This year, security experts have found 2500 weak spots in additional tools (called plug-ins) for WordPress, a platform used by over 43% of all websites. Security company Wordfence reports that there are still no fixes for hundreds of these security holes. WordPress allows many of these plug-ins and themes, which are created by outside developers, to be added to websites.
Most Weaknesses in Extra Tools, Not WordPress Itself
Most security issues affecting WordPress sites are in these extra tools or plug-ins. In comparison, WordPress itself only had six reported weaknesses this year, against 2500 in its plug-ins. Often, these weak points allow a type of attack called cross-site scripting. In the worst case, this could allow someone malicious to steal the website owner’s access and take over the site.
Many Medium-Impact Weaknesses, Lots of Unresolved Issues
Wordfence’s numbers show that about 2000 weaknesses have a medium impact. The troubling part is the number of these security holes still waiting to be fixed. Out of the 2500 known weak spots in the plug-ins, 678 have not been dealt with by the developers. This means more than a quarter of these known weaknesses remain open.
Unsupported Tools Pose a Big Problem
The issue in this case is that many of these plug-ins receive little or no support from their developers. WordPress often removes such plug-ins from its store so others can’t download them, but that doesn’t solve the problem for sites that already have them installed. Therefore, Wordfence strongly advises website managers to remove these plug-ins before someone with bad intentions can exploit them.