Whitepaper: 86 billion WordPress attacks in 6 months | Storm Internet

The 2021 Mid-Year WordPress Security Report is now publicly available. The joint Wordfence-WPScan whitepaper analyses the current WordPress threat and vulnerability ecosystem.

Although just about all the stats in the report are centred around WordPress, it’s a must-read for all website owners since many of the threats discussed are platform agnostic. Below are some of the key highlights of the whitepaper. While some of the figures below appear astronomical, it should be kept in mind that WordPress now powers 42% of all major sites, or roughly 455 million sites.

• Over 86 billion password attack attempts in 6 months. Of the various forms of password attacks, credential stuffing is the most popular, with threat actors using leaked passwords to gain access to the WordPress backend.
• Brute force attacks, in which passwords are ‘guessed’, are less common but have more than doubled in the space of six months.
• XML-RPC along with the standard WordPress login page ( ‘/wp-login.php’) are the two most frequently targeted.
• WPScan reported 602 vulnerabilities across WordPress core, themes, and plugins,  during the first six months of 2021, compared to 514 for the entire 2020, which is good. But at the same time the number of attacks seeking to exploit vulnerabilities have doubled between January and June.
• It’s worthwhile to note that only three vulnerabilities have been identified (and patched) in the WordPress core since the start of 2021.
• Cross-site Scripting (XSS) accounts for more than half of plugin vulnerabilities. XSS vulnerabilities occur when input isn’t (correctly) validated, and output remains unencoded.

Download the full report here.

Why are attacks increasing?

Perhaps the most glaring conclusion is that attacks are on the rise. This isn’t just limited to the WordPress ecosystem, but across various digital platforms and media. And yet, they all share mostly common drivers.

Ransomware attacks, for example, rose by 62% between 2019 and 2020. Given that companies are more inclined to pay the ransom, it’s seen as an easy opportunity for many threat actors.

While website attacks are more diverse in nature, they are typically also motivated by money – whether that’s selling your information back to the website owner, or selling it to other threat actors.

The other widely-cited reason for the increase in online attacks is attributed to the COVID-19 pandemic; with many people forced to work from home, there are more people on the internet and therefore more opportunities for threat actors to find new victims.

Keeping your website safe

According to security firm, DOSarrest, 90% of all websites are vulnerable to attack. It’s obvious that website security should be a key consideration, but many website owners lack the technical expertise to safeguard their websites and servers to protect against threats. If that’s you, then you’re not alone. Skills shortages are common across the spectrum.

According to Statistica, the managed hosting market grew from 12.15 billion dollars in 2010 to 81 billion dollars in 2020, with enterprises typically opting for infrastructure/application monitoring and alerting, followed by disaster recovery.

If you’re a Storm Internet client, then you can start amping up your online security by checking your website and or server security report and activating security hardening features. If your server is managed by Storm then we’re automatically taking care of security with proactive monitoring, active patching, and updated firewall rules. We’re also taking care of disaster recovery, and actively work to keep your sites and servers online.

If you’re not a Storm client, keep an eye out for our next post where we’ll provide a few tips on finding a host that puts your security first.