A week ago we wrote this:
A good rule of thumb based on what we have seen over the years is that stats on security are probably not accurate. So it isn’t surprising that when we looked into a claim by a company named Imperva that WordPress vulnerabilities tripled in 2018, it was a mess, but that hasn’t stopped security journalists from repeating the claim.
In that post we had also noted the poor coverage of the claim by a security news outlet, Threatpost. Before we did that we had contacted the listed editorial contact for that website, Thomas Spring, to note the issues with their article. We have yet to hear back from them, so we went back to the article to see if there had been a change and there had.
The change though didn’t correct anything we had noted, like this obviously incorrect line:
Automattic, the owner of WordPress, did not immediately respond to a request for comment from Threatpost.
Automattic doesn’t own WordPress.
What was changed was that the headline claim of the article was radically changed. The headline now read “WordPress Vulnerabilities Up 30 Percent in 2018”. That is significant drop from the previous claim that they tripled.
At the bottom of the article this was added:
This article was updated on Jan. 14 at 4 p.m. EST, to reflect new statistics about WordPress vulns based on Imperva’s report, due to an inconsistency with stats that made it into the initial report. “Due to a data transfer error, some of the 2017 figures were incorrectly reported; this version of the blog has been corrected. This error did not affect our 2018 statistics, nor our conclusions,” Imperva said.
It is hard to understand how this didn’t impact their conclusions since WordPress vulnerabilities discovered increased by a 10% of their original claim.
That there were data issues really surprising, considering what we noted last week:
Looking around various source to try to find a match or understand their sourcing we couldn’t find anywhere near 11 reports of vulnerabilities in the first plugin shown, Event Calendar WD. In fact we only found one, if you count each change made related to that vulnerability you would to more than 11, so we can’t figure out where the figure might have come from. What makes that more problematic is that the other portions of their post don’t seem to be written by someone that understands the topic at hand, so the accuracy of the data seems suspect to us.
Over at another outlet that ran with this, Bleeping Computer, the following update was added (emphasis ours):
The original article contained a factual error that slipped in the report we received, incorrectly claiming that WordPress-related vulnerabilities increased three times in 2018 compared to the previous year. In fact the amount of vulnerabilities related to the CMS increased by 30%. We have updated the article to correct the mistake. This does not change the fact that WordPress is the most popular CMS out there and that it received the largest number of vulnerability reports.
It doesn’t seem like the most popular CMS receiving the most reports would be news, especially considering that most of the count related not WordPress itself, but to plugins.
You might think that Threatpost and others outlets might reconsidering their sourcing in light of something like this, but as we noted last week these types of stats are generally not accurate and no amount of previous inaccuracies has changed things (the sourcing issues are a problem not just for stats based articles unfortunately). In this case even if accurate, the increase in the number of vulnerabilities discovered in WordPress plugins isn’t really all that newsworthy without understanding why they increased since the increase could be a sign of WordPress plugins getting more secure or less secure.