Last Wednesday we discussed an ongoing issues where security journalist conflate WordPress plugin’s download count at WordPress.org with how many websites are using the plugin, making a vulnerability seem like it has much larger impact than it actual it does. In the case last week the headlines proclaimed things like “More than 1 million WordPress websites imperiled by critical plugin bug” about a security vulnerability that existed in older versions of WP Slimstat, beyond explaining the fact that the security vulnerability in question was unlikely to be widely exploited, we pointed out that the website count used was way off base. The journalist were taking the 1.3 million downloads the plugin had and using that to back up their claim on over 1 million websites impacted, which they shouldn’t have since it isn’t close to being appropriate substitute for an actual count of use.
Over the weekend WordPress.org made a change that should stop this, as they started displaying a count of Active Installs in addition to download counts for WordPress plugins. In the case of the WP Slimstat plugin the actual number of websites using it is much less than a million, with the Active Installs listed at 100,000+:
Hopefully this will be a wake-up call to some of those journalist that they need to stop taking so many liberties when reporting on WordPress plugin security issues, since this isn’t the only problem that there has been with their coverage of the issue (which could use more quality coverage).