Top 10 WordPress plugins with the most reported vulnerabilities according to the WPScan Vulnerability Database.
Please note that past vulnerabilities do not necessarily reflect the plugins’ state today. Reporting vulnerabilities so they can be fixed, is a good thing.
What’s the data source?
I wrote a script that once per day will download the WPScan Vulnerability Database and count the vulnerabilities per plugin. The result is published in a JSON file here (use this source at your own risk, it might go away or be changed without any notice), which I parse to use as data source in the above graph.
Wordfence has 11 #irony
Yup. iThemes Security too (the slug is better-wp-security). The problem with a lot of security plugins is that they are working on really sensitive parts of the stack, so if you’re not really careful, it is easy to do more harm than good.
In Wordfence’s defence: They haven’t had a reported security issue since version 5.2.4 which was released in September 2014 (and fixed by 5.2.5 released a few days later).
For iThemes Security (better-wp-security), their last vulnerability was in 5.6.1, released in August 2016 (fixed in 5.6.2, released about 6 weeks later).
Unfortunately, the WPScan is not too much reliable, because it misses a lot of vulnerabilities.
For instance, I checked another “state-of-the-art” security plugin: All In One WP Security & Firewall.
Reading its changelog shows that from version 3.8.0 to 4.2.7 there were 19 vulnerabilities fixed (versions 4.2.7, 4.2.2, 4.2.0, 4.1.7, 4.1.6, 4.0.9, 4.0.8, 4.0.7, 4.0.6, 4.0.5, 3.9.9, 3.9.8, 3.9.5, 3.9.4, 3.9.1, 3.9.0, 3.8.9, 3.8.8 and 3.8.4).
That’s insane. And I only checked from v3.8…
There are 500k+ websites using that plugin, ouch!