Updated: January 16, 2020 by Agnes Talalaev
Every developer, agency or website owner should be aware of the alarming state of website hacking statistics. Almost any piece of software can be “hacked” in some way, and statistics give some insight into where to focus.
Cybersecurity is now an everyday issue for companies. Websites get hacked every day, and some of those hacks are fatal to the businesses attacked.
“Cybercrime is the greatest threat to every company in the world.” (IBM’s chairman, president and CEO)
To give you a better idea of the current state of website hacking, we’ve compiled the must-know statistics.
Let’s dig in.
One study found that there is an attack every 39 seconds on average on the web, and that the non-secure usernames and passwords in use give attackers more chance of success. (Source: Security Magazine)
An attack does not always mean something is hacked. For example, we at WebARX see thousands of attacks targeted at the websites we protect every day. These attacks are logged and monitored by our firewall system, and the web application firewall on the website is there to make sure the attacks are not successful.
Hackers steal 75 records every second. (Source: Breach Level Index)
These facts show us the average number of records stolen per second. Breaches, in general, are actually rare, but when they happen, as we have seen, there are a lot of records that get stolen all at once.
73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. (Source: Thycotic.com)
This is true, but only when we talk about targeted attacks. By a targeted attack, we mean that a hacker has specifically chosen your site and is trying to find an entry point.
The attacks aimed at websites or web applications are usually carried out by bots. This usually means that an automated tool has been told to search for a specific vulnerability or for software that has a vulnerability.
This happens most often with WordPress sites, where hackers try to exploit vulnerabilities in popular plugins. This is where you need a firewall with virtual patches to be protected.
Hackers create 300,000 new pieces of malware daily. (Source: McAfee)
In 2017 alone, more than 317 million new pieces of malware (computer viruses or other malicious software) were created (Source: CNN). Unfortunately, we do not know the statistics of how many were created daily in 2019 yet.
On average 30,000 new websites are hacked every day. (Source: Forbes)
These 30 000 sites are usually legitimate small-business sites that are unwittingly distributing malware. You can read about why anyone would hack a small business website here.
WordPress is one of the main targets for hackers, possibly because it has a massive user base. The main threat, however, is not WordPress itself but the wide range of third-party plugins used by WordPress users.
Whether WordPress makes its core more secure or not, the effectiveness of these security tactics does not apply to its plugins. This is because WordPress allows users to extend the basic functionality of the platform with all these different kinds of components.
The vulnerabilities most commonly found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.
Since WordPress is used by over 35% of all websites it is unsurprisingly also registered as the one with the highest number of vulnerabilities (542) in 2018, which is a 30% increase from 2017 (Figure 5).
According to the WordPress official site, the current number of plugins is 54,971 and the number of plugins has actually decreased since the end of 2018.
Despite the slow growth or decrease of new plugins, the number of WordPress vulnerabilities is still increasing. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop attack tools and try their luck in searching for security holes in the code.
A very worrisome fact about website hacking statistics: 98% of WordPress vulnerabilities are related to plugins. (See Figure 7 below.)
The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.
According to CVE Details, XSS attacks are the biggest threat to WordPress sites. The second most popular type of attack is code execution and third are different bypass vulnerabilities.
Even more worrisome, the top 10 WordPress plugins listed include 5 commercial plugins; they have around 21 million downloads, and one of them is a security plugin. (Source: WP WhiteSecurity)
To top it off, anyone can create a plugin and publish it: WordPress is open source and nobody performs a code analysis before a new plugin is sent out to the world. There are also no serious security standards for these plugins; hence, WordPress plugins are unfortunately prone to vulnerabilities.
According to statistics, web applications have become the #1 target for the exploitation of vulnerabilities and unfortunately, all kinds of software are prone to security breaches.
In 2018 researchers found around 70 types of weaknesses in web applications. As always, cross-site scripting (XSS) vulnerabilities are present in many web applications. (Source: PT Security)
46% of web applications have critical vulnerabilities. (Source: Acunetix’s report “Web Application Vulnerability 2019”)
Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (Source: PT Security)
30% of web applications are vulnerable to XSS. (Source: Acunetix’s report “Web Application Vulnerability 2019”)
Usually, the attacker’s goal is to make the victim involuntarily run a maliciously injected script, which is executed in the context of a trusted web application. In this way, the cybercriminal can steal the user’s data, or even modify the application to send sensitive data to any recipient.
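The injection described above, shown as an added example that is not part of the original article: a rendering function that concatenates untrusted input into the page, beside a version that encodes it at output. The function names and the sample author and comment values are constructed for illustration.

```javascript
// Constructed inputs standing in for attacker-controlled form fields.
const SAMPLE_AUTHOR = 'x" onmouseover="alert(1)';
const SAMPLE_COMMENT = 'Nice post <script>alert(1)</script>';

// Vulnerable: untrusted text is concatenated straight into the page, so the
// browser parses it as markup served by the trusted site.
function renderCommentUnsafe(author, comment) {
  return `<div class="comment" title="${author}">${comment}</div>`;
}

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that can end a text node or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: every untrusted value is encoded at the point of output.
function renderCommentSafe(author, comment) {
  return `<div class="comment" title="${escapeHtml(author)}">${escapeHtml(comment)}</div>`;
}

// Demo-only inspector (not an HTML parser): lists the element and attribute
// names present in a fragment built by the two functions above.
function inspect(html) {
  const tags = [...html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1]);
  const attrs = [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
  return { tags, attrs };
}

console.log(inspect(renderCommentUnsafe(SAMPLE_AUTHOR, SAMPLE_COMMENT)));
console.log(inspect(renderCommentSafe(SAMPLE_AUTHOR, SAMPLE_COMMENT)));
```

In the unsafe output the browser sees an extra `script` element and an `onmouseover` attribute; in the escaped output the same input stays inert text inside the original `div`.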
87% of websites have mid-level weaknesses. (Source: Acunetix’s report “Web Application Vulnerability 2019”)
We drew website hacking statistics from different sources, and some of the figures vary. According to the ENISA Threat Landscape Report made in 2018, the most popular type of attack was SQL injection, leading with 51%. Local File Inclusion comes in second place with 34% and cross-site scripting comes in third with 8%.
According to a study, Americans are more worried about cybercrime than violent crimes (including terrorism, being murdered, and being sexually assaulted). Not only are Americans more worried about cybercrime than other crimes, but their worries about cybercrime have been consistent for about a decade now. (Source: news.gallup.com)
As you also can see from the picture above, the study states that out of 13 crimes measured, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft.
To put this in perspective, only 24% of people participating in the study were worried about being a victim of terrorism, 22% were worried about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered.
The study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that most organizations are unprepared and would be seriously impacted by a cyber attack. It states that a whopping 73 percent of companies are not ready for a cyber attack. (Source: hiscox.co.uk)
These statistics highlight how important it is to always stay on top of what happens with your company, its people and the software you are using.
To stay alert and secure, always keep the software you use updated and monitored. Make sure you are always aware of the components you are using in your web applications, and always remove the ones that you are not using.
Choose a trustworthy hosting provider. You can learn about how to choose a hosting provider here.
It is also very important to choose the right security provider for your WordPress site or any web application. When it comes to WordPress security plugins, I recommend you first get a better understanding of the WordPress security plugin ecosystem and how the plugins all work. Find one that can offer virtual patching and, before enabling a firewall on your web app, take a look at the code.
If you don’t have the technical skills to evaluate the chosen firewall’s code, let a professional help you out. Always remember, when it comes to security: do your research before buying a fancy bucket of hope. Be critical and be smart.
On average 30 000 new websites are hacked every day. These 30 000 sites are usually legitimate small businesses sites, that are unwittingly distributing malware.
Cybercrime will cost the world $6 trillion by 2021.
WordPress is used by over 35% of all websites and it is unsurprisingly also registered as the one with the highest number of vulnerabilities. About 98% of WordPress vulnerabilities are related to plugins.
Hackers attack every 39 seconds, on average 2,244 times a day.