25% Of WordPress Security Holes Thanks To Just 3 Add-Ons

25% Of WordPress Security Holes Thanks To Just 3 Add-Ons

WordPress is arguably the most prevalent of content management systems on the web today so, unsurprisingly, it’s a massive target for malicious activities. While the core WordPress package has had its share of security issues, it’s outdated plugins that are a major contributor, with three in particular comprising 25 per cent of all WordPress vulnerabilities.

Which three plugins should you make sure are up-to-date? The culprits are TimThumb (dynamic image resizing), RevSlider (now Slider Revolution, simplifies creating responsive designs) and GravityForms (contact form creator), according to a new report from web security firm Sucuri.

RevSlider and TimThumb in particular were singled out:

Almost 10% of the compromised WordPress sites that we analyzed had a vulnerable version of RevSlider. When you combine RevSlider, Gravity Forms, and TimThumb, they account for 25% of the total compromised WordPress sites. All three plugins had a fix available over a year, with TimThumb going back multiple years (four to be exact, circa 2011).

It goes on to mention that website administrators need to be vigilant when it comes to updating not only WordPress, but installed plugins as well.

One might advocate automatic updates, but this would only work for the most basic of WordPress websites. More often than not, complex sites have custom themes and modified plugins, which would cause a lot of pain if you had no control over the upgrade process.

Website Hacked Report 2016 — Q1 [Sucuri, via Softpedia]


  • Thanks for picking the story, surely a very in-depth look at the website security challenges we look at this year.
    On June 1st, 11am PST, our founders, Daniel Cid and Tony Perez, will be presenting a special webinar going over this report, in greater detail. If anyone is interested to join, we do have a maximum 1,000 seats, so be sure to get yours now: http://sucuri.hs-sites.com/webinar-website-hacked-report-2016-q1

Comments are closed.

Log in to comment on this story!