90% of hacked CMS sites in 2018 were powered by WordPress

A depiction of a bug on a blue binary background
(Image credit: Shutterstock)

The overwhelming majority of hacked content management system (CMS) websites last year were built using WordPress.

Approximately 90% of hacked CMS sites were powered by the open source content platform throughout 2018, analysis Sucuri has shown. This represents an increase from 83% of hacked CMS sites in 2017, despite WordPress market share remaining at roughly 60% across the last few years.

Websites powered by Magento and Joomla! represented the second and third most hacked CMS platforms last year, at 4.6% and 4.3%. This was followed by Drupal!, ModX, PrestaShop, OpenCart, and others.

The security firm analysed a total of 18,302 infected websites and a total of 4,426,795 cleaned files in its report.

Meanwhile, the leading cause of infections stemmed from vulnerabilities introduced with add-ons like plugins, themes and extensions. They also generally encompassed improper deployment, security configuration issues, and a lack of security knowledge.

Infections that had exploited outdated CMS platforms, meanwhile, accounted for 44% of all instances, against 56% of websites that were deemed up-to-date.

WordPress represented the lowest proportion of infected sites that were powered by an outdated installation, 36.7%. This was a decline from 39.3% last year.

The CMS with the highest proportion, on the other hand, was PrestaShop with 97.2%, followed by OpenCart with 91.3%, and both Magento and Joomla! also registering a score of above 80%.

"This data demonstrates that the work WordPress continues to do with auto-updates has a material impact," the report said.

"The one area that requires considerable attention, however, are the extensible components of the platform (e.g., plugins). These extensible components are the real attack vectors affecting tens of thousands of sites a year.

"The primary attack vector abused when infecting WordPress are plugins with known and unknown vulnerabilities. This makes the role of third-party components more significant for this CMS."

The 2018 analysis also showed two-thirds of sites that made cleanup requests revealed at least one PHP-based backdoor that hidden within the system. Although this was a 3% reduction against last year's figures, it is still the number one leading infection type.

"Backdoors function as the point of entry into a website's environment after a successful compromise and are one of the first things an attacker will deploy to ensure continued access," the report added. "These tools allow an attacker to retain unauthorized access to an environment long after they have successfully infected a website.

"In many instances, we see attackers scanning sites for known backdoors in target hosts, looking to potentially abuse another attacker's backdoor. Backdoors give attackers the opportunity to bypass existing access controls to web server environments and are particularly effective at eluding modern website scanning technologies."

Meanwhile, malware was found in 56.4% of instances, while SEO spam was in 51.3% of sites. Overall there was a significant increase in the general malware family distribution from 47% in 2017 to 56.4% in 2018.

SEO spam campaigns were the fastest growing form of cyber affliction in the previous year, having soared from just 7.3% in 2017.

The researchers found this form of attack is difficult to detect, and most commonly involves search engine poisoning, which involves attempts to abuse site rankings to monetise on affiliate marketing.

IT Pro approached WordPress for comment.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.