WordPress As Riskiest Web Software In 2010

January 4th, 2011
WordPress Discussions

Trend Micro, an anti-virus company, announced its most dangerous list for 2010. Just about everything mentioned in the list correlates strongly with market share and size, which tends to make those targets more dangerous. This is especially apparent when Trend Micro lists Google as the most dangerous website, thanks to its popularity with blackhat-SEO schemes that lead to malware-infected sites. As for website software, Trend Micro labeled WordPress the riskiest web software used in 2010:

The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of un-patched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes.

I beg to differ. While WordPress certainly made the headlines this year as webhost after webhost became the target of attacks, in most instances it was discovered that the webhost was to blame, as was the case with Network Solutions earlier in 2010. Since WordPress-hosted sites appeared to be the ones most targeted, the webhost would immediately place the blame on WordPress itself, a theme or a plugin, causing news to spread that WordPress had a security vulnerability, which was not the case. All security vulnerabilities discovered in the WordPress software during 2010 were quickly patched and released to the community, which is why the following is no big shock to anyone with common sense:

Tens of thousands of unpatched WordPress blogs

Unpatched anything is going to be attacked. If Trend Micro wanted to give its statement validity, it would have explained that WordPress is the most popular publishing platform in use across the web and that, because of that large market share, it is a big target for malicious users. It’s the same reason Microsoft Windows is constantly under attack. However, by keeping your WordPress software up to date along with any themes or plugins in use, using a good webhost (I’ll be discussing this in more detail in a follow-up post/guide) and routinely backing up your entire website, you should have no problems sleeping at night.

  1. Glenn (1 comments.) says:

    That’s kind of like declaring that Toyota vehicles are the most vulnerable to water damage because the largest number of water damaged vehicles found after the city dam broke were Toyotas.

    The dam broke because the dam company couldn’t engineer it correctly. Toyota had the most damaged vehicles because they were the most popular vehicle in town.

    All that stat proves is that WordPress was the most popular CMS when the hosting company’s dam broke.

  2. Chris (1 comments.) says:

    I agree that this analysis is pretty shoddy. It is easier and more productive to develop tactics for attacking a larger platform because if millions are using it then there are many more opportunities to do your dirty work.

    It would be interesting to find out what software system was the most vulnerable tested side by side in a fair fight though…

  3. Kenny Younger (1 comments.) says:

    The problem is that they used the words “risky” & “dangerous”.

    “Dangerous” & “risky” are words that have to do with safety, not necessarily security.

    For example:

    Mac = Living in the country with your doors unlocked. Safe, but insecure.

    Windows = Living in the ghetto with your doors deadbolted and windows barred. Secure, but not safe.

    The problem with their analysis is they aren’t consistent. They talk about WordPress and say it’s the riskiest website software because it’s so widely used and therefore a large attack vector (true), but then go on to say Mac OS X is the riskiest OS because of poor software patching? Uh, no, that would make Mac OS X less *secure*. But it’s still *safer* than Windows.

    Either way, proper journalism would require both the explanation of the difference between safety and security, and a consistent analysis.

    I hope they are happy with the traffic they received from this article.

  4. shayne (1 comments.) says:

    Completely inaccurate. Web hosts were the issue, not WordPress.

    WordPress just happens to have millions of installs and was an easy target.

    If hosts were doing their jobs, we wouldn’t be reading this particular article.

  5. Chip Bennett (63 comments.) says:

    This just in: WindowsME is a security vulnerability, too.

    By the way, even if the redirect exploit had been the fault of WordPress (it wasn’t), “tens of thousands” of WordPress installs represents less than 1/10 of one percent of all self-hosted WordPress installs.

    Of course, WordPress wins by default. There were probably more self-hosted WordPress installs hacked than there are total installs of those other CMS applications. WordPress is the riskiest “WebSite Software” because it is, effectively, the only one in the game.

  6. Dre (2 comments.) says:

    Tred, this is plain ridiculous. The comments are spot on though.

    Here are the 3 biggest issues in order that led to all of these problems last year:

    1. Outdated software (some cases down to WordPress 2.1). Over 70% of the malware we cleaned last year was due to outdated software. This is not a WordPress issue; it’s a user awareness and execution issue that happens across all platforms.

    2. Host-specific security problems. I won’t get into names; do a Google search. There were a ton of security breaches last year on major hosts, exploiting anything from “unencrypted” user credentials to outdated host administration software. How can you be secure if your host isn’t following best practices? It happens more than you think.

    3. Exploited client-side machines. Another big issue, as is almost every year, is sites being exploited via FTP because the client’s machine has some shady business going on. It’s reality, people: if you don’t take care of your stuff, someone else will gladly use it for malicious reasons.

    How many active WordPress installs around the world today? A cubic ton, naturally the risk floor is higher because it is a widely used platform. I read this morning that WordPress is being used on 13.1% of all websites giving it more than 55% of the CMS. I have not validated this number but if it’s even semi-accurate it should be a good indicator.

    To claim it is the riskiest is irresponsible at best. Trend, please read Glenn’s comment, and quit pushing water in the wrong direction.

  7. tom hermans (2 comments.) says:

    Indeed no really logical deduction here. Large userbase > more attacks possible, esp. unpatched ..

    Looking forward to your follow up post on good webhosts.

  8. Mark (2 comments.) says:

    Trend Micro picking WordPress as the most dangerous Web software of 2010 is about like saying “Chevrolet makes the most dangerous automobiles because most criminals drive one during getaways from crime scenes” — or — “Smith and Wesson makes the most dangerous piece of metal on earth because nearly 3/4 of gunshot wounds happen with their guns”

    The most dangerous company is always the one whose PR machine makes blanket statements generated by the use of less than 3 neurons…

  9. Dave Doolin says:

    It’s pretty common around here (SF Bay Area) to hear “WordPress is insecure” from software and web application developers. It’s a meme. It’s a cultural belief. Has no basis in logic as far as I’m concerned, but then again, beliefs have requirement to be logically based.

    I don’t care anymore. I’m happy to install WordPress for someone, and just as happy to roll them a custom built site if that makes them feel happier.

  10. BT says:

    Their own blog is powered by WordPress.

  11. Tomas Kapler (6 comments.) says:

    I have to blame WordPress, because it is WordPress (the team) who are doing everything to SUPPORT NOT PATCHING:

    a) not testing plugins even for the most common critical updates
    b) allowing plugins which show warnings when WordPress debug is true
    c) not pushing developers to update their plugins (and not allowing plugins with inactive developers to be taken over)
    d) showing plugins for very old and insecure versions of WP
    e) not pushing plugins to use developer standards (WP-only functions, i18n …)
    f) not pushing users with very old WordPress versions
    g) WordPress does not contain any checks for possible security problems (there are a few plugins which do something; they should be implemented into core)…

    They do a lot of this with themes (though there could be improvements there too), so why not for plugins?!?! I have asked for this several times before and their answer was “we are not going to do it”.

    So it is a WordPress problem.

    • dre (2 comments.) says:

      One word, capitalize the P.

    • Chip Bennett (63 comments.) says:

      None of those things make WordPress itself insecure. All of those things have to do with how the end user uses WordPress.

      If you register a domain name, purchase a hosting account, and install public-facing software, you bear the responsibility for how you install and use that software. An end user’s improper installation and/or use of that software (poorly configured permissions, easily brute-forced passwords, not bothering to click one button to update core, Themes, and Plugins, etc.) that leads to his installation getting hacked reflects poorly on that end user, not on the software itself.

      • Tomas Kapler (6 comments.) says:

        It is like saying that you simply ignore the drivers of your cars, and if they die because they bought insecure 3rd-party wheels from your eshop, you just say “they should use the original ones”.

        Users are stupid. Yes, we are. No one understands everything. Yes, a skilled programmer may look at the plugin before he installs it and before any plugin update. But how many such users are there? 0,00001 %? I doubt that even 1 user goes deeply through all plugins before every single plugin update.

        Few of us do not believe in plugins at all and develop our own versions, at least for the simpler things. But when you have software for the masses, you must focus on the masses and overall mass stupidity.

        I wrote simple checks which can be done on the WordPress side; most of them would mean just reusing existing theme procedures and plugins. I believe that they should be done and that they would improve the overall WordPress security. And this should be the WordPress team’s first priority.

        • Chip Bennett (63 comments.) says:

          RE: after-market tires – that is exactly what I would say. Use the manufacturer’s recommended tires. If you don’t, whatever happens is on you, not me.

          Everything you’re describing is PEBKAC, and cannot and generally should not be addressed by the core developers. They have more important things on which to spend their time and effort.

          Public-facing web software applications are powerful, and inherently dangerous. Look at the whole transaction stack, and ask yourself how relatively dangerous WordPress is: Shared Web Host, Linux, Apache, MySQL, PHP, WordPress, (possibly unsecured) wi-fi router, web browser (or FTP client), user.

          Is WordPress really any more or less (relatively) dangerous than any other application in that stack? Do WordPress developers bear any more or less relative responsibility for protecting WordPress against the single greatest source of risk (the user)?

          Just a suggestion: why not take those “simple checks” you wrote, package them up as a Plugin, and add it to the Plugin Repository so that everyone can benefit? Or, if you feel that strongly about it, submit them as a core patch.

          • Tomas Kapler (6 comments.) says:

            The problem with tires is that you offer them in your eshop (aka the WordPress official plugin repository) and that all tires are 3rd party (every plugin is 3rd party, none is from WP, and WP originally is very limited).

            P.S.: when leading developers say that they will not implement it, why would I waste my time? And most of this would need to be implemented on the magento plugin repository side, otherwise it would be almost useless.

          • Tomas Kapler (6 comments.) says:

            P.S.: I do not say that WP is more or less dangerous than the others; if you want to know my opinion, it is more dangerous as there are more plugins and more newbie users and developers, but it is not so important.

            The point is that WordPress is a strong brand. And I believe that the WP team does not want it to be compromised.

            It is like security improvements in IE – yes, MS could stay with the basic security and only offer patches for its problems and not care when people use wrong security settings etc. But this makes IE the most insecure browser in history, and even the perception of the newer versions without such problems is poor; security is always a question when comparing with other browsers, which is not the case when a user compares e.g. Opera vs. Firefox.

  12. MacGuffin, the devil's advocate says:

    “However, by keeping your WordPress software up to date along with any themes or plug-ins in use,…”

    Exactly the point, where the problems begin. However.

  13. Bill Bennett (3 comments.) says:

    I’m not saying Trend Micro made this stuff up. And I’m not saying it isn’t important. But you have to keep in mind Trend Micro is a security software company. It has a vested interest in ramping up paranoia levels.

  14. Suneel (1 comments.) says:

    Trend Micro had been hasty and I think their PR team was even more anxious to release the news that many WordPress blogs are under attack or being used as a means to attack.

    Is there any update to this news? Like TM actually saying they didn’t mean that way? I think not, yet.

  15. Tami says:

    Might also be a good idea to include a feature in WordPress which automatically sends an email to the web admin if there are available critical patches or something along those lines.
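Tami’s suggested feature, built the way Chip Bennett suggests above (package it as a plugin rather than wait for core), as an added example that is not part of the original post, of any comment, or of WordPress itself. It is a small must-use plugin written for this page against the public WordPress API: a daily WP-Cron job refreshes the update data WordPress already caches, reads the core, plugin and theme update transients, and emails the site’s admin address when anything is pending. The file name, hook name and option key are made up for the example; the API calls (`wp_schedule_event`, `wp_version_check`, `get_site_transient`, `wp_mail` and friends) are the real ones.

```php
<?php
/**
 * Plugin Name: Pending Update Notifier (added example, not a WordPress feature)
 * Description: Emails the admin once a day when core, plugin or theme updates
 *              are pending. Save as wp-content/mu-plugins/pending-update-notifier.php.
 */

// Hook name and option key are made up for this example.
const PUN_CRON_HOOK   = 'pun_daily_update_check';
const PUN_LAST_NOTICE = 'pun_last_notice_hash';

// Schedule the daily check the first time the plugin loads (WP-Cron).
add_action( 'init', function () {
    if ( ! wp_next_scheduled( PUN_CRON_HOOK ) ) {
        wp_schedule_event( time(), 'daily', PUN_CRON_HOOK );
    }
} );

/**
 * Collect pending updates from the transients WordPress maintains itself.
 * Returns one human-readable line per pending update; empty when current.
 */
function pun_pending_updates() {
    $lines = array();

    // Refresh the cached update data so a stale transient is not trusted.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    // Core: the 'update_core' transient lists offers; 'upgrade' means a newer release exists.
    $core = get_site_transient( 'update_core' );
    if ( isset( $core->updates ) ) {
        foreach ( $core->updates as $offer ) {
            if ( 'upgrade' === $offer->response ) {
                $lines[] = sprintf( 'Core: %s -> %s', get_bloginfo( 'version' ), $offer->version );
                break;
            }
        }
    }

    // Plugins: 'response' is keyed by plugin file and holds objects.
    $plugins = get_site_transient( 'update_plugins' );
    if ( ! empty( $plugins->response ) ) {
        foreach ( $plugins->response as $file => $data ) {
            $lines[] = sprintf( 'Plugin: %s -> %s', $file, $data->new_version );
        }
    }

    // Themes: 'response' is keyed by theme slug and holds arrays.
    $themes = get_site_transient( 'update_themes' );
    if ( ! empty( $themes->response ) ) {
        foreach ( $themes->response as $slug => $data ) {
            $lines[] = sprintf( 'Theme: %s -> %s', $slug, $data['new_version'] );
        }
    }

    return $lines;
}

// Email the admin, but only when the set of pending updates has changed,
// so a site that is never updated is not nagged with an identical mail every day.
add_action( PUN_CRON_HOOK, function () {
    $lines = pun_pending_updates();
    if ( empty( $lines ) ) {
        delete_option( PUN_LAST_NOTICE ); // Everything current; reset so the next gap is reported.
        return;
    }

    $hash = md5( implode( "\n", $lines ) );
    if ( get_option( PUN_LAST_NOTICE ) === $hash ) {
        return; // Same list as last notice.
    }
    update_option( PUN_LAST_NOTICE, $hash );

    $subject = sprintf( '[%s] %d pending update(s)', get_bloginfo( 'name' ), count( $lines ) );
    $body    = "The following updates are available for your site:\n\n"
             . implode( "\n", $lines )
             . "\n\nApply them from " . admin_url( 'update-core.php' ) . "\n";
    wp_mail( get_option( 'admin_email' ), $subject, $body );
} );
```

The check reuses the same transients the dashboard’s “Updates” badge reads, so it never contacts anything but api.wordpress.org, and it relies on WP-Cron, which only fires on page loads; a site with no traffic should trigger wp-cron.php from the host’s cron instead.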

  16. that girl again (41 comments.) says:

    So… it’s OK for them to list Google as the most dangerous website but not WP as the most dangerous web software? It sounds to me like they’re using the same logic in both cases. Obviously using the same software as everyone else is going to be risky, because this is the code all the bad guys are trying to find and exploit holes in, and obviously there are thousands of outdated and insecure wordpress sites knocking around, thanks to webhosts offering one-click installs that make it easy to set up WP and forget about it.

    There are two ways you can approach this: you can be fanboys and deny that there’s a problem, or you can use it to emphasise the importance of keeping your site updated and performing thorough safety checks on all themes and plugins. I’d like to see a guide to anti-malware plugins, for example.

  17. Ulysses (15 comments.) says:

    Trend Micro just couldn’t come up with a better pick, so it chose WordPress because it’s ubiquitous. Just the sheer number of unpatched blogs makes it dangerous? If a good percentage of blog owners and administrators update their WordPress blogs, security wouldn’t be an issue. So, naming WordPress the most dangerous software is misleading.

  18. Ondrej says:

    Not just WordPress, I bet that these clowns themselves:

    – Use Macs
    – Search with Google
    – Have a Facebook page (they do)
    – Send newsletters in the PDF format
    – At least somebody there uses Internet Explorer
    – And don’t tell me that they have disabled Java on their comps.

    Eat your own dogfood guys! Show us that you don’t use all this poison yourself before you start lecturing others.

  19. Ike (13 comments.) says:

    Trend Micro is popular with enterprise-level IT people, who are looking for a reason to not like WordPress. Essentially, WordPress is a piece of code, and there is no corporate-level support (or sales) they can shift the burden to.

  20. J.D.MN says:

    None of the so-called leading-edge prophylactic vendors, like Trend, are. Except, perhaps, in sales which means nothing about quality in the real world. Look at the infamous MSFT.

    In edgy thought, giants are stumblers, fumblers, also rans and more frequently (and successfully) targeted than lesser known trending thought software/platforms.

    In whiny America (USA), blame is an important game. Pointing fingers or finding blame serves no useful purpose. Close review of IT problems followed by solution focus outcomes wins every time. US IT is far from that perspective which helps keep them a fair distance from the front of the line.

    Nothing Trend (and numerous other oligarchic vendors) says interests most WordPressians. Hopefully this story and its perspective will properly ding Trend in the marketplace–the area where they are no doubt focused. The rest they do is mostly smoke and mirrors.

    Success breeds mediocrity as it ascends the corporate ladder. The last heard of Trend on this front was in the year of WinME (Millions of Errors). They are expendable….

    On the other hand, WP deserves support. At least a few hosts are beginning to wake up to WP reality. The individual blogs/sites are the responsibility of the owner/authors; hosts had better be vigilant to minimize their exposure for “business as usual”. That doesn’t exist on the Internet. Every day is day one of the future-web.

  21. Mark (2 comments.) says:

    TREND MICRO HAS PRODUCED AT LEAST 30 VULNERABILITIES IN ITS OWN PRODUCTS over the last 3 years alone – including 2 in 2010, one of which crashes a computer and another which lets the bad guys run arbitrary code on a user’s system.

    From where I sit, that’s infinitely more dangerous than having some nutcase scammers issue redirects through the world’s most popular web platform.

    By producing these kinds of press releases and reports, Trend Micro and other companies like them (IBM, Symantec, McAfee, Kaspersky, et al) who routinely do the same thing are looking for one thing: Free media coverage. I’ve seen it so many times over the past 15 years that it’s totally expected, and summarily ignored for the hype that it is – by diligent news reporters anyway.

  22. drmike (7 comments.) says:

    The 3.0.2 security fix was for a security problem known for 18 months:

  23. Jack (1 comments.) says:

    “Tens of thousands of un-patched WordPress blogs were used by cybercriminals”

    This says it all really… with such a popular (because it’s awesome) open source CMS, there will always be out-of-date installations all over the web. Not WordPress’ fault – they are always updating it, with easy one-click upgrades.

  24. Gareth (1 comments.) says:

    Jeff, your remark that “If Trend Micro wanted to give their statement validity, they would have explained that WordPress is the most popular publishing platform in use across the web and because of that large market share, it is a big target for malicious users. It’s the same reason Microsoft Windows is constantly under attack.” is dead on. It is a simple numbers game for cyber criminals. With so many installations, they are bound to find numerous ‘opportunities’, i.e. outdated installations.

    Not only the manufacturer has an obligation to constantly update their software. End users do so as well. I mean, if you were to buy a new car, aren’t you supposed to have regular maintenance? You cannot expect that car to continue to work properly for, say, 10 years without ever going to a garage…

  25. Larry (1 comments.) says:

    I agree. It’s typical hosts would see the trend of attacks being made to WordPress sites and “assume” the problem has to be WordPress.

    WP is a great CMS but the problem is you’re at the mercy of the developers of these plugins/themes. The moment a new version of WP gets released you can only hope a hole didn’t get created that needs to be patched (not to mention upgrading doesn’t cause plugins to no longer work properly).

    If you have numerous plugins, you pretty much increase your chances of a potential hack as updates come out.

    Many authors do a great job of releasing necessary updates but you’re still at their mercy.

  26. doktorthomas2 (1 comments.) says:

    Trend Micro isn’t what it once was. I can’t see using them or their advice for anything. Haven’t used them since the first time their software got hacked; that’s been a while. Generally, corporate leaders in IT are lost and/or misdirected. For small guys, using them as little as possible is probably a good choice. The big guys are more targeted because they are big.

    I had nearly 100 WP sites running during 2010 (all updated and all with multiple security plugins). The ones at hosting services with poor security practices got hacked. The ones at the better hosts did not. I won’t embarrass the less secure hosts, but rest assured I do not have sites hosted there any more (4 vendors). I had only one non-WP site at a secure vendor; that site was not hacked. I agree that hosts are more responsible for pervasive hacking results than web site operators.

    It is a sad state of affairs that governments are more than willing to restrict lawful users and turn a blind eye to the villains who attack the public’s sites. All users should keep their efforts high to keep governments away from the Internet.

    Because of personal demands on my time, I am effectively off line. However, relaunching later this year will happen for half of the mentioned sites (my interests have changed). I am going to use a well-chosen hosting company with control and maximum security.

    Anyway I disagree with Trend Micro. Am enjoying most of the posts here on the Trend comment. Keep blogging.

Obviously Powered by WordPress. © 2003-2013