Patchstack’s yearly report on security in WordPress has debuted. The report aims to identify the security risks that people face when using and building with WordPress, and to find a way in which everyone in the WordPress community can take responsibility for these risks and fix them. Since WordPress makes up almost half of all websites online, tackling these issues also results in a safer web for all. In 2022 the biggest risk found was the use of abandoned or poorly maintained plugins and themes, alongside a broader concern with security issues in open-source software. You can read the full breakdown here.
Patchstack and what they do
Patchstack is a company that specializes in providing security maintenance and management services for WordPress websites. Their aim is to protect websites from vulnerabilities in WordPress core, plugins, and themes. The company says it maintains the top WordPress vulnerability database and runs the first bug bounty program for WordPress plugins. They also offer an mVDP program. In addition, Patchstack provides threat intelligence feeds to WordPress hosting services such as Plesk, Hostinger, and Pagely, among others. We were fortunate to host a workshop by Robert Rowley of Patchstack on making security simple for developers. This workshop is still available for beginners and intermediate users of WordPress.
In 2022 Patchstack saw:
- 328% more security bugs reported in WordPress plugins (4,528 vs 1,382 in 2021)
- Most security bugs were found in plugins (93%)
- 6.7% of bugs were found in Themes and 0.6% in the WordPress core platform
- Cross-site Request Forgery (CSRF) was the most common security bug reported followed closely by Cross-Site Scripting (XSS)
- CSRF bugs are up by 29%
- 26% of the most critical security bugs disclosed in 2022 never received a fix (this is due to abandoned and/or unsupported plugins still remaining on websites).
- The most popular plugins with reported security bugs were Elementor Website Builder, Essential Addons for Elementor, and UpdraftPlus WordPress Backup.
- 42% of WordPress sites have at least 1 vulnerable software installed.
- The three new vulnerabilities with the most attempted exploits were: AccessPress, Frontend File Manager, and School Management Pro
- In 2022 WordPress core published 4 security releases in the project, addressing 26 security bugs.
However, they stressed that this does not mean WordPress is becoming less safe, but rather that security researchers and detection technology are improving.
Advice for WordPress developers and plugin/theme builders
Since one of the biggest concerns revolves around outdated software, the advice Patchstack has for us is to pay attention to the libraries we use in our projects, and in particular whether they are still receiving security updates. Unpatched bugs pose the biggest security risk, and it takes a combination of user and developer review to keep them from harming your sites. This also applies to unsupported plugins. They also recommend using their tools, the Patchstack app and the Patchstack Threat Intelligence feeds, to identify these security issues.
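Because the report ranks CSRF as the most common bug class in plugins, here is an added example (not code from Patchstack or from the report) of the pattern behind most of those findings in a plugin settings handler: the version that accepts any POST, beside the version that checks capability and a WordPress nonce. The hook name `demo_save_settings`, the option `demo_api_endpoint` and the nonce field name `demo_nonce` are assumptions made up for this example.

```php
<?php
// Added example; the "demo_" names are hypothetical.

// BEFORE: nothing ties this request to the logged-in admin, so a request
// triggered from elsewhere while the admin is logged in is accepted.
function demo_save_settings_vulnerable() {
    update_option( 'demo_api_endpoint', $_POST['endpoint'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}

// AFTER: authorization check, then a nonce bound to this action and user.
function demo_save_settings_hardened() {
    // 1. Authorization: the caller must be allowed to change settings at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the nonce is tied to the action name and the user's session;
    //    check_admin_referer() calls wp_die() when it does not verify.
    check_admin_referer( 'demo_save_settings', 'demo_nonce' );
    // 3. Input handling: sanitize before storing.
    $endpoint = isset( $_POST['endpoint'] )
        ? esc_url_raw( wp_unslash( $_POST['endpoint'] ) )
        : '';
    update_option( 'demo_api_endpoint', $endpoint );
    wp_safe_redirect( admin_url( 'options-general.php?page=demo' ) );
    exit;
}
// Only the hardened handler is registered on the admin-post endpoint.
add_action( 'admin_post_demo_save_settings', 'demo_save_settings_hardened' );

// The settings form must emit the matching nonce field for the check to pass.
function demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field( 'demo_save_settings', 'demo_nonce' ); ?>
        <input type="url" name="endpoint"
               value="<?php echo esc_attr( get_option( 'demo_api_endpoint', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Note that the nonce check alone is not an authorization check: the `current_user_can()` test is what stops a low-privilege user who legitimately holds a valid nonce from changing site-wide options.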
More people are taking action
- One.com fixed 56,000 vulnerabilities on their customers’ sites with the help of Patchstack’s intel
- Patchstack paid $16,050 in bounties to ethical hackers for valid bug reports. This resulted in 748 unique security bugs being found.
- 147 bugs were escalated to the WordPress team when they could not contact the developer
In 2021 Patchstack created the Patchstack Alliance, a community of cybersecurity experts, including researchers, developers, pentesters, and bug bounty hunters, who use the Patchstack platform to identify and report security issues in WordPress plugins. Members of the community are eligible to win monthly bounties, as well as to participate in annual competitions for grand prizes. Those numbers continue to grow as more people are willing to get involved in bug hunting, and the game-like format with cash prizes doesn’t hurt.
You can read the full breakdown by Patchstack here. They also discuss what to expect in 2023 and the growing importance of open-source security. Overall, the future looks bright as more bugs are being discovered and security awareness is becoming a more established part of development in the community.