About 90% of the hacked content management system (CMS) sites that Sucuri investigated and cleaned up in 2018 were running WordPress. The other platforms lagged far behind: Magento (4.6%), Joomla (4.3%) and Drupal (3.7%).
According to the security company, most compromises result from vulnerabilities in plugins and themes, configuration errors, and a lack of maintenance by webmasters, who often neglect to update the CMS core, themes and extensions.
E-commerce sites shun patches
Of the CMS-based sites examined by Sucuri, only 56% were running an up-to-date CMS before falling victim to an attack. An up-to-date core is necessary, but not always sufficient, to keep intruders out.
Indeed, while 90% of the hacked sites were running WordPress, most of them were on a current version of the core: Sucuri reports that only 36% of the compromised WordPress sites were running an outdated version of the CMS.
By contrast, CMSes such as PrestaShop, OpenCart, Joomla and Magento, when hacked, were almost always running an outdated version.
“This trend in outdated versions supports the idea that e-commerce sites are notorious for lagging on updates to avoid breaking features and losing money,” Sucuri observes.
Even so, although some sites do run outdated versions of a CMS, “the main cause of infection came from component vulnerabilities,” including popular but rarely updated extensions, for example;