Patchstack has released its State of the WordPress Security in 2022 Report: The takeaways

Patchstack's State of the WordPress security 2022 report is now out. Read an overview of the stats and successes from last year.


Patchstack’s yearly report on security in WordPress has been published. The report aims to identify the security risks users face when using and building on WordPress, and its theme is how everyone in the WordPress community can take responsibility for these risks and fix them. Since WordPress powers almost half of all websites online, tackling these issues also makes the web safer for everyone. In 2022 the biggest risk found was the use of abandoned or poorly maintained plugins and themes, alongside a broader concern about security issues in open-source software. You can read the full breakdown here.

Patchstack and what they do

Patchstack is a company that specializes in security maintenance and management services for WordPress websites. Its aim is to protect websites from vulnerabilities that arise from WordPress core, plugins, and themes. The company boasts the top WordPress vulnerability database and runs the first bug bounty program for WordPress plugins. It also offers an mVDP program. In addition, Patchstack provides threat intelligence feeds to WordPress hosting services such as Plesk, Hostinger, and Pagely, among others. We were fortunate to host a workshop by Robert Rowley of Patchstack on making security simple for developers. This workshop is still available for beginners and intermediate users of WordPress.

The Stats

In 2022 Patchstack saw:

  • 328% more security bugs reported in WordPress plugins (4,528 vs 1,382 in 2021)
  • Most security bugs were found in plugins (93%) 
  • 6.7% of bugs were found in Themes and 0.6% in the WordPress core platform
  • Cross-site Request Forgery (CSRF) was the most common security bug reported followed closely by Cross-Site Scripting (XSS)
  • CSRF bugs are up by 29%
  • 26% of the most critical security bugs disclosed in 2022 never received a fix (this is because abandoned and/or unsupported plugins remain installed on websites).
  • The most popular plugins with reported security bugs were Elementor Website Builder, Essential Addons for Elementor, and UpdraftPlus WordPress Backup. 
  • 42% of WordPress sites have at least one vulnerable piece of software installed.
  • The three new vulnerabilities with the most attempted exploits were: AccessPress, Frontend File Manager, and School Management Pro
  • In 2022 WordPress core published 4 security releases in the project, addressing 26 security bugs. 

However, they stressed that this doesn’t mean we should worry that WordPress is becoming less safe; rather, security researchers and detection technology are improving.

Most common security bugs in WordPress in 2022 (chart data from Patchstack’s report):

  • Cross-Site Request Forgery (CSRF): 29.4%
  • Cross-Site Scripting (XSS): 27.2%
  • Sensitive Data Exposure: 20.8%
  • Other vulnerabilities: 8.2%
  • Broken Access Control: 7.2%
  • SQL Injection: 5.4%
  • Arbitrary File Upload: 1.9%

Advice for WordPress developers and plugin/theme builders

Since one of the biggest concerns is outdated software, Patchstack’s advice is to pay attention to the libraries we use in our projects, and especially to whether they are still receiving security updates. Unpatched bugs pose the biggest security risk, and it takes a combination of user and developer vigilance to keep them from harming your sites. The same applies to unsupported plugins. Patchstack also recommends using its own tools, the Patchstack app and the Patchstack Threat Intelligence feeds, to identify these security issues.
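The "is this plugin still maintained?" check described above, as an added example that is not from Patchstack or this article: it joins the output of `wp plugin list --format=json` with the `last_updated`, `tested` and `version` fields returned by the wordpress.org plugin directory API and flags plugins with no release in two years, plugins not tested against the current WordPress branch, and plugins lagging behind the available version. Both inputs are constructed sample data, the 730-day and "6.1" thresholds are assumptions, and dotted numeric version strings are assumed.

```python
import json
from datetime import datetime, timezone

# Constructed sample of `wp plugin list --format=json` output (not real site data).
INSTALLED = json.loads("""[
  {"name": "example-forms",  "status": "active",   "version": "1.4.0"},
  {"name": "legacy-gallery", "status": "active",   "version": "2.1.3"},
  {"name": "private-crm",    "status": "active",   "version": "0.9"},
  {"name": "fresh-seo",      "status": "inactive", "version": "5.0.1"}
]""")

# Constructed stand-in for api.wordpress.org plugin_information responses, keyed by
# slug and trimmed to the fields this check reads (last_updated uses the API's format).
DIRECTORY = {
    "example-forms":  {"version": "1.5.2", "last_updated": "2022-11-03 9:12am GMT", "tested": "6.1.1"},
    "legacy-gallery": {"version": "2.1.3", "last_updated": "2019-06-20 4:40pm GMT", "tested": "5.2.4"},
    "fresh-seo":      {"version": "5.0.1", "last_updated": "2022-12-15 1:05pm GMT", "tested": "6.1.1"},
}

def parse_last_updated(text):
    """Parse the directory's 'YYYY-MM-DD h:mmam GMT' timestamp into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%d %I:%M%p GMT").replace(tzinfo=timezone.utc)

def version_key(version):
    """'6.1.1' -> (6, 1, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def assess(installed, directory, today, stale_days=730, current_wp="6.1"):
    """Return (slug, issue) pairs for plugins that look abandoned, untested or outdated."""
    findings = []
    for plugin in installed:
        slug, meta = plugin["name"], directory.get(plugin["name"])
        if meta is None:
            # Not listed: closed by the directory, premium, or custom. Confirm who maintains it.
            findings.append((slug, "not in the wordpress.org directory"))
            continue
        age_days = (today - parse_last_updated(meta["last_updated"])).days
        if age_days > stale_days:
            findings.append((slug, f"no release for {age_days} days, possibly abandoned"))
        if version_key(meta["tested"])[:2] < version_key(current_wp)[:2]:
            findings.append((slug, f"only tested up to WordPress {meta['tested']}"))
        if version_key(plugin["version"]) < version_key(meta["version"]):
            findings.append((slug, f"{plugin['version']} installed, {meta['version']} available"))
    return findings

if __name__ == "__main__":
    for slug, issue in assess(INSTALLED, DIRECTORY, datetime(2023, 1, 15, tzinfo=timezone.utc)):
        print(f"{slug}: {issue}")
```

On a live site, replace the two constructed inputs with the real `wp plugin list` output and one `plugin_information` request per slug; a plugin that hits more than one of these checks is the first candidate for replacement.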

More people are taking action

  • One.com fixed 56,000 vulnerabilities on their customers’ sites with the help of Patchstack’s intel
  • Patchstack paid $16,050 in bounties to ethical hackers for valid bug reports. This resulted in 748 unique security bugs being found.
  • 147 bugs were escalated to the WordPress team when they could not contact the developer

In 2021 Patchstack created the Patchstack Alliance, a community of cybersecurity experts, including researchers, developers, pentesters, and bug bounty hunters, who use the Patchstack platform to identify and report security concerns in WordPress plugins. Members of the community are eligible to win monthly bounties and to take part in annual competitions for grand prizes. Those numbers continue to grow as more people are willing to get involved in bug hunting, and the game-like format with cash prizes doesn’t hurt.

This image shows the top contributors to the Patchstack Alliance in 2022, organized by month, with 1st, 2nd, and 3rd place respectively:

  • January: Kim Jong Min, Ngo Van Thien, Rasi Afeef
  • February: Muhammad Daffa, Ngo Van Thien, Rasi Afeef
  • March: Muhammad Daffa, Nguy Minh Tuan, Tien Nguyen Anh
  • April: 0xB9, ptsfense, Ngo Van Thien
  • May: Rasi Afeef, Muhammad Daffa, Rotem Bar
  • June: Muhammad Daffa, Muhammad Daffa, Rasi Afeef
  • July: Muhammad Daffa, Muhammad Daffa, Rasi Afeef
  • August: Muhammad Daffa, Lana Codes, Tien Nguyen Anh
  • September: Lana Codes, Muhammad Daffa, Tien Nguyen Anh
  • October: Lana Codes, Nguyen Anh Tien, TomS
  • November: Lana Codes, Mika, Muhammad Daffa
  • December: Lana Codes, Muhammad Daffa, Cat

2022 Patchstack Alliance top contributors

You can read the full breakdown by Patchstack here. They also discuss what to expect in 2023 and the growing importance of open-source security. Overall, the future looks bright as more bugs are being discovered and security awareness is becoming a more established part of development in the community.



Nyasha is the Editorial Director at MasterWP and a software developer at Howard Development & Consulting, the company behind WP Wallet.
