In this whitepaper, we will go over the biggest statistics and trends in WordPress ecosystem security in 2022. We will also offer a few pieces of advice to people building sites with WordPress. The main highlights from the year 2022 are the risk of using abandoned or poorly maintained plugins and themes, and a broader concern with security issues in the open-source supply chain. The theme of this whitepaper is one of responsibility – how every member of the WordPress ecosystem can contribute to making the internet safer. In this spirit, we’ll start off the paper with two pieces of advice – one for WordPress website developers, and one for plugin/theme makers.
If you’re a WordPress website developer, please be mindful of the plugins and themes you use in your sites. Through the years we’ve seen a lot of security issues arising from nulled, outdated, and abandoned components. Consider this fact – in 2022, we found that 26% of plugins with critical security bugs never received a patch. This means that any sites running those components are vulnerable to attacks. This number has sadly remained steady over the past few years.
If you’re a plugin/theme developer, pay attention to the libraries you are using in your own projects, and whether these are getting updates – particularly, security updates.