The 2024 WordPress vulnerability report by WPScan highlights key trends in WordPress security and provides insights for website publishers and SEOs on potential vulnerabilities to watch out for.
A significant finding from the report is that just over 20% of vulnerabilities were categorized as high or critical threats. The majority of vulnerabilities, about 67%, were rated as medium severity, which many publishers perceive as lower threats. However, it is advised that publishers review these vulnerabilities to confirm their installations are not at risk.
While the report does not fault users for malware and vulnerabilities, it notes that user mistakes can enhance the effectiveness of hacker exploits. The WPScan report emphasizes that while severity doesn’t directly equate to the risk of exploitation, it serves as a guideline for website owners to decide when to disable or update extensions.
WordPress Vulnerability Severity Distribution
Critical vulnerabilities, representing the highest level of threat, accounted for only 2.38% of cases, which is reassuring for WordPress publishers. However, combining critical and high-level threats brings the total to almost 20%.
Severity Ratings Breakdown:
- Critical: 2.38%
- Low: 12.83%
- High: 17.68%
- Medium: 67.12%
Authenticated Versus Unauthenticated Vulnerabilities
Authenticated vulnerabilities require attackers to obtain user credentials and corresponding permissions to exploit a vulnerability. Subscriber-level authenticated exploits are the most accessible, while administrator-level exploits present the least risk.
Unauthenticated attacks are generally the simplest to execute because they don’t require obtaining user credentials beforehand. The report found that about 22% of vulnerabilities needed subscriber-level or no authentication, making them highly exploitable. In contrast, vulnerabilities requiring admin permission levels comprised 30.71% of the total.
Nulled Software And Weak Passwords
Jetpack Scan identified weak passwords and nulled plugins as common causes for malware. Nulled plugins often contain backdoors that allow malware infection, and weak passwords are susceptible to brute-force attacks.
The WPScan report elaborates on authentication bypass attacks, which can exploit weak passwords, credential guessing, brute force, social engineering tactics, and privilege escalation.
Permission Levels Required For Exploits
Exploits requiring administrator credentials are the most prevalent, followed by Cross Site Request Forgery (CSRF) which exploits social engineering to gain user permissions.
User Roles for Vulnerabilities by Ascending Order:
- Author: 2.19%
- Subscriber: 10.4%
- Unauthenticated: 12.35%
- Contributor: 19.62%
- CSRF: 24.74%
- Admin: 30.71%
Most Common Vulnerability Types Requiring Minimal Authentication
Broken Access Control allows attackers to bypass necessary permissions. The report shows that Broken Access Control constituted 84.99% of such vulnerabilities, followed by SQL injection at 20.64%.
According to the Open Worldwide Application Security Project (OWASP), access control is challenging to implement correctly and is crucial for ensuring only authorized users can perform certain actions. SQL injection, identified as both high severity and risk, allows attackers to tamper with the database, which is central to every WordPress website.
Vulnerability Types Requiring Minimal Authentication:
- Broken Access Control: 84.99%
- SQL Injection: 20.64%
- Cross-Site Scripting: 9.4%
- Unauthenticated Arbitrary File Upload: 5.28%
- Sensitive Data Disclosure: 4.59%
- Insecure Direct Object Reference (IDOR): 3.67%
- Remote Code Execution: 2.52%
- Other: 14.45%
Vulnerabilities In The WordPress Core
Most vulnerabilities are found in third-party plugins and themes, but in 2023, 13 vulnerabilities were reported in the WordPress core itself. Only one of these was rated as a high severity threat.
The WordPress core is held to high standards, supported by a global community dedicated to discovering and patching vulnerabilities.
Website Security and Technical SEO
Security is a critical component of technical SEO. If a website is compromised, it can lose rankings in search engine results, making proactive security measures essential. Strong passwords and two-factor authentication are vital for protecting against attacks. Using security headers can also help guard against Cross-Site Scripting and other vulnerabilities.
Implementing a WordPress firewall and website hardening are effective proactive approaches to ensuring website security. Virtually every website worldwide is under constant attack by bots scanning for vulnerabilities.
Featured Image by Shutterstock/Ljupco Smokovski
