March 9, 2018 by Agnes Talalaev
Every developer, agency or website owner should be aware of the alarming state of hacking statistics. These numbers will give some insight into how important is to be on top of everything that is going on with the software used in the company.
“Cybercrime is the greatest threat to every company in the world.”IBM’s chairman, president and CEO
So let’s dig into website hacking statistics.
PS! The article was updated in May 2019.
WordPress is one of the main targets of hackers and the reason as it is known is that it has a massive user-base. And the main threat as we see is not WordPress itself, but it’s a wide range of plugins that are used by WordPress users.
Whether WordPress makes its core more secure or not, the effectiveness of these security tactics does not apply to its plugins. It’s because WordPress allows users to extend the basic functionalities of the platform using all these different kinds of components.
The vulnerabilities most commonly found in WordPress plugins can range from the disclosure of sensitive information to SQL injection, and remote code execution.
Since WordPress is used by over 35% of all websites it is unsurprisingly also registered as the one with the highest number of vulnerabilities (542) last year, which is a 30% increase from 2017 (Figure 5).
According to the WordPress official site, the current number of plugins is 54,971 and the number of plugins has actually decreased since the end of 2018.
Despite the slowed growth or decrease of new plugins, the number of WordPress vulnerabilities is still increasing. The explanation for this could either be the code quality of the plugins, or the fact that WordPress is such a popular CMS, which motivates more attackers to develop attack tools and try their luck in searching for security holes in the code.
A very worrisome fact about website hacking statistics: 98% of WordPress vulnerabilities are related to plugins. (See Figure 7 below.)
The most popular vulnerability types in WordPress plugins are Cross-site Scripting and SQL Injection.
What is even the most worrying that in these top 10 WordPress plugins listed you can see 5 commercial plugins, they have around 21 million downloads and one of these plugins is a security plugin. (Source: WP WhiteSecurity)
To top it off, even more, the sad part is that anyone can create a plugin and publish it — WordPress is open source and nobody is performing a code analysis before the new plugin is sent out for the world. Also, there are no serious security standards for these plugins hence, WordPress plugins are unfortunately prone to vulnerabilities.
According to statistics, web applications have become the #1 target for the exploitation of vulnerabilities and unfortunately, all kinds of software is prone to security breaches.
In 2018 researchers found around 70 types of weaknesses in web applications. As always, Cross-Site Scripting (XSS) vulnerabilities are present in many web applications. (source)
46% of web applications have critical vulnerabilities.Acunetix’s report “Web Application Vulnerability 2019”
Four out of five web applications contained configuration errors such as default settings, standard passwords, error reporting, full path disclosure, and other information leaks that might have value for potential intruders. (source)
30% of web applications are vulnerable to XSS.Acunetix’s report “Web Application Vulnerability 2019”
Usually, the attacker’s goals are to make the victim involuntarily run a maliciously injected script, which is executed by a trusted web application. In this way, the cybercriminal can steal the user’s data, or even modify the applications to send sensitive data to any recipient.
87% of websites have mid-level weaknesses.Acunetix’s report “Web Application Vulnerability 2019”
There are different sources for website hacking statistics that we found information from and some of the information varies. According to ENISA Threat Landscape Report made in 2018 the most popular type of attacks were SQL injections which were leading with 51%. Local File Inclusion comes in second place with 34% and cross-site scripting comes in third with 8%.
Trustwave Global Security report puts cross-site scripting at 40% of all web attacks observed in 2017. ENISA Threat Landscape report states as well that 42% of all cyber attacks were focused on compromising web apps.
The 2018 February was definitely the month of crypto-jacking and government hacks. Website hacking statistics show that there were over 5000 sites that were infected with cryptocurrency mining malware and thousands of Government websites were down because of that. Symantec Researchers also announced that ‘Crytojacking’ attacks had increased 1,200% in the UK.
According to Symantec’s 2019 Internet Security Threat Report, there were four times more crypto-jacking events in 2018 than in 2017. Crypto-jacking particularly peaked in 2018, and the month of January and February 2018 were particularly noteworthy — with Symantec stating they blocked about 8 million crypto-jacking attempts each month.
Cryptojacking is when a hacker hijacks your computer and then uses its CPU power to mine cryptocurrencies.
Cryptojacking will probably rise in 2019, particularly as the cryptocurrency market is again showing some new signs of life.
According to a study, Americans are more worried about cybercrime than violent crimes (including terrorism, being murdered, and being sexually assaulted). Not only are Americans more worried about cybercrime than other crimes, but their worries about cyber crimes has been consistent for about a decade now. (Source)
As you also can see from the picture above, the study states that out of 13 crimes measured, Americans continue to worry most about cybercrimes. 71% worry about the hacking of personal data while 67% about identity theft.
To put in perspective only 24% of people participating in the study were worried about being a victim of terrorism, 22% were worried about being attacked while driving, 20% about being sexually assaulted, and 17% about being murdered.
The study of more than 4,000 organizations across the US, UK, Germany, Spain, and the Netherlands found that most organizations are unprepared and would be seriously impacted by a cyber attack. It states that a whopping 73 percent of companies are not ready for a cyber attack. (Source)
These statistics are highlighting how important it is to always be on top of what happens with your company, the people and the software you are using.
To be alert and secured you should always keep the software you use updated and monitored. Make sure you are always aware of the components you are using on your web applications and always remove the ones that you are not using.
Choose a trustworthy hosting provider. You can learn about how to choose a hosting provider here.
It is also very important to choose the right security provider for your WordPress site or any web application. When it comes to WordPress security plugins, first I recommend you to get a better understanding of the WordPress security plugins ecosystem and how they all work. Find one that can offer virtual patching and before enabling a firewall on your web app, take a look at the code.
If you haven’t got technical skills to evaluate the chosen firewall code, let a professional help you out. Always remember that when it comes to security – make your research before buying a fancy bucket of hope. Be critical and be smart.
Protect your websites from malicious traffic - set-up in under 3 minutes.
WebARX is compatible with the following platforms: