WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with the thousands of themes that site owners can use to customize their WordPress site.
With the vast assortment of plugins and themes, there are thousands of developers with unique backgrounds, coding styles, and preferences contributing to the WordPress ecosystem. The vast differences in developers’ styles contribute to what makes WordPress the dominant CMS, as this creativity in code is what gives WordPress a diverse and uniquely customizable platform. However, with such diverse contributions to what is possible with WordPress, it is important to make sure that developers are aware of what type of code can introduce vulnerabilities, and how they can ensure they don’t create a product that has the potential to adversely affect thousands of WordPress users whose livelihoods may be running on WordPress.
This paper has been created as a resource for developers of WordPress products. It provides guidance on which coding flaws introduce some of the most common and significant WordPress vulnerabilities, along with recommendations on how to prevent introducing these vulnerabilities in the first place.
Further, we hope that this white paper serves as a tool for security researchers looking for vulnerabilities in WordPress core, themes, and plugins. This guide details what to look for when evaluating WordPress-related code and recommendations that should be supplied to a developer or vendor in the event that a vulnerability is discovered.
In this paper, you will find the most common vulnerabilities the Wordfence Threat Intelligence team discovers, along with what to look for when auditing themes or plugins for these vulnerabilities, and what measures can be taken to remediate or avoid them.
You can download the paper here, and be sure to share with colleagues who can benefit from a deeper dive into common vulnerabilities seen in the WordPress space.
Special thanks to Kathy Zant, Director of Marketing, and Ram Gall, Threat Analyst, for all of their contributions to this paper.