Sucuri has just released a report on a study they did through the first quarter of 2016 on hacking trends affecting Content Management Systems (of which WordPress is one).
The report is available from the Sucuri website but you can also download it by clicking here.
In that study they analysed the hacks on 11,485 CMS-based websites, of which 78% (8,958) were built on WordPress. This is not surprising, given that WordPress is by far the most widely used CMS globally (it has 60% of the CMS market and powers 25% of all websites online).
In the sections that follow I’ve focused only on the findings related to WordPress (since that’s all we do here at Abledragon!).
Background
But first let’s take a quick look at today’s online environment.
I have said in a few places on this site that hacking websites is one of the few growth industries around today. Here’s a quote from Sucuri’s report that emphasises the scale of the problem:
That’s a 294% increase in one year – pretty spectacular by any standards.
And just in case that wasn’t enough:
All too often I hear that ‘no one would be interested in hacking my little website’. Unfortunately, the hackers are not interested in who owns the site or (except in revenge or personal-attack style hacks) how big it is.
They just want control of as many sites as possible so they can add them to their ‘assets’.
These ‘assets’ can then be used to distribute malware, participate in denial of service attacks, redirect visitors to porn sites, or pharmaceutical sites, or whatever other nasty scheme they come up with.
The point is this: no site is beneath the hackers' attention, and no site is truly 'hack-proof'.
Key take-away from the Sucuri report
The headline finding of the report is that vulnerable, out-of-date software was the leading weakness in the websites (of any kind) that suffered a successful hack.
To quote from the report again:
By ‘extensible components’ they mean (in the case of WordPress) plugins or themes.
Focusing specifically on the sections in the report that deal with WordPress (it also covers Joomla!, Drupal and Magento), Sucuri found that in all cases the weaknesses that had enabled the hack were to be found in plugins, not the WordPress core.
In fact, just 3 plugins accounted for 25% of all the successful attacks on WordPress websites – and all 3 had had versions available for more than a year that patched the specific vulnerability that was exploited.
The webmasters had simply failed to update them.
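Since the report's finding is that un-updated plugins were the way in, the obvious practical check is to list what is out of date before someone else finds it for you. The following is an added example, not code from this post or from Sucuri: a small POSIX shell script that parses the CSV produced by WP-CLI's `wp plugin list` command and flags plugins with an update pending, plus inactive plugins that were never deleted (their files stay on disk and can still be reached directly by an attacker). The plugin names and version numbers in the embedded sample are constructed so the script runs offline, and the function names `report_plugins` and `count_outdated` are my own.

```shell
#!/bin/sh
# Added example, not from the Abledragon post or the Sucuri report.
# Flags WordPress plugins that WP-CLI reports as having an update
# available, and inactive plugins that are still installed.
#
# Real usage on a site (WP-CLI must be installed):
#   wp plugin list --fields=name,status,update,version,update_version --format=csv | report_plugins
#
# The CSV below is CONSTRUCTED sample output in exactly that format so
# the script runs offline; the plugin names and versions are made up.
SAMPLE_CSV='name,status,update,version,update_version
example-slider,active,available,4.1.4,4.6.5
example-forms,active,none,2.3.0,
example-thumbs,inactive,available,1.0,2.8.14
example-seo,active,none,3.5.1,'

# report_plugins: reads WP-CLI CSV on stdin, prints one line per finding.
# Fields: name,status,update,version,update_version (header row skipped).
report_plugins() {
    tail -n +2 | while IFS=, read -r name status update version update_version; do
        [ -z "$name" ] && continue
        if [ "$update" = "available" ]; then
            # A patched version exists and this site is not running it.
            printf 'UPDATE   %s %s -> %s\n' "$name" "$version" "$update_version"
        fi
        if [ "$status" = "inactive" ]; then
            # Deactivated is not removed: the plugin's PHP files are still served.
            printf 'DELETE   %s (inactive but still installed)\n' "$name"
        fi
    done
}

# count_outdated: reads the same CSV on stdin, prints the number of plugins
# with an update available (the number you want to see reach zero).
count_outdated() {
    tail -n +2 | awk -F, '$3 == "available" { n++ } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_CSV" | report_plugins
printf 'Plugins with updates pending: %s\n' "$(printf '%s\n' "$SAMPLE_CSV" | count_outdated)"
```

On a live site, pipe the real `wp plugin list` command into `report_plugins`, then act on the findings with `wp plugin update --all` and `wp plugin delete <name>` for anything you no longer use. Run it from cron and mail yourself the output; a plugin that stays on the UPDATE list for weeks is exactly the situation the report describes.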
Summary
I’ve said it before and, no doubt, I’ll say it again: the way to approach website security is to think in terms of ‘when’ your website is hacked, not ‘if’, and prepare accordingly.
A number of my own websites (luckily not this one!) were hacked a couple of weeks ago. In all cases I was able to delete the affected sites and restore them from clean backups, so they were back online within a couple of hours.
What took the extra time was all the other work you need to do to clean up properly and prevent a re-hack: getting your website removed from the blacklist(s), checking and cleaning your own computer, changing every password involved (website logins, FTP client, hosting control panel, etc.), and so on.
And again (as I’ve mentioned before!) we at Abledragon offer a range of service options to help secure your website and, if it is hacked, to sort everything out for you – for full details:
As I said at the beginning, if you’d like to read the full report from Sucuri you can download it by clicking here.
Stay vigilant!