Why WordPress is hacked more than all its competitors combined

According to research by Imperva, WordPress websites were attacked 24.1 per cent more often than websites running on all other CMS platforms combined.

WordPress websites suffer 60 per cent more XSS incidents than all other CMS platforms, and the research found that while WordPress is more likely to suffer fewer numbers of incidents for each attack type, it also suffers a higher traffic volume for each attack type.

Almost 75 million websites work on the WordPress content management system (CMS) and it seems that WordPress might be a victim of its own popularity. “We believe that popularity and a hacker’s focus go hand-in-hand,” Imperva said in its report. “When an application or a platform becomes popular, hackers realise that the ROI from hacking into these platforms or applications will be fruitful, so they spend more time researching and exploiting these applications, either to steal data from them, or to use the hacked systems as zombies in a botnet.”

The research also found that 48.1 per cent of all attack campaigns target retail applications, while websites that have log-in functionality, and hence contain consumer specific information, suffer 59 per cent of all attacks, and 63 per cent of all SQL Injection attacks.

Amichai Shulman, chief technology officer at Imperva, said: “Looking at other sources of attacks, we were also interested to find that infrastructure-as-a-service (IaaS) providers are on the rise as attacker infrastructure.

“For example, 20 per cent of all known vulnerability exploitation attempts have originated from Amazon Web Services. They aren’t alone; with this phenomenon on the rise, other IaaS providers have to worry about their servers being compromised. Attackers don’t discriminate when it comes to where a data centre lives.”

Ilia Kolochenko, CEO and founder of High-Tech Bridge, said: “For upwards of a decade, the major CMS platforms such as Joomla and WordPress have been deeply researched by both black and white hat hackers (some well-known CMS even changed names during their development).

Today it would be fair to say that the vast majority of data breaches are directly or indirectly related to vulnerable web applications and compromised websites."

Dan Raywood is editor of The IT Security Guru