Industry Analyst & Strategist

The WordPress Reports (2023)

Over the last few weeks we've had a number of fantastic independent reports on WordPress security, professionals, and more. So, with great apologies to Mark Halperin's Wide World of News and his occasional What That Loudmouth Will Still Say on Your Morning Zoom, here is my attempt at How to Discuss That on Slack.

In 2022 we saw 328% more security bugs reported in WordPress plugins – we added 4,528 confirmed security bugs to our database, compared to 1,382 in 2021.

The vast majority of the security bugs were found in plugins (93%). Themes accounted for 6.7% of bugs and only 0.6% were in the WordPress core platform itself.

This doesn’t mean that WordPress is unsafe, or that plugin developers are getting sloppier - rather, the security researchers are looking harder and farther.

This also means that the WordPress ecosystem is becoming more secure because a lot more of these security bugs are being addressed and patched.

What that Slack slacker will say: WordPress is great, we are on top of securing 50%; can you imagine any other open source project with this much exposure still being secure!

What the enterprise Slack slacker will say: How the heck can I trust mission critical services and solutions to an ever growing target without breaking the bank?

What you should Slack: Move security outside of WordPress. With plugins offering trivial points of entry, you'll never be able to stop every exploit in-app. External threat mitigation, filtering requests before they ever reach the application, gives the freedom folks need to build with WordPress while true security experts focus on the problems.

The average number of open source components in a given application this year was 595. When monitoring for security vulnerabilities and performing security maintenance activities, what might be practical for a small number of components becomes overwhelming and virtually impossible at this scale, and demands the use of an automated solution like software composition analysis (SCA).

Eighty-four percent of codebases contained at least one known open source vulnerability, an almost 4% increase from the 2022 edition of the OSSRA report. And 48% of the codebases we examined contained high-risk vulnerabilities, down only 2% from last year. High-risk vulnerabilities are those that have been actively exploited, already have documented proof-of-concept exploits, or are classified as remote code execution vulnerabilities.
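To make concrete what an SCA tool actually does at the scale the report describes, here is an added example written for this commentary; it is not code from the OSSRA report or from any SCA product. It matches each codebase's pinned components against an advisory feed, applies the report's three high-risk criteria (actively exploited, public proof-of-concept, or RCE), and computes the two headline percentages over a handful of codebases. Every package name, version and advisory in it is constructed for illustration and refers to no real project or CVE.

```python
"""Minimal software-composition-analysis (SCA) style scan.

Added illustration for this post, not code from the OSSRA report or from
any real SCA product. Every package name, version and advisory below is
constructed for the example; none refers to a real project or CVE.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple        # first affected version, inclusive
    fixed: tuple             # first fixed version, exclusive; () means no fix yet
    rce: bool = False        # remote code execution
    exploited: bool = False  # known active exploitation
    poc: bool = False        # public proof-of-concept exploit

    def high_risk(self) -> bool:
        # Same three criteria the report uses to label a vulnerability high-risk.
        return self.rce or self.exploited or self.poc


def parse_version(text: str) -> tuple:
    """'2.8.1' -> (2, 8, 1); tuples compare component-wise, which is enough here."""
    return tuple(int(part) for part in text.split("."))


def affected(adv: Advisory, version: str) -> bool:
    """True if `version` falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < adv.introduced:
        return False
    if adv.fixed and v >= adv.fixed:
        return False
    return True


def scan(components: dict, advisories: list) -> list:
    """Match one codebase's pinned components against the advisory feed.

    Returns (package, version, advisory) triples, one per matching advisory.
    """
    return [
        (pkg, ver, adv)
        for pkg, ver in components.items()
        for adv in advisories
        if adv.package == pkg and affected(adv, ver)
    ]


def summarize(codebases: dict, advisories: list) -> dict:
    """Reproduce the report's headline metrics over a set of codebases."""
    findings = {name: scan(comps, advisories) for name, comps in codebases.items()}
    total = len(codebases)
    with_any = sum(1 for f in findings.values() if f)
    with_high = sum(1 for f in findings.values() if any(a.high_risk() for _, _, a in f))
    # Count each vulnerable package once per codebase, then rank across codebases.
    per_codebase = Counter(pkg for f in findings.values() for pkg in {p for p, _, _ in f})
    return {
        "codebases": total,
        "pct_any_vuln": round(100.0 * with_any / total, 1),
        "pct_high_risk": round(100.0 * with_high / total, 1),
        "top_component": per_codebase.most_common(1)[0][0] if per_codebase else None,
        "findings": findings,
    }


# Constructed advisory feed (hypothetical packages, not real advisories).
ADVISORIES = [
    Advisory("acme/js-helpers", introduced=(1, 0, 0), fixed=(3, 5, 0), poc=True),
    Advisory("acme/image-tools", introduced=(2, 0, 0), fixed=(2, 8, 1), rce=True),
    Advisory("acme/yaml-parse", introduced=(0, 1, 0), fixed=(1, 4, 2)),            # no exploit known
    Advisory("acme/template-kit", introduced=(4, 0, 0), fixed=(), exploited=True),  # unpatched
]

# Constructed lock-file contents for five codebases: package -> pinned version.
CODEBASES = {
    "shop":     {"acme/js-helpers": "3.4.1", "acme/image-tools": "2.8.1"},
    "blog":     {"acme/js-helpers": "3.6.0", "acme/yaml-parse": "1.3.0"},
    "intranet": {"acme/js-helpers": "2.2.4", "acme/template-kit": "4.2.0", "acme/yaml-parse": "1.4.2"},
    "api":      {"acme/image-tools": "2.9.0"},
    "legacy":   {"acme/js-helpers": "1.12.4", "acme/image-tools": "2.3.0", "acme/yaml-parse": "0.9.0"},
}


if __name__ == "__main__":
    report = summarize(CODEBASES, ADVISORIES)
    for name, found in report["findings"].items():
        flags = ["HIGH" if a.high_risk() else "low" for _, _, a in found]
        print(f"{name:9s} {len(found)} finding(s) {flags}")
    print(f"codebases with a known vuln: {report['pct_any_vuln']}%  "
          f"with high-risk: {report['pct_high_risk']}%  "
          f"most common vulnerable component: {report['top_component']}")
```

Two design points carry over to real tooling. The range check is [introduced, fixed), so a component pinned at exactly the fixed version is clean and an advisory with no fix matches every later version, which is what an unpatched, actively exploited component looks like in a scan. And "contains a vulnerability" is counted per codebase, not per finding, which is why a single codebase with three outdated components (legacy above) moves the headline percentage by the same amount as one with a single issue.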

What that Slack slacker will say: If only the rest of the stack could be as secure as WordPress.

What the enterprise Slack slacker will say: Great, now I'm spending even more money and getting less sleep.

What you should Slack: Almost half of the exploits in this report (47%) are related to jQuery! PHP has fantastic numbers, except that when it gets exploited you wind up with high-risk vulnerabilities.

Jason Nickerson, in Exploring the 2023 Open Source Security and Risk Analysis Report: Key Insights and Implications for Businesses, takes a quick look at the report as well: "Open source software is at an all-time high with projects like WordPress, which now powers over 43% of the internet. However, with the widespread adoption of open source comes new security and compliance risks."

Survey Says

OpenLogic, 2023 State of Open Source Report:

The 2023 State of Open Source Software Survey started with a question about open source use and adoption over the past 12 months. According to this year's respondents, the use of open source went up, with 80.04% affirming that they have increased their use of open source (compared to 77% last year), and 41.28% noting a significant increase (versus 36% last year).

What that Slack slacker will say: The Democratization of the Web is real!

What the enterprise Slack slacker will say: If one more department secretly deploys a WordPress site without going through IT, we're going to turn off the internet.

What you should Slack: I'm always surprised that we report any number less than 100%. Open source is embedded in literally everything, from your mobile devices, to SaaS platforms that are integrated with proprietary solutions. We are missing the forest for the trees.

Specifically for professionals, The Admin Bar, WordPress Professional Report:

My goal with the survey was to evaluate our collective performance. This provides the ability to identify opportunities for growth and improvement.

What that Slack slacker will say: I'm in a lot of company with my WordPress side-gig, that's cool.

What the enterprise Slack slacker will say: Yes, I've viewed the AirTable, and I know it's a small sample size, but how can I trust mission critical enterprise business to agencies and professionals that can't clear six figures in income?

What you should Slack: WordPress professionals are selling themselves short! Around 65% charge less than $5,000 for a website, 55% have profit margins below 40%, and worst of all, 42% never charge for discovery!

Please let me know on the socials or by email whether you enjoyed the Slack slacker and whether it's worth having this discussion with myself again in the future.

© 2024 Warbi, Inc. and Robert Jacobi
All rights reserved.