In this post I examine the fact that only 31% of Wootheme based sites in the top 1 million are running the latest version of the Wootheme Framework. WordPress themes are an important part of the security checklist when maintaining your WordPress installation.
[box type="note"]A key security maintenance function of any WordPress install is performing regular updates. Many people do update the WordPress Core and Plugins; in addition it is just as important to update to the latest version of all installed WordPress Themes. In fact any themes you are not using should be removed.[/box]
On 29th April 2012, an exploit was released for the Woothemes Framework. This exploit allows possible code execution through the short code preview function. Version 5.3.10 resolved the issue, but additional fixes were applied to make 5.3.12 the recommended version to stay secure.
Back in August 2011, an exploit was released for an image function called "timthumb" this affected many wordpress themes; as it was a popular function included with many frameworks and standalone themes (this not only applied to woothemes).
There has been two critical security vulnerabilities in the past year that affected Woothemes framework based sites; as we see in the charts below even those websites with significant levels of web traffic appear to have little knowledge or no regard for security updates to WordPress themes.
Since we use Woothemes here at HackerTarget.com, we dug a bit further into the woothemes frameworks in the top 1 million websites. The following statistics show the breakdown of the Woothemes Framework versions in use.
WooFramework Versions Compared
This chart shows the detected WooFramework versions of WordPress installs in the top 1 million websites. A total of 2476 Woo Powered sites were detected; note that this only includes sites that have the metagenerator tag enabled.
The next chart shows a simple breakdown of the sites, with the latest version; compared to sites with older versions of the Woothemes Framework. It would not be an unreasonable assumption to predict that many of the 1699 websites with an older version are indeed vulnerable to known security exploits.
Data was collected in mid May; only 31% of Woothemes sites were running the latest version of the framework.
Disabling the Metagenerator Tag
These statistics have been determined by searching for the Metagenerator Tag in the html source. It is easy to remove this information from your Woothemes installation as shown in the following image.
Disabling the metagenerator tag is a good way to remove what security people like to call "information disclosure"; that is information leakage that allows an attacker to more easily find ways to break into a system. You will of course still need to keep all your WordPress bits and pieces up to date; to avoid becoming a victim.
Want to do your own analysis? Download the full wootheme count in .csv format.