Based on statistical data gathered by Sucuri from 7,937 compromised websites, WordPress, Joomla, and Magento, in this order, continued to be the most hacked CMS platforms in the third quarter of 2016 (months of July, August, and September).
Among all hacked websites, 74% ran WordPress, which isn't surprising if we take into account the CMS' massive market share among today's sites.
As in the rest of the year, Joomla (17%) and Magento (6%) followed WordPress to make up the top three most hacked CMS platforms.
Other notable entries on this list included Drupal, vBulletin, and ModX, but incidents involving these platforms made up barely 2.25% of all security incidents, even with their numbers combined.
This particular statistic doesn't mean WordPress, Joomla, or Magento are insecure platforms, but only that webmasters make configuration errors that allow attackers to take control over their websites.
The graph above shows a decrease in the number of incidents compared to previous months, but this is due to a smaller sample size; readers should focus only on the percentage values shown on the left axis.
According to Sucuri, a large part of these hacks took place because webmasters failed to run up-to-date CMS versions.
While outdated installations were a major source of problems for Joomla, Magento, and Drupal, the percentage was lower for WordPress, where only 61% of all hacked sites ran outdated WordPress installs.
Nevertheless, Sucuri says that even webmasters who kept the WordPress core up to date failed to update plugins and themes, which eventually gave attackers an entry point they could exploit.
According to Sucuri, around 18% of all hacked WordPress sites can be attributed to websites running three out-of-date plugins: RevSlider, TimThumb, and GravityForms.
More interesting is that these plugins received updates a long time ago, yet webmasters failed to protect their sites. The most outrageous case is TimThumb, which received a security update in 2011, almost six years ago, that many site admins still haven't installed.
In most cases, the reason is that TimThumb has been bundled inside other plugins and themes, and most webmasters didn't even know their site was vulnerable to begin with.
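Because TimThumb is usually bundled under another name inside a theme or plugin, the practical check is to scan the content tree by file content rather than by file name. The script below is an added example, not code from the article or from Sucuri; it assumes that TimThumb copies mention "TimThumb" in a header comment and declare their version with a PHP define such as define ('VERSION', '2.8.14');, and the 2.8.14 cutoff and the sample wp-content tree are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption (not from the article): TimThumb copies carry the word "TimThumb"
# in a header comment and declare their version as a PHP constant, e.g.
#   define ('VERSION', '2.8.14');
# Copies are frequently renamed (thumb.php, image.php) inside themes, so the
# scan matches on file content rather than on file name.
TIMTHUMB_MARKER = re.compile(r"\bTimThumb\b", re.IGNORECASE)
VERSION_RE = re.compile(
    r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"](\d+(?:\.\d+)*)['\"]\s*\)"
)
# Hypothetical cutoff used by this example; anything older is reported.
MIN_OK_VERSION = (2, 8, 14)


def parse_version(text):
    """'2.8.10' -> (2, 8, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_timthumb(root):
    """Walk a wp-content tree; return sorted (relative path, version, outdated)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = Path(dirpath, name)
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            if not TIMTHUMB_MARKER.search(text):
                continue
            match = VERSION_RE.search(text)
            version = match.group(1) if match else None
            # A copy with no recognisable version is treated as outdated:
            # the safe default is to review it rather than silently pass it.
            outdated = version is None or parse_version(version) < MIN_OK_VERSION
            hits.append((str(path.relative_to(root)), version, outdated))
    return sorted(hits)


def build_sample_site():
    """Constructed fixture: a wp-content tree with two embedded copies and one
    unrelated plugin file. Contents are stand-ins, not real TimThumb code."""
    root = Path(tempfile.mkdtemp(prefix="wp-content-"))
    theme_lib = root / "themes" / "legacy-theme" / "lib"
    theme_lib.mkdir(parents=True)
    (theme_lib / "thumb.php").write_text(
        "<?php\n// TimThumb image resizer (renamed copy bundled with the theme)\n"
        "define ('VERSION', '2.8.10');\n"
    )
    plugin = root / "plugins" / "gallery"
    plugin.mkdir(parents=True)
    (plugin / "timthumb.php").write_text(
        "<?php\n/* TimThumb */\ndefine('VERSION', '2.8.14');\n"
    )
    (plugin / "gallery.php").write_text("<?php\n// unrelated plugin code\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, version, outdated in find_timthumb(site):
        print(f"{'OUTDATED' if outdated else 'ok      '} {rel} version={version}")
```

Run against a real install by passing the wp-content directory to find_timthumb; the renamed theme copy is the one a plugin-update notice never mentions, which is exactly why the scan keys on content.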
Cleaning up all these hacked websites is no small feat. According to Sucuri, an infection usually implies the contamination of 92 files on average.
Webmasters who remove a suspicious folder or a few files usually fail to remove the entire infection. According to Sucuri, on 72% of all hacked websites, attackers leave a backdoor behind. In these cases, neglecting to properly clean infected servers results in attackers regaining access shortly after.
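A cleanup that only deletes the files that looked suspicious cannot tell whether anything was left behind. Comparing a hash manifest of a known-good tree against the current one does, and it also catches executable PHP dropped under the uploads directory, which never legitimately holds code. The following is an added example, not code from the article or from Sucuri; the site tree, the altered core file and the leftover file are all constructed stand-ins (the leftover file contains only a comment).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root):
    """Map relative path -> SHA-256 of every regular file under root."""
    root = Path(root)
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            out[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out


def diff_manifests(baseline, current):
    """Files added, modified or missing relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
        "missing": sorted(baseline.keys() - current.keys()),
    }


def php_under_uploads(paths):
    """Even without a baseline, PHP under wp-content/uploads is a classic sign
    of a dropped file and deserves review (uploads should hold media only)."""
    return sorted(
        p for p in paths if p.startswith("wp-content/uploads/") and p.endswith(".php")
    )


def build_sample_site():
    """Constructed fixture standing in for a clean WordPress install."""
    root = Path(tempfile.mkdtemp(prefix="site-"))
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "functions.php").write_text("<?php // core file\n")
    uploads = root / "wp-content" / "uploads" / "2016" / "09"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8 constructed image bytes")
    (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    return root


def simulate_incident(root):
    """Constructed: one core file altered, one PHP file dropped into uploads."""
    (root / "wp-includes" / "functions.php").write_text("<?php // core file\n// altered line\n")
    (root / "wp-content" / "uploads" / "2016" / "09" / ".cache.php").write_text(
        "<?php // stand-in for a leftover file; no real payload\n"
    )


def simulate_partial_cleanup(root):
    """The webmaster restores the core file but never looks in uploads."""
    (root / "wp-includes" / "functions.php").write_text("<?php // core file\n")


def run_demo():
    """Return the diffs after the incident and after the partial cleanup."""
    site = build_sample_site()
    baseline = manifest(site)          # taken from the clean install
    simulate_incident(site)
    after_incident = diff_manifests(baseline, manifest(site))
    simulate_partial_cleanup(site)
    after_cleanup = diff_manifests(baseline, manifest(site))
    return after_incident, after_cleanup


if __name__ == "__main__":
    incident, cleanup = run_demo()
    print("after incident:", incident)
    print("after partial cleanup:", cleanup)
    print("php under uploads:", php_under_uploads(cleanup["added"]))
```

The second diff is the point: after the "cleanup" the modified core file no longer shows up, but the added file under uploads still does, which is the state Sucuri describes when a backdoor survives and access is regained. In practice the baseline comes from a fresh download of the same WordPress, plugin and theme versions, so that manifest("wp-includes") of the live site can be compared against a tree you trust.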
The direct result of these clean-up failures is that the website becomes a host for malware, a participant in email spam campaigns, a pawn in black hat SEO schemes, or a participant in exploit kit operations.
Worse still, such websites lose their search engine ranking. According to the same Sucuri report, around 15% of these hacked websites aren't discovered in due time and end up being blacklisted.
Removing a website from a blacklisting service, such as Google Safe Browsing, Norton SafeWeb, or McAfee SiteAdvisor, is not only extremely difficult and time-consuming but also damaging to a website's reputation, which sometimes results in loss of revenue due to decreasing traffic.
For more insights, the Sucuri Hacked Website Trend Report for Q3 2016 is available for download here.
Comments
Almarma - 1 year ago
That's why I moved from a CMS to a service like Weebly. I'm an IT pro, and since I have played with WordPress and other platforms for many years (the first one I tried was Postnuke ;) ), I learnt a lot about hosting, domains, security, etc. With WordPress, I was very worried about security and never got infected, but I know many "professional designers" with a lot of knowledge about design but very little about security, and I think that's the main reason many are hacked. With services like Weebly and similar ones, you can relax. Other than choosing a good password, it's their problem ;)
Demonslay335 - 1 year ago
WordPress is way more secure with just two simple, free plugins: WordFence and WPRemote. In addition to locking down things and blocking any exploit attempts, WordFence alerts me when any plugins or themes are out of date on all my clients' websites. I then hop over to WPRemote to press one button to update them all at once.
EGAN - 1 year ago
Thanks for the info Demonslay335. I'd never heard of either plug-in but you can believe I'm going through my list of Wordpress sites today and installing one or both to each of them.
EGAN - 1 year ago
To what extent is this due to those three CMS platforms being the most commonly used by a wide margin?
Is there something about any/all of the three that makes them more susceptible to malicious activity or can this be attributed to the sheer volume of sites utilizing one of the three platforms mentioned in the article?
I'm curious because I'm about to launch a new project that is far more elaborate than any I've ever worked on, and I'm trying to determine which platform would best suit my needs. Since there will be other people (users, members... whatever you want to call them) creating accounts and potentially linking financial information to said accounts, if there is a legitimate downside to building the site/community with WordPress (which is the platform I'm by far most familiar with), Drupal or Joomla (which I've heard good things about and which are garnering serious consideration), I'd like to know in advance, before I develop the project enough that there's no turning back.
I appreciate the article. Any additional information would be greatly appreciated.
cyoungster - 1 year ago
@ Almarma
As an "IT Pro" you need to read this. Weebly is not safe either.
http://www.csoonline.com/article/3133031/security/weebly-data-breach-affects-43-million-customers.html