Regular Updates Remain Important
Keeping WordPress core, plugins, and themes up to date remains an important best practice,
but even in cases of rare critical 0-day vulnerabilities, a Web Application Firewall, such as the
one offered by Wordfence, is sufficient to keep most sites safe.
Despite record numbers of vulnerabilities being disclosed and patched in the WordPress
ecosystem, the vast majority of attacks in 2022 targeted vulnerabilities in practice and
process, rather than in software.
Even attacks targeting specific vulnerabilities predominantly focused on obtaining site
takeover on the few remaining vulnerable installations of plugins with easily exploitable
critical flaws, rather than on the much larger number of newly discovered but more difficult to
exploit vulnerabilities. As such, the greatest threat to WordPress security in 2022 was neglect
in all its forms.
Conclusion
We saw a number of changes in 2022, but one of the most significant was an increase in the
number of responsibly disclosed vulnerabilities, and we plan to continue this trend with the
launch of Wordfence Intelligence Community Edition, which is free to use, including for
commercial purposes. Despite the fact that more vulnerabilities were disclosed overall, very
few vulnerabilities were critical zero-days.
Meanwhile, credential stuffing attack volume declined for the first time in years, though it
remains the most common attack type by a large margin.
Nulled plugin installations, as well as average daily infections, declined. Persistent malware
infections are on the rise, however, as more sites go unmonitored and unmaintained,
coinciding with an increase in attackers searching for previously infected sites.
As a reminder, Wordfence Care includes site cleaning services when necessary, but it also
comes with an annual site audit to identify the biggest risks to your site as well as monitoring
for potential issues. If you require faster response times, Wordfence Response includes all the
features of Wordfence Care plus a 1-hour response time and 24-hour remediation.