400 WordPress Security Vulnerabilities?!

Trust me: It’s not as bad as it sounds.

Searching the National Vulnerability Database using keyword “WordPress” blasts you with 400 listed vulnerabilities! I’ve seen this number quoted recently when comparing WordPress to other content management systems, and it puts WordPress security in a negative light.

“Holy hole in a firewall, Mattman! How can you sleep at night, knowing WordPress is putting the world at risk?”

Never fear! Read on to see the truth I found just beneath the surface of those numbers.

Statistics explored

Time periods

I found these 400 vulnerabilities include all security problems reported since 2004. Searching for the last 3 years only reports 176 records, and the last 3 months reports 23 records–an encouraging trend. Still, I wanted to dig deeper.

Limitations in the search engine

The only way to get the scary 400 WordPress security issues is to search the database by keyword. While there is an advanced search by “Product,” searching for all versions of WordPress this way yields only 231 issues total. Since we’re trying to address the recurring rant that WordPress has over 400 security vulnerabilities, we’ll stick with the broader results returned by my keyword search.

Hacking off miscategorized results

28% of the results–112 issues–were not related to WordPress at all. They show up in the keyword search because somewhere in the details folks provided web links to WordPress-powered sites that give more details about the issue. Both WordPress.com blogs and self-hosted sites using the default “wordpress” directory name have “wordpress” in their page URLs.

Great–we’re down to 288 reports over 8 years.

Separating WordPress core from 3rd-party plugins and themes

WordPress enjoys a thriving theme and plugin development community, but that also means more potential security problems. 40% of results–159 issues–were from 3rd-party plugins and themes. While we need to be concerned about this, it seems the WordPress core–what you get when first installing WordPress–isn’t so bad after all. Removing the 159 3rd-party issues, we’re down to only 129 issues with WordPress core, spread over 8 years.

Positive trends–warning included

Eight years of data helps us see two important trends. Security vulnerabilities reported for WordPress core have trended downward. Issues reported for 3rd-party plugins, however, are trending upward.

While it’s great to see WordPress core being really secure, those 3rd-party plugins and themes are an important part of the WordPress ecosystem.

Stay alert, but don’t freak out

• WordPress core security is excellent and continues to improve, with quick patches released when anything is discovered.
• Plugin and Theme developers need to understand and implement security better.
• Website admins need to be careful installing plugins and themes they are unfamiliar with on a production machine.
• Plugin security review in the community would be helpful, but difficult and time-consuming.

A last word about the National Vulnerability Database

I couldn’t find any resource better than the NVD for this type of security information. That said, the database is only as good as those who report to it. Does data just come from random IT folks? Important data is being left out, for sure.

Case in point: TimThumb

Sorry to make most of you cringe. TimThumb is an on-the-fly image resizing PHP script used in many 3rd-party plugins and themes. In 2011, all hell broke loose in the WordPress community as a serious security flaw was found in TimThumb, affecting most derivative works.

There is absolutely no mention of TimThumb in the National Vulnerability Database. None.

Moving forward

Have faith in your WordPress core, fellow developers. And before you release that snazzy new plugin or theme, make sure you’ve covered the bases regarding WordPress security!