At least 15,769 WordPress websites have been compromised so far this year by cyber-attackers, and most are serving up malware, unflagged by Google’s Safe Browsing checks.
WordPress is a popular target because the majority of the web uses it to manage and publish content. That is according to the 2016 Sucuri report on compromised web properties, which noted that of the 21,821 compromised sites studied, the majority (78%) were running WordPress.
WordPress also continues to lead in the number of infected websites, at 74%.
The report focuses on four open-source content management systems (CMS). In addition to WordPress, it covers Joomla! (14%), Magento (5%) and Drupal (2%). About 3,099 Joomla! sites were hacked this year too.
When it comes to out-of-date software, a common vector for hackers, the report found that WordPress installations were out of date 55% of the time, while Joomla! (86%), Drupal (84%) and Magento (96%) continue to lead the way with out-of-date software. Year-over-year, WordPress saw a 1% decrease in out-of-date core software and infected websites, while Drupal had a 3% increase. Joomla! and Magento deployments continue to show the most out-of-date instances of any platform.
Poorly secured extensions give hackers initial access much of the time. Sucuri found that on average, WordPress installations had 12 plugins installed at any given time. The top three plugin vulnerabilities contributed to 22% of WordPress site hacks: Gravity Forms, TimThumb and RevSlider.
Worryingly, only 18% of the infected websites were blacklisted by search engine and web protection services, leaving 82% of them unflagged and posing a danger to unwitting surfers. The most successful blacklisting effort was Google Safe Browsing, which accounted for 52% of the blacklisted sites. Norton Safe Web managed to find 38%, while McAfee SiteAdvisor found only 11% of the hacked sites.