
In 2024, just under one million WordPress websites were infected with malware, and there were roughly 325,000 to 350,000 infected sites on any given day.
According to cybersecurity firm Wordfence, plugin vulnerabilities remain the biggest software threat to WordPress, accounting for 96% of all disclosed vulnerabilities.
The good news is that researchers did not observe any major zero-day exploits targeting WordPress vulnerabilities, an encouraging sign for the maturing security of WordPress plugins and themes.
The most common vulnerability disclosed in 2024 was cross-site scripting (XSS). Approximately 4,019 XSS vulnerabilities were discovered by Wordfence security experts. The firm blocked over 9 billion XSS exploit attempts last year.
XSS attacks involve an attacker injecting an arbitrary script, usually JavaScript, into a webpage so that it runs in a victim's browser and can perform actions on the victim's behalf. Threat actors can thus gain access to session tokens, passwords, and other sensitive information held by the browser. Attackers also use this method to spread malware and steal user credentials.
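To make the mechanism concrete, here is an added example (not code from the article or from Wordfence) of a reflected XSS bug in a hypothetical WordPress shortcode, next to its hardened form. The shortcode name and function names are invented; `esc_html`, `esc_attr`, `esc_url`, `sanitize_text_field` and `wp_unslash` are real WordPress functions, and the stand-ins defined at the top only exist so the file also runs on the PHP command line without WordPress loaded.

```php
<?php
// Added example, not from the original article: reflected XSS in a shortcode.
// Stand-ins so the file runs outside WordPress; inside WordPress the real
// functions are used and these definitions are skipped.
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $t ) { return htmlspecialchars( (string) $t, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' ); }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $t ) { return stripslashes( (string) $t ); }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $t ) { return trim( strip_tags( (string) $t ) ); }
}

// VULNERABLE (hypothetical plugin code): the "q" request parameter is echoed
// straight into the page, so any HTML or <script> in it is rendered as markup.
function vuln_search_box_shortcode() {
    $q = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<p>Results for: ' . $q . '</p>';
}

// HARDENED: sanitize on input, then escape for the exact output context.
// esc_html() for text nodes, esc_attr() inside attribute values.
function safe_search_box_shortcode() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    return '<p>Results for: ' . esc_html( $q ) . '</p>'
         . '<input type="text" name="q" value="' . esc_attr( $q ) . '">';
}

if ( function_exists( 'add_shortcode' ) ) {
    add_shortcode( 'demo_search_box', 'safe_search_box_shortcode' );
}

// Command-line demonstration with a constructed, harmless test string.
if ( PHP_SAPI === 'cli' ) {
    $_GET['q'] = '<script>alert(1)</script>';
    echo "vulnerable: ", vuln_search_box_shortcode(), "\n";
    // -> <p>Results for: <script>alert(1)</script></p>   (script would execute)
    echo "hardened:   ", safe_search_box_shortcode(), "\n";
    // -> the tags are stripped and any remaining characters are entity-encoded
}
```

The rule the hardened version follows is "sanitize early, escape late": sanitization on the way in limits what is stored, but only output escaping chosen for the specific context (HTML text, attribute, URL, JavaScript) reliably prevents injection, so the same value must be escaped again each time it is printed.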
Another threat to WordPress websites in 2024 was SQL injection, which accounted for 47% of the total disclosed vulnerabilities. Wordfence blocked over 1.1 billion SQL injection exploit attempts in 2024.
SQL injection is a common attack technique in which malicious input is used to manipulate a database query and read the data the database stores, such as password hashes and user data. Threat actors use it to exfiltrate sensitive information or to escalate their privileges on a website.
The latter, however, typically works only if the attacker can crack a recovered password hash or obtain some other sensitive information that lets them bypass the normal authentication mechanisms.
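As an added illustration (not code from the article or from Wordfence), the following stand-alone PHP script shows a user lookup that concatenates input into the SQL text, beside the parameterized version, and runs both against a constructed in-memory SQLite table so the difference is observable. It needs PHP with `pdo_sqlite`; the table, row and placeholder hash are made up for the demo, and the WordPress equivalent using the real `$wpdb->prepare()` API is shown in the trailing comment.

```php
<?php
// Added example, not from the original article: SQL injection vs. a bound parameter.
$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );

// Constructed sample table mimicking wp_users; the hash value is a placeholder.
$db->exec( 'CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)' );
$db->exec( "INSERT INTO wp_users VALUES (1, 'admin', 'placeholder-hash')" );

// VULNERABLE: the login value becomes part of the statement text, so the
// database cannot tell data from SQL syntax.
function vuln_find_user( PDO $db, string $login ): ?array {
    $sql = "SELECT ID, user_login FROM wp_users WHERE user_login = '$login'";
    $row = $db->query( $sql )->fetch( PDO::FETCH_ASSOC );
    return $row === false ? null : $row;
}

// HARDENED: the value travels as a bound parameter and is only ever compared
// as a literal string, whatever characters it contains.
function safe_find_user( PDO $db, string $login ): ?array {
    $stmt = $db->prepare( 'SELECT ID, user_login FROM wp_users WHERE user_login = :login' );
    $stmt->execute( [ ':login' => $login ] );
    $row = $stmt->fetch( PDO::FETCH_ASSOC );
    return $row === false ? null : $row;
}

// Classic tautology test string; no account with this literal name exists.
$probe = "' OR '1'='1";

var_dump( vuln_find_user( $db, $probe ) );
// -> array with ID 1 / "admin": the WHERE clause became  user_login = '' OR '1'='1'
var_dump( safe_find_user( $db, $probe ) );
// -> NULL: the parameter was matched as the literal text and found nothing

// WordPress equivalent (illustrative; requires WordPress to be loaded):
// global $wpdb;
// $row = $wpdb->get_row( $wpdb->prepare(
//     "SELECT ID, user_login FROM {$wpdb->users} WHERE user_login = %s",
//     $login
// ) );
```

Note that escaping functions are not a substitute here: the durable fix is to keep every user-controlled value out of the SQL text entirely, which is exactly what `prepare()` with `%s`/`%d` placeholders (WordPress) or bound parameters (PDO) does. Detection-wise, exploit attempts like the one above show up in web server and WAF logs as requests whose parameters contain quote characters followed by SQL keywords, which is how vendors such as Wordfence count the blocked attempts cited in the article.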
The majority of vulnerabilities discovered (81%) were classified as a “medium” severity CVSS score. Although high-threat vulnerabilities are increasing, they still comprise only a small percentage of all threats. Nevertheless, Wordfence predicts that security researchers will increasingly have to focus on high-risk vulnerabilities.
The cybersecurity firm encourages companies to invest in security education, practice good password hygiene, keep software up to date, put proper security defenses in place such as two-factor authentication (2FA), and remove unused WordPress plugins and themes.