The 2024 WordPress Security Threat Landscape: Key Trends and Stats

WPScan recently released their review of 2023 vulnerabilities and threats to WordPress sites. With this information in hand, site owners and WordPress professionals alike can navigate 2024 a little more safely. 

Led by dedicated security experts, WPScan maintains the premier database of threats to the WordPress ecosystem. Used by the top professionals throughout the industry, WPScan is regarded as the most complete resource available. To date, WPScan and contributors have identified, verified, and classified more than 49,000 vulnerabilities. 

The database is used by enterprise organizations like Mercedes-Benz Group, WP Engine, Accenture, and Kinsta. It also powers renowned WordPress security tools like Jetpack Scan, which is available through Jetpack Protect or with a Jetpack Security plan. 

Why does this report exist? Where does the data come from?

WPScan’s team is dedicated to identifying, verifying, and indexing threats to the WordPress ecosystem, so that WordPress security tools (like Jetpack Security) can effectively guard against them and protect the community. 

Identifying and understanding threats are the first steps in cybersecurity protection. 

The data in this report was compiled from vulnerabilities disclosed by WPScan and verified by their security researchers, as well as a sample of more than 350,000 websites and Automattic services that use Jetpack Scan or Jetpack Protect. 

What did we learn?

Don’t have time to read the full report? Don’t worry. We’ve got you covered with a summary of the key points.

XSS gets a lot of attention, but SQL injection is a more prevalent threat

Cross-site scripting gets a lot of attention. It is the class most often reported by bug bounty hunters and security researchers, accounting for 53% of all disclosed vulnerabilities. 

But the most common type of threat — as measured by actual attempts blocked by the Jetpack firewall — is actually SQL injection. SQL injection tends to be particularly serious because little or no authentication is needed to exploit this kind of vulnerability. 
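To make the point concrete, here is an added example of the pattern behind most WordPress SQL injection findings, shown as a vulnerable query next to its parameterised form. This is illustration code written for this summary, not code from the WPScan report or from Jetpack; the table name comes from WordPress itself, while the function names and the `s` request parameter are assumptions.

```php
<?php
/**
 * Added example (not from the WPScan report or Jetpack): a plugin search
 * query built by string interpolation, beside the same query written with
 * $wpdb->prepare(). The table name {$wpdb->posts} is WordPress's own; the
 * function names and the `s` request parameter are assumptions.
 */

// VULNERABLE: the search term is interpolated straight into the SQL text.
// Whoever can send the request controls the query, which is why this class
// of bug needs little or no authentication to exploit.
function example_search_posts_unsafe( $term ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_status = 'publish' AND post_title LIKE '%{$term}%'";
    return $wpdb->get_results( $sql );
}

// HARDENED: $wpdb->prepare() binds the value as a parameter (%s is quoted
// and escaped by WordPress), and esc_like() escapes the LIKE wildcard
// characters so user input cannot widen the match. %d forces an integer.
function example_search_posts_safe( $term, $limit = 20 ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Typical call site: a public (no-privilege) search endpoint. Unslash and
// sanitise the raw request value before it reaches the query function.
add_action( 'wp_ajax_nopriv_example_search', 'example_search_handler' );
add_action( 'wp_ajax_example_search', 'example_search_handler' );
function example_search_handler() {
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    wp_send_json_success( example_search_posts_safe( $term ) );
}
```

The defensive rule the safe version follows is simple: SQL text is fixed at development time and every runtime value travels through a placeholder. Sanitising the input (`sanitize_text_field`) is a separate, complementary step; it is not a substitute for `prepare()`.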

Two threats are most common when it comes to WordPress security

The report confirmed what we already know: Weak user credentials and nulled plugins are the gateway for the majority of attacks.  

This means that site admins can prevent most security problems by keeping software up to date and requiring strong authentication. 

More than 20% of vulnerabilities required no authentication

The WPScan team reviews vulnerabilities to determine the level of authentication required to exploit the affected code. While about a third of all vulnerabilities would require access to an admin account (reducing the risk of exploitation), 22% of disclosed vulnerabilities would require absolutely no authentication or just a subscriber-level account. 

Malware attacks remain prevalent

Jetpack Scan (which utilizes the WPScan database) identified a staggering 70,000 sites with at least one malicious file. Most causes can be traced back to either (you guessed it!) leaked/weak credentials or nulled software. 

75% of the malicious files found (about 600,000) were classified as generic malware. 

We guard your site. You run your business.

Jetpack Security provides easy‑to‑use, comprehensive WordPress site security, including real‑time backups, a web application firewall, malware scanning, and spam protection.

Secure your site

Existing tools are working

The Jetpack firewall blocked more than seven million requests involving a high-severity vulnerability — preventing countless XSS attacks on exposed sites.

The report states:

The Jetpack firewall, although a recent addition to the Jetpack Security suite, is proving its worth by blocking potential attacks early in the cycle, preventing attackers from getting a foothold on protected sites.

The Jetpack firewall also blocked more than half a million SQL injection attempts and more than half a million path traversal attempts. 

What should cybersecurity and WordPress professionals do next?

You can’t prevent attacks if you don’t know what to look for. WPScan provides the most robust, up-to-date library of verified threats. Developers and cybersecurity professionals can incorporate it into their in-house programs through an API to bolster their defenses. 

Web security teams can also use WPScan’s CLI Scanner as part of penetration testing. It provides an outside look at the information hackers may be able to view about your site without authentication. 

Developers and enterprise organizations should reach out to WPScan immediately to see if it’s the best tool for their operation. 

What should WordPress site owners do next?

WPScan’s assessment of the WordPress security ecosystem demonstrates that threats persist. The good news is that the most prevalent ones can be thwarted fairly easily. WordPress site owners can make use of the WPScan database through Jetpack Protect and gain access to a full suite of prevention and recovery tools with Jetpack Security. 

Enforce strong authentication

Weak passwords are not only the most common weakness in cybersecurity, but one of the easiest to fix. You can require strong passwords from users and educate your team about password best practices like using a mix of numbers, letters, and special characters, having unique credentials for each site, and updating passwords regularly. 

You may also want to require two-factor authentication, especially on admin-level accounts.

Assign the proper user roles and follow the principle of least privilege 

WordPress user roles are powerful because they allow you to grant access to specific functions based on a person’s area of responsibility. Limiting the number of high-level roles assigned reduces the number of access points and allows for greater education and accountability regarding passwords and secure authentication. 

Under the principle of least privilege, each user should be assigned only the lowest role that covers their necessary job functions. 
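The same principle applies to code that plugins expose, and it maps directly onto the report's authentication finding above (vulnerabilities exploitable with no account or only a subscriber-level account). The following added example, written for this summary rather than taken from WPScan or Jetpack, registers one REST endpoint three ways: open to everyone, open to any logged-in user (a subscriber qualifies), and restricted to the capability the action actually needs. The namespace `example/v1`, the routes, the option name and the callback names are assumptions; the WordPress functions are real.

```php
<?php
/**
 * Added example (not from the WPScan report or Jetpack): least privilege on
 * a plugin REST endpoint. The namespace, route paths, option name and
 * callback names are assumptions for this illustration.
 */

add_action( 'rest_api_init', 'example_register_routes' );

function example_register_routes() {
    // WEAK: '__return_true' makes the route callable by anyone, so a
    // sensitive action behind it needs no authentication at all.
    register_rest_route( 'example/v1', '/settings-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // STILL WEAK: any logged-in account passes, including a subscriber who
    // registered through the site's public form.
    register_rest_route( 'example/v1', '/settings-loggedin', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return is_user_logged_in();
        },
    ) );

    // LEAST PRIVILEGE: require the specific capability the action needs.
    // Changing site options is an administrator task, so check the
    // 'manage_options' capability rather than a role name; WordPress
    // evaluates capabilities, and roles are just bundles of them.
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'banner_text' => array(
                'type'              => 'string',
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Shared handler: writes a single option and reports success.
function example_update_settings( WP_REST_Request $request ) {
    update_option( 'example_banner_text', $request->get_param( 'banner_text' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Two details matter in practice. First, a permission callback that returns `false` makes WordPress answer with a 401 or 403 before the handler runs, so the check fails closed. Second, for cookie-authenticated clients WordPress only sets the current user when the request carries a valid REST nonce (the `X-WP-Nonce` header); a request without one is treated as anonymous and is rejected by the capability check as well.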

Keep core, themes, and plugins up to date

Along with weak passwords, outdated software is the most common root of successful attacks. Your site should be using the most up-to-date version of WordPress core, your theme, and any plugins that are installed. 

As vulnerabilities are discovered, reputable plugin developers will release updates to patch them. Ignoring these updates leaves your site exposed. 

Install a WordPress security plugin

For the most complete protection, site owners need to go a step beyond strong passwords, updated software, and proper user role assignment. Veteran WordPress professionals know that the right WordPress security plugin will help prevent intrusions and provide recovery options in case one gets through.

If you want comprehensive protection with minimal complications — Jetpack Security is the solution you need. Here’s just some of what’s included:

  • Downtime monitoring. Know the second that there’s a problem with your site so you can take immediate action. 
  • A website firewall. WPScan’s report repeatedly mentioned attacks thwarted by Jetpack’s Firewall. Get access to it with Jetpack Security. 
  • Real-time malware scanning and one-click fixes. Get access to WPScan’s full database and continuously scan your site for malware and vulnerabilities. Even better — you’ll also get one-click solutions for the majority of issues. 
  • Real-time backups. Remember, you also need a recovery method in case an attacker makes it through. Jetpack VaultPress Backup saves everything on your site and logs all activity. Restore to an exact moment in time and review your log to troubleshoot and prevent future issues. You can access and restore backups even if your site is completely down, from your mobile device. 
  • Spam protection. Unwanted, irrelevant comments and form submissions are more than annoying — they’re dangerous to you and your visitors. Jetpack Security comes with Akismet Anti-spam so you can prevent 99% of spam without forcing visitors to complete an aggravating CAPTCHA. 
  • Brute force attack protection. Brute force attacks are a pretty common WordPress threat. They can also be easily stopped with Jetpack Security. 

Don’t need a full security plugin, but want access to WPScan’s database for vulnerability and malware scanning? Those features are also available in a standalone plugin, Jetpack Protect.

Jetpack and WPScan: working together for a safer WordPress 

WPScan’s team works tirelessly to maintain the most accurate database of WordPress vulnerabilities. WordPress professionals and enterprise organizations can integrate with WPScan tools for the most advanced protection available. 

WordPress site owners access this same information through Jetpack Security, alongside other security tools. The plugin goes to work with minimal hassle and ongoing effort. Your site is simply protected.

Learn more about Jetpack Security

Learn more about WPScan. 

This entry was posted in Security.


Jen Swisher

Jen is a Customer Experience Specialist for Jetpack. She has been working with WordPress and Jetpack for over a decade. Before starting at Automattic, Jen helped small businesses, local non-profits, and Fortune 50 companies create engaging web experiences for their customers. She is passionate about teaching others how to create on the web without fear.
