Analysis: State of WordPress Security in 2021

Episode 41 March 10, 2022 00:22:50
WP Review

Hosted By

Joe Casabona

Show Notes

In a bit of serendipity, the same week I finished recording my next LinkedIn Learning course, Troubleshooting and Repairing Your WordPress Website, Patchstack has published its State of WordPress Security in 2021 white paper. I’ll go through some of the highlights from the white paper, and give you my analysis.

Brought to you by GoDaddy Pro. Get all of the show notes, and a written-to-be-read article, over at


Episode Transcript

Real quick, before we get started, I want to tell you about a free resource I have called Creator Toolkits. Anyone can create content anytime and anywhere, but finding the right set of tools that add more value to your content creation process is hard. From figuring out the best membership plugin to choosing an LMS, the process can become overwhelming. And what's the guarantee you'll make the right choice? That's why I built Creator Toolkits. I've been around this space long enough to know the projects and tools that work, and you can find all of my recommendations over at []. But that's not all. If you sign up for the mailing list, you'll get a free private podcast where I talk about these toolkits for mailing list subscribers only. You can also join the Creator Crew, and by becoming a member, you get exclusive access to updates and detailed video tutorials. So to sum up, head over to []. Get the “What” for free. Get the “Why” by joining the mailing list. And get the “How” by joining Creator Crew Pro. Again, that's over at [].

In a bit of serendipity, the same week I finished recording my next LinkedIn Learning course, Troubleshooting and Repairing Your WordPress Website, Patchstack published its State of WordPress Security in 2021 white paper. I became familiar with Patchstack through the work I do with Plesk on their Next-Level Ops podcast; I'll link that in the show notes over at []. Patchstack was kind enough to send me an advance copy of the report, which I went through. Since this is timely, I thought I'd delay Part 2 of the Building a Better Business series until next week, and instead I'll go through some of the highlights from the white paper and then give you my analysis.

Hey, everybody, and welcome to Episode 41 of WP Review, a show that provides analysis on what's happening in WordPress and what it means for users and business owners in the ecosystem. This podcast is brought to you by GoDaddy Pro.
My name is Joe Casabona, and today we're going to dive into the State of WordPress Security in 2021. So the way this will work is, I'll go through some of the highlights, a lot of direct quotes from the white paper, which I will link to at [], and then I'll provide some of my own analysis. So, the first five statistics that stood out to me:

1. Vulnerabilities from WordPress and themes remain one of the biggest threats to websites built on WordPress. Okay. But just 0.58% of vulnerabilities originated from WordPress core in 2021. So less than 1%, close to half a percent, which is an even more impressive number.

2. When you look at the next stat, they saw a 150% growth in vulnerabilities reported in 2021 compared to 2020. That's a significant increase. Meanwhile, “29% of WordPress plugins with critical vulnerabilities received no patch,” which is incredible.

3. The third stat: in 2020, they found that 96.22% of vulnerabilities originated from plugins and themes. In 2021, they saw that number rise to 99.42%, which is the inverse of that 0.58% number we heard earlier.

4. Cross-site scripting (XSS) vulnerabilities once again topped the charts in 2021, accounting for almost 50% of total vulnerabilities added to the Patchstack database in 2021. Now, real quick: if you're not familiar with Patchstack, they are a vulnerability reporting organization and database. But they also offer what are called bug bounties. So they basically work with developers, especially in the open-source space, all over the world to help them find and patch vulnerabilities, specifically in WordPress sites, which is really cool. So that's, again, how I learned about them. They have an integration now with Plesk. So that was from the Patchstack database. Now, that number, almost 50% of vulnerabilities being cross-site scripting, is compared to 36% in 2020. So there was a sharp rise in the number of cross-site scripting vulnerabilities in WordPress sites.

5. And then finally, the average cost for a WordPress malware removal in 2021 was $613. Now, looking through that white paper, it was unclear to me if that cost was just for malware removal or if the total cost of losses was taken into account. But I will just quote the white paper here: “When looking at costs of malware removal we saw that the respondents spent an average of $613 for a WordPress malware removal. The highest price paid was $4800, and the lowest was $50. The average cost for website security among those who got their websites hacked during 2021 was around $8.00 per site per month.” So I'll talk about that more in the analysis section. But I just want to provide more context around that, because my read on this is that the $613 average was for the service of removing the malware, not necessarily taking into account downtime and things like that.

So now, let's go through some of the more interesting pull quotes, to me at least, from the report. The first is on dependency confusion. Dependency confusion is a risk that is caused when a piece of software's auto-updating functionality can be tricked into updating software from the wrong source. For WordPress, dependency confusion attacks can put custom plugins at high risk of being updated from the wrong source. The WordPress core team (here's the interesting part to me), the WordPress core team added a feature in 2021 to protect sites from dependency confusion attacks, which I thought was really cool. I didn't realize that. And then the white paper goes on to explain kind of how. So that's one big win for WordPress core and WordPress users: reducing the risk of dependency confusion. So kind of the way it works, right, is if you're using Gravity Forms, that's a premium plugin, a malicious actor could go in and potentially add their own plugin called Gravity Forms with malicious code and cause that dependency confusion in WordPress.
But WordPress core has added protection against that.

Next up is the disclosure policy. So again, a quote from the report: “Another sign of a mature product is the vulnerability disclosure policy and bug bounty program. All of the reported vulnerabilities in WordPress core in 2021 were reported through this vulnerability disclosure program, which sets forth proper rules and expectations for all parties involved.” This is an incredible step for, again, mature software: having a channel to appropriately report vulnerabilities. Because again, I'm not a security expert, but generally the way it works is, when a vulnerability is discovered, the idea is that the discoverer will report it to an official channel and then essentially give that organization some amount of time to patch that vulnerability before they go public with that information, in the interest of public security. So if someone found that WordPress passwords were insecure and could be taken from WordPress sites, the person would report that and say, “You know, you have 30 days to patch this,” or whatever, “and if you don't, then I'm going to publish a blog post on my findings.” So it's really cool that all of the vulnerabilities were reported through this disclosure program.

Next up, file upload policy: “2021 showed a continued trend of critical vulnerabilities in themes related to file upload features provided by the WordPress theme.” The report goes on to say later that web hosts or advanced users may want to consider disallowing the execution of PHP files in the file upload directories. This can be done via Apache or Nginx rules, or even a WAF firewall rule. So this is a vulnerability that I hadn't really considered. People kind of think of plugins as the vulnerable things, but themes are also coded and could also be vulnerable. So that's a little food for thought there that I thought was interesting when the report called it out.

Fewer plugins, but more are outdated.
So here's a longer quote, and I think it's worth reading the whole thing. “In 2021, we (Patchstack) analyzed 50,000 sites and looked at the installation count of plugins and themes. We found that on average, a single WordPress website has 18 different components (plugins and themes) installed. Comparing it to 2020, where we found that an average website had 23 plugins and themes installed on a single site, that is an improvement…” (I'll break out of the quote here for a second.) That's really good, right? I'm gonna guess part of it is the new Site Health check that tells you you should uninstall unused themes and plugins. This is something that we've been talking about for a long time in the WordPress space: if you're not using a bunch of themes or plugins, you should delete them, because that code is still executable on your server. (Now, to continue with the quote:) “…it shows improvement until we compare the number of average outdated plugins and themes on the site. In 2020 we saw 4 out of 23 components outdated. And in 2021, we saw 6 out of 18 components outdated on a single WordPress site.”

So while there are fewer components (plugins and themes), meaning not necessarily that people are using fewer themes and plugins but probably that they're clearing out themes and plugins they don't need, more of those, especially if we look at it percentage-wise, are outdated, right? We're looking at around 25% in 2020 versus 33% in 2021.

There were a couple of interesting charts after that. One is on update frequency. Again, this is visual, so I'll strongly recommend you read the whole report; I will link to the actual blog post and then the PDF that they sent me as well. 34.9% of people running WordPress sites update weekly. 20.2% update daily. 18.3% update monthly. 15.6% auto-update for all plugins. And 5.5% update for vulnerable plugins only. And then there's some other mix for 5.5%. So weekly looks to be the most popular, and only 15.6% auto-update for all plugins.
I understand why people might not want to do that. I generally do, but I'm also on a host that kind of protects me against that, and we'll talk about that later.

The other stat I thought was interesting, and the other chart I thought was interesting, was the average number of websites broken down by site owners, developers, and agencies. Agencies obviously have the highest, with 43; developers 27; and site owners 13. So the average site owner has 13 websites. And I thought… I mean, I'm kind of a developer too, but not really. If I look at just the sites I own, we've got this site, WP Review; Creator Course; How I Built It; Podcast Liftoff; Make Money Podcasting, which kind of redirects to Podcast Liftoff, so maybe not that. And I'm at like 7 there. I'm sure there are others I'm not remembering. But then if we look at custom domain landing pages, do those count, right? I just named a bunch of WordPress sites. So really interesting to see that breakdown.

And the last thing I'll mention here before I get to my own analysis is website security budgets: “Based on data we gathered, 28% of the respondents had ‘zero’ budget to protect their websites. About 27% of respondents stated that their website's security budget per website per month is between $1 and $3.” (So, harkening back to that original stat, the average cost for malware removal is $613, and the lowest paid was $50; over 50% of respondents have a budget of $36 per year or less, which is bad.) “Only 7% of respondents said that their website security budget is around $50 per site per month, and most of these respondents were from digital agencies.” I'm going to guess the digital agencies are working that cost into the price of the project, which honestly I think most freelancers should do at this point. The only time I've ever sold a security package was after a site fell victim to a vulnerability or malware attack. So I think if I were still freelancing full-time today, I would just build that in.
And as a matter of fact, I'm going to mention a couple of resources for that. So we'll get to my analysis in a minute. But first, let's hear from our sponsor, GoDaddy Pro.

This episode is brought to you by GoDaddy Pro. GoDaddy Pro is an experience tailored specifically to the needs of web designers and developers, and helps them more efficiently manage their work and deliver results for their clients. Combining website, client, and project management, GoDaddy Pro is an integrated solution made by and for web professionals. Whether you are new to web design or looking to grow your business, you'll find the tools, products, guidance, and support to help you deliver results for clients. At the heart of GoDaddy Pro is the Hub. From one intuitive dashboard, the Hub seamlessly brings your sites, clients, and projects together. Manage and monitor all of your clients' WordPress sites from a single place. No more juggling multiple client passwords. With one click, perform bulk updates, backups, and security checks no matter where your clients' sites are hosted. You will save time and free up your day. Integrated project management makes it easier to keep track of your client communications and deliver projects on time. Electronically sign, notarize, and store documents. You can create a visual timeline to break down projects into smaller tasks, to stay on track and on time. Access all of your client accounts with a single sign-on. Through their tailored shopping experience, buy products to help clients grow their business, like powerful e-commerce stores using WooCommerce. You can always reach dedicated and knowledgeable customer support, 24/7. On top of that, you'll find a thriving community of web designers and developers who share advice, insights, and learning opportunities. GoDaddy Pro is free to join. Head over to [] to get started. That's [].

Okay. So let's wrap things up with some analysis.
Now, I'm no security expert, but I've been making websites for a long time, particularly on WordPress. I started making WordPress websites in 2004 and went full-time on my client work for WordPress in 2006. While there are some things that you as the site owner can do, which we'll talk about in a minute, sometimes those things are out of your hands. One stat that stood out to me was that 29% of plugins with critical vulnerabilities received no patch. And some of the plugins listed in that white paper were from surprising sources. I saw… well, I don't want to name them, 'cause I want to make sure that, you know, maybe they've since patched. But check out the report, because some of them were surprising sources, some not so surprising sources as well. Aside from wholesale switching to a similar plugin, there's not a lot you can do when a vulnerability goes unpatched. So at that point, you need to do a risk analysis, right?

But that also makes the news on WordPress core incredibly good. All software will have vulnerabilities, but only about half a percent of WordPress vulnerabilities originated from the core, which means that you're most likely to find a vulnerability in a plugin. And that's a little bit easier to switch out than your whole website. Plus, their vulnerability reporting and disclosures got a lot better. And this news is even better when we think about what I talked about a few weeks ago on the episode titled “WordPress' Seat at the Table.” Open source has been getting a bit of a bad rap since November or December of last year. But this report about WordPress websites from a credible source makes it seem like WordPress has a good handle on vulnerabilities in the open-source space.

So what can you do as a site owner? Well, the best things you can do are the following:

1. Be on good hosting that will help you mitigate such issues. Our sponsor, GoDaddy Pro, does help you with that. I use Nexcess for my WooCommerce site, and last year when there was a vulnerability in WooCommerce, they took care of it before I knew about it. Really, before I had time to react, they had taken care of it.

2. Take regular backups. If needed, you can roll back or at least salvage some data, right? So if you do have a vulnerability where you need to blow up the site, you have something to start from.

3. Have a good security setup: services like Sucuri Security, which is owned by GoDaddy Pro. (Disclosure: GoDaddy Pro sponsored the show.) Sucuri can do scans and set up firewalls for you.

4. Update as often as possible. You can now automatically update core, plugins, and themes. And a good host could even check those updates to make sure they don't break your site. Again, my host Nexcess has something called visual comparison, where they'll do an update: they'll take screenshots before the update, do the update, then take screenshots after. And if the delta, or the changes, is below a certain threshold, they'll move forward with the update.

Finally, spend a little bit of money to keep your site secure. Again, according to that white paper, the average cost for WordPress malware removal was $613. Yet over 50% of site owners have a security budget of $0-3. And that cost, as I said before, doesn't take into account lost traffic, data, or sales. I think paying $30-50 a month, which is above the average apparently, for a service like GoWP is well worth it to make sure your site is clean and secure. GoWP, for $29 a month per site, will do updates, malware scans, and more automatically for you.

So that is it for this episode on the State of WordPress Security in 2021. Again, definitely check out that white paper. It'll be over in the show notes at []. Thanks so much for listening. To get even more WordPress insights, and to subscribe to this show, head over to []. You can get all the show notes.
You can also sign up for those Creator Toolkits I told you about at the beginning of the episode. And you can say thank you to our sponsor GoDaddy Pro as well. If you liked this episode, share it with a friend. Thanks to GoDaddy Pro for sponsoring this and every episode of WP Review. And until next time, I'm Joe Casabona, and I'll see you out there.
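The upload-directory hardening the episode mentions (disallowing PHP execution in the file upload directories via Apache or Nginx rules) is concrete enough to show. What follows is an added example, not code from the episode or from Patchstack's report: an Apache `.htaccess` file for `wp-content/uploads/`, written on the assumption of Apache 2.4 with `AllowOverride` enabled for that directory. It refuses to serve any PHP-family file under the uploads tree, so a script that a vulnerable theme or plugin upload feature lets an attacker place there is never executed.

```apache
# Added example (not from the episode or the Patchstack report).
# Assumed location: wp-content/uploads/.htaccess on an Apache 2.4 host
# where AllowOverride permits FileInfo/AuthConfig in this directory.
#
# The uploads tree should only ever hold media. Refusing every request
# for a PHP-family file here means that even if a theme or plugin upload
# feature lets a script land in the directory, Apache never hands it to
# the PHP handler (mod_php or PHP-FPM alike). Rules in this file apply
# to all subdirectories, so the per-year/per-month upload folders are
# covered too.

# Match the extension anywhere in the file name, not only at the end.
# That also refuses double-extension names such as "image.php.jpg",
# which some AddHandler configurations would otherwise run as PHP.
<FilesMatch "\.(php|php[0-9]|phtml|phps|phar)(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces when PHP is embedded in Apache: switch the engine off
# for this tree. The <IfModule> guards keep the directive from causing a
# server error on hosts where PHP runs as FPM instead (module not loaded).
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
```

On Apache 2.2 the equivalent of `Require all denied` is `Order deny,allow` followed by `Deny from all`. On Nginx the same idea is a `location` block for the uploads path, placed ahead of the general PHP handler, that returns 403 for the same extension pattern. Either way, check the result by requesting a harmless test file such as `wp-content/uploads/test.php` from your own site and confirming you get a 403 rather than PHP output; this is a mitigation for the upload-feature vulnerabilities the report describes, not a replacement for patching them.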
