WordFence: State of WordPress 2022

The experts in WordPress security at WordFence have released their 2022 report on the state of WordPress security, and things are looking up compared to a few years ago!

There is Both Good and Bad News

It seems like almost every negative in this report has a positive counterpoint. This makes me hopeful about the future of WordPress as a platform and about how WordPress administrators are (on average) improving their knowledge of security practices.

Here are a few of the biggest takeaways:

  • Bad: More plugin vulnerabilities were responsibly disclosed this year.
    • Good: Because the number of security professionals taking a look at WordPress plugins has increased from last year. More good guys looking mean more vulnerabilities will be found by the good guys.
  • Good: Credential stuff attacks, where bad guys try to break into sites by using credentials found in password breaches, decreased over the course of 2022.
    • Bad: There was not a decrease in overall attacks, which means that other forms of attack increased as credential stuffing became less successful.
  • Good: There was a noticeable drop in installation (and infection) from “nulled” plugins (paid plugins that are “cracked” and distributed for free, often including malware).
    • Bad: The overall number of WordPress sites that are currently infected with malware largely stayed the same from the beginning to the end of 2022. Additionally, more WordPress sites seem to be abandoned – they are no longer receiving regular plugin or core WordPress updates. Many times these sites contain plugins with known vulnerabilities, meaning these sites often get infected and stay infected (and sometimes infect other users).

Keeping Your WordPress Site Safe

For all the WordPress administrators out there, WordFence also provides a few things to do to ensure that your site stays as safe and secure as possible:

  • Update your site and plugins regularly.
  • Ensure all users (or at least high-permission users like administrators) use long, complex, and random passwords. Especially as more and more leaked credentials populate the dark web.
    • Related to this, enable MFA (multi-factor authentication) on any and all accounts you can.
  • Never install plugins from unknown sources. Either install from the WordPress Plugin Directory or buy directly from the plugin creator.

You can read the complete 2022 State of WordPress report here.

Need More WordPress Help?

If you have any questions about running your WordPress site, need some help keeping your site up-to-date, or just need a new website, I offer WordPress Maintenance Plans that can help keep your site running smoothly!