Last year, nearly one million unique WordPress sites were infected with malware, claims security company Wordfence. On any given day, between 325,000 and 350,000 sites were infected, the company's annual “WordPress Security Report” states. The malware found on these sites, for example, tries to infect visitors by offering them so-called “browser updates” or by redirecting them to a rogue website.
In many cases, WordPress websites get compromised via vulnerable plug-ins, and there were many of those last year, according to the report. According to Wordfence, the use of vulnerabilities to compromise sites increased, while the number of password attacks decreased. That is due to better password security such as two-factor authentication (2FA), according to Wordfence.
WordPress Core, the basic WordPress installation, had only five vulnerabilities last year. Plug-ins for the platform accounted for more than eight thousand, and two thousand of those are still waiting for an update. The most attacked “WordPress vulnerability” last year was in the LiteSpeed Cache plug-in, followed by a security vulnerability in the WP Meta SEO plug-in.
WordPress administrators are therefore advised to keep their installations and plug-ins up to date. Furthermore, “good password hygiene” is advised, as is setting up 2FA and not using outdated, unsupported or “abandoned” software. According to Wordfence, the reason vulnerable plug-ins go unpatched is often that the developers involved can no longer be reached or are simply unresponsive.