 630 | 38.7% |
| Medium | 678 | 41.6% |
| Low | 183 | 11.2% |
WordPress Core and Theme Vulnerabilities
As a WordPress site owner, you probably already know the importance of keeping your plugins updated at all times to avoid potential attacks.
After all, the vast majority of vulnerabilities are exploited through plugins.
But, as the 2021 numbers indicate, plugins aren’t where your security protocols begin and end. Even if you’re 100% vigilant with the plugins you use and keeping them updated, your site can still be exploited by vulnerabilities in your theme.
It can also be exploited through the core WordPress software. Last year, we saw a total of 47 vulnerabilities that were exploited through WordPress core and various themes. That number accounts for about 2.5% of all 2021 WordPress security vulnerabilities.
And while that may not seem like much, it only takes one exploited site vulnerability to completely ruin the reputation of your website and business.
Of course, the first solution is to keep WordPress core and your theme fully patched and updated at all times. But as we stated regarding plugins, that only helps solve past known vulnerabilities.
For the new ones, you need to run security software that knows how to detect when malicious attacks are happening in real time.
Make Sure to Keep Website Security a Focus in 2022
This is where the iThemes Security Pro plugin steps in to help keep your WordPress site secure. With our easy-to-use, straight forward WordPress security solution, you’ll immediately be able to sleep better at night knowing that your site is fully protected from hackers and malicious attacks.
The first step is understanding the bombardment of security threats your site is constantly under. After that, it’s time to get iThemes Security Pro and get serious about your WordPress website security protocol.
With a built-in WordPress site scanner to scan for known WordPress vulnerabilities, paired with layers of protection for your login page like brute force protection, as well as file change detection and user logging, your site has a strong defense against hacks and security breaches.
The Best WordPress Security Plugin to Secure & Protect WordPress
Built by the WordPress security experts since 2014
WordPress currently powers over 40% of all websites, so it has become an easy target for hackers with malicious intent. iThemes Security Pro takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website.
Kristen has been writing tutorials to help WordPress users since 2011. As marketing director here at iThemes, she’s dedicated to helping you find the best ways to build, manage, and maintain effective WordPress websites. Kristen also enjoys journaling (check out her side project, The Transformation Year!), hiking and camping, step aerobics, cooking, and daily adventures with her family, hoping to live a more present life.
