News Courtesy of Imperva.com:
WordPress vulnerabilities have tripled since last year, and they continue to dominate in terms of the number of vulnerabilities published in the CMS category. Although WordPress leads the pack in sheer vulnerabilities numbers, Drupal vulnerabilities had a larger effect and were used in mass attacks that targeted hundreds of thousands of sites during 2018. However, there is some good news for the security industry — the number of Internet of Things (IoT) vulnerabilities declined, as well as the number of vulnerabilities related to weak authentication. In the server side technologies category, the number of PHP vulnerabilities continued to decline. In addition, the growth in API vulnerabilities also slightly declined.
The key takeaway from this report is that more vulnerabilities doesn’t necessarily mean more attacks. Given WordPress’s large and increasing footprint, it isn’t that far-fetched to expect more vulnerabilities. Just think of all the plugins and themes out in the wild. How many of those have been abandoned? Furthermore, how many websites sit idle, not receiving updates for months or even years?
When looked at from this perspective, it’s a little easier to understand why there are so many vulnerabilities. Sure, it’s a little frightening to learn issues in this regard have tripled, but any good server admin will have additional layers of security and protection. It’s kinda like locking your door by the handle and then turning the deadbolt lock.
Although I’ve never used Drupal, I can’t help but feel a little sympathetic to their attack woes of 2018. A recent report I read on CMS market share says that WordPress has an astonishing 59%. That’s followed by Joomla (6.7%) and Drupal (4.7%). The latter two CMSs probably have zero chance of dethroning WordPress. I’m curious to see what these statistics look like next year, especially since Drupal received the most attacks.