Software Vulnerabilities

posted in: News

website vulnerabilities

During some routine work to update a number of client website software packages, I was interested to discover, how many WordPress software vulnerabilities there have been in just the last few years. If you click on the link, you’ll see that’s quite a large amount, which is rather troubling.

In this article, I’m going to share a couple of points about why WordPress is fabulous and also why it’s important to have a good developer, consultant or “go-to-person” ( like me 🙂 ), on your side to help you get the most out of keeping your installation safe and up to date!

Some Basic WordPress Facts

  • As at 2019, WordPress is one of the largest open-source software platforms – it currently powers around 30% of ALL websites on the internet – that’s about 177 million websites!  It’s also powering over 40% of ALL eCommerce and online shops!
  • With such popularity comes great responsibility (and of course income, since it’s big business).  In this respect, the software has a large number of contributors and that means it’s updated regularly – The WordPress developer team has had more than 80 developers who have worked on the WordPress core.
  • WordPress “core” contains more than 430,000 lines of code !
  • WordPress also has over 54,000 apps – known as plugins, available in the wings – if there’s a feature or functionality you need that’s not available in the core, you’re quite likely to find it available as an “add on” in the WordPress plugins directory!

There are many WordPress stats out there that demonstrate how impressive the software is – and how far it has spread.  We can easily see that due to its ease of use and popularity, it has been adopted across every industry, in every country.

Nevertheless, what’s obviously not touted quite so loudly, is the number of software vulnerabilities that have been found in all of this code – which potentially could be bad news for you!  [All stats sourced from reliable sources!].

Website Software Vulnerabilities

WordPress is indeed wonderful, impressive, powerful and flexible.  But it has a ‘darkside’ – just like all software.  With so much code and so many developers, inevitably, it means errors creep in and get missed (sorry devs!) – and sometimes, these errors can be innocent and innocuous – and other times they can represent huge “glaring great big holes” in the software – or to put it in a more friendlier description – “vulnerabilities”.

Obviously, such human embellishments (aka imperfections!) are a common part of everything in our lives – not just software – and obviously, WordPress is not alone in this regard.  Nonetheless, since insecure software is not really a selling point, as a WordPress (or any software) user, you’d be forgiven for not being aware of the risks.

After-all, despite best efforts, cross-checking and testing, it’s impossible to capture weaknesses / errors that can creep in due to gaps in knowledge, inexperienced coders, changes in other related platforms, out-of-date dependencies and several other reasons. These weaknesses can become exposed as “security holes” or “software vulnerabilities” or “exploits” (basically, someone finds the backdoor!).

Quite often, these vulnerabilities are notified to, or are discovered by the developers who usually quickly rectify them and release an updated “patched version”, but in other instances, such vulnerability information can be shared or sold to those with nefarious intentions.  The worst case scenario is, at the stroke of a few keys, a malicious person could gain unauthorised entry to your website and / or database and cause you all sorts of trouble.

You only have to look at the wikipedia page “List of data breaches” to see how enormous the problem is – though to be fair, this is across all software (not just WordPress).

It is estimated that in first half of 2018 alone, about 4.5 billion records were exposed as a result of data breaches. In 2019, a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords, was posted on the web for sale

WordPress vulnerabilities
WordPress vulnerabilities

How Bad Can It Be?

Small businesses may not be the large “trophy hack”, like those listed in the breach databases that the bad guys appear to enjoy targeting.  However, because small businesses often have fewer resources dedicated to security, they may be considered to be “soft-targets”, especially when a software vulnerability has been identified in a widespread app.

Once a vulnerability has been identified, it’s quite common for hackers to use bots to trawl the internet looking for any site that’s using the same vulnerable code.  If they find this vulnerable code on your site…. well, you can guess the rest!

Looking at the number and types of WordPress software vulnerabilities that exist, it’s rather eye-opening.  According to the WP vulnerability database index, there have been a total of 2407 vulnerabilities disclosed.  Plugins accounted for 54% of them, WordPress core software is next with 31.5% of the share.  The remainder is attributed to WordPress themes which account for 14.3% of the total.  It’s important to remember that these are only the disclosed vulnerabilities (in other words, the real number could be much higher).

WordPress theme developers and the core software team are usually pretty good at getting their software updated, once they become aware of any potential security hole.  Sadly, the same can’t be said for all plugin developers.  Many plugins are out of date, often because the dev has lost interest and has simply abandoned the project.

Software Vulnerabilities – Best Practice

Such software vulnerabilities are a fact of life and there will always be a risk of a potential breach or unauthorised entry. A hacked site can mean anything from “simply” having you site defaced, to bogus advertising links being riddled throughout your installation, to being the target of a spam attack – or indeed being part of one, to perhaps the worst case scenario, the ever feared “stolen customer data”.

If this happens to you, you can expect it to be; time consuming and therefore, costly; embarrassing and potentially devastating for your business reputation; most unpleasant and best avoided.

So what can you do?  Whilst there are a number of actions you can take to at least reduce the risks, no strategy is 100% effective.  However, the first point is obvious:  software does not update itself, even when a vulnerability update is available.  Therefore, the first thing is: check for updates regularly and keep all software up to date.

Next, avoid using old or abandoned software apps – uninstall / delete them as soon as you can find an up to date replacement.  It can be difficult to find a replacement for those “good” old apps, but it should nevertheless, be your priority to only use software that is being maintained.

Another important point: Backups!  It’s always a good idea to ensure you have multiple backups in case of any disaster.  If the worst happens, you can revert to a previous build.

Furthermore, a simple trick to avoid having customer data stolen?  Don’t store customer data in an insecure manner.  Yes – this can be hard to achieve unless you trust your service provider(s) to provide highly secure systems (in other words, not storing sensitive information where it can be easily stolen).  Where possible, sensitive customer data and information should be stored in an encrypted manner, so that even if it is stolen, the hacker will find it very difficult to read.

While there are many other precautions and actions, the above should get you started; but you should also consider wider security practices too, such as using strong passwords, limiting access and so forth, as detailed in a previous article here and in another one here.

Maintenance Services

At Purple Dog, we take security and online safety seriously and do our best to encourage adoption of best practices.  We recommend that you join our service called “Club Purple” – it’s a maintenance program that stays on top of your website software and helps keep it current – with regular updates to all the software installed soon after they’re made available by the developers.  Plus a range of other benefits such as a monthly activity report, multiple off-site data backups, reduced rates for ad-hoc jobs and more!

Find out about Club Purple here:

If you have the interest. time and energy, you can also learn how to do it yourself through many various online tutorials.  Just like anything else, your website software needs maintenance so that you stay safe online.

So don’t put it off too long – get yourself up to date, or get in touch to request more information on how we can assist you.