Sucuri: Website Hacked Trend Report – 2016/Q1

Sucuri have released a very interesting website security report detailing their analyses of 11,000+ systems made up largely of WordPress, Joomla! and Magento. These three systems make up a significant proportion of the world’s 1 billion websites; in fact, over one third of the world’s websites are powered by either WordPress, Joomla!, Magento or Drupal.

“The blanket guidance to stay current and update is falling on deaf ears.” – Sucuri Q1 2016 report

In almost all instances, the security compromises found were the result of improper deployment, configuration, and overall maintenance by the webmasters and their hosts. Most issues were due to outdated non-core extensions which had available updates solving the security issue that were never applied.

Sucuri analysed 11,485 websites in Q1 2016, finding that WordPress leads the sector at 78%, followed by Joomla at 14%, Magento at 5% and Drupal at 2%. 56% of the infected WordPress websites were running out-of-date software, which is good compared to the other platforms: Joomla! instances were out of date 84% of the time, Magento 96% of the time, and Drupal 81% of the time. Outdated, unpatched versions are significantly more vulnerable to attack, infection and compromise.

“In all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core. Extensible components directly relate to the integration of plugins, extensions, components, modules, templates, themes and other similar integrations.” – Sucuri Q1 2016 report

Google currently blacklists more than 70,000 websites each week which have been compromised with malware or phishing. About 70% of attacks include a back door which if not properly dealt with can persist after the initial issue is fixed and lead to re-infection. Google sees a 30% reinfection rate via their webmaster tool, which illustrates the difficulties in properly restoring and securing an infected site.

We are seeing, and will continue to see, an increase in the level of insecure implementations, as the knowledge required to maintain a secure system is not keeping up with the speed of user adoption of easy-to-implement website technologies. This can also come as a sudden shock for website owners, as important partners such as Google, Twitter and Facebook continue to take stronger action against infected websites, blacklisting or blocking them to protect their own user base. The challenges involve such a mix of skill sets and options in terms of server hosting, platform configuration and security strategies that all organisations, both small and large, are affected.

Checking for updates

Are you running an outdated CMS or outdated extensions? WordPress will display available updates on the admin home screen.

[Image: Example pending updates on WordPress]

To check in Joomla! navigate to Extensions > Manage > Updates to see the list of pending updates. Version 3 and above in Joomla also notifies you from the administrator home page.

[Image: Checking Joomla for pending updates]
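The admin screens above are the normal way to spot pending updates, but on a server with many sites it helps to be able to audit the installed versions without logging in to each dashboard. The script below is an added example (not code from the original post, Sucuri, or the WordPress project): it reads the two places WordPress itself records versions, `wp-includes/version.php` for core and the `Plugin Name:` / `Version:` header comment of each plugin's main file, and compares them numerically against a table of current versions that you supply. The `LATEST` table and the fake WordPress tree are constructed samples; in real use you would fill the table from wordpress.org and each plugin's release page.

```python
"""Offline audit of a WordPress install for outdated core and plugins.

Added example, not part of the original post. Reads the core version from
wp-includes/version.php and each plugin's header comment, then flags any
component whose installed version is behind the operator-supplied table.
"""
import re
import tempfile
from pathlib import Path

# $wp_version = '4.4.1';  is how wp-includes/version.php declares the core version
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# Plugin header lines, e.g. " * Plugin Name: Foo" or "Version: 1.2.3"
PLUGIN_HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)


def parse_version(text):
    """Turn '4.5.2' or '1.10' into a tuple of ints so that 1.10 > 1.9,
    which a plain string comparison gets wrong."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def core_version(root):
    """Installed WordPress core version, as declared by version.php."""
    text = (Path(root) / "wp-includes" / "version.php").read_text()
    m = CORE_RE.search(text)
    if not m:
        raise ValueError("no $wp_version found in wp-includes/version.php")
    return m.group(1)


def plugin_versions(root):
    """Return {plugin_dir: (plugin_name, version)}. A plugin is identified, as
    WordPress does it, by a top-level .php file carrying a 'Plugin Name:' header."""
    result = {}
    plugins_dir = Path(root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return result
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php in sorted(plugin_dir.glob("*.php")):
            fields = dict(PLUGIN_HEADER_RE.findall(php.read_text(errors="replace")))
            if "Plugin Name" in fields:
                result[plugin_dir.name] = (fields["Plugin Name"], fields.get("Version", "0"))
                break
    return result


def audit(root, latest):
    """latest: {'core': 'x.y.z', '<plugin-dir>': 'x.y.z'}.
    Returns [(component, installed, latest)] for everything that is behind."""
    outdated = []
    installed = core_version(root)
    if parse_version(installed) < parse_version(latest["core"]):
        outdated.append(("wordpress-core", installed, latest["core"]))
    for slug, (_name, version) in plugin_versions(root).items():
        if slug in latest and parse_version(version) < parse_version(latest[slug]):
            outdated.append((slug, version, latest[slug]))
    return outdated


# Constructed sample of "current" versions; in practice looked up by the operator.
LATEST = {"core": "4.5.2", "contact-form-demo": "2.3.1", "example-gallery": "1.10.0"}


def build_sample_site():
    """Construct a throwaway fake WordPress tree (constructed sample, not a real
    install): old core, one current plugin, one plugin that is behind."""
    root = Path(tempfile.mkdtemp())
    (root / "wp-includes").mkdir()
    (root / "wp-includes" / "version.php").write_text("<?php\n$wp_version = '4.4.1';\n")
    plugins = root / "wp-content" / "plugins"
    for slug, name, ver in [("contact-form-demo", "Contact Form Demo", "2.3.1"),
                            ("example-gallery", "Example Gallery", "1.9.3")]:
        (plugins / slug).mkdir(parents=True)
        (plugins / slug / f"{slug}.php").write_text(
            f"<?php\n/*\nPlugin Name: {name}\nVersion: {ver}\n*/\n")
    return root


if __name__ == "__main__":
    for component, have, want in audit(build_sample_site(), LATEST):
        print(f"OUTDATED {component}: installed {have}, current {want}")
```

Run against a real docroot by calling `audit("/path/to/site", LATEST)` with a populated table; themes can be handled the same way, since their `style.css` carries an equivalent `Version:` header.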

Performing the updates

If you’re not comfortable with updating your extensions, please get in touch for help and advice. We even do a free, no-obligation assessment to let you know your best options. As always, make sure you have a full, restorable backup before performing any major changes such as updates.

Performing the updates can be as simple as following the prompts in your chosen CMS. While these will most often cause no hassles especially in recent releases, there can sometimes be errors or conflicts that need resolving. This is why we always have a backup to hand to roll back if necessary. Fixing any errors or conflicts is highly platform-specific, so please get in touch if you have problems.
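A backup is only worth having if you know it will restore, so "to hand" should mean "already checked". The script below is an added example (not code from the original post or from any CMS project): it archives the web root together with a database dump that you have already produced separately (with mysqldump or your CMS's backup extension; the dump here is a constructed sample file), records a SHA-256 manifest of every archived file, and then reads the whole archive back and compares each member against the manifest. The `demo()` function also shows the two ways the check fails: an archive that no longer matches its manifest, and an archive truncated by an interrupted copy.

```python
"""Full backup plus restorability check before a CMS update.

Added example, not part of the original post. backup_site() writes a
tar.gz of the docroot and an existing database dump, plus a JSON manifest
of member -> sha256; verify_backup() streams the archive back and checks
every member against that manifest without extracting to disk.
"""
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def backup_site(docroot, db_dump, out_dir):
    """Archive docroot under 'docroot/' and the dump under 'db/'; write a
    manifest beside the archive. Returns (archive_path, manifest_path)."""
    docroot, db_dump, out_dir = Path(docroot), Path(db_dump), Path(out_dir)
    archive = out_dir / "site-backup.tar.gz"
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in docroot.rglob("*") if p.is_file()):
            arcname = "docroot/" + path.relative_to(docroot).as_posix()
            tar.add(path, arcname=arcname)
            manifest[arcname] = sha256_bytes(path.read_bytes())
        arcname = "db/" + db_dump.name
        tar.add(db_dump, arcname=arcname)
        manifest[arcname] = sha256_bytes(db_dump.read_bytes())
    manifest_path = out_dir / "site-backup.manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return archive, manifest_path


def verify_backup(archive, manifest_path):
    """True only if every manifest entry is present in the archive with the
    recorded hash and nothing extra is there. Any read or decompression
    error means the archive cannot be relied on for a rollback."""
    expected = json.loads(Path(manifest_path).read_text())
    seen = {}
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                with tar.extractfile(member) as fh:
                    seen[member.name] = sha256_bytes(fh.read())
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False
    return seen == expected


def build_sample(tmp):
    """Constructed sample site: a tiny docroot and a fake SQL dump."""
    tmp = Path(tmp)
    docroot = tmp / "public_html"
    (docroot / "wp-content" / "plugins" / "demo").mkdir(parents=True)
    (docroot / "wp-config.php").write_text("<?php // constructed sample config\n")
    (docroot / "wp-content" / "plugins" / "demo" / "demo.php").write_text("<?php // v1\n")
    dump = tmp / "site-db.sql"
    dump.write_text("-- constructed sample dump\nCREATE TABLE wp_options (option_id INT);\n")
    out = tmp / "backups"
    out.mkdir()
    return docroot, dump, out


def demo():
    """Back up the sample, verify it, then show two failing cases.
    Returns (good, manifest_mismatch, truncated_archive)."""
    tmp = Path(tempfile.mkdtemp())
    docroot, dump, out = build_sample(tmp)
    archive, manifest = backup_site(docroot, dump, out)
    good = verify_backup(archive, manifest)
    # Case 1: archive and manifest disagree on the dump's hash.
    wrong = json.loads(manifest.read_text())
    wrong["db/site-db.sql"] = "0" * 64
    (out / "wrong.manifest.json").write_text(json.dumps(wrong))
    mismatch = verify_backup(archive, out / "wrong.manifest.json")
    # Case 2: an interrupted copy left only the first 32 bytes.
    truncated = out / "truncated.tar.gz"
    truncated.write_bytes(archive.read_bytes()[:32])
    broken = verify_backup(truncated, manifest)
    return good, mismatch, broken


if __name__ == "__main__":
    print("verified, manifest mismatch, truncated:", demo())
```

Keep the manifest with the archive (ideally off the server) and run `verify_backup` again on the copy you would actually restore from, not just the one that was just written.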
