It's no wonder that WordPress continues to be one of the most hacked CMS platforms online—the sheer numbers of sites powered by WordPress make it logical. But a new survey out today shows that a lack of training and security practices among WordPress users may also contribute to the problem. It showed that many WordPress users also tend to avoid hiring a professional administrator and are themselves only lightly trained in how to run the content management system.
Based on a survey conducted by CodeGuard of 503 WordPress users, 44 percent of respondents don't employ a website or IT manager. And fewer than one-quarter of users have received extensive training in the use of WordPress. Unsurprisingly, just a little over half of these users report that they regularly update their WordPress platforms and 69 percent have had a plugin fail after an update.
According to market data from W3Techs, 23.5 percent of websites today use WordPress to power their backend. That's head and shoulders above the next runner-up, Joomla, which has about 10 times less usage, with a 2.9 percent market share. WordPress is an attractive target for attackers. A report from Imperva out last fall showed that WordPress sites were attacked 24.1 percent more than websites running on all other CMS platforms combined and that it suffers 60 percent more cross-site scripting incidents than all other CMS-backed sites combined.
According to security researchers, the vast majority of WordPress-related—and other CMS-related—security problems arise through vulnerabilities in plugins. To date, WordPress features 36,547 different plugins available for download. It’s a huge attack surface, and one that frequently poses problems. For example, just yesterday, the security team at Sucuri released an advisory about the MainWP Child plugin, which 90,000 WordPress sites use as an admin tool. The issue allows for easy remote exploitation, resulting in password bypass and privilege escalation. Meanwhile, just last month, Sucuri found that a different plugin, WP-Slimstat, left 1.3 million sites vulnerable to SQL injection attacks.
In order to avoid attacks against these types of vulnerabilities, website owners are going to need to do a better job educating themselves about the risks, says Tony Perez, co-founder and CEO of Sucuri.
"It’s easy to feel overwhelmed by some of this information, but it is our belief that the best tool you have at your disposal as a website owner is knowledge," he says. "Driving your head into the proverbial sand does not make these things disappear; it simply amplifies the impact if and when any of these attacks affect you directly."