The gravest dangers for CMS-based websites


Over a third of all websites on the Internet are powered by one of these four key open source platforms: WordPress, Joomla!, Drupal and Magento.

This makes the life of attackers looking to compromise websites much easier, as they can simply concentrate on exploiting vulnerabilities in one of them, or one of the popular plugins and extensions for them.

CMS-based websites

Sucuri, a security company that concentrates on detecting web attacks and remediating compromised websites, has recently released fresh statistics on hacked websites.

How the websites get hacked

Based on the reports by the company’s Incident Response Team and Malware Research Team, in the first quarter of this year 78 percent of the successful compromises were of websites built on WordPress. Joomla!-based sites came in at 14 percent, Magento at 5 percent, and Drupal at 2 percent.

Magento-powered e-commerce sites are usually hit with exploits for the critical remote code execution bug patched in February 2015, and the XSS hole that can lead to e-store hijacking, plugged in January 2016. Obviously, not all admins update their installations regularly.

In fact, admins of Magento sites are the worst at this: 97 percent of the Magento installations Sucuri’s experts encountered during cleanup were out of date. WordPress admins are much better – “only” 56 percent of the installations were out of date:

Percentage of out of date installations during cleanup

For WordPress sites, outdated plugins are a greater danger.

“The three leading software vulnerabilities affecting the most websites in the first quarter were the RevSlider and GravityForms plugins, followed by the TimThumb script,” researchers noted.

“All three plugins had a fix available over a year, with TimThumb going back multiple years (four to be exact, circa 2011). This goes to show and reiterate the challenges the community faces in making website owners aware of the issues, enabling the website owners to patch the issues, and facilitating the everyday maintenance and administration of websites by their webmasters.”

The problem with RevSlider, in particular, is that it’s embedded within WP themes and frameworks, and many users don’t even know they use it. It’s up to the authors of these offerings to keep the plugins updated, but too many can’t be bothered.
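One way for a site owner to find plugin copies that live outside wp-content/plugins, which is the RevSlider situation described above: an added Python example, not code from the article or from Sucuri, that reads the standard WordPress plugin file headers from every PHP file under wp-content (themes included) and flags versions below a minimum table. The plugin names, versions and the sample directory tree are constructed placeholders, not values taken from the vendors' advisories.

```python
import re
import tempfile
from pathlib import Path

# Standard WordPress plugin header fields ("Plugin Name:" / "Version:"), with or without a leading " * ".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

# Constructed placeholder table: oldest version treated as safe per plugin.
# Real values must come from the vendors' advisories, not from this example.
MIN_SAFE_VERSION = {"Slider Revolution": "4.2.0", "Gravity Forms": "1.9.0"}

def version_tuple(v):
    """'4.1.4' -> (4, 1, 4) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_plugin_header(text):
    """Return (name, version) if the file carries a WP plugin header, else None."""
    fields = dict(HEADER_RE.findall(text[:8192]))  # headers sit at the top of the file
    if "Plugin Name" in fields:
        return fields["Plugin Name"], fields.get("Version", "0")
    return None

def find_plugins(wp_content):
    """Walk ALL of wp-content (plugins and themes alike) and list every plugin header found."""
    root = Path(wp_content)
    found = []
    for path in root.rglob("*.php"):
        header = parse_plugin_header(path.read_text(errors="ignore"))
        if header:
            name, version = header
            found.append({"name": name, "version": version, "path": str(path),
                          "bundled_in_theme": "themes" in path.relative_to(root).parts})
    return found

def outdated(plugins):
    """Plugins below the table's minimum version; copies bundled in themes show up here too."""
    return [p for p in plugins if p["name"] in MIN_SAFE_VERSION
            and version_tuple(p["version"]) < version_tuple(MIN_SAFE_VERSION[p["name"]])]

def build_sample_tree():
    """Constructed sample tree: a current plugin, plus an old copy hidden inside a theme."""
    root = Path(tempfile.mkdtemp())
    (root / "plugins" / "gravityforms").mkdir(parents=True)
    (root / "plugins" / "gravityforms" / "gravityforms.php").write_text(
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.4.0\n*/\n")
    (root / "themes" / "sometheme" / "inc" / "revslider").mkdir(parents=True)
    (root / "themes" / "sometheme" / "inc" / "revslider" / "revslider.php").write_text(
        "<?php\n/**\n * Plugin Name: Slider Revolution\n * Version: 4.1.4\n */\n")
    return root
```

Run `outdated(find_plugins("/path/to/wp-content"))` against a real site; a hit with `bundled_in_theme` set is exactly the copy the theme author, not the plugin updater, has to refresh.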

How hackers leverage compromised websites

Magento sites are usually hacked to get at customers’ payment information.

The rest are usually used for SEO spam (31%, and that percentage keeps rising), drive-by-download infections (60%), hosting hacking tools (exploit or DDoS tools), and phishing. Plain old defacements by hacktivists are few and far between.

In over two-thirds of cases, the cleaning team found backdoors in the websites – the attackers want to make sure that they will be able to get back in if admins attempt to clean up the site.

“On average, we clean 132 files per compromised site,” the researchers shared.

“This shows how deep the malware can be embedded within a website. It also explains why Google sees a 30% reinfection rate via their webmaster tool, which speaks directly to the challenges website owners face when trying to fix their own infected websites.”