Publishers still struggle to keep sites safe

By: Rob Corbidge, 04 January 2023


Quarterly scan of major WordPress-powered sites shows a broad picture of overdue updates

Scanning a random international sample of 100 publishers' WordPress sites reveals that just under three quarters (74) have not yet updated to the latest version of WP.

Just over a quarter, 26, are running on the most up-to-date version of WP, version 6.1.

Version 6.1 was released on November 1 2022, with a maintenance update (6.1.1) on November 15 2022.

Overall, of the sites surveyed by GPP, over 60 also carried identifiable security vulnerabilities as reported by the official WordPress scanning tool.

Earlier last year, the same scan revealed that, of 114 sites in the representative selection, 82 were not running on the latest 5.9.2 WordPress version, and over 65% carried identifiable security vulnerabilities as reported by the official WP scanning suite.

Broadly, the overall trend of larger publishers moving sites off WP continues.

According to the research, publishers struggle with "housekeeping" tasks such as a WP update for one of several reasons, or a combination of them:

  • Not enough human resources - the thing that must be fixed right now is the thing that will get attention. An out-of-date installation isn't broken as such, and if it functions, it will fall off any priority list.
  • Technology complexity - running an update to a WP install carries the risk that one or more plug-ins might cease to function, which then requires further work.
  • Process breakdown - a CMS update is simply a maintenance task, but it is one that requires regularity and visibility. Some publishers don't have the process in place to ensure this work is done.