WordPress Remains Most Hacked CMS

Sucuri 2017 Hacked Website Trend Report

Sucuri — a global company that operates as a cybersecurity scout and analyzer — recently released their 2017 Hacked Website Trend Report, which provides in-depth visibility on website security issues currently occurring in the content management system (CMS) space.

The report, which analyzed 34,000+ compromised websites, detailed some startling WordPress vulnerabilities, as well as some statistics that are outright scary for WordPress webmasters.

Today, we're going to break the report down into segments and dissect Sucuri's findings.

Overview

Here is a brief overview of the key points we're going to talk about below.

  • WordPress infections up 9% this year — 84% were infected
  • Only 39% of WordPress websites are out-of-date, which means that these infections are happening mostly on up-to-date websites.
  • Backdoors that lead to SEO spam are the most common type of hack this year.
  • PHP is the most commonly abused method of entry.
  • Blacklisting statistics up slightly (2%,) but the numbers might be increasing heavily this year.

Let's discuss these findings.

WordPress Infections On the Rise

WordPress infections rose 9% this year, and a massive 84% of all websites that were infected used the WordPress platform.

This isn't surprising. Given WordPress's infection-ridden year last year, it's expected that their overall number of infected websites would rise. What is surprising is that the overall number of out-of-date WordPress sites fell dramatically. In Q3 2016, Sucuri was reporting that 61% of WordPress websites were out of date, and they even attempted to shift some of the blame for increasing vulnerabilities onto the webmasters under the guise of incompetence.

This year, only 39% of infected WordPress websites were out-of-date on their software updates. This means that despite having the latest software, WordPress users are still getting hacked at an alarming rate.

The theory that out-of-date software was somehow to blame for skyrocketing infection statistics doesn't seem to hold up given this year's analysis. More people are using the latest version of WordPress than ever before, yet more people using WordPress are getting hacked than ever before — it's a conundrum.

WordPress has managed to shift blame to webmasters during hacks for years, but they're starting to run out of excuses. That's not to say that there are cases of misuse, but there seems to be a trend of downright vulnerability on the part of WordPress.

Of course, some of this may have to do with plugins and themes (which do have significant problems,) but if we look at WordPress itself, we'll see that a substantial vulnerabilities  are coming from within the core of WordPress itself.

Backdoors and SEO Spam are Out-of-Control

Backdoors were the most common infection in the malware family. Sucuri reports that 71% of all hacked websites contained PHP-based backdoors. Now, it's important to note that backdoors themselves aren't the end-goal of hackers. They want to use those backdoors to inject spam or malware into the website.

So, where there are backdoors, there is spam. This is reflected in Sucuri's findings. Of the 34,000 + hacks, 44% of them were SEO spam. Essentially, that means that basic hackers are simply spamming ads (gambling, pills, pornography, etc.,) and some of the more nuanced hackers are sneaking hidden links in websites to steal link juice.

Is it surprising that 71% of all attacks had a PHP-based backdoor? Nope. WordPress's PHP issues have been getting out-of-hand over the last two years. From PHP unlink functions that are letting author-level users strip installs away and reinstall the website themselves (effectively becoming the owner,) to register_routes functions without integer identifiers tied to them (which allows hackers get in by asking for non-binary and binary requests in succession.) to tons of small vulnerabilities that allow hackers to bypass certain website restrictions,  WordPress obviously has some PHP issues.

Now, that's not to say that there aren't plenty of methods-of-entry that hackers can use to get PHP-based backdoors — there are. But, uploading these backdoors (usually titled something like phpinfo.php) has become increasingly easier to do with WordPress.

As an example, try Googling "PHP backdoor WordPress GitHub" You're going to find 147,000 results, and the first page is going to be littered with nasty little backdoors that anyone could download and use to infect WordPress websites.

If you don't know, GitHub is a website that's used to host open-source software project and code. This should give you an example of how widespread access to WordPress backdoors is. You could literally go and download them off of GitHub.

Blacklisting Statistics and Looming Threats

Blacklisting can destroy your SERP (page rank) and flag your professional website as insecure which turns visitors away, so it's critical that we approach blacklisting carefully.

In Sucuri's report, they show that 17% of websites that were infected had been blacklisted by some blacklisting authority (i.e., Google,) which is up 2% from Q2 of last year.

While that may not seem like a huge spike, it is essentially death-by-search-engine to have your website blacklisted. First, you're going to take a massive ranking hit (even complete exclusion,) then Google's going to flag your site, which makes it nearly impossible for users to visit it even if they already know the URL, and it makes other sources of communication coming from the website (like email) show as spam. It's a big deal.

17% may seem like a low percentage, but blacklisting is becoming more and more prevalent as time goes on. The 2018 report will most likely show a massive jump in blacklisting numbers. Google's bots are getting better at detecting backlinks daily, and Certificate Authorities are starting to run their own blacklisting campaigns. Google has made website security a priority — shifting blame from the visitor to the webmaster.

Google's move to mark all non-HTTPS websites as insecure was a definite step towards their overarching goal of internet security — expect more aggressive blacklisting to follow.

To learn more about how much of a pain it is to get whitelisted again, check out Google's post "Help I think I've been hacked."

Time to start Addressing the Security of Your Website

These findings should rattle WordPress owners. WordPress's security keeps getting worse, and their vulnerabilities are not only compounding, but they are also getting easier to access. If you run a WordPress website and you're gung-ho on sticking to it, we heavily recommend that you start investing in Cybersecurity elements throughout the site. Remember, having a website hacked is insanely expensive, be preemptive.

Rather than spending money on cybersecurity another approach is to simply replace your CMS.  Find a CMS that puts security at the forefront of its design and delivers an environment that is safe for your customers and your business.