Pirated themes and plugins are the most widespread threat to WordPress sites
With more than 70 million malicious files detected on more than 1.2 million WordPress sites over the past year, pirated themes and plugins were the most common source of malware infections. Wordfence, a provider of web application firewall solutions for sites running on WordPress, detected the malicious files with its malware scanner. The Wordfence scanner found that malware originating from a nulled plugin or theme impacted 206,000 sites, roughly 17% of all infected sites.
Wordfence also reports that of the 206,000 sites, over 150,000 were infected with the same WordPress malware strain, WP-VCD, which is known for spreading through pirated/nulled themes. The WP-VCD malware operation found so much success last year that it accounted for 13% of all infected WordPress sites in 2020. However, WP-VCD was not the only threat to WordPress sites: legitimate sites were also hacked through brute-force attacks and the exploitation of unpatched vulnerabilities.