Data Confirms A Surge In WordPress Vulnerabilities


WordPress security researchers at Patchstack published their annual State of WordPress Security whitepaper, which shows an increase in high- and critical-severity vulnerabilities and highlights the importance of security for every website on the WordPress platform.

XSS Is Top WordPress Vulnerability Of 2023

There are many kinds of vulnerabilities, but the most common by far was cross-site scripting (XSS), accounting for 53.3% of all new WordPress security vulnerabilities.

XSS vulnerabilities generally occur due to insufficient sanitization of user input, that is, failing to block input that does not conform to what is expected. Patchstack shared that the Freemius framework, a third-party managed eCommerce platform, accounted for over 1,200 XSS vulnerabilities, representing 21% of all new XSS vulnerabilities discovered in 2023.
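As an added illustration of how the insufficient sanitization described above turns into a reflected XSS in a WordPress plugin, here is a hypothetical shortcode shown first as written insecurely and then hardened (example code written for this page, not from the Patchstack report or any named plugin; the shortcode name and the `demo_` functions are invented, while `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr` and `add_shortcode` are real WordPress functions):

```php
<?php
// Added illustration, not code from the Patchstack report or any named plugin.
// A hypothetical "search echo" shortcode that reflects the visitor's query back
// into the page: first with insufficient sanitization, then hardened.

// VULNERABLE: the raw query-string value is echoed straight into HTML.
// If the value contains markup (for example a <script> tag) the browser renders
// it as part of the page, so a visitor who follows a crafted link executes
// attacker-supplied script in the context of the site (reflected XSS).
function demo_search_echo_vulnerable( $atts ) {
    $query = isset( $_GET['q'] ) ? $_GET['q'] : '';
    return '<p>You searched for: ' . $query . '</p>';
}

// HARDENED: sanitize on input, escape on output, in the context where it is used.
function demo_search_echo_hardened( $atts ) {
    // wp_unslash() undoes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid UTF-8 and control characters.
    $query = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';

    // Reject input that does not conform to what we expect (a short search term).
    if ( strlen( $query ) > 100 ) {
        $query = '';
    }

    // esc_html() encodes <, >, &, " and ' so the value is shown as text, never parsed as HTML.
    $out = '<p>You searched for: ' . esc_html( $query ) . '</p>';

    // The same value inside an attribute needs attribute-context escaping instead.
    $out .= '<input type="search" name="q" value="' . esc_attr( $query ) . '">';

    return $out;
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'demo_search_echo', 'demo_search_echo_hardened' );
```

The defensive pattern is the same whether the input comes from a query string, a form field or a saved option: validate and sanitize it when it arrives, then escape it for the exact context (HTML body, attribute, URL, JavaScript) when it is output.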

The Freemius Software Development Kit (SDK) is used as a component of over 1,200 plugins, which in turn are installed on over 7 million WordPress sites. This highlights the problem of supply chain vulnerabilities: when a shared component is part of a WordPress plugin, a single flaw in that component widens the scope of the vulnerability far beyond one plugin.

Patchstack’s report explained:


“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk.

21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw. It’s vital for developers to choose their stack carefully and promptly apply security updates when these become available.”

More Vulnerabilities Rated High Or Critical

Vulnerabilities are assigned a severity score that corresponds to how disruptive a discovered flaw is. The ratings range from low, through medium and high, to critical.

In 2022, 13% of new vulnerabilities were classified as high or critical. That percentage skyrocketed to 42.9% in 2023, meaning that there were more destructive vulnerabilities in 2023 than in the previous year.

Authenticated Versus Unauthenticated Vulnerabilities

Another metric that pops out in the report is the percentage of vulnerabilities that require no authentication (unauthenticated), meaning the attacker does not need any user permission level in order to launch an attack.

Flaws that require an attacker to hold subscriber-level to admin-level permissions set a higher bar for attackers to overcome. Unauthenticated vulnerabilities do not require the attacker to first obtain any permission level, which makes them more concerning because they can be exploited through automated attacks, such as bots that probe a site for the vulnerability and then launch the attack automatically.

Patchstack found that 58.9% of all new vulnerabilities required no authentication at all.


Abandoned Plugins Spike As a Risk Factor

Another significant cause of vulnerabilities is the large number of abandoned plugins. In 2022 Patchstack reported 147 abandoned plugins and themes to WordPress.org; of those, 87 were removed and the remainder were patched.

The number of abandoned plugins and themes exploded from 147 in 2022 to 827 in 2023. Whereas 87 vulnerable abandoned plugins were removed in 2022, 481 were removed in 2023.

Patchstack noted:

“We reported 404 of those plugins in a single day to draw attention to the “zombie plugin pandemic” in WordPress. Such “zombie” plugins are components that seem safe and up-to-date at first glance, but may contain unpatched security issues. Furthermore, such plugins remain active on user sites even if they are removed from the WordPress plugins repository.”

Most Popular Plugins With Vulnerabilities

As mentioned earlier, severity ratings range from low, through medium and high, to critical. Patchstack compiled a list of the most popular plugins with vulnerabilities.

In 2022 there were 11 popular plugins with over a million active installations that contained vulnerabilities. In 2023 Patchstack lowered the bar from a million to over 100,000 installations. Yet despite making it easier to get on the list, only 9 popular plugins were found to have a vulnerability, far fewer than in 2022.

In 2022, only five of the 11 most popular plugins with vulnerabilities contained a high-severity vulnerability, none contained a critical-level vulnerability, and the rest were medium severity.


Those numbers became significantly worse in 2023. Despite the lower threshold for what counts as a popular plugin, every one of the nine plugins on the list contained a critical-level vulnerability. The overwhelming majority, six out of nine, contained unauthenticated vulnerabilities, meaning that exploiting them is easy to scale with automation. The remaining three that required authentication only required subscriber-level access, which is the easiest permission level to acquire: just sign up, verify the email and they’re in. That too can be scaled with automation.

List Of Most Popular Plugins With Vulnerabilities

  1. Essential Addons for Elementor, 1M+ installations (severity rating 9.8)
  2. WP Fastest Cache, 1M+ installations (severity rating 9.3)
  3. Gravity Forms, 940k installations (severity rating 8.3)
  4. Fusion Builder, 900k installations (severity rating 8.5)
  5. Flatsome (Theme), 618k installations (severity rating 8.3)
  6. WP Statistics, 600k installations (severity rating 9.9)
  7. Forminator, 400k installations (severity rating 9.8)
  8. WPvivid Backup and Migration, 300k installations (severity rating 8.8)
  9. JetElements For Elementor, 300k installations (severity rating 8.2)

State Of WordPress Security Is Worse

If you feel like there are more vulnerabilities lately than ever before, now you know the reason; the statistics speak for themselves. There were more vulnerabilities in 2023, and a greater percentage of them are at high and critical levels that can be exploited with automation at scale.

This means that all publishers need to improve their security and make sure that someone is taking responsibility for auditing their plugins and themes on a regular basis to make sure they are all updated and actively maintained.

SEOs should take notice because security quickly becomes a ranking problem when Google drops a hacked site from the search results. Many SEOs who perform site audits don’t do even the most basic security checks, like verifying that the security headers are in place, which is something that I do as a part of every audit I perform. Always make sure to have a discussion with clients about their security so that they are aware of the risks.

Patchstack is an example of a service that automatically protects WordPress sites against vulnerabilities even before the plugin issues a patch to fix the vulnerability. Those kinds of services are important in order to create a defense against getting hacked and losing search visibility and earnings.

Read the Patchstack report:

State of WordPress Security In 2023


Featured Image by Shutterstock/Iurii Stepanov

Google Limits News Links In California Over Proposed ‘Link Tax’ Law

Published

on

By

A brown cardboard price tag with a twine string and a black dollar sign symbol, influenced by the Link Tax Law, set against a dark gray background.

Google announced that it plans to reduce access to California news websites for a portion of users in the state.

The decision comes as Google prepares for the potential passage of the California Journalism Preservation Act (CJPA), a bill requiring online platforms like Google to pay news publishers for linking to their content.

What Is The California Journalism Preservation Act?

The CJPA, introduced in the California State Legislature, aims to support local journalism by creating what Google refers to as a “link tax.”

If passed, the Act would force companies like Google to pay media outlets when sending readers to news articles.

However, Google believes this approach needs to be revised and could harm rather than help the news industry.


Jaffer Zaidi, Google’s VP of Global News Partnerships, stated in a blog post:

“It would favor media conglomerates and hedge funds—who’ve been lobbying for this bill—and could use funds from CJPA to continue to buy up local California newspapers, strip them of journalists, and create more ghost papers that operate with a skeleton crew to produce only low-cost, and often low-quality, content.”

Google’s Response

To assess the potential impact of the CJPA on its services, Google is running a test with a percentage of California users.

During this test, Google will remove links to California news websites that the proposed legislation could cover.

Zaidi states:

“To prepare for possible CJPA implications, we are beginning a short-term test for a small percentage of California users. The testing process involves removing links to California news websites, potentially covered by CJPA, to measure the impact of the legislation on our product experience.”

Google Claims Only 2% of Search Queries Are News-Related

Zaidi highlighted people’s changing news consumption habits and their effect on Google search queries (emphasis mine):

“It’s well known that people are getting news from sources like short-form videos, topical newsletters, social media, and curated podcasts, and many are avoiding the news entirely. In line with those trends, just 2% of queries on Google Search are news-related.”

Despite the low percentage of news queries, Google wants to continue helping news publishers gain visibility on its platforms.


However, the “CJPA as currently constructed would end these investments,” Zaidi says.

A Call For A Different Approach

Google maintains that the CJPA, in its current form, undermines news in California and could leave all parties worse off.

The company urges lawmakers to consider alternative approaches supporting the news industry without harming smaller local outlets.

Google argues that, over the past two decades, it’s done plenty to help news publishers innovate:

“We’ve rolled out Google News Showcase, which operates in 26 countries, including the U.S., and has more than 2,500 participating publications. Through the Google News Initiative we’ve partnered with more than 7,000 news publishers around the world, including 200 news organizations and 6,000 journalists in California alone.”

Zaidi suggested that a healthy news industry in California requires support from the state government and a broad base of private companies.

As the legislative process continues, Google is willing to cooperate with California publishers and lawmakers to explore alternative paths that would allow it to continue linking to news.


Featured Image:Ismael Juan/Shutterstock

The Best of Ahrefs’ Digest: March 2024


Every week, we share hot SEO news, interesting reads, and new posts in our newsletter, Ahrefs’ Digest.

If you’re not one of our 280,000 subscribers, you’ve missed out on some great reads!

Here’s a quick summary of my personal favorites from the last month:

Best of March 2024

How 16 Companies are Dominating the World’s Google Search Results

Author: Glen Allsopp

tl;dr

Glen’s research reveals that just 16 companies representing 588 brands get 3.5 billion (yes, billion!) monthly clicks from Google.

My takeaway

Glen pointed out some really actionable ideas in this report, such as the fact that many of the brands dominating search are adding mini-author bios.

Image: Example of mini-author bios on The Verge

This idea makes so much sense in terms of both UX and E-E-A-T. I’ve already pitched it to the team and we’re going to implement it on our blog.

How Google is Killing Independent Sites Like Ours

Authors: Gisele Navarro, Danny Ashton

tl;dr

Big publications have gotten into the affiliate game, publishing “best of” lists about everything under the sun. And despite often not testing products thoroughly, they’re dominating Google rankings. The result, Gisele and Danny argue, is that genuine review sites suffer and Google is fast losing content diversity.

My takeaway

I have a lot of sympathy for independent sites. Some of them are trying their best, but unfortunately, they’re lumped in with thousands of others who are more than happy to spam.

Estimated search traffic to Danny and Gisele’s site fell off a cliff after Google’s March updates 🙁 

I know it’s hard to hear, but the truth is Google benefits more from having big sites in the SERPs than from having diversity. That’s because results from big brands are likely what users actually want. By and large, people would rather shop at Walmart or ALDI than at a local store or farmers’ market.

That said, I agree with most people that Forbes (with its dubious contributor model contributing to scams and poor journalism) should not be rewarded so handsomely.

The Discussion Forums Dominating 10,000 Product Review Search Results

Author: Glen Allsopp

Tl;dr

Glen analyzed 10,000 “product review” keywords and found that:


My takeaway

After Google’s heavy promotion of Reddit from last year’s Core Update, to no one’s surprise, unscrupulous SEOs and marketers have already started spamming Reddit. And as you may know, Reddit’s moderation is done by volunteers, and obviously, they can’t keep up.

I’m not sure how this second-order effect completely escaped the smart minds at Google, but from the outside, it feels like Google has capitulated to some extent.

Image: John Mueller seemingly having too much faith in Reddit...

I’m not one to make predictions and I have no idea what will happen next, but I agree with Glen: Google’s results are the worst I’ve seen them. We can only hope Google sorts itself out.

Who Sends Traffic on the Web and How Much? New Research from Datos & SparkToro

Author: Rand Fishkin

tl;dr

63.41% of all U.S. web traffic referrals from the top 170 sites are initiated on Google.com.

Image: Data from SparkToro

My takeaway

Despite all of our complaints, Google is still the main platform to acquire traffic from. That’s why we all want Google to sort itself out and do well.

But it would also be a mistake to look at this post and think Google is the only channel you should drive traffic from. As Rand’s later blog post clarifies, “be careful not to ascribe attribution or credit to Google when other investments drove the real value.”

I think many affiliate marketers learned this lesson well from the past few Core Updates: Relying on one single channel to drive all of your traffic is not a good idea. You should be using other platforms to build brand awareness, interest, and demand.

Want more?

Each week, our team handpicks the best SEO and marketing content from around the web for our newsletter. Sign up to get them directly in your inbox.

Google Unplugs “Notes on Search” Experiment


Google is shutting down its Google Notes Search Labs experiment, which allowed users to see and leave notes on Google’s search results, and many in the search community aren’t too surprised.

Google Search Notes

Availability of the feature was limited to Android and Apple devices, and there was never a clearly defined practical purpose or usefulness for the Notes experiment. Search marketers’ reaction throughout has consistently been that it would become a spam magnet.

The Search Labs page for the experiment touts it as a mode of self-expression, a way to help other users, and a way for users to collect their own notes within their Google profiles.

The official Notes page in Search Labs has a simple notice:

Notes on Search Ends May 2024

That’s it.


Screenshot Of Notice

Reaction From Search Community

Kevin Indig tweeted his thoughts that anything Google makes with a user generated content aspect was doomed to attract spam.

He tweeted:

“I’m gonna assume Google retires notes because of spam.

It’s crazy how spammy the web has become. Google can’t launch anything UGC without being bombarded.”

Cindy Krum (@Suzzicks) tweeted that it was author Purna Virji (LinkedIn profile) who predicted that it would be shut down once Google received enough data.

She shared:


“It was actually @purnavirji who predicted it when we were at @BarbadosSeo – while I was talking. Everyone agreed that it would be spammed, but she said it would just be a test to collect a certain type of information until they got what they needed, and then it would be retired.”

Purna herself responded with a tweet:

“My personal (non-employer) opinion is that everyone wants all the UGC to train the AI models. Eg Reddit deal also could potentially help with that.”

Google’s Notes for Search seemed destined never to take off. It was met with skepticism and a shrug when it came out, and nobody’s really mourning that it’s on the way out, either.

Featured Image by Shutterstock/Jamesbin
