Roughly 90 percent of all the hacked content management systems (CMSs) Sucuri investigated and helped fix in 2018 were WordPress sites. In a distant second, third, and fourth came Magento (4.6 percent), Joomla (4.3 percent), and Drupal (3.7 percent), according to a report the company published yesterday.
Sucuri experts blamed most of the hacks on vulnerabilities in plugins and themes, misconfiguration issues, and a lack of maintenance by webmasters, who often forgot to update their CMS, themes, and plugins.
Experts said that only 56 percent of the sites they investigated were running an up-to-date CMS at the time they were called in to remediate a hack.
But while 90 percent of all hacked sites were WordPress, most of these were running up-to-date versions. Sucuri said that only 36 percent of the hacked WordPress sites that the company investigated ran an outdated version.
On the other hand, CMSs like PrestaShop, OpenCart, Joomla, and Magento, when found to be hacked, they almost always were running on an out-of-date version.
"This trend in outdated versions supports the idea that e-commerce sites are notorious for straggling behind on updates to avoid breaking functionality and losing money," Sucuri said.
"Attackers have a high interest in targeting e-commerce websites with valuable customer data (i.e., credit card and user information). It's imperative these website owners update their software to ensure their sites have the latest security enhancements and vulnerability patches."
Yet, despite some sites running outdated CMS versions, "the leading cause of infections stemmed from component vulnerabilities," Sucuri said.
And when the hacks happened, Sucuri said that hackers usually deployed backdoors, with the company finding one on 68 percent of all the compromised sites it investigated.
Sucuri experts said that hackers also used around 56 percent of the hacked sites to host malware for other operations, and deployed SEO spam pages on 51 percent of the hacked sites --a number that has risen in the past year, from 44 percent in 2017.
"[SEO spam] is one of the fastest growing families over the previous years," Sucuri said. "They are difficult to detect and have a strong economic engine driven by impression-based affiliate marketing.
"Most frequently, the result of Search Engine Poisoning (SEP) attacks, where attackers attempt to abuse site rankings to monetize on affiliate marketing or other blackhat tactics, SEO spam typically occurs via PHP, database injections, or .htaccess redirects.
"Websites impacted by SEO attacks often become infected with spam content or redirect visitors to spam-specific pages. Unwanted content is regularly found in the form of pharmaceutical ad placements but may also include injected content for other popular industries like fashion or entertainment (i.e. pornographic material, essay writing, fashion brands, loans, and online gambling)."