Most CMS-run websites have obsolete software and are vulnerable to attack
If you’ve been putting off software updates on websites that you’ve developed, been bamboozled into managing, or somehow become inexplicably responsible for, you’re not alone. All of the major content management systems (CMS) website brands are out of date much of the time.
Magento-built websites are running on aging software 97 percent of the time, according to a security firm that handles clean-ups of attacked website. Magento was the worst of the bunch, but WordPress-, Joomla- and Drupal-driven websites also are not being updated, reveals Sucuri in its first Website Hacked Trend Report (PDF), covering 2016 Q1.
In its study, Sucuri found that over half of the WordPress platform sites (56 percent) it attended to were using obsolete software. About three-quarters of the 11,000 infiltrated websites (78 percent) that were analyzed over the period were running WordPress.
The other CMSs followed far behind in terms of platform distributions. Joomla was the second most-distributed platform, with only 14 percent of the installs.
Running outdated software is a bad idea, experts say. It can pose a security risk and allow attackers easier access. Piercing a website's defenses can allow attackers to contaminate the site with phishing exploits and malware, among other things.
Notably, the infections found by the security company included more than the as-expected basic phishing elements. Phishing is where users are tricked into sharing information. Holes in websites are used in the ploys.
Much more than phishing exploits
Phishing infections made up only 3 percent of the defilements. Backdoors, where files are used to keep access open indefinitely to the intruders for the purposes of reinfecting the website, were the most prevalent scheme. A massive 4,900 of the 11,000 penetrated sites contained backdoors, the report says.
Malware was found on 60 percent of the sites, and a Search Engine Optimization (SEO) genre of spam crossed the line third with 2,300, or about a quarter, of the infections uncovered. Spam-SEO is where hackers scupper a website’s SEO result pages.
Sucuri also found Hacktool, which is a DDoS tool; redirects; mailers; and defacements of the sites.
“Over a third of websites online are powered by four key platforms: WordPress, Joomla, Drupal and Magento,” Sucuri says. Magento is becoming popular because of its online commerce functions, and Drupal has a following from “large, enterprise and federal organizations,” the firm says.
Inexperienced website administrators
A problem, it says, is that with the migration of websites overall to CMS systems rather than hand-coded sites, as has been the practice in the past, there is now “a large influx of unskilled webmasters and service providers responsible for the deployment and administrations of these sites.”
That’s a challenge because CMSs need regular updating.
Sucuri stresses that it doesn’t think the three main culprits for outdated installs (WordPress, Joomla and Magento) are any less or more secure than others—just that they are the ones the company is coming across during its work.
“In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts,” the security firm says.