Publication | Closed Access
Plugins to Detect Vulnerable Plugins: An Empirical Assessment of the Security Scanner Plugins for WordPress
Citations: 13 | References: 13 | Year: 2021 | Venue: Unknown
Engineering, Information Security, Software Engineering, Source Code Analysis, Software Analysis, Hardware Security, Vulnerability Assessment (Computing), Quantitative Analysis, Empirical Assessment, Detect Vulnerable Plugins, Internet Security, Security Management, Security Testing, Security Scanner Plugins, Wordpress Core, Data Security, Security Testing Method, Software Security, Program Analysis, Software Testing, Vulnerability Discovery, Security, Security Scanner
WordPress is possibly the world's most popular Content Management System (CMS): it supports around 455 million websites and claims 60.3% of all content management systems in use. The WordPress core is known to be relatively secure, but its plugin ecosystem is not. 92% of vulnerabilities found in WordPress-powered websites are attributed to third-party plugins that those websites depend on. This paper presents an empirical study in which we examine the efficacy of 11 WordPress security scanner plugins in detecting known vulnerabilities in another set of 51 insecure plugins. The results are mixed, with some security scanner plugins failing entirely and even the most effective plugins failing to identify significant vulnerabilities. The findings are derived from both a quantitative analysis and a deeper qualitative analysis.