But I Thought there Were No Core Bugs in WordPress?

There have been a lot of posts lately talking about how secure WordPress core is and how few vulnerabilities have been reported over the last few years. WPEngine had one that became very popular a few months ago and I’ve seen numerous others. I’ve even written myself on how WordPress problems are not necessarily in the code but are instead a result of education and the human element of WordPress.

That said, WPDaily has an infographic this morning talking about WordPress security where they list a full 32% of WordPress vulnerabilities as being in core and 40% in plugins and themes. While I don’t have the time to really look into this claim this morning, I still find their numbers quite intriguing, especially coming on the back of WordPress 3.5.2, which itself patched seven vulnerabilities.

So which is it? Is WordPress secure or isn’t it? Considering my plugin, I’m not going to elaborate on my thoughts. I’m more interested in what you think. Let’s talk about it in the comments below.

About Chris Wiegman

Chris is a developer for iThemes where he works on the iThemes Security and iThemes Security Pro WordPress plugins. In past roles he has served as a teacher, blogger, manager and even an airline captain. He resides in Austin, TX with his wife Joy and their four-legged children.

Find Chris on Facebook, LinkedIn, and Twitter.

Comments

  1. I’ve seen similar statistics in the past (stats from the vulnerability database, etc.). Much of that 42% is probably related to older versions of WordPress. If you take a snapshot of the past 2 or 3 years of WordPress history, you will find a large number of vulnerabilities (which probably adds up to that 32%). However, if you were to take a snapshot of just the last few dot versions of WordPress (3.5+), you would more than likely find a much, much smaller number.

    That, my friends, is why they say that keeping WordPress up-to-date is so vitally important.

    You also have to remember that these stats are all related to who’s reporting them and how they’re being reported. With 25,000+ plugins in the WordPress repository, there are bound to be a huge amount of vulnerabilities in there, but not all WordPress sites are using all 25,000 plugins (in fact, I’d wager no one is using all 25,000 plugins), so vulnerabilities in them are not going to be as widespread as vulnerabilities in core. The most popular non-out-of-the-box plugin (Akismet is the most popular plugin, according to the WordPress plugin repo) is Contact Form 7. It has been downloaded a total of less than 12 million times (and who knows how many of those are repeat downloads); there are, according to the infographic, more than 67 million WordPress sites on the Web. That means that even the most popular plugin that’s not packaged with WordPress is only used on ~18% of the WordPress installations in the world.

  2. I agree with other comments that the raw numbers don’t really help that much. All of the sites I look after are kept up to date. Same with plugins & themes. Some plugins die and this may not be so obvious but eventually they get cleaned out and replaced. More than half the security issues I’ve seen lately have come from Cpanel or other server hacks. It would be nice to have 2 factor authentication in the core system but there are always going to be tradeoffs on a project this size.

    Keep everything up to date, monitor actively and be proactive when there are known exploits – remember timthumb etc.

    1. The server hacks are getting worse, that is for certain. I’m curious as to whether this is due to an improvement in WordPress security or a fall in server security (we all know some hosts are really bad).

  3. I tell people (clients) the good news and bad news about WordPress. The good news is it’s the most popular CMS/blogging platform on the web. The bad news is it’s the most popular CMS/blogging platform on the web.

    When you are king of the hill with these kinds of numbers, if you are a hacker/spammer, what platform are you going to target? A quick look at Windows/Mac OS would be a good indication: as Macs are becoming more popular, the vulnerabilities are starting to show up (while I believe the Mac OS is better coded), but as the market share increases so will the vulnerabilities of Macs, and that is coming to light today.

    My point is, as long as software is written by “man” there are going to be vulnerabilities, and as long as that software is popular, those vulnerabilities are magnified and will be targeted by many because of the ROI, or should I say ROIOH (return on investment of hacking). So the question also begs, is the “software” less secure today than in the past, or are there more hackers working on the vulnerabilities?

    It would be interesting to know, of all WordPress sites hacked, what was the true root cause? For the WordPress sites that were hacked, was it because of poor or lack of upgrading, poor passwords, etc.? Or was it because of WordPress core vulnerabilities or the associated plugin vulnerabilities? I personally do not know the complete answer (I can comment only on what I have seen), but let me state clearly I am not saying that vulnerabilities in the core itself or plugins have not caused hacks. I am just asking what is the overall bigger problem, not that both should not be addressed, as they should.

    In the hacked WordPress sites I have personally seen, it was always a site that was out of date (WordPress, plugins, or both). The most recent hack I saw was a WordPress site still running version 2.9 (when 3.5.2 was available)! That site didn’t have any proactive manager of any type!

    And this I have seen even more so in Joomla installs, because the owners, not being technically minded, are not wanting to spend money to have their Joomla installs upgraded, so they wait until it’s a problem or their site is suspended because they have been hacked.

    And in regards to cPanel/WHM, I see this really as no different than WordPress or any other web-based software that hasn’t been hardened for security and isn’t kept updated as it should be.

    In my other career (as a pilot) there was the “Swiss cheese model”, or the cumulative act effect. I believe that, as in safety-related issues that can hurt or kill people, the same model applies here to the writing and use of any software. When enough “errors” have taken place on many levels and the “Swiss cheese holes” have lined up, that is when bad things will happen.

    Well anyway, that’s my 2¢.

  4. The other thing to measure is how many of those bugs were conceptual fixes versus bugs that were being actively exploited in the wild. I’ll take a stab and guess that not many of those were being actively exploited, and I’d be interested to know how many actively exploited bugs were in the latest version of WordPress at the time. My guess is either none or a very low number.

      1. Totally agree, and of course, even if there hasn’t been a core bug there will be one eventually!

  5. At various times I have actively monitored up to 70 WP sites. All were up to date, and most had Bit51 and/or other security employed that was available (more than 1 year ago), including appropriate IP banning. These sites were located at three different “well-known” hosting companies: one smaller, one medium and one international. About 24 of the sites got hacked by some Middle Eastern chap with a Gmail address in his “calling card”. It seems to me the crack was done at the server level, not the site level, and the vulnerability was common. SQL was affected so that it excluded back-up restoration and somehow locked and controlled what the server served, not the site. Hosting was shared; that’s where I believe a serious vulnerability can exist, depending on who has set up the host servers. All IT is not created equal. Just because they were WP sites doesn’t mean they were what was exploited.
