The online security firm Sucuri have just released their 2016 Q1 Websites Hacked report, which serves really well as a sort of ‘state of the union’ address in terms of website security for small-medium websites.
Sucuri specialise in security tools, scanning, and repairing hacked sites, and because of the free tools they provide (like their excellent WordPress security scanner plugin) they have access to tons of data to back up their assertions. Their report is available for free download here.
WordPress is the most targeted CMS
The report shows that, of the four most popular content management systems (WordPress, Joomla, Drupal and Magento), WordPress was the most affected by hacking, accounting for over 78% of all websites they worked on in the first quarter.
The leading cause of compromises in today’s websites comes from the exploitation of software vulnerabilities found in out-of-date software.
Sucuri are quick to point out though that “In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.”
It’s little wonder that WordPress is the most affected by hacks, given that it is by far the most popular open source CMS. Another factor in why it’s so affected is the huge range of plugins available, and the ease with which these can be installed by novice webmasters.
25% of all the WordPress infections they dealt with were caused by outdated versions of just three immensely popular plugins (RevSlider, GravityForms and TimThumb).
The key lesson here seems to be that, while WordPress can be easily set up and customised by people with very little technical knowledge, if your site is important to you it’s worth getting someone who knows what they’re doing to ensure that your setup is secure, and at the very least make sure that you’ve got the latest recommended versions of both WordPress and any plugins.
Out of Date Software
Another interesting takeaway from the report is how large a part out-of-date CMS installations play in infections. For 56% of the WordPress infections they dealt with, the WordPress version was out of date. This number was much higher for Joomla, Drupal and Magento, seemingly in part because their update processes are not as streamlined as WordPress's.
Credit Cards target for e-commerce hacks
An important point for e-commerce sites has been the rise in Magento-specific hacks, and in particular the ShopLift SUPEE-5344 vulnerability. Again, making sure you have an up-to-date version of Magento will help protect you, but with e-commerce it’s important to review exactly how you’re handling the payment process and whether you are handling credit cards directly rather than using an established and trusted payment gateway.
Why are sites being hacked?
One question many site-owners ask, when they find out that they’ve been hacked, is why me? What possible use can my site have to a hacker? The answers in the report are clear – the vast majority of attacks have, as their primary goal:
And for these particular objectives the site itself isn’t necessarily important, but rather the quantity of infected sites that the hacker manages to gain and control. So just because you’re running a simple business profile site, of little interest to anyone outside your immediate customer base, doesn’t mean that you won’t end up being hacked – it’s enough that your site has a common vulnerability.