Sucuri's Hacked Website Report 2017

The most comprehensive analysis of trends in website security is finally out. There are a couple of interesting facts worth highlighting.

Most important is something we expected: Joomla is emerging as the most secure CMS.

The 2017 telemetry indicates a shift in CMS infections:

  • WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
  • Joomla infection rates have dropped from 17% in 2016 Q3 to 13.1% in 2017.
  • Magento infection rates rose marginally from 6% in Q3 2016 to 6.5% in 2017.
  • Drupal infections dropped slightly from 2% in Q3 2016 to 1.6% in 2017.

The main cause of infection is still the fact that the CMS installations are not properly updated.

At the end of Q3 2016, 61% of hacked WordPress sites recorded outdated installations; however, this has since decreased. In 2017, only 39.3% of cleanup requests for WordPress had an outdated version.

Joomla! (84%) and Drupal saw more than a 15% decrease in outdated versions from the previous year, down to 69.8% and 65.3% respectively.

Similar to previous years, Magento websites (80.3%) were mostly out of date and vulnerable at the point of infection; though this number has declined over 13% since Q3 2016.

Bottom line: site owners seem to have learned the lesson, and the number of outdated sites is decreasing. Still, not updating sites causes the large majority of problems.

In our experience this is mainly caused by 3 major factors:

  • highly customized deployments,
  • issues with backward compatibility,
  • and lack of staff available to assist with the migration to newer CMS versions.

These areas tend to foster upgrading and patching issues for the organizations that leverage popular CMSs for their websites, also resulting in potential incompatibility issues and impacts to the website's availability. This is where the decisions made by website owners come into play (sometimes bad ones, but mostly based on a lack of expertise).

In most cases this originates in a single decision: choosing not to work with developers who have really mastered these CMSs. It is the responsibility of the developer to guide website owners towards building sustainable sites, eliminating backward compatibility problems from day zero and implementing solutions that do NOT jeopardize future upgrade paths.

Each website owner must be aware of these problems, and must also be aware of the risks assumed when the maintenance of the websites is neglected.

There are reliable firms offering great packages safeguarding your Joomla sites. Go for them!