Report on Website Hacking Trends from Sucuri

Get your FREE WordPress Troubleshooting Guide – see how to fix most WordPress problems!

Hacker insideSucuri has just released a report on a study they did through the first quarter of 2016 on hacking trends affecting Content Management Systems (of which WordPress is one).

The report is available from the Sucuri website but you can also download it by clicking here.

In that study they analysed the hacks on 11,485 CMS-based websites, of which 78% (8,958) were built on WordPress. This is not surprising, given that WordPress is by far the most widely used CMS globally (it has 60% of the CMS market and powers 25% of all websites online).

In the sections that follow I’ve focused only on the findings related to WordPress (since that’s all we do here at Abledragon!).


But first let’s take a quick look at today’s online environment.

I have said in a few places on this site that hacking websites is one of the few growth industries around today. Here’s a quote from Sucuri’s report that emphasises the scale of the problem:

“. . . As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. . . .”

That’s a 294% increase in one year – pretty spectacular by any standards.

And just in case that wasn’t enough:

“. . . Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing . . .”

All too often I hear that ‘no one would be interested in hacking my little website’. Unfortunately, the hackers are not interested in who owns the site or (except in revenge or personal-attack style hacks) how big it is.

They just want control of as many sites as possible so they can add them to their ‘assets’.

These ‘assets’ can then be used to distribute malware, participate in denial of service attacks, redirect visitors to porn sites, or pharmaceutical sites, or whatever other nasty scheme they come up with.

The point is this: no site is safe from the hackers’ attentions, and no site is truly ‘hack-proof’

Key take-away from the Sucuri report

The leading take-away from the report is that vulnerable software is the leading weakness in websites (any website) that suffered a successful hack.

To quote from the report again:

“. . . The leading cause of compromises in today’s websites comes from the exploitation of software vulnerabilities found in out-of-date software, specifically in its extensible components . . .”

By ‘extensible components’ they mean (in the case of WordPress) plugins or themes.

Focusing specifically on the sections in the report that deal with WordPress (it also covers Joomla!, Drupal and Magento), Sucuri found that in all cases the weaknesses that had enabled the hack were to be found in plugins, not the WordPress core.

In fact, just 3 plugins accounted for 25% of all the successful attacks on WordPress websites – and all 3 had had versions available for more than a year that patched the specific vulnerability that was exploited.

The webmasters had simply failed to update them.


I’ve said it before and, no doubt, I’ll say it again: the way to approach website security is to think in terms of ‘when’ your website is hacked, not ‘if’, and prepare accordingly.

A number of my own websites (luckily not this one!) were hacked a couple of weeks ago. In all cases I was able to delete the affected sites and restore them from clean backups, so they were back online within a couple of hours.

What took the extra time was all the other activities you need to undertake to clear your site and prevent a re-hacking: getting your website removed from the blacklist(s), checking and cleaning your computer, changing the various passwords you need to use (websites, FTP client, hosting control panel, etc.), and so on.

And again (as I’ve mentioned before!) we at Abledragon offer a range of service options to help secure your website and, if it is hacked, to sort everything out for you – for full details:

As I said at the beginning, if you’d like to read the full report from Sucuri you can download it by clicking here.

Stay vigilant..!

Martin Malden

About the author: Martin Malden owns Abledragon, a WordPress agency that was established in 2009. Today it serves customers in Hong Kong, Australia and the UK. Abledragon websites are built for today’s Internet, with the mobile user in mind, and are known for security and speed. Successful Abledragon projects.