WordPress is undisputedly the most popular Content Management System (CMS) in use today. The most commonly quoted figure, published by W3Techs, puts WordPress at 37.7% of all websites today (July 2020) and growing. It is no surprise, then, that WordPress is also the CMS most targeted by hackers.
Despite what some believe, WordPress is a secure CMS, depending on what your definition of “secure” is.
WordPress has been around since May 27th, 2003, with the release of WordPress 0.7. That means that WordPress has been around for 17 years and has changed a lot in that time. Today, WordPress Core is a mature project, but that doesn’t mean that it does not, or will not in the future, suffer from security vulnerabilities. No software can ever be 100% secure.
The main problem with WordPress when it comes to security is its third-party plugins. These plugins can be developed by anyone, with varying degrees of security experience, and uploaded to the official WordPress plugin repository. The plugins are verified by a team at WordPress when initially uploaded, but it is not known to what extent the plugins are checked for security issues. Once the plugin has been approved, the developer is free to make any future changes without any further verification. This can lead to developers introducing security vulnerabilities in subsequent updates to the plugin.
According to Sucuri’s 2019 Website Threat Research Report, “44% of all vulnerable websites had more than one vulnerable software present in the environment”.
Here at WPScan, we offer many different solutions to this problem, to help you reduce the risk of your WordPress website being hacked through an outdated and vulnerable version of WordPress, plugin vulnerabilities, or theme vulnerabilities.
WPScan WordPress Security Scanner
Our Command Line Interface (CLI) WPScan WordPress Security Scanner can give you a hacker’s view of your WordPress security. It checks for security misconfiguration issues, as well as for known vulnerabilities in WordPress Core, plugins and themes, using our own constantly updated WordPress Vulnerability Database.
To learn how to use the CLI tool, we have some handy WPScan User Documentation available on our GitHub wiki. For those of you who may not be too comfortable using a CLI tool, we have other solutions too.
Online WPScan WordPress Security Scanner
Our Online WPScan WordPress Security Scanner is a SaaS-based solution, where you can simply enter your WordPress website’s address and we’ll take care of the rest. This solution uses our CLI tool in the background, coupled with the vulnerability data from our own WordPress Vulnerability Database. This solution also gives you a hacker’s view of your WordPress security.
WPScan WordPress Security Plugin
And for those of you who would rather install a WordPress security plugin, we have our very own WPScan WordPress Security Plugin that will list any known vulnerabilities that affect your WordPress Core version, any installed plugins and any installed themes.
We offer many different services to help keep you informed about WordPress security vulnerabilities that may affect your website. Hopefully one of our services is the right fit for you!