WordPress Hack Statistics
While publishing an article about the new WordPress password generator, I started researching WordPress security. In doing so, I pulled together the following info on WordPress hacks & vulnerabilities.
If you have more stats or resources to add, please let me know in the comments, and I’ll add them to the write-up.
The Ways Hackers Gain Access
There’s an infographic out there that depicts the various ways WordPress sites get hacked. The sources appear to be quite scattered, but let’s assume they are at least somewhat accurate. Here’s what it says about WordPress hacks:
- 41% were hacked through a security vulnerability on their hosting platform
- 29% were hacked via a security issue in the WordPress theme they were using
- 22% were hacked via a security issue in the WordPress plugins they were using
- 8% were hacked because they had a weak password
I’m not blaming any one group for being more or less responsible for WordPress vulnerabilities, but if these stats are even somewhat accurate, then the bigger security issues lie with third parties, not WordPress users.
Those numbers add up to 100%, and I don’t see anything there that cites WordPress core security issues as a culprit. It’s certainly possible that no WordPress hacks have been traced back to bugs in the core code, and WordPress does release security patches very quickly after new releases. Regardless, they are obviously doing a lot of things right in terms of security.
Of those 8% that were hacked because of a weak password, let’s take a look at the data on brute force attacks.
WordPress Brute Force Attacks
An article from Sucuri (April 2013) presents some data on WordPress brute force attacks. By no means does this tell us the entire security story, but it’s a solid start.
- Top usernames being attacked: admin, Admin, administrator, test, root
- Top passwords being tried: password, 12345678, 123admin, 123abc, qwerty, and a handful of other common ones
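A simple way to turn the Sucuri data into detection: watch failed logins per source address and flag sources that pile up failures in a short window, while tallying how often the usernames in that list are tried. This is an added example, not code from the original post or from Sucuri; the audit-log line format and the sample lines are constructed for illustration and match no real plugin's output.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical audit-log format (not any real
# plugin's format): timestamp, result, source IP, attempted username.
SAMPLE_LOG = """\
2013-11-11T10:00:01Z wp-login FAIL ip=198.51.100.7 user=admin
2013-11-11T10:00:02Z wp-login FAIL ip=198.51.100.7 user=Admin
2013-11-11T10:00:03Z wp-login FAIL ip=198.51.100.7 user=administrator
2013-11-11T10:00:04Z wp-login FAIL ip=198.51.100.7 user=test
2013-11-11T10:00:05Z wp-login FAIL ip=198.51.100.7 user=root
2013-11-11T10:05:00Z wp-login FAIL ip=203.0.113.9 user=editor
2013-11-11T11:30:00Z wp-login FAIL ip=203.0.113.9 user=editor
2013-11-11T11:30:01Z wp-login OK ip=203.0.113.9 user=editor
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) wp-login (?P<result>FAIL|OK) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

# The usernames the Sucuri data shows being attacked most often.
COMMON_TARGETS = {"admin", "Admin", "administrator", "test", "root"}

def parse(log_text):
    """Yield (timestamp, result, ip, user) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["ip"], m["user"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (flagged IPs, {username: failures} for COMMON_TARGETS).

    An IP is flagged once it has `threshold` failures inside any `window`-long
    span (sliding window per IP). Lines are assumed to be in time order.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    flagged, targeted = set(), Counter()
    for ts, result, ip, user in parse(log_text):
        if result != "FAIL":
            continue  # successful logins never count toward the threshold
        if user in COMMON_TARGETS:
            targeted[user] += 1
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged), dict(targeted)
```

On the sample, 198.51.100.7 is flagged (five failures in four seconds) while 203.0.113.9 is not (two failures an hour apart), which is the distinction a lockout or rate-limit rule should draw.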
WordPress Vulnerabilities reported by National Vulnerability Database
The government maintains a website that tracks software vulnerabilities. A search for “WordPress Core” over the past 3 months returns 5 results (as of Nov 11, 2013). All 5 were reported on 9/12/2013, after they were fixed with the release of WordPress 3.6.1. Run your own search to view other stats. The reason I searched for “WordPress Core” was to exclude theme and plugin vulnerabilities and look only at security issues in the core code.
Props to wptemplate.com for the original infographic.