Skip to content
Archived content. You are viewing v1 of SME Digital Advisor — the original multi-section site (risks, scenarios, policies, OWASP, flashcards). Go to current site →

OWASP A06: Vulnerable and outdated components

Is your website built on software with known holes?

Based on the OWASP Top 10 — 2021 edition. Check owasp.org/Top10 for the current edition.

Background

Most websites are built from many bits — CMS, plugins, libraries. If anything's out of date, the website inherits the holes. Most hacked WordPress sites are running old plugins, not zero-days.

Questions to ask yourself

  • When was our website (or its CMS, plugins, libraries) last updated?
  • Who's named as responsible?
  • Do we know which third-party libraries the site uses?
  • Are old themes or plugins still installed but unused?

For owners — questions to ask your developer

Questions to ask your developer

Outdated components are the most common cause of SME website breaches.

  • 01“Can you produce an SBOM — a list of every third-party library we use and its current version?” If they can't produce one, that's a sign nobody's tracking.
  • 02“When did we last apply security updates to our CMS, plugins, and libraries? What's our patching cadence?”
  • 03Decision: For WordPress sites, move to a managed WP host (WP Engine, Kinsta, SiteGround) that handles patching.